IaaS SERVICE AGREEMENT
| Recipients: | CLIENT |
|---|---|
| Document Reference | CT.AM.JUR.ANX CdS-IaaS - 20251701_v3.0.docx_JJJJ AAAA |
| Your Contacts | First Name Last Name Account Manager email: firstname.lastname@cloud-temple.com |
| Last Updated Date | 01/17/2025 |
| Contractual Validation Date | Day JJ YYYY |
| Version | Date | Action | Author |
|---|---|---|---|
| v0.1 | 06/07/2022 | Initial Draft | Lorena ALCALDE |
| v0.2 | 09/14/2022 | Enrichment | Lorena ALCALDE |
| v1.0 | 12/30/2022 | Integration of Indicators | Lorena ALCALDE |
| v1.1 | 01/23/2023 | Footer Update | Lorena ALCALDE |
| v1.2 | 05/22/2023 | Enrichment | Lorena ALCALDE |
| v1.3 | 06/29/2023 | Enrichment | Lorena ALCALDE |
| v1.4 | 11/06/2023 | Capital Update and Enrichment | Lorena ALCALDE |
| v1.5 | 11/30/2023 | Enrichment | Lorena ALCALDE |
| v1.6 | 03/21/2024 | Enrichment | Lorena ALCALDE |
| v2.0 | 03/29/2024 | Compliance Adjustments (SNC) | Nicolas ABRIOUX |
| v2.0 | 04/03/2024 | Publication | Lorena ALCALDE |
| v3.0 | 01/17/2025 | Enrichment | Emeline CAZAUX |
Preliminary and Glossary
Preliminary
This document formalizes the Service Agreement associated with the IaaS service qualified as SecNumCloud under the name "Secure Temple".
The Service is SecNumCloud qualified (see certificate in Annex).
This Service Agreement complements and is supplementary to the Provider's General Terms and Conditions of Sale and Use. It is understood that the contractual documents shall be interpreted consistently with one another. In the event of contradiction or divergence between the terms of the contractual documents, the documents shall prevail over one another in the following order:
- General Terms and Conditions of Sale and Use (GTCU)
- SecNumCloud IaaS Service Agreement
- SecNumCloud OpenIaaS Service Agreement
- SecNumCloud PaaS Service Agreement
- Specific Service Agreement – Bare Metal
- Specific Particular Agreement
- Security Assurance Plan (SAP)
- Specific Terms of Use (STU)
- Data Protection Agreement
Glossary
In this Service Agreement, the CLIENT, the Provider and the Parties are identified in the Contract to which this Service Agreement is annexed.
The expressions used below in this Service Agreement shall be interpreted in accordance with the following definitions:
- Change: Any addition, modification or deletion affecting the Service that has been authorized, planned or taken on.
- Standard Change: Change subject to a defined procedure, for which the conditions of production deployment and the impacts (including financial ones) are known in advance and accepted by the Parties. It is then included in the catalogue of standard changes and may, depending on the case, carry a GTI and a GTR.
- Contract: Refers to the contract entered into by the CLIENT with the Provider to enable the CLIENT to use the Service, and to which this Service Agreement is annexed.
- Service Agreement: This document, drawn up within the framework of a specific contract or of the General Terms and Conditions of Sale and Use (GTCU), in compliance with the requirements of the SecNumCloud reference framework.
- Service Request: Request for evolution subject to a procedure, the implementation of which: i) does not modify the CMDB, ii) follows an operating procedure whose costs and risks are known and accepted in advance and which requires no specific rollback measures, iii) is subject to a service level agreement commitment and, when carried out during business hours on business days, is included in the fees of the Contract.
- Availability: Ability to ensure the availability and the maintenance of optimal performance of the Service in accordance with the criteria and commitments defined in the Service Level Agreements (SLA).
- Technical Data: Comprises all data processed to deliver the Service, in particular the identity of the recipients and administrators of the technical infrastructure, logs of the technical infrastructure, access configuration, directories, certificates, etc.
- Event: An "event" is any detectable or identifiable occurrence that may be significant for the management of the Service.
- Hypervisor: Operating system that enables virtual machines to run on a compute node.
- Incident: Any unforeseen event that disrupts the normal operation of the Service or compromises the security of the data.
- Security Incident: Any event within the scope of the Service:
  - of an intentional, malicious nature;
  - of an accidental nature that affects the integrity, confidentiality or traceability of the Service or of the CLIENT's data;
  - that affects existing security measures.

  Impairments of availability that are not intentional (e.g. hardware failure, bug, malfunction, natural disaster) are not considered a Security Incident.
- CLIENT Interface: Administration interface of the Service made available to the CLIENT by the Provider, comprising a web administration console and an API.
- Production Deployment: Administrative action(s) carrying out the Change once it has been approved (Change, in the ITIL sense, refers solely to change management and not to its implementation/realization).
- Problem: Cause of one or more recurring Incidents, or cause of a potential Incident (risk situation), requiring analysis and resolution to prevent recurrence.
- Region: Refers to a geographically delimited set of Availability Zones providing network, compute and storage services in order to optimize latency, performance and compliance with local regulatory requirements.
- Service: Refers to the SecNumCloud-qualified IaaS service "Secure Temple", delivered to the CLIENT by the Provider from technical infrastructures operated by the Provider, as described in the "Description of the Service" section of this Service Agreement.
- Secure Temple: Refers to the SecNumCloud-qualified IaaS service offered by the company Cloud Temple, as defined in the certificate available on the ANSSI website and annexed to this Service Agreement.
- Disaster: Refers to a serious event of natural or human origin, accidental or intentional, causing significant losses and damage to the affected Party.
- Monitoring: Monitoring of an information system or a service, involving the collection of various data such as measurements and alarms. This activity is limited to observation and tracking, without the ability to act directly on the monitored elements, a prerogative reserved for administration tasks.
- Tenant: An isolated instance reserved for a user or group of users, sharing a common infrastructure while maintaining the independence and security of data and applications.
- Availability Zone (AZ): A specific, isolated section of the cloud infrastructure, designed to ensure high availability and resilience of services through geographic distribution of resources.
Acronyms
| Acronym | Definition |
|---|---|
| CAB | Change Advisory Board |
| CMDB | Configuration Management Database |
| COPIL | Steering Committee |
| COSTRAT | Strategic Committee |
| COPROJ | Project Committee |
| DB | Database |
| DPA | Data Protection Agreement |
| DRP | Disaster Recovery Plan |
| GTE | Escalation Time Guarantee |
| GTI | Intervention Time Guarantee |
| GTR | Resolution Time Guarantee |
| ITIL | Information Technology Infrastructure Library - Best practices for IT service management |
| IaaS | Infrastructure as a Service |
| MCO | Maintenance in Operational Condition |
| MOA | Client (project owner) |
| MOE | Contractor (service provider) |
| MSP | Managed Services Provider |
| OS | Operating System |
| PAQ | Quality Assurance Plan |
| PaaS | Platform as a Service |
| PAS | Security Assurance Plan |
| PASSI | Information System Security Audit Provider |
| RFC | Request For Change |
| RGPD | General Data Protection Regulation (personal data) |
| RPO | Recovery Point Objective -- Data freshness upon recovery after an incident |
| RTO | Recovery Time Objective -- Service restoration time after an incident |
| SDM | Service Delivery Manager |
| SLA | Service Level Agreement |
| SNC | SecNumCloud |
| SOC | Security Operations Center |
| TMA | Third-party Application Maintenance |
| UO | Work Unit |
| VABE | Validation of Suitability for Good Operability |
| VABF | Validation of Suitability for Proper Functioning |
| VM | Virtual Machine |
| VSR | Regular Service Validation |
Purpose of this Service Agreement
This Service Agreement establishes the terms and conditions under which the Provider undertakes to deliver the Service to the CLIENT. Its purpose is to:
- Specify the performance requirements expected by the CLIENT in terms of functionality and reliability of the Service;
- Outline the Provider’s obligations to meet the agreed-upon service levels;
- Identify the regulatory standards specifically applicable to the delivered Service;
- Ensure consistency and integrity in the evaluation of Service quality;
- Guarantee the excellence of the services provided, assessed through quantitative performance indicators.
It is stipulated that, in the event the Provider loses its SecNumCloud qualification, the Contract may be terminated immediately and without penalty by the CLIENT. In such a case, the Provider undertakes to notify the CLIENT of this loss of qualification by sending an official notice via registered letter with acknowledgment of receipt.
It should be noted that any modification or adjustment to the SecNumCloud qualification shall not be interpreted as a revocation of the initial qualification.
Audit
The Provider undertakes to allow the CLIENT, or any third-party auditor who is not a competitor of the Provider and who has been designated by the Provider, to access all documents necessary to verify full compliance with the obligations related to conformity with the provisions of Article 28 of the General Data Protection Regulation (GDPR), thereby facilitating the conduct of audits.
By accepting this Service Agreement, the CLIENT explicitly grants authorization to:
- The National Agency for the Security of Information Systems (ANSSI), as well as the competent qualification body, to carry out verification of the compliance of the Service and its information system with the SecNumCloud reference framework.
- A qualified information systems security auditor, duly certified PASSI and expressly designated by the Provider, to conduct security audits concerning the Service.
Description of the Service
Shared Responsibility Model
The Service provided by the Supplier is characterized by the delivery of the following offerings, which align with the shared responsibility principle presented in the SecNumCloud reference framework:
- Provision of computing (compute) resources;
- Provision of storage spaces;
- Access to networking and internet connectivity services;
- Offering of a backup service dedicated to virtual machines.
The shared responsibility model applied between the Supplier and the CLIENT within the scope of the Service is detailed in §7.1.
It is understood that the Supplier will leverage its expertise to deliver the Services in accordance with professional best practices and in compliance with the requirements of the SecNumCloud reference framework.
Detailed Scope of the Service
| Service | Description |
|---|---|
| Compute | Computing resource of the CLIENT's Tenant |
| Storage | Production data of the CLIENT's Tenant |
| S3 Object Storage | Provisioning of a sovereign, multi-AZ object storage infrastructure compatible with standard S3 APIs. |
| Backup | Subject to subscription of appropriate mass-storage |
| Network Infrastructure | Networking resources of the CLIENT's Tenant |
| CLIENT Console | Service enabling the CLIENT to access and manage its IaaS service via the Console interface |
| Support | Support service accompanying the aforementioned services and only these (*) |
_(*) Within the scope of the qualified SNC service and the Provider's responsibilities in this regard_
Datacenter Infrastructures
The Service encompasses the provision, for each Availability Zone, of the following qualified services:
- A datacenter site located in France for the FR Region, compliant with the latest technological standards, offering a resilience level equivalent to or higher than Tier 3 of the Uptime Institute;
- Provision of technical rooms within dedicated datacenters for housing essential technical equipment required for service production, including computing, storage, networking, cabling, and other necessary components;
- Secure electrical power supply, provided by two distinct electrical circuits, ensuring uninterrupted service continuity;
- Provision of climate control services, adjusted to meet equipment manufacturers’ standards and recommendations, to maintain an optimal environment for technical devices;
- Continuous monitoring and detailed metrology, enabling precise tracking and proactive management of service performance and security.
The Provider ensures the availability of advanced fire detection and suppression services, designed to effectively identify and neutralize any fire outbreak within the facilities. These systems are essential to ensure the safety of equipment and data. They include high-precision smoke detectors and suppression devices capable of rapid response without damaging IT equipment. This service is critical to prevent fire risks, minimize potential damage, and ensure operational continuity.
The CONTRACTOR is informed that all implemented security procedures and measures, including annual failover tests on backup generators, are essential to guarantee service continuity and integrity. These practices are designed to minimize the risk of failure and ensure optimal responsiveness in the event of an incident. By accepting these conditions, the CONTRACTOR acknowledges the importance of these measures and commits to fully cooperating to facilitate their implementation. The CONTRACTOR is also encouraged to review the provided security recommendations and integrate them into its own risk management strategy.
Software Infrastructure for Service Management
The Provider supplies the CLIENT with the administration console and the API necessary for using the Service. The Provider further undertakes to maintain this administration console and API in optimal operational condition and to ensure their continuous security. The administration console and API are collectively referred to as the "CLIENT interface."
The Provider alerts the CLIENT that abnormal use of the CLIENT interface, particularly API command overload (hammering), may trigger automatic security measures resulting in the blocking of access to the command APIs or the Service. It should be emphasized that this situation does not constitute Service unavailability but rather a protective action taken to safeguard the Service and the Provider’s infrastructure; therefore, the CLIENT may not consider it as Service downtime for its calculations.
Furthermore, the Provider informs the CLIENT that perfectly identical requests (duplicates) sent to its APIs are limited to one per second (Throttling). If the CLIENT submits identical requests at a higher frequency, their rejection cannot be interpreted as Service unavailability.
Computing Infrastructure
The Service includes the provision, within the availability zones subscribed by the CUSTOMER, of the equipment necessary to run workloads in the form of virtual machines.
This includes:
- Provision of the required technical chassis for the proper operation of the compute blades;
- Provision of the compute blades in the quantities specified by the CUSTOMER and distributed across the availability zones of the CUSTOMER’s choice. It should be noted that these compute blades are exclusively dedicated to the CUSTOMER;
- Provision of operating system software in the form of hypervisors, as well as assurance of the operational and security maintenance of the underlying software infrastructure required to manage these operating systems. It should be emphasized that, although the Provider is responsible for the operational maintenance and overall security of the Service, it does not possess specific knowledge regarding the CUSTOMER’s production environments or the requirements related to their workloads. Consequently, the responsibility for deciding when to update the operating systems of the hypervisor compute blades (an action that may require a reboot) rests entirely with the CUSTOMER. This operation can be performed via the CUSTOMER Interface.
The selection of the compute blade model, chosen from the catalog offered by the Provider, is the responsibility of the CUSTOMER.
Storage Infrastructure
The service includes providing the CONTRACTOR with a shared storage infrastructure of the SAN (Storage Area Network) type, offering various performance levels. This service encompasses:
- Implementation and ongoing operation and security maintenance of the dedicated SAN network;
- Installation and management of storage enclosures shared among clients, including their operational and security maintenance, monitoring, and metering;
- Deployment of automated systems for allocating LUNs (Logical Unit Numbers) dedicated to the CONTRACTOR’s use, in accordance with the volumes subscribed by the CONTRACTOR.
Global Network Infrastructure
The Provider deploys, as part of the Service, a global network that enables the CLIENT to make its hosted systems accessible. This service includes:
- Provisioning, ongoing operational maintenance, and security assurance of all fiber-optic interconnections linking the various Availability Zones;
- Provisioning, ongoing operational maintenance, and security assurance of the technical equipment necessary for proper network operation and isolation of the different clients.
The network interconnection of the CLIENT's Tenant with the Internet or private networks, as well as the associated network equipment, operator links, and other technical components enabling this interconnection, are not part of the Service scope. This network interconnection is implemented in accordance with the provisions set forth in the Contract.
Backup Infrastructure
The Provider makes available to the CLIENT an integrated, dedicated, and managed backup service designed to protect its virtual machines. The Provider ensures the operational readiness and security of this backup service.
The Provider guarantees that the CLIENT's backups will be stored outside the availability zone of the workloads being backed up, provided the CLIENT has subscribed to the appropriate Work Units.
This backup service is limited to backing up virtual machines and the topology configurations of the IaaS environment of the CLIENT's Tenants within the scope of the Service. The development and implementation of an adequate backup policy by the CLIENT depend on the subscription to specific Work Units. Therefore, it is the CLIENT's responsibility to ensure the availability of the necessary technical resources with the Provider to implement its backup policy or adjust it according to the available resources.
The Provider undertakes to notify the CLIENT in case of capacity constraints and to provide advisory support for resource optimization. The Provider's obligations are limited to implementing the backup policy requirements expressed by the CLIENT, within the scope of the subscribed resources.
Implementation of Business Continuity or Disaster Recovery Solutions
The Provider supplies the CONTRACTOR with all necessary technical solutions to ensure optimal distribution of its resources across multiple Availability Zones. It is the CONTRACTOR's responsibility to efficiently manage this resource distribution, for which it has access to the tools provided by the Provider specifically designed for this purpose.
Limitations of Services in the Qualified IaaS Model
Managed Services in RUN
It is important to note that the following are excluded from the Service:
- Hosting of physical components of the CUSTOMER;
- Network interconnection of the CUSTOMER’s Tenant to the Internet or private networks, including operator links;
- Any managed service or TMA (Third-Party Managed Application);
- Any support for virtual machines at the OS level and above in the IaaS responsibility stack, even if it involves only monitoring.
That said, the CUSTOMER is in no way precluded from using such services through the Provider’s MSP offering to perform managed services on its Tenants. These services will then not be governed by the present Service Agreement and its bilateral commitments/clauses.
Emergency Configuration
By default, the Provider sets up the IaaS resources for the CUSTOMER by reserving resources and configuring deployments to use Availability Zones. It is the CUSTOMER's responsibility to select the Availability Zones via the CUSTOMER interface.
Backup Configuration
The backup service is limited to the backup of virtual machines and topology configurations representing the IaaS environment of the CLIENT's Tenants within the scope of the Service.
The backup service and the completion of the CLIENT's backup policy are subject to the subscription of storage space on the mass storage required to ensure the service. It is therefore the responsibility of the CLIENT to subscribe to the necessary technical means from the Provider to ensure the backup policy within its IT environment, or to adjust the backup policy according to the implemented means. The Provider undertakes to inform the CLIENT in case of technical capacity limitations.
The Provider will implement the necessary technical and human resources for backing up the hosted system, within the limits of the resources subscribed by the CLIENT.
Furthermore, in cases where the environment is not covered by the Provider, it is the responsibility of the CLIENT to define its own backup strategy and to configure the VM backups independently, or to submit a Service Request to the Provider so that the backup configuration for physical servers can be set up, provided the CLIENT has a managed service contract enabling the Provider to act via the CLIENT interface (the administration console provided under this Service Agreement), which includes functionalities for configuring backups.
Additionally, this service will only commit to translating, via the CLIENT interface, the configuration clearly specified by the CLIENT.
For reasons of offer flexibility, the CLIENT has the option to associate a "no backup" policy with certain of its VMs. In such cases, it is the responsibility of the CLIENT to assume this choice. The Provider will not back up VMs associated with the "no backup" policy. The Provider alerts the CLIENT that choosing the "no backup" policy or opting for manual backup exposes the CLIENT to the risk of permanent data loss in the event of an incident on the lower layers or on layers dependent on the CLIENT's responsibility within the IaaS model. In such a case, it will be impossible to hold the Provider responsible for restoring data, as there will be nothing to restore. The Provider recommends always backing up VMs.
For any matter concerning the OS installed on a virtual machine and any software or program running "above the OS," it is the responsibility of the CLIENT to perform administrative and monitoring operations within the European Union if it wishes to ensure that the entire vertical stack of IT layers is operated and managed from within the European Union. These administrative operations fall outside the Provider's scope of responsibility under this Service Agreement, as specified in the section "Shared Responsibility Model" of this Service Agreement.
Implementation of the Service
Technical Requirements
For the implementation of the Service, the CLIENT acknowledges that it will need to:
- Operate with VMware virtualization in versions supported by the vendor and provided by the Provider as part of the Service;
- Utilize the backup tool via the Provider;
- Declare fixed IP addresses from which the Provider will authorize access to the CLIENT interface (whitelist filtering). Any modifications to this IP list must be carried out via the dedicated menu in the console or through Service Requests for subsequent changes. At service initialization, the Provider shall have been informed of at least 1 IP address as described above.
Service Location in France
It is specified that none of the operations or physical components involved in the provision of the Service, the subject of this Service Agreement, are located outside the European Union.
This specifically includes support, operational monitoring, and security monitoring (SOC) of the technical infrastructure delivering the Service. As a result, all storage, administrative tasks, monitoring activities, and processing are carried out in France.
Location of Datacenters Hosting the Service
In the absence of operations conducted by the Provider's employees and agencies, all production operations (including data storage and processing) and technical components delivering the Service are located in data centers based in France.
Location of Cloud Temple agencies operating the service
The Cloud Temple staff members providing services within the scope of the Service operate from Cloud Temple agencies, all located exclusively in France. These agencies are situated in France, in Tours, Lyon, Caen, and Paris La Défense.
The CLIENT is informed of the possibility that Cloud Temple employees may work remotely. However, the PROVIDER guarantees the same level of security for remote access, particularly regarding VPN access. These remote access arrangements are implemented in compliance with the requirements of the SecNumCloud reference framework.
Support
Nature of the Support Accompanying the Service
The Provider supplies a technical support service that assists the CLIENT in managing, troubleshooting and optimizing its deployed resources. This service covers a broad range of activities, from assistance with the initial setup of the services to advanced technical support for resolving specific problems.
The characteristics and functions of the support service are described below:
- Assistance with the initial implementation of the use of the Service;
- Assistance with the resolution of Incidents;
- Assistance with the resolution of technical problems;
- Monitoring and advice for optimizing the technical base.
As part of the support service, the Provider assumes no responsibility for the CLIENT's use of the Service. The CLIENT remains fully responsible for the configuration and operation of its VMs and Tenants, and for the management of all elements (including data and applications) that it has stored or installed on the Provider's infrastructures. Technical support is provided in accordance with the General Terms and Conditions of Sale and Use, the Provider being bound by an obligation of means.
The CLIENT undertakes to use the support service responsibly and, in particular, to refrain from requesting services from the Provider that it has not subscribed to, or from involving the Provider's teams with its own customers or with third parties not included in the Contract. The Provider reserves the right to refuse any request that does not meet these criteria.
The level of support commitment depends on the subscription to the corresponding support units.
Request for Technical Support
Technical support is accessible through a ticketing system via the CLIENT console and is available during regular business hours, excluding public holidays (8:00 – 18:00; Monday to Friday; French calendar and time zone). For emergencies occurring outside of business hours, particularly incidents significantly impacting production, the on-call service can be reached via a number provided to the CLIENT at Service initiation.
For each request or incident, it is mandatory to create a ticket with the Provider’s support team. Initiating this ticket, including all necessary information, is essential and marks the beginning of the evaluation of the Provider’s commitments.
As soon as the Provider receives a request or incident notification, whether through the management console or following a phone call, a ticket is automatically generated. When reporting an incident, it is crucial that the CLIENT provides the Provider with as much detail as possible regarding the issue encountered. This step is essential to enable an accurate assessment of the situation, proper prioritization, and effective diagnosis.
The CLIENT then receives an email confirmation indicating the creation of the ticket and its unique ticket number. The CLIENT can check the status and history of its requests and incident reports directly through the management console.
Incident Management Process
Upon reporting an Incident, the Provider's technical support team initiates an investigation to identify the root cause of the issue and establish a diagnosis. The CUSTOMER must actively collaborate with the Provider by providing all necessary information and performing required tests. The Provider may access the CUSTOMER's Service to diagnose the Incident.
If the Provider's Services are deemed functional and the Incident is not attributable to the Provider, the CUSTOMER will be notified. At the CUSTOMER's request, the Provider may offer Professional Services to identify the source of the problem, which will be billed upon prior agreement in 30-minute increments.
In the event that the Incident is the responsibility of the Provider or one of its subcontractors, the Provider will complete the diagnosis and proceed with restoring the Service at no additional cost. The diagnosis is based on communications between the Parties and data provided by the Provider, which are considered conclusive by mutual agreement of the Parties.
Prioritization of Handling
The priority level of a case is determined by a matrix-based analysis that evaluates the impact of the incident and its level of criticality:
- The impact levels are defined as follows:
| Impact Level | Description |
|---|---|
| Impact I1 | The Provider's service(s) are interrupted |
| Impact I2 | The Provider's service(s) are degraded |
| Impact I3 | The Provider's service(s) are currently stable but show signs of a potential long-term decline |
- The criticality levels are defined as follows:
| Criticality Level | Description |
|---|---|
| Criticality C1 | The Provider's service(s) are deteriorating at a worrying rate |
| Criticality C2 | The Provider's service(s) are deteriorating progressively over time |
| Criticality C3 | The Provider's service(s) exhibit one or more inconveniences without significant consequences |
- Based on a detailed analysis of the situation, taking into account the determining factors for impact and criticality, a priority is assigned to the ticket according to the following decision matrix:
| Impact Level / Criticality Level | Impact I1 | Impact I2 | Impact I3 |
|---|---|---|---|
| Criticality C1 | Priority P1 | Priority P2 | Priority P3 |
| Criticality C2 | Priority P2 | Priority P3 | Priority P4 |
| Criticality C3 | Priority P3 | Priority P4 | Priority P5 |
The service level commitments associated with each priority level are detailed in the following chapter.
Language and Location of Support Services
Support is provided by the Provider to the CUSTOMER in French at a minimum. Support may also be provided in English.
The Provider's support service operations for the qualified SecNumCloud infrastructure service offering are located within the European Union.
Service Level Agreements and Commitments
The Provider undertakes to ensure continuous monitoring of the performance and security integrity of its technical infrastructure delivering the Service, ensuring optimal operation.
Service unavailability, as defined by a performance indicator, is acknowledged as soon as it is detected by the Provider's monitoring system, or following notification from a user of the CLIENT. The start of unavailability is set at the earliest of these two events, ensuring accurate and fair calculation of downtime.
The end of unavailability is officially marked by the complete restoration of the service, confirmed either by the Provider's monitoring tools or by user feedback, thereby ensuring an effective resumption of operations and an accurate measurement of the interruption duration.
Infrastructure Availability Commitments
The Provider commits to maintaining an availability and performance level in compliance with the standards defined for each specified period. Service Level Agreements (SLAs) apply only if the CLIENT implements its systems across at least two of the Availability Zones available within the relevant Region.
In the event that the CLIENT fails to meet these conditions, the CLIENT will be unable to claim the application of the relevant SLAs, which are specifically identified by an asterisk (*). SLA accessibility is provided via the CLIENT interface. Measurements are calculated on a monthly basis:
- **SLA 1 (*) : IC-INFRA_SNC-01** -- Compute Power Availability: Guaranteed availability rate of 99.99%, calculated on a 24/7 basis.
- **SLA 2 (*) : IC-INFRA_SNC-02** -- Storage Availability: Guaranteed availability rate of 99.99%, calculated on a 24/7 basis.
- SLA 3 : IC-INFRA_SNC-03 -- Backup Reliability: Guaranteed availability rate of 99.99%, calculated on a 24/7 basis.
- **SLA 4 (*) : IC-INFRA_SNC-04** -- Network Infrastructure Availability: Guaranteed availability rate of 99.99%, calculated on a 24/7 basis.
- SLA 5 : IC-INFRA_SNC-05 -- Internet Access: Guaranteed availability rate of 99.99%, calculated on a 24/7 basis.
Notes:
- In response to a Distributed Denial-of-Service (DDoS) attack, the Provider reserves the right to adjust its internet routing configuration to mitigate the impact of the attack and protect its infrastructure. In particular, if an IP address belonging to the CLIENT is targeted, the Provider may employ BGP blackholing techniques to block all traffic destined for the targeted IP address upstream with its providers, with the aim of safeguarding the CLIENT’s resources as well as those of other CLIENTs and the Provider’s infrastructure. The Provider strongly encourages the CLIENT to adopt similar protective measures, such as using commercially available Web Application Firewalls, and to carefully configure its security groups via the command API.
- The Provider emphasizes the importance for the CLIENT to minimize open traffic flows, particularly by avoiding exposing administrative ports SSH (TCP port 22) and RDP (TCP port 3389) to the entire Internet (0.0.0.0/0 subnet), as well as internal protocols such as SMB (TCP/UDP port 445) or NFS (TCP/UDP port 2049).
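One way for the CLIENT to check its security-group rules against the exposure described in the note above, as an added example that is not part of the agreement or of the Provider's tooling. The rule format (`name`, `direction`, `protocol`, `port_min`, `port_max`, `source`) is an assumption, not the Provider's API schema, the sample rules are constructed, and the check goes slightly beyond the text by also treating the IPv6 range `::/0` as "the entire Internet".

```python
import ipaddress

# Ports named in the agreement's note: administrative (SSH, RDP) and
# internal protocols (SMB, NFS), with the transport protocols it lists.
SENSITIVE_PORTS = {
    22: ("SSH", {"tcp"}),
    3389: ("RDP", {"tcp"}),
    445: ("SMB", {"tcp", "udp"}),
    2049: ("NFS", {"tcp", "udp"}),
}


def is_world_open(source):
    """True when the source CIDR covers the whole IPv4 or IPv6 Internet."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule name, service, port, protocol) for every ingress rule
    that exposes a sensitive port to the entire Internet.

    Port ranges are checked for overlap, so a broad range such as 1-4000
    is reported once per sensitive port it contains.
    """
    findings = []
    for rule in rules:
        if rule.get("direction", "ingress") != "ingress":
            continue  # only inbound exposure is in scope
        if not is_world_open(rule["source"]):
            continue
        proto = rule["protocol"].lower()
        for port, (service, protos) in sorted(SENSITIVE_PORTS.items()):
            in_range = rule["port_min"] <= port <= rule["port_max"]
            # "any" is an assumed wildcard value for the protocol field
            if in_range and (proto in protos or proto == "any"):
                findings.append((rule["name"], service, port, proto))
    return findings


# Constructed sample rules (hypothetical format and names).
SAMPLE_RULES = [
    {"name": "web-https", "direction": "ingress", "protocol": "tcp",
     "port_min": 443, "port_max": 443, "source": "0.0.0.0/0"},
    {"name": "ssh-from-vpn", "direction": "ingress", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "source": "10.8.0.0/24"},
    {"name": "ssh-anywhere", "direction": "ingress", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "source": "0.0.0.0/0"},
    {"name": "wide-range", "direction": "ingress", "protocol": "tcp",
     "port_min": 1, "port_max": 4000, "source": "0.0.0.0/0"},
    {"name": "nfs-udp-v6", "direction": "ingress", "protocol": "udp",
     "port_min": 2049, "port_max": 2049, "source": "::/0"},
    {"name": "egress-all", "direction": "egress", "protocol": "any",
     "port_min": 0, "port_max": 65535, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, service, port, proto in audit_rules(SAMPLE_RULES):
        print(f"{name}: {service} ({proto}/{port}) is open to the entire Internet")
```

Rules restricted to a known source range, such as `ssh-from-vpn`, pass the check; the broad `wide-range` rule is reported for each of the four sensitive ports it covers.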
Service Level Agreement for the COMMANDITAIRE Interface Availability
- SLA 6: IC-INFRA_SNC-06 -- Access to the Service administration console: a guaranteed availability of 97%, ensured continuously, 24 hours per day and 7 days per week.
- SLA 7: IC-INFRA_SNC-07 -- Access to the Service control APIs: an availability of 99.9%, calculated on a 24/7 basis.
Support Availability Commitment
- SLA 8: IC-INFRA_SNC-08 -- Performance commitments of the Provider's technical support for incidents, excluding scheduled maintenance:
| Priority | Response Time Guarantee (RTG) | Performance Target |
|---|---|---|
| Priority P1 | 30 min | 95% |
| Priority P2 | 2 h | 90% |
| Priority P3 | 4 h | 90% |
| Priority P4 | 24 h | 85% |
| Priority P5 | 48 h | 85% |
- SLA 9: IC-INFRA_SNC-09 -- Performance commitments of the Provider's technical support for service requests:
| Type | Response Time Guarantee (RTG) | Performance Target |
|---|---|---|
| Service Request | 4 h | 90% |
Note:
- The Response Time Guarantee (RTG) is calculated from the difference between the time the CLIENT opens the ticket and the first intervention by the Provider's support.
- Investigation of incidents affecting the CLIENTs will not include remote intervention on servers hosted by the CLIENT. Support will be limited to explaining available metrics related to the CLIENT's environment, to facilitate understanding of incidents or performance issues. Based on the results of this analysis, recommendations may be provided.
S3 Object Storage Availability Commitment
- SLA 10: IC-INFRA_SNC-10 -- The availability commitments for S3 object storage are as follows:
| Indicator | Commitment | Availability Target |
|---|---|---|
| IC-INFRA-SNC-10.1 | Durability of object storage within a region | 99.9999999% / year |
| IC-INFRA-SNC-10.2 | S3 Object Storage API availability | 99.99% |
| IC-INFRA-SNC-10.3 | Maximum latency for object access within a region | 150 ms |
Notes:
- The Object Storage Service is specifically designed for object storage and must be used exclusively for this purpose, strictly excluding any use in block mode. Using block mode through indirect methods, such as employing "FUSE" in a Linux environment, constitutes a violation of the terms of use. No incident, malfunction, or damage resulting from such non-compliant usage will be covered by the Service Level Agreements (SLAs) defined in this service agreement.
- The durability guarantee is contingent upon the use of services in accordance with current best practices and standards, and explicitly excludes any data modification, whether intentional or accidental, resulting from actions taken by the CLIENT.
Clarification regarding the backup commitment
The backup strategy deployed for the CLIENT is contingent upon the subscription to the appropriate work units.
The Provider commits to providing a backup solution enabling the CLIENT to implement the desired backup policies.
It is specified that the Provider's scope ends with the provision of a backup service, and it is the CLIENT's responsibility to monitor via the CLIENT's interface the proper execution of associated backup policies.
It is further specified that the management of storage capacity for the dedicated backup storage space remains the sole responsibility of the CLIENT. The Provider will make the utilization rate available via the console.
Example: Failure to back up a virtual machine:
The CLIENT is responsible for verifying and monitoring the correct execution of backup policies. If the CLIENT detects that a virtual machine is not being backed up, it is their responsibility to investigate the cause. The CLIENT may contact the Provider's Support team, according to the support level subscribed to, for assistance.
SLA 8: IC-INFRA_SNC-08 and SLA 9 will apply exclusively in the event of a backup service incident.
Organization of the contractual relationship
Obligations of the Provider
The Provider undertakes:
- to inform the CLIENT appropriately (e.g., in the event of a capacity limitation of the technical resources delivering the Service).
- to inform the CLIENT formally and within one month of any legal, organizational, or technical change that could affect the Service's compliance with the requirements for protection against non-European Union laws (19.6 of the SNC v3.2 reference framework).
- to provide the CLIENT with interfaces and service interfaces in French at a minimum.
- to take into account the sector-specific requirements arising from the types of information the CLIENT transmits in the course of implementing the Service, insofar as this falls within the Provider's responsibilities and taking into account the provisions set out in the Contract.
- to examine the sector-specific requirements arising from the types of information that the CLIENT subsequently formulates in the course of implementing the Service, and to inform the CLIENT of the measures required to take these requirements into account.
- not to disclose any information about the service provision to third parties unless the CLIENT has given express written authorization.
- to provide all information necessary to carry out compliance audits under Article 28 of the GDPR.
- to report to the CLIENT, under this Service Agreement, any security incident that affects the Service or the CLIENT's use of the Service (including the CLIENT's data).
- to allow a qualified Information Systems Security Audit Provider (PASSI), commissioned by the Provider, to audit the Service and its information system in accordance with the Provider's SecNumCloud control plan. In addition, the Provider undertakes to provide all information necessary to carry out the compliance audits under Article 28 of the GDPR conducted by the CLIENT or by a third party commissioned by the CLIENT.
- in its role as processor under Article 28 of the General Data Protection Regulation (GDPR), to provide assistance and advice to the CLIENT and to inform the CLIENT without delay whenever an instruction issued by the CLIENT may involve a breach of data protection rules.
- to inform the CLIENT within a reasonable time, via the CLIENT's console or by email to the CLIENT's designated contact, when a project affects or could affect the security level or availability of the Service, or could lead to a loss of functionality, as well as of potential impacts, mitigation measures taken, and residual risks.
- to document and implement all procedures required to comply with the legal, regulatory, and contractual requirements applicable to the Service as well as the CLIENT's specific security requirements, as defined by the CLIENT and provided for in the Contract.
- not to use the CLIENT's data originating from production for testing unless the CLIENT has given prior explicit consent. Where such consent is given, the Provider undertakes to anonymize this data and to ensure its confidentiality during anonymization.
- to delete the CLIENT's data and technical data in accordance with the "Data Deletion Procedure at Contract End" described in this Service Agreement when the Contract ends or is terminated.
- to ensure secure deletion of all the CLIENT's data by completely overwriting all storage media containing its data within the scope of the Service.
Upon written and formal request from the CLIENT, the Provider undertakes:
- to grant the CLIENT access to the Provider's internal regulations and code of ethics;
- to grant the CLIENT access to the sanctions incurred for violations of the security policy;
- to provide the CLIENT with all events concerning it from the Service's logging data; in addition, the CLIENT can independently view events relating to its use of the Service through the Service's web interfaces and APIs;
- to grant the CLIENT access to the procedures required to comply with the legal, regulatory, and contractual requirements applicable to the Service as well as the CLIENT's specific security requirements set out in the Contract;
- to provide the CLIENT with the risk assessments arising from the transfer of the CLIENT's data to a country outside the European Union;
- to inform the CLIENT about subsequent subcontractors involved in the provision of the Service and to notify the CLIENT of any change affecting these subcontractors.
The Provider and all its subsidiaries undertake to uphold the fundamental values of the European Union, namely human dignity, freedom, democracy, equality, the rule of law, and respect for human rights. The Service provided by the Provider complies with the legislation in force regarding fundamental rights and with the values of the European Union concerning respect for human dignity, freedom, equality, democracy, and the rule of law.
Limitation of Liability of the Provider
Due to the definitions and conditions outlined in this Service Agreement, the Provider’s liabilities are limited as follows:
- The shared responsibility model, described in the section “Shared Responsibility Model” of this Service Agreement, effectively limits the Provider’s involvement in operational layers “above” the provision of computing, networking, storage, and backup resources. This specifically excludes, without limitation:
  - Management of what is installed on virtual machines (OS, middleware, applications, etc.);
  - Maintenance and updating of the OS and other software installed by the CLIENT on its machines within its Tenants;
  - Security of programs, software, and applications installed on virtual machines;
  - Updating of virtual machines;
  - Application-level data backup.
- The Provider cannot commit to backing up the CLIENT’s Tenants without prior subscription by the CLIENT to the appropriate work units.
- The Provider cannot claim ownership of data transmitted or generated by the CLIENT. Such data remain the exclusive property of the CLIENT.
- The Provider emphasizes that it may in no circumstances exploit and/or use the data transmitted or generated by the CLIENT without prior explicit approval from the CLIENT, with the understanding that such data usage is reserved exclusively for the CLIENT.
- The Provider disclaims all liability for components physically hosted and managed by the Provider, but which are directly owned by the CLIENT or by a third party with whom the CLIENT has contracted. Hosting of physical components belonging to clients is not part of the Service and therefore falls outside the scope of this Service Agreement. It is the CLIENT’s responsibility to assess the level of compliance or dependency introduced by these components with respect to the qualified IaaS Service SecNumCloud.
Access Restrictions
Within the scope of the Service, the Provider is explicitly prohibited from accessing Tenants belonging to the CLIENT without prior authorization. It is the responsibility of the CLIENT to provide necessary access to the Provider’s personnel, based on the specific requirements of the hosting and, where applicable, professional support services, if this option has been selected by the CLIENT.
The CLIENT acknowledges that such access is granted exclusively for the purposes related to the provision of agreed services, thereby ensuring secure and compliant management in accordance with the terms of the agreement.
Remote access by third parties involved in the Provider’s service delivery is strictly prohibited. In the event that a specific technical requirement necessitates such access, it may only be established after clearly notifying the CLIENT, providing a detailed justification, and obtaining the CLIENT’s written consent.
This measure ensures control and security of the CLIENT’s data, by guaranteeing that any exception to the rule is duly authorized and documented.
Responsibilities of Third Parties Participating in the Provision of the Secure Temple Service
The Provider maintains a list of third-party partners involved in the provision of the Service. These third parties include software vendors, service providers (of the Provider), and other suppliers participating in the provision of the Service. The Provider implements the following measures with regard to these third parties:
- The Provider requires all third parties involved in the implementation of the Service, in their contribution to the Service, to maintain a security level at least equivalent to the one the Provider commits to maintaining in its own security policy applicable to the Secure Temple Service;
- The Provider contracts with each third party involved in the implementation of the Service specific audit clauses enabling a qualified body to verify that these third parties comply with legal requirements and SNC requirements, thereby allowing the Provider to fulfill its obligations under this Service Agreement;
- The Provider implements a procedure to regularly monitor the measures implemented by third parties involved in the implementation of the Service to ensure compliance with the requirements necessary for the Provider to meet its obligations under this Service Agreement;
- The Provider conducts ongoing monitoring of changes made by third parties involved in the implementation of the Service that could affect the security level of the Service’s information system.
Duties and Obligations of the CLIENT
The CLIENT has the following obligations within the scope of the Service:
- As a reminder: the Provider supplies the CLIENT with a platform for running virtual machines. The configuration of these machines is the CLIENT's responsibility. No virtual machine can operate without an associated backup policy. The Provider defines automatic backup policies through its interfaces. However, it is the CLIENT's responsibility to activate these backup policies and thereby activate the virtual machines.
- The CLIENT authorizes ANSSI and the SNC qualification body to audit the Service and the technical infrastructure delivering the Service.
- The CLIENT is responsible for informing the Provider, where applicable, of any specific sector requirements relating to the information it transmits that must be taken into account by the Provider.
- The CLIENT agrees not to impose on the Provider any requirements or measures that would cause the Provider to deviate from the requirements of the SecNumCloud reference framework in its current version, or that would lower the security level ensured by compliance with these requirements.
Rights of the CONTRACTOR
At any time during the contractual relationship, the CONTRACTOR may file a complaint regarding the qualified service with ANSSI.
At any time, the CONTRACTOR may request the Provider to make its internal regulations and code of ethics accessible.
Data Deletion at Contract End
Upon termination of the contract, whether by expiry or for any other reason, the Provider undertakes to securely erase all data belonging to the CLIENT, including technical data. The Provider will ensure to issue a formal notice to the CLIENT, respecting a notice period of twenty-one (21) calendar days. The CLIENT's data will then be deleted within a maximum period of thirty (30) days following this notification.
To confirm this deletion, the Provider will provide the CLIENT with a certificate verifying the erasure of the data.
Lifecycle of the Present Service Agreement
Effective Date of the Service Agreement
This Service Agreement becomes effective on the date of its signature by the CLIENT.
The collection, handling, storage, and processing of data carried out within the scope of pre-sales, implementation, and termination of the Service are conducted in compliance with applicable legislation.
Service Agreement Updates
Any modifications or additions to this Service Agreement shall result exclusively from requests submitted by the designated governance bodies. These proposed changes will be reviewed by the Parties, who are authorized to determine which aspects require formal written documentation.
It is agreed that any update to the Service Agreement, following validation, which alters the initially established financial terms, will require the preparation and signing of an amendment to the current Contract.
Factors that may trigger a revision of this Service Agreement include, but are not limited to:
- Evolution of the technical infrastructure delivering the IaaS Service;
- Adjustments made by the Provider to the services deployed to deliver the Service;
- Changes in commitments made and applicable penalties;
- Organizational reconfigurations within the COMMANDITAIRE or the Provider;
- Expansion or reduction of the Service’s scope of application.
Version and revision management of the Service Agreement is documented in the preamble of the document to facilitate tracking.
Changes initiated by the CLIENT
The changes to the Service Agreement may, in particular, originate from:
- An evolution of the infrastructure managed by the Provider;
- A modification of the services implemented by the Provider;
- A change in the service level commitments by the Provider.
Changes initiated by the Service Provider
Any modification to the Service Agreement requires acceptance by the CLIENT. It is understood that any validated modification or addition altering the financial terms of the Contract may require the signing of an amendment to it.
Reversibility
In addition, Cloud Temple undertakes to allow the revision of this Service Agreement (including its termination) without penalty for the CLIENT in the event of loss of SecNumCloud qualification.
The Services do not include an obligation of reversibility (i.e., assistance to the CLIENT to enable migration of its system to another provider), except for the provision by the Provider to the CLIENT of the CLIENT interface, allowing the CLIENT to back up and retrieve its data—including configuration data of its information system—through one of the following technical options, at the CLIENT’s discretion:
- Provision of files in one or more documented and usable formats outside the service provided by the Provider; or
- Implementation of technical interfaces enabling access to data according to a documented and usable schema (API).
The CLIENT, as sole owner of its system, must take all necessary measures to facilitate this process as required (including, in particular, the creation of thorough documentation and the development of reversibility plans). If the CLIENT requires additional support, the Provider may offer a consulting engagement on this matter under a separate contract to be negotiated.
Availability, Continuity, and Service Restoration
Incident and Outage Management
Incidents
Incident Types Covered under this Service Agreement
- Incidents;
- Failures and outages;
- Security incidents affecting the availability, confidentiality, or integrity of the Service.
Incident Management
The Provider informs the CUSTOMER as soon as possible of any incidents or outages, via a notification in the CUSTOMER's console or by email to the designated CUSTOMER contact. The Provider informs the CUSTOMER about the incident resolution through the same channel used to report the incident, or through the channel specified in the incident notification.
Security Incident Notification Level
The CONTRACTOR is responsible for selecting the severity levels of security incidents for which they wish to be notified, for example by formalizing them in an applicable SLA for the Service.
By default, the CONTRACTOR is notified of:
- Security incidents with impact (impact levels I1 and I2 according to the impact scale defined in the prioritization process for handling incidents in this Service Agreement);
- Security incidents affecting the confidentiality or integrity of the CONTRACTOR’s data entrusted within the scope of the Service;
- Personal data breaches for which the CONTRACTOR is responsible for processing in accordance with Article 8 of Annex DPA under the scope of the Service;
- Data breaches involving personal data for which the Provider is responsible for processing and which include personal data of the CLIENT, in accordance with Article 8 of Annex DPA.
Service Maintenance
Nature of Maintenance
The maintenance provided consists of:
- Implementation of the Service's operational readiness maintenance plan to ensure good availability indicators, as committed to by the Provider above;
- Implementation of the PCA/PRA plan, if subscribed to by the CLIENT, triggered according to any incidents that may occur.
Remote Access to Cloud Temple within the COMMANDITAIRE's Scope
Under the terms of this Service Agreement, the Provider is prohibited from accessing the Tenants or the COMMANDITAIRE's interface environment.
It shall be the responsibility of the COMMANDITAIRE to grant the necessary access to the Provider's personnel. The COMMANDITAIRE acknowledges that such access will be used solely for hosting purposes and ultimately for managed services (if subscribed to by the COMMANDITAIRE).
Remote access by third parties involved in service delivery within the COMMANDITAIRE's scope
No remote access by third parties involved in delivering the Service is permitted.
If a technical requirement made such access necessary, this type of access would only be granted after notifying the COMMANDITAIRE, providing justification, and obtaining their written approval.
Data Deletion Procedure at Contract End
At the end of the Contract, whether due to expiration or for any other reason, the Provider shall ensure the secure deletion of all data processed under the Service, including the COMMANDITAIRE’s technical data. The Provider shall provide formal notice with a minimum lead time of twenty-one (21) calendar days. The COMMANDITAIRE’s data shall be deleted within a maximum period of thirty (30) days following notification. The Provider shall issue a data deletion certificate to the COMMANDITAIRE.
Applicable Law
In general
The governing law and jurisdiction applicable to this Service Agreement is French law.
Compliance with Applicable Laws and Regulations
The Provider undertakes the following:
- Identification of legal and regulatory requirements applicable within the scope of the Service;
- Compliance with applicable legal and regulatory requirements regarding data entrusted to the Provider, within the limits of the Provider’s responsibilities on one hand, and the provisions set forth in the Contract on the other hand;
- Compliance with the Data Protection Act (Loi informatique et libertés) and the GDPR;
- Implementation of measures to protect personal data;
- Establishment of a legal and regulatory monitoring process;
- Maintaining appropriate relationships or ongoing monitoring with sectoral authorities related to the nature of the data processed under the Service. This includes, in particular, ANSSI, CERT-FR, and CNIL.
GDPR
Acting as a data processor within the meaning of Article 28 of the General Data Protection Regulation (GDPR), the Service Provider undertakes:
- To ensure transparency and traceability;
- To appoint a Data Protection Officer (DPO) responsible for defining and implementing measures to protect personal data;
- To provide assistance and advice to the CLIENT and to alert the CLIENT if an instruction from the latter constitutes a breach of personal data protection rules, provided the Service Provider has the means to identify such a breach;
- To guarantee security for the processed data (due to the SecNumCloud certification).
Protection against Non-European Law
The Provider's registered office is established within a Member State of the European Union. The share capital and voting rights in the Provider's company are not, directly or indirectly:
- individually held at more than 24%;
- and collectively held at more than 39%;
by third-party entities having their registered office, central administration, or principal place of business in a State that is not a member of the European Union.
Where the Provider, within the scope of the Service, uses the services of a third-party company (including a subcontractor) that has its registered office, central administration, or principal place of business in a State that is not a member of the European Union, or that is owned or controlled by a third-party company domiciled outside the European Union, the Provider undertakes:
- that this third-party company has no access to the data processed by the « Secure Temple » service;
- to maintain operational autonomy through the ability to call on another subcontractor or to rapidly implement a technological alternative.
As a reminder, the data concerned are those entrusted to the Provider by the CLIENT as well as all Technical Data containing information about the CLIENTS.
For the purposes of this article, the notion of control is understood as that mentioned in II of Article L233-3 of the French Commercial Code (code de commerce).
SIGNATURES
Place: _______________, on
__________________
For Cloud Temple, the PROVIDER
For ___________________, the CLIENT