STACKIT

Service Description STACKIT Cloud

1. General

1.1 Introduction

Schwarz IT KG, Stiftsbergstraße 1, 74172 Neckarsulm, Registry court Stuttgart, HRA 730995 (“SIT”) as a national provider of professional infrastructure & platform-as-a-service provides services under the brand STACKIT brand (“STACKIT Cloud Services”) based on OpenStack, which is made available exclusively as Public Cloud version to companies (“Customers”). SIT is the IT service provider for the Schwarz Group.

The STACKIT Cloud Services follow the international ISO/IEC 27001:2013 norm and an ITIL based operating model and are provided by specialized experts.

1.2 Data center location

The STACKIT Cloud Services are provided and operated in the SIT data center in Germany and in the future also in other member states of the European Union. All data centers are operated in compliance with ISO27001, ISO20000 and TÜV Level 3. As a European Cloud Service Provider, STACKIT is subject to the European General Data Protection Regulation (GDPR).

1.3 Scope

This general service description (“service description”) forms an essential element of the contract regarding the subscription of STACKIT Cloud Services in addition to the separately regulated terms of use and the service certificate(s) selected by the customer.

In the case of inconsistencies between the terms of use, the service description and the valid service certificate, the service certificate takes priority over the service description and the terms of use; the service description takes priority over the terms of use.

1.4 Change to the service description

SIT has the right to adapt the service description. This also applies to a current contractual relationship on the purchase of STACKIT Cloud Services with effect in the future; we refer to number 6 of the terms of use which applies here.

2. Service Level Agreement

2.1 Service transfer point

The service responsibility for STACKIT Cloud Services to be provided by SIT ends at the point of Internet transfer between the respective data center operated by SIT and the Internet Service Provider from the respective region.

2.2 Operating Times

The operating times of STACKIT Cloud Services are Monday through Sunday, “24/7”, 365 days a year (with the exception of planned maintenance work).

2.3 Availability

The general availability of STACKIT Cloud Services is – after deducting the excluded events according to number 2.4 – 99.9% (99,5% for non-redundant STACKIT Cloud Services) in the calendar month average, provided nothing else is regulated in the respective service certificate underlying STACKIT Cloud Services (“availability”). Availability information is only valid for contractually agreed STACKIT Cloud Services and their components; the availability consent does not cover the availability of the customer’s own components or components from a third party (both software and hardware).

The availability target per calendar month is calculated as follows:

The general availability of the STACKIT Portal and the STACKIT Application Programming Interface (API) are not subject to the SIT availability consent. SIT aims however to attain availability for the STACKIT Portal and the STACKIT Application Programming Interface (API) of 99.5% respectively on a monthly average. Downtime, malfunctions or other inaccessibility in the STACKIT Portal or the STACKIT Application Programming Interface (API) do not influence the calculation of the availability of a STACKIT Cloud Service.

2.4 Excluded events

Excluded events denote in particular those periods of time in which contractually agreed availability of STACKIT Cloud Services could not be provided (“excluded events“) due to the following downtime and malfunctions. Excluded events do not count as downtime. Excluded events include in particular:

STACKIT Cloud Services that are made available to the customer free of charge or are explicitly designated and distributed as a test version, beta or in a similar manner are not subject to an availability promise. Failures or malfunctions that occur due to the use of such services by the customer are considered as excluded events.

2.5 Supported software versions

STACKIT Cloud Services can be provided under a specific software version at the time of contract conclusion (“main versions“). To keep STACKIT Cloud Services and the service provision to the customer secure and up-to-date, SIT retains the right to replace main versions of the software used with follow-up versions (“follow-up versions“) – also for subscriptions already concluded.

In this case the following applies in particular:

2.6 Backup

Data backup by SIT is not performed as standard, unless something else is regulated in the individual service certificate.

If there is a data backup for an individual STACKIT Cloud Services according to the contractual underlying service certificate, the data backup complies with the corresponding STACKIT Cloud Services in line with the following standards, provided there is no other regulation in the individual service certificate or nothing else has been configured by customers:

Backup ParameterCharacteristic
Recovery Point Objective (RPO)4 h
Recovery Time Objective (RTO)4 h
Retention Period (RP)14 days, day-by-day retention after the first 4 h

2.7 Support

SIT provides their customers with qualified staff as well as supporting resources for trouble-shooting according to the parameters below.

Incoming support cases are assessed according to their critical status, which results in different response times.

SIT retains the right to downgrade in the critical level if the STACKIT Cloud Service is available and the reason for the malfunction is in the customer’s area of responsibility.

SIT points out that as part of the processing of a support case it may be necessary – depending on the customer matter – for SIT to access the customer’s STACKIT Cloud Services to be able to process the support case adequately.

Support levelStandard
ChannelsStatus Website (status.stackit.cloud)
Knowledge Database (docs.stackit.cloud)
Help Center (support.stackit.cloud)
Availability of the malfunction indicator24/7
Response times*Incidents: < 4 h Service Requests: Best Effort
Solution time**Best Effort
PriceFree

2.8 Maintenance

SIT conducts regular maintenance (for example in the form of updates, patches, bug fixes or hardware exchange and hardware extensions) to provide the function, quality and security of the STACKIT Cloud Services.

SIT usually informs the customer of maintenance work, which is likely to restrict the level of use of the STACKIT Cloud Services for the customer, two weeks before it is conducted, using the STACKIT Cloud Status website. In the case of urgent maintenance work, the notification may be made within a significantly shorter time period or may be omitted entirely, depending on the individual case. SIT recommends to the customer that they regularly check for any pending maintenance work on the STACKIT Cloud Status website.

During the performance of maintenance work, access to STACKIT Cloud Services may be temporarily suspended or restricted, in particular if this is mandatory due to the nature of the maintenance work to be performed.

Downtimes that occur due to maintenance work carried out shall be treated as excluded events within the meaning of clause 2.4.

2.9 Service Payback

If the agreed availability for STACKIT Cloud Services is not adhered to as described, the customer receives a credit within the following transaction in the form of credit onto their customer account (“service payback“):

Availability (month) Service Payback
< 99,9% (99,5% for non-redundant STACKIT Cloud Services)10%
< 99,0%20%
< 98,5%50%
< 95,0%100%
Further claims of the customer for reduction of the remuneration are excluded. Any claims for damages of the customer remain unaffected.

3. Incidents & Security Incidents

3.1 Information

SIT regularly provides customers with information about disruptions (“incidents“) via the STACKIT Cloud Status website (status.stackit.cloud).

In case of security incidents (“security incidents”), customers will be informed directly.

SIT recommends that customers continuously check the status of incidents & security Incidents on the STACKIT Cloud Status website.

3.2 Analysis option from SIT

For STACKIT Cloud Services provided by SIT and subscribed by the customer, SIT may take measures at its own discretion to detect vulnerabilities in the area of responsibility of SIT as well as in the area of responsibility of the customer at an early stage. In particular, all hardware, applications and software of third parties which are not provided by SIT (“customer’s area of responsibility“) are within Customer’s Area of Responsibility.

If security incidents in the customer’s area of responsibility are detected by SIT or external service providers of SIT, the customer will be informed about them. Depending on the severity of the security incident, customer is obliged to take appropriate measures for its area of responsibility in a timely manner to avoid the security incident (e.g. by patching an affected application). If, for example, the customer’s area of responsibility is not secured with the latest patches or workarounds, if the area of responsibility harbors security risks for SIT or the customer itself, or if the quality of the STACKIT Cloud Services is negatively affected or jeopardized by a security incident in the customer’s area of responsibility, SIT reserves the right to take appropriate countermeasures pursuant to clause 3.4.

3.3 Data collection for analysis options by SIT

To detect potential security incidents in the customer’s area of responsibility, log data of customer systems or perimeter data (e.g. firewalls, switches, routers and others) can undergo a rules-based evaluation for anomalies and potential security incidents. Appropriate vulnerability scans (proactive and reactive) can also be performed for systems available on the Internet.

3.4 Possible countermeasures in the case of security incidents

To protect the customer and STACKIT Cloud Services, SIT reserves the right to take appropriate measures without prior consultation with the customer (“countermeasures”) in the event of suspected cases or proven security incidents and corresponding severity. Of course a separate notification will be sent to the customer on this subject at the latest in the follow-up. Countermeasures may include:

Version: 1.2