Service Description STACKIT Cloud
Schwarz IT KG, Stiftsbergstraße 1, 74172 Neckarsulm, Registry court Stuttgart, HRA 730995 (“SIT”) as a national provider of professional infrastructure & platform-as-a-service provides services under the brand STACKIT brand (“STACKIT Cloud Services”) based on OpenStack, which is made available exclusively as Public Cloud version to companies (“Customers”). SIT is the IT service provider for the Schwarz Group.
The STACKIT Cloud Services follow the international ISO/IEC 27001:2013 norm and an ITIL based operating model and are provided by specialized experts.
1.2 Data center location
The STACKIT Cloud Services are provided and operated in the SIT data center in Germany and in the future also in other member states of the European Union. All data centers are operated in compliance with ISO27001, ISO20000 and TÜV Level 3. As a European Cloud Service Provider, STACKIT is subject to the European General Data Protection Regulation (GDPR).
This general service description (“Service description”) forms an essential element of the contract regarding the purchase of STACKIT Cloud Services between SIT and the customer in addition to the separately regulated conditions of use and the service certificate(s) selected by the customer.
In the case of inconsistencies between the conditions of use, the service description and the valid service certificate, the service certificate takes priority over the service description and the conditions of use; the service description takes priority over the conditions of use.
1.4 Change to the service description
SIT has the right to adapt the service description. This also applies to a current contractual relationship on the purchase of STACKIT Cloud Services with effect in the future; we refer to number 6 of the conditions of use which applies here.
2. Service Level Agreement
2.1 Service transfer point
The service responsibility for STACKIT Cloud Services to be provided by SIT ends at the point of Internet transfer between the respective data center operated by SIT and the Internet Service Provider from the respective region.
2.2 Operating Times
The operating times of STACKIT Cloud Services are Monday through Sunday, “24/7”, 365 days a year (with the exception of planned maintenance work).
The general availability of STACKIT Cloud Services is – after deducting the excluded events according to number 2.42.4- 99.9% in the calendar month average, provided nothing else is regulated in the respective service certificate underlying STACKIT Cloud Services (“Availability”). Availability information is only valid for contractually agreed STACKIT Cloud Services and their components; SIT does not provide an availability promise for the availability of the customer’s own components or components from a third party (both software and hardware).
The availability target per calendar month is calculated as follows:
- The availability also refers to a calendar month, is recorded on a calendar month basis and is accounted for as a percentage.
- “Total service minutes” means the total number of calendar month minutes (calculation: 60 minutes x 24 hours x number if calendar days in the month).
- “Total downtime minutes” means the number of minutes per month in which the contractually agreed STACKIT Cloud Services were not provided by SIT. The numbers of minutes per month that are not included in the calculation of availability as they are excluded events in the sense of number 4 shall be deducted from this value of the total downtime minutes.
The general availability of the STACKIT Portal and the STACKIT Application Programming Interface (API) are not subject to the SIT availability promise. SIT aims however to attain availability for the STACKIT Portal and the STACKIT Application Programming Interface (API) of 99.9% respectively on a monthly average. Downtime, malfunctions or other inaccessibility in the STACKIT Portal or the STACKIT Application Programming Interface (API) do not influence the calculation of the availability of a STACKIT Cloud Services.
2.4 Excluded events
Excluded events denote in particular those periods of time in which contractually agreed availability of STACKIT Cloud Services could not be guaranteed (“Excluded events“).due to the following listed downtime and malfunctions. Excluded events are not downtime. Excluded events include in particular:
- Downtime and malfunctions that have not been caused by SIT, in particular DNS, routing problems or unauthorized effects from a third party such as virtual attacks to the network or mail infrastructure (DoS/Viruses/Spam).
- Downtime and malfunctions that have taken place due to the performance of countermeasures against unauthorized effects or due to security incidents.
- Downtime and malfunctions from third party service providers outside the control of SIT or which cannot be traced back to the service provided by SIT or the network structure is outside SIT’s area of influence.
- Downtime and malfunctions that are due to incorrect use of programs or devices by the customer. This includes:
- Incorrect entries or non-adherence to instructions.
- Actions or omissions by the customer which exceed the stipulated and/or booked contingents.
- Actions or omissions by the customer to perform required configurations and/or to adhere to these.
- Downtime and malfunctions that can be attributed to the customer.
- Downtime and malfunctions that are the result of force majeure. Force majeure is an event that was unforeseeable for both parties even when practicing the greatest diligence that is reasonably to be expected; force majeure can include the following events in particular in this sense: Fire, explosions, power cuts, earthquakes, floods, severe storms, strikes, embargos, labor disputes, action taken by civil or military authorities, war, terrorism (including cyber terrorism), epidemics and pandemics, actions and omissions by Internet providers, actions and omissions by supervisory boards or administrative bodies (including passing laws or regulations or other acts of government that restrict the provision of STACKIT Cloud Services).
- Downtime and malfunctions which occurred due to maintenance work according to number 2.8.
STACKIT Cloud Services which are explicitly referred to and distributed by SIT as a test version, Beta or similar, are not subject to an availability promise from SIT. Downtime and malfunctions which occur through the use of these type of services by the customer are assessed as excluded events.
2.5 Supported software versions
STACKIT Cloud Services can exhibit specific software versions at the time of contract conclusion between the customer and SIT (“Main versions“). To keep STACKIT Cloud Services and the service provision to the customer secure and up-to-date, SIT retains the right to replace main versions of the software used with follow-up versions (“Follow-up versions“) – including in the case of concluded contractual relations.
In this case the following in particular applies:
- SIT informs the affected customer of the pending change and the end of the support period for main versions as part of the release notes under https://docs.stackit.cloud/display/STACKIT/Release+Notes (“Release Notes”).
- The main version affected by the change is supported by SIT as part of the Release Notes for at least a further 180 calendar days, calculated from the notification of the change, and shortly after is successively migrated to the follow-up version (“transition period“).
- The customer can disagree with a pending change until the end of the transition period. If the customer disagrees with the replacement of a main version with a follow-up version by the end of the transition period, SIT can properly terminate the subscription to the STACKIT Cloud Services affected by the change by the end of the transition period.
- Within this transition period it is possible to compete contracts based on the main version. However, these also have to be converted to the follow-up version at the end of the transition period. Therefore customers are instructed to obtain information as part of the Release Notes on any reported changes to the main versions before concluding a subscription for a STACKIT Cloud Services; the affected STACKIT Cloud Services in the subscribed main version is only available to customers, who subscribe to or extend STACKIT Cloud Services affected by the change within the transition period, until the end of the transition period, which can be significantly less than 180 calendar days depending on the time of conclusion of a subscription.
- It technically possible and at the request of the customer, the customer also has the option to migrate from the main version to the follow-up version even before the end of the transition period or –depending on the STACKIT Cloud Services – have it migrated by SIT. The customer does not, however, have entitlement to early migration.
- After the transition period has elapsed, SIT converts any main versions not yet migrated by the customer successively quickly to the follow-up version.
- In several cases during migration from the main version to the follow-up version it can occur that SIT cannot perform a proper automatic migration (in particular with customer data) without the cooperation of the customer. In these cases SIT will inform the affected customer of any necessary cooperation as part of the Release Notes. The customer has time up to the end of the transition period – calculated from the publication of the required cooperation within the Release Notes – to perform the necessary cooperation.
- After the transition period has elapsed, the main version will no longer be supported by SIT and can as such also no longer be used by the customer; SIT has the right, if technically possible for SIT, to conduct an automatic migration of the main version to the follow-up version, even if the customer did not previously perform the necessary cooperation; this can, in particular, cause data loss and functional loss or restriction of the affected STACKIT Cloud Services, as well as in connection with this used customer hardware and software or hardware and software from a third party. SIT does not assume liability, with the exception of the cases in number 15.1 of the conditions of use for damage which arises for the customer due to non-performance of migration or automatic migration.
- After conversion of software from the main version to the follow-up version the follow-up version should be regarded as the (new) main version in the sense of this number.
Data backup by SIT is not performed as standard, unless something else is regulated in the individual service certificate.
If there is a data backup for an individual STACKIT Cloud Services according to the contractual underlying service certificate, the data backup complies with the corresponding STACKIT Cloud Services in line with the following standards, provided there is no other regulation in the individual service certificate or nothing else has been configured by customers:
|Recovery Point Objective (RPO)||4 h|
|Recovery Time Objective (RTO)||4 h|
|Retention Period (RP)||14 days, day-by-day retention after the first 4 h|
- “Recovery Point Objective” (RPO): The Recovery Point Objective (RPO), or the maximum permissible data loss, consists of the specification of how old the version of the last current, consistent data backup can be. If data is lost and can be restored to the backup version with a required data backup.
- “Recovery Time Objective” (RTO): The Recovery Time Objective (RTO), or the maximum recovery time, describes the time period in which a data restoration to a functionally available system, including operating system data and required (application) data, can be consistently restored based on the backup.
- “Retention Period” (RP): The RP describes the maximum period of retention of safeguards.
SIT provides their customers with qualified staff as well as supporting resources for trouble-shooting according to the parameters below.
Incoming support cases are assessed according to their critical status, which results in different response times.
- Incidents: STACKIT Cloud Services are not available or their use is restricted.
- Service or support requests: All remaining support cases, e.g. problems in user registration or system support.
SIT retains the right to downgrade in the critical level if STACKIT Cloud Services is available and the reason for the malfunction is in the customer’s area of responsibility.
SIT points out that as part of the processing of a support case it may be necessary – depending on the customer matter – for SIT to access the customer’s STACKIT Cloud Services to be able to process the support case adequately.
|Channels||Help Center (support.stackit.cloud) E-Mail (email@example.com)|
|Availability of the malfunction indicator||24/7|
|Response times*||Incidents: < 4 h Service Requests: Best Effort|
|Solution time**||Best Effort|
|Knowledge & Best Practice||Zugang zur Knowledge Database (docs.stackit.cloud) Zugang zur Community (community.stackit.cloud)|
- *“Response time“: Is the time period within the service time from the receipt of the customer notification at SIT until the start of processing the notification by qualified staff (Visual inspection).
- **“Solution time“: Is the time period within the service time from the receipt of the customer notification at SIT until the time elapses in which SIT must have restored the contractually owed availability of the STACKIT Cloud Services.
2.8 Maintenance work
SIT conducts regular maintenance work (for example in the form of updates, patches, bug fixes or hardware exchange and hardware extensions) to guarantee the function, quality and security of the STACKIT Cloud Services.
SIT usually informs the customer of maintenance work which is likely to restrict the level of use of the STACKIT Cloud Services for the customer two weeks before it is conducted, using the STACKIT Cloud Status website. In the case of urgent maintenance work, the notification may be made within a significantly shorter time period or may be omitted entirely, depending on the individual case. SIT recommends to the customer that they regularly check for any pending maintenance work on the STACKIT Cloud Status website.
While maintenance work is being conducted access to the STACKIT Cloud Services can be temporarily halted or restricted, in particular if this is mandatory because of the type of maintenance work to be conducted.
Downtime that occurs due to maintenance work conducted will be treated as excluded events in the sense of number 2.4.
2.9 Service Payback
If the agreed availability for STACKIT Cloud Services is not adhered to as described, the customer receives a credit within the following transaction in the form of credit onto their customer account (“Service Payback“):
- To exercise the Service Payback the customer has to claim that the agreed availability of the booked STACKIT Cloud Services was not honored within two (2) weeks after receipt of the invoice for the affected STACKIT Cloud Services from SIT in text form stating the customer number, invoice number and the affected STACKIT Cloud Services. A claim that is not submitted to SIT within two (2) weeks cannot be considered.
- SIT will check the claim for the Service Payback for justification.
- If the claim is justified, the customer will receive a Service Payback credit for the following billing period onto their customer account.
- The amount of the Service Payback always corresponds to the proportionate invoice amount for the STACKIT Cloud Services which were not honored with regard to availability.
- If the customer Service Payback claim is rejected by SIT, it is the responsibility of the customer to present the violation against the agreed availability of STACKIT Cloud Services.
- A credited Service Payback is offset with remuneration claims from SIT for the provision of STACKIT Cloud Services in the following billing period, with the result that the final amount to be paid by the customer decreases accordingly.
- Payment or other compensation for credited Service Paybacks is excluded.
- The following Service Paybacks apply provided that no other regulation has been made in the STACKIT Cloud Services service certificate:
|Availability (month)||Service Payback|
Other customer claims for reduction of remuneration are excluded. Any customer claims for damages remain unaffected.
3. Security Incidents
3.1 Analysis option from SIT
In the case of STACKIT Cloud Services, which are provided by SIT and used by the customer who purchases the STACKIT Cloud Services, action can be taken by SIT at their own discretion to detect weak points both in SIT’s area of responsibility as well as in the customer’s area of responsibility (“Security Incidents“) at an early stage. The customer’s area of responsibility, in particular, encompasses all hardware, applications and software from third parties which are not provided by SIT (“customer’s area of responsibility“).
If security incidents in the customer’s area of responsibility are detected by SIT or an external service provider for SIT, the customer is informed of these. Depending on the level of severity of the security incident the customer is obliged to take timely and appropriate action for their area of responsibility to avoid the security incident (e.g. by patching the affected application). If the customer’s area of responsibility is not secured with the latest patches or Workarounds, for example, the area of responsibility may harbor security risks for SIT or the customer themselves, or if the quality of the STACKIT Cloud Services is negatively influenced or put at risk by a security incident in the customer’s area of responsibility, SIT retains the right to corresponding countermeasures according to number 3.3.
3.2 Data collection for analysis options by SIT
To detect potential security incidents in the customer’s area of responsibility, log data of customer systems or perimeter data (e.g. firewalls, switches, routers and others) can undergo a rules-based evaluation for anomalies and potential security incidents. Appropriate vulnerability scans (proactive and reactive) can also be performed for systems available on the Internet.
3.3 Possible countermeasures in the case of security incidents
To protect the customer and STACKIT Cloud Services, SIT reserves the right to take appropriate measures without prior consultation with the customer (“countermeasures”) in the event of suspected cases or proven security incidents and corresponding severity. Of course a separate notification will be sent to the customer on this subject at the latest in the follow-up. Countermeasures include:
- Disconnecting affected systems and STACKIT Cloud Services from the network, shutting them down or halting them to avoid damage to the systems and STACKIT Cloud Services.
- Forensic analysis of possible affected systems and STACKIT Cloud Services (in particular to gain knowledge for law enforcement, criticality or damage assessment).
- Other activities to avoid or reduce restrictions to other customer systems of the STACKIT Cloud Services or external systems.