...
Service Level Agreement
for WEM ZoomBIM
Solutions B.V.
…
…
Customer subsequently to be called User.
ZoomBIM Solutions B.V. located in Hogehilweg 24, 1101 CD Amsterdam, registered under number 55022669 at the chamber of commerce in Amsterdam and known to the Dutch tax authorities ,
under sales tax number NL8515.33.279.B01, represented by Harrie Huisman, Chief Executive Officer,,
to be called Supplier.
Considering:
The User, has licenses for use of the online development platform WEM for which the license costs have been paid on time and in full.
Supplier acts as developer and supplier of WEM, and is able to carry out maintenance and development.
WEM |
The Web Expert Module of ZoomBIM Solutions B.V. |
WEM |
All software, documentation and systems for the WEM modeler and WEM runtime environments delivered in a Platform as a Service (PaaS) solution. |
WEM Software |
See WEM |
WEM Platform |
See WEM |
WEM Runtime |
The server environment on which software which was developed using WEM (WEM Projects) is made available via an URL. |
WEM Modeler |
The environment in which the functionalities of WEM Projects are modeled, designed and published to the WEM Runtime. |
WEM Project(s) |
A solution built with the WEM Platform. |
Disruption(s) |
A disruption in the services provided by WEM. |
License agreement |
Agreement for the use of WEM. |
WEM Test application |
Availability of WEM |
Supply-Chain |
a network between Supplier and its suppliers that deliver specific services and/or systems and/or software and distribute this as specific product(s) to the User. This network includes different activities, entities, information, and resources, including cloud storage. |
Host Partner |
Supplier to ZoomBIM Solutions B.V. that provides the secured cloud storage environment. |
Subject |
Person about whom data are stored in any WEM Project. |
Supplier |
The company that provides a service to a client or User |
User |
Client that buys the service from Supplier |
This Service Level Agreement (SLA) describes the package of agreements made between Supplier and User of WEM, as made available by the Supplier in a Platform as a Service (PaaS) model and service levels that apply as such.
By means of this SLA, it is intended to clarify the agreements set between Supplier and User regarding WEM. This excludes: all (in WEM made) solutions, the WEM Projects.
The duration of this SLA is inextricably linked to the term of the signed license agreement of which this SLA is part. This SLA is valid and applicable only if User has a VALID WEM License. This SLA agreement will be extended or terminated in accordance with the User’s WEM License agreement.
This agreement does not include a penalty clause.
This SLA is offered free of charge by the Supplier as part of the WEM License which the User is contracted to. In case of special requirements by the User, additional charges may apply, all based on separate prices quotes or agreements to be signed by the Parties.
All communication regarding WEM and the Service Levels in this document can be found in the online WEM application via the URL http://my.wem.io
Release management includes the (further) development of new functionalities in the software; corrective application maintenance (bug fixing) and availability of the latest optimally working version of the software.
Supplier follows ISO 27001 clause 14 with the goal to ensure that information security is an integral part of information systems across the entire lifecycle, including during the developmental life cycle. This also includes the requirements for information systems which provide services over public networks.
The Supplier aims for constant product improvement and innovations and strives to release a new version regularly. The provision of new functionalities and bug fixes are the responsibility of the Supplier. New versions will be made available at times chosen by the Supplier. If User impact is expected, a notification about a new release will be provided by Supplier to User, in a timely manner, so that the User can have some time to prepare for such release.
In case WEM requires so, User is obliged to update to a new version within a reasonable time frame
The Supplier has the right to add new, and implement existing WEM functionalities in future versions differently, while continuously supporting the functionality of existing WEM Projects.
The Supplier is obligated to inform the User if a significant impact on existing WEM projects is expected as a result of changes in WEM functionalities. If necessary, the Supplier based on a best effort basis, will actively support maintenance of existing features within WEM Projects.
In cases like this, the Supplier will actively communicate with the User to seek a solution. However, the Supplier retains the right to take the lead in the implementation of the solution.
The Supplier’s support desk can be contacted for all incidents related to the functioning of WEM.
Supplier’s Support desk is reached via https://my.wem.io portal. A ticket can be submitted on a 24/7 basis however a representative will respond to the ticket according to clause 5.2.1.
WEM does depend on the supply chain of third parties who provide services supporting the WEM Platform (for example – Microsoft Azure, CloudVPS, etc…). In that manner, tickets which involve the responsibility of WEM supply-chain or WEM Partners will be handled by the supply chain and in accordance with their SLA’s.
As determined jointly, Support provided by the Supplier for incidents caused by intent or negligence of the User or a third party acting on behalf of the User, may be charged to the User based on normal commercial rates used by Supplier.
Support is guaranteed by the Supplier on all versions of WEM that are in production from Version
3.4.0. onwards, and for which the User has a valid License Agreement. Custom coded elements such as Scripts, widgets, (Custom) Master Templates, as well as other custom made additions, etc. are excluded from this SLA.
At all times, further development is performed on the last published WEM version. No further development will be committed on previous versions.
The User is entitled to support from a support desk within the frameworks set out in this document.
The support desk provides support for corrective, adaptive and preventive maintenance to ensure proper functioning of the latest version of WEM. Support desk can be reached on https://my.wem.io portal.
The Supplier is responsible for operational management of WEM and its supporting infrastructure. This operational management includes:
Supplier adheres to ISO 27001 measure A.12.1 for Operational procedures and responsibilities with the objective to ensure correct and secure operations of information processing facilities.
The Supplier strives for a minimum availability of WEM as tested via the “WEM Performance Baseline Application” in accordance with the following scheme:
Timeframe |
Hours |
Availability |
7 days/week |
24/7 |
99,5% |
Availability of WEM Software is based on the correct functioning of the WEM Runtime in the production environment. Correct functioning will be confirmed by periodically carrying out a test application and comparing its output with expected results.
The availability will be calculated over a period of one calendar year and is based on the number of minutes that the test application functions correctly, adding up the minutes of planned downtime divided by the total number of minutes during this period. See function below:
(Correctly functioning minutes + Planned downtime minutes) / Total minutes * 100% = Availability percentage
WEM intends to carry out maintenance work on the WEM Platform which can affect the availability of the WEM Platform during the maintenance activities taken. Planned downtime can be for WEM maintenance or for supply-chain maintenance as needed. WEM will inform User for Planned maintenance in writing on a timely manner to allow User to make any necessary actions to be ready for such downtime. Notification of a Planned downtime will include a date, start and expected end time, the Services/Functionalities which are maintained and if there is a possible impact.
The Supplier will make all its best effort so that WEM will not be unavailable for more than a maximum of 4 hours per situation in case of planned maintenance. If the Supplier expects WEM will not be available for longer than this maximum time, the User will be informed accordingly and the Supplier will initiate actions to offer the availability of WEM in an alternative manner. The User will be informed on the progress of such actions. Planned downtime always takes place in the Maintenance window hours which are between 22.00PM to 06.00AM CET.
User is aware that during a Planned downtime the WEM services may be completely or partially unavailable.
The Supplier periodically conducts backups of the WEM Runtime Data at minimum at the following frequency:
Nr. |
Timeframe |
Description |
1 |
Hourly basis |
Transactional backup |
2 |
Daily basis |
Differential backup |
3 |
Weekly basis |
Full Backup |
Backups are kept available for a period of 28 days.
Supplier will periodically, at least once a quarter, perform a restore of a backup to test the correctness of the back-up and restore process.
The storage of backups takes place at a different location with at least equal quality and security conditions as the data centers in which WEM is hosted.
For an optimal accessibility and usability of WEM, the User must ensure that User’s workstation
meets the following requirements:
The Supplier offers a Disaster Management and Recovery solution to all WEM Users with a valid WEM License. This is based on an alternate WEM environment with comparable functionality and warranted by the foundation “Stichting Waarborgfonds WEM-platform”, a specially established foundation for this purpose.
The Disaster Management solution is tested by the Supplier and can be put in place in case of
disruptions with priority 1 that can’t be resolved within 4 hours or in other disastrous situations.
The Supplier will decide in its sole discretion whether or not to activate the Disaster Recovery solution.
The Supplier can be reached for support requests through the https://my.wem.io portal 24 hours per day, 7 days per week.
Processing of support requests is available on workdays between 09:00h – 17:00h CET local time. All timeframes mentioned are based on these working hours in the Dutch Headquarters. Additional service level contracts are available in case additional contact methods and support are required.
When dealing with Malfunctions with a technical cause, the following times and service levels are maintained.
Priority |
Impact |
Description |
Response time |
1 |
High |
• WEM is not available at all (modeler, preview, staging and live) • WEM Live is not available; • There is a risk that company critical information will be lost. • In case of a data breach, the GDPR regulations apply |
1 hour |
2 |
Regular |
• WEM is partially unavailable (Modeler, Preview or Staging) • Functionality is not available or does not work (as expected). |
8 hours |
3 |
Low |
• Change requests |
16 hours |
Impact severity determines the time window within which the Supplier will respond to the reporting of an incident. Resolution times agreed with the User will always apply as a guideline.
Response times start the moment a report is received in the Supplier’s system based on the WEM standard business hours. For example – a change request which has been reported on Friday at
22.00 CET will be handled within 16 hours from the closest business day afterwards.
The Supplier aims to offer a solution as soon as possible. However, timeframe-guarantees cannot be given in advance. Incidents may be related to WEM and/or to the Supply-chain.
In case of the event of a failure of priority 1 occurs and in case circumstances requires, an Emergency maintenance shall apply. In such a situation Supplier will do all in its reasonable power to provide a solution in a minimum time however Supplier cannot guarantee a minimum time of unavailability of the WEM Platform. Events of failure can occur due to WEM and/or due to Supply- chain.
In case of such a situation, Supplier shall immediately inform User of the Emergency maintenance and the optional impacts and shall keep in contact will User.
If Solution time is over 4 hours WEM will assign a dedicated professional employee who will be in close direct contact with User in order to track the situation, update User upon the progress, etc… Solution time is calculated from the moment the Supplier receives the fault message. If the Supplier expects WEM will not be available for longer than this maximum time, the User will be informed of this and the Supplier will initiate actions to offer the availability of WEM in an alternative manner.
The User will be continuously informed of the progress
of these actions. For Users with a valid WEM License, Disaster Recovery operates as described in section 4.10. in case the incident refers to Supply-chain (such as Microsoft Azure), Resolution times will be according to Supply chain SLAs and commitments as well as the actual resolution of the issue by the supplier.
The Supplier will make every effort to repair all defects that have an impact on the User and were reported by the User or identified by the Supplier, as long as the issue is related to Supplier. In case the incidents relate to Supply-chain, such as if the User is running on a private cloud (ex. Azure, AWS etc.) Supplier will be in contact with Supply-chain to make sure it makes every effort to repair all defects that have an impact on the User and were reported by the User or identified by the Supplier .The Supplier reserves the right to set priorities regarding the repair of the incident. The Supplier is permitted to resolve the reported incident by offering the User a work-around, if applicable.
The Supplier refers to a possible ‘Processor Agreement’ in case an incident has occurred that requires access to privacy sensitive information from the User for this incident to be resolved. If such an agreement does not exist, the Supplier rightfully assumes this access is self-evident. In this manner, in case a Supply-chain needs to access the sensitive information, User will be informed and will decide if a User permission will be provided in writing.
The User is responsible to enter into a specific Processor Agreement with the Supplier where required by law.
The Supplier assumes that, the Supply-chain partner (ex. Azure, AWS) and User will exert every effort to make all necessary resources available for solving reported malfunctions.
The Supplier reserves the right to refuse to carry responsibility for a malfunction if the nature of this malfunction is beyond the scope of this document or if the User License for the use of WEM and/or Supply-chain is not valid.
If the provision of information of a finding reported by the User is insufficient for the Supplier to make a diagnosis, the Supplier reserves the right to return the notification with the request for more information. In case User does not provide sufficient information or does not respond within up to 3 approaches, the incident will be closed and a notification will be sent to User.
As soon as WEM Support has solved the issue, Support sets status of a ticket to Resolved. In that state Customers can Accept and Close the issue or Decline and Re-assign ticket to continue support.
In case an incident is resolved, the following information is reported to the User by the Supplier:
Support efforts will be invoiced to the User at current commercial rates if it appears that the incident is:
If there is any uncertainty regarding the aforementioned, distribution of costs will be determined in good consultation between the User and the Supplier.
In the event of disagreement about whether the service level has been successfully fulfilled, representatives of the User and the Supplier as mentioned in this agreement will be informed. These representatives, or persons appointed by them, will consult about structural solutions to improve the service level within a reasonable time period.
If these actions do not lead to structural improvements within 3 months, both parties can, at their own expense, name an independent third party as a mediator.
According to NEN 7510/ ISO 27001 part A.12.2 Supplier takes adequate measures for protection from malware, in particular computer viruses and hackers. In addition for processing of personal health information (if applicable) appropriate prevention, detection and response controls are implemented to protect against malicious software and appropriate user awareness training will be provided.
The Supplier selects and makes use of hosting partners. Herewith the WEM service is hosted and storage of data is accommodated. The Supplier guarantees the server farm(s) under its management will at all times be hosted by an ISO 27001 certified hosting partner. The Supplier also ensures protection of the organization’s assets that is accessible by hosting partners. Subjects rights will be protected, even if a potential external party has access to personal (health) information resides in another jurisdiction than the client or the (health) organization.
To enforce this, Supplier has set up an information security policy with respect to all Supplier relationships in the supply chain, according to NEN 7510 / ISO 27001 section A.15.1 “Information security in supplier relationships”. The implementation of this policy is handled in the form of guidelines, processes, and physical controls. In addition, to maintain an agreed level of information security and service delivery in line with supplier agreements, and according NEN 7510 / ISO 27001 A.15.2.1, a regular monitoring and review of supplier services is carried out.
In the unexpected event security breaches are detected, the concerned parties must inform each other as soon as possible. Supplier has set up an incident management process according NEN 7510/ ISO
27001 clause A 16. Information security incident management. The purpose of this incident management process is to restore an unplanned service interruption to the pre-agreed level as quickly as possible. Supplier adds to this monitoring the incidents and reporting to Users and stakeholders on the handling of incidents. The management of incidents is essential for incidents that hinder the operation of the WEM Platform to meet the requirements set with regard to the quality aspects of confidentiality, integrity, availability and verifiability.
This process description to handle incident management is fully compliant with the provisions in NEN 7510 / Iso 27001 clause A.16 Management of information security incidents. This specifically includes clause A12.6.1. Management of Technical Vulnerabilities.
In addition, with regard to confidentiality, the desired handling of privacy incidents is in accordance with the General Data Protection Regulation (GDPR), or in Dutch, ‘De Algemene Verordening Gegevensbescherming’ (AVG), is specifically examined. The following principle is included according NEN 7510/ ISO 27001 clause A-18.1.4 Privacy and protection of personally identifiable information. Supplier will follow Art. 33 GDPR Notification of a personal data breach to the supervisory authority https://gdpr-info.eu/art-33-gdpr/.
The Supplier is not obliged to provide maintenance services regarding errors and/or incidents arising due to:
If one of the cases as described under (a) to (c) occurs, the Supplier is free to identify faults, make diagnoses and/or solve them. In such cases a charge might apply according to the specific occasion.
Maintenance services under this agreement do not include:
Incident reports are available to the User at the https://my.wem.io portal at any time 24/7, depending on the chosen license:
This agreement is also subject to the most recent version of the “General, Service and Licensing Terms” and “Terms of use and Privacy Policy” of the Supplier.
These documents can be found on the website of the Supplier http://wem.io or can be sent to the User on request.
The Supplier may, in its sole discretion submit changes to this SLA and shall inform the User in writing. Any changes will then come into effect within 60 days.
All parties subject to this SLA declare that Dutch law applies to this agreement.
By signing this document, all parties indicate that they are in accordance with this agreement and all previous versions of the WEM SLA are invalid.