CONTENTS
1 Glossary of Terms & Definitions ... 2
2 Service Description ... 2
2.1 Installation and Service Provision ... 2
2.2 Cleaning and Mitigation ... 3
2.3 Mitigation Limitations ... 3
2.4 DDoS Attack Monitoring ... 3
2.5 Reasonable Endeavours ... 3
2.6 Maximum Throughput ... 3
2.7 No Warranty ... 3
2.8 Exclusions ... 3
3 Charges ... 4
3.1 Charges Payable by the Customer ... 4
3.2 Additional Charges ... 4
3.3 Charges for Service Changes ... 4
4 Service Levels ... 4
4.1 Availability ... 4
4.2 Response Time ... 5
5 Service Credits ... 5
5.1 Limits of Service Credits ... 5
5.2 Claiming Service Credits ... 5
5.3 Calculation of Service Credits ... 5
6 Customer Responsibilities ... 6
6.1 Technical Representatives ... 6
6.2 Other Responsibilities ... 6
7 Service Operation ... 7
7.1 Customer Contact Centre ... 7
7.2 Service Changes ... 7
7.3 Incident Management ... 7
Page 1
1 GLOSSARY OF TERMS & DEFINITIONS

Black Hole or Black Holing means discarding all data destined for a particular IP address so that it does not disrupt the flow of data to other IP addresses;

DDoS or Distributed Denial of Service means a form of electronic attack in which multiple computers send repeated requests to a server (for example a web site), generating false traffic and rendering it inaccessible to valid users;

DDoS Mitigation Platform means the global DDoS attack mitigation platform, consisting of the components that support the removal of attack traffic from streams that also carry legitimate traffic;

DDoS Protection Service or Service means Interoute's DDoS attack mitigation service, as described in paragraph 2 of this Schedule 2S;

End User means the actual end user(s) of the Service;

Event means any monitored component not operating in accordance with its standard functionality, as indicated by alerts on Interoute's monitoring systems;

Event Log means a log file which stores information about Events for future analysis;

Incident means an unplanned interruption to a Service or a deterioration in the normal quality of a Service;

Incident Management means the Incident management Service provided by Interoute pursuant to this Schedule to investigate an Event or Incident;

IP Customers means Customers who purchase any Service that relies upon the IP protocol suite as its transport mechanism;

Managed Object means a specific profile configured on Interoute's DDoS Protection Service detailing the IP addresses or autonomous system number (ASN) to be protected by the Service;

Response Time means the amount of time it takes for the service desk to take action against an Incident;
Self-Mitigation means mitigation of the Customer's traffic instigated by the Customer itself as part of the DDoS Protection Service via My Services, if and to the extent such capability is granted by Interoute to the Customer;

SLO means Service Level Objective, which is a specific target within the Service Level Agreement;

Traffic Cleaning means the statistical analysis, active verification and anomaly recognition undertaken to identify malicious sources, reveal abnormal behaviour and discard packets that do not conform to the normal traffic pattern.

Any other terms in capital letters shall have the meaning set forth in Schedule 1.

2 SERVICE DESCRIPTION

The DDoS Protection Service may only be purchased by IP Customers. The Service comprises the cleaning of traffic directed towards the Customer's public IP address and includes:
a. installation and maintenance of the Service;
b. configuration of a set of pre-defined monitoring parameters as specified by Interoute; and
c. monitoring of agreed parameters and status information via the Event Log.

2.1 INSTALLATION AND SERVICE PROVISION

The Customer is not required to purchase any additional equipment or software to implement the Service.
2.2 CLEANING AND MITIGATION

a. When Interoute is notified of a DDoS attack, or the Customer instigates Self-Mitigation, traffic destined for the targeted IP address or ASN will be redirected to Interoute's DDoS Mitigation Platform for inspection. Diverted traffic will be subjected to multiple layers of Traffic Cleaning.
b. WHILE TRAFFIC CLEANING IS IN PROGRESS AN INCREASE IN LATENCY MAY OCCUR. DURING SUCH PERIODS THE CUSTOMER SHALL NOT BE ELIGIBLE FOR SERVICE CREDITS FOR LATENCY OR ROUND TRIP DELAY ON ANY INTEROUTE SERVICE.

2.3 MITIGATION LIMITATIONS

a. The Customer shall not instigate Self-Mitigation unless there is an actual DDoS attack.
b. The Customer shall not instigate concurrent instances of Self-Mitigation.
c. Mitigation shall not exceed seventy-two (72) consecutive hours unless an actual DDoS attack is ongoing during that time. Where mitigation exceeds this limit, Interoute reserves the right to apply Professional Service Charges.
d. The Customer is limited to no more than twelve (12) mitigations per calendar year. Where the number of mitigations exceeds this limit, Interoute reserves the right to apply further Charges.

2.4 DDOS ATTACK MONITORING

Following either the Customer's request that the DDoS Protection Service be enabled, or the Customer's instigation of Self-Mitigation, Interoute will study traffic patterns in order to assist the Customer to identify when a DDoS attack has ended and to cease the mitigation.

2.5 REASONABLE ENDEAVOURS

Interoute will use reasonable endeavours to ensure that legitimate traffic is received as normally as possible during a DDoS attack, and that the website user experience is affected as little as possible. In a DDoS attack, countermeasures will be deployed by Interoute to ensure that disruption to operations is minimised, and measures such as Black Holing will only be used by Interoute if Interoute determines that all other measures have failed or are likely to fail.

2.6 MAXIMUM THROUGHPUT

Interoute's DDoS Protection Service supports a maximum throughput of 20Gbps (Maximum Throughput). Any traffic above the Maximum Throughput, whether or not it is legitimate, will be discarded by the Service.
2.7 NO WARRANTY

This Service is designed to protect the Customer and the Customer's End Users from DDoS attacks. However, Interoute does not warrant that it shall withstand these attacks on all occasions. Interoute reserves the right to Black Hole any of the Customer's traffic as required to protect the Network, its traffic or its other customers' traffic from the effects of a DDoS attack.

2.8 EXCLUSIONS

The DDoS Protection Service neither offers nor provides:
a. Load balancing of traffic or of the functionality of any Service;
b. Direct access to Interoute's network security staff (except to the extent allowed in the case of Self-Mitigation) or engineering staff;
c. Archival and storage of log files beyond thirty (30) days;
d. Incident response, forensics and investigations;
e. Legal case preparation or PR incident support;
f. Security consulting services;
g. Security reporting and analysis;
h. Permanent filtering or cleaning of traffic;
i. Direct support of End Users of the Service.

3 CHARGES

3.1 CHARGES PAYABLE BY THE CUSTOMER

a. Charges for the Service typically comprise an initial on-boarding Installation Charge, a Fixed Rate Charge and any Additional Charges set out within the Purchase Order.
b. Unless otherwise agreed between the Parties in this Agreement, Charges for Services and any other applicable Additional Charges will be invoiced in accordance with the terms specified in Schedule 1 of this Agreement.

3.2 ADDITIONAL CHARGES

a. Unless otherwise agreed between the Parties in writing, any additional Charges will be charged according to the Professional Service Charges.
b. In addition to clause 3.2 a above, any additional work agreed outside of a Working Day will incur Professional Service Charges calculated on an hourly basis.

3.3 CHARGES FOR SERVICE CHANGES

a. During the first full calendar month following the Ready for Service Date, the Customer shall be entitled to request changes to enable the Service fully. These changes will be covered by the Installation Charge.
b. Minor changes are non-chargeable for up to three (3) change requests per calendar month; thereafter Professional Service Charges apply.
c. Major changes will incur Professional Service Charges.

4 SERVICE LEVELS

Further to the Service Levels set out within the Schedule 2 to which this Annex is appended, Service Levels are defined for the following Service performance measurements:
a. Availability
b. Response Time

4.1 AVAILABILITY

4.1.1 Calculation

Interoute uses the following formula to calculate monthly Availability:

Availability (%) = (Minutes in Monthly Review Period - Minutes of Service Unavailability) / Minutes in Monthly Review Period x 100

4.1.2 Target Service Availability

DDoS Mitigation Platform: 99.95%
4.1.3 SLO Failure

The DDoS Mitigation Platform is considered to be Unavailable where Traffic Cleaning cannot be performed.

4.2 RESPONSE TIME

4.2.1 Target

Interoute shall respond to all Tickets of Priority 1 (Critical), as set out in paragraph 7.3, in accordance with the response times specified in the table below:

Priority                Response Time SLO
Priority 1 (Critical)   1 hour

4.2.2 SLO Failure

The Response Time objective is considered breached where Interoute fails to enable DDoS mitigation within the SLO once notified by the Customer.

5 SERVICE CREDITS

5.1 LIMITS OF SERVICE CREDITS

Service Credits for the DDoS Protection Service are limited to 50% of the Fixed Rate Charge for the Service during any Monthly Review Period.

5.2 CLAIMING SERVICE CREDITS

a. Failure to meet an SLO for a Service entitles the Customer to claim Service Credits (subject to the exceptions set out herein). The Customer must provide to Interoute all reasonable details regarding the relevant Service Credits claim, including but not limited to detailed descriptions of the Incident, its duration and any attempts made by Interoute to resolve it. Interoute will use all information reasonably available to it to validate claims and make a good faith judgment on whether the Service Levels apply to the claim.
b. Unavailability of the Service cannot be used to claim failure of another service. Interoute shall not be responsible for any cross default.

5.3 CALCULATION OF SERVICE CREDITS

5.3.1 Availability Service Credits

Where Availability falls below target during any Monthly Review Period, the Customer will be entitled to Service Credits as follows:

Availability for the DDoS Mitigation Platform during the Monthly Review Period falling below target by   Service Credits as % of Fixed Rate Charge
Up to 0.25%                                                                                                5%
0.25% to 0.75%                                                                                             10%
0.75% to 1.5%                                                                                              15%
1.5% to 2.5%                                                                                               20%
2.5% to 3.5%                                                                                               25%
More than 3.5%                                                                                             30%
5.3.2 Response Time Service Credits

In the event that Interoute fails to achieve the SLO, the Customer will be entitled to Service Credits as follows:

Time by which enabling of the DDoS Protection Service exceeded the Response Time target   Service Credits as % of Fixed Rate Charge
Up to 5 minutes                                                                            5%
5 minutes to 15 minutes                                                                    10%
15 minutes to 30 minutes                                                                   15%
30 minutes to 45 minutes                                                                   20%
45 minutes to 1 hour                                                                       25%
More than 1 hour                                                                           30%

6 CUSTOMER RESPONSIBILITIES

6.1 TECHNICAL REPRESENTATIVES

The Customer must designate one or more qualified persons as its technical representatives and support points of contact with Interoute. These technical contacts can be updated online, by phone or by email, and must be provided for both pre- and post-installation, and during Incident Management.

6.2 OTHER RESPONSIBILITIES

The Customer undertakes that it shall:
a. specify the IP addresses, IP address ranges or ASN for which the Customer desires the DDoS Protection Service to be activated, by completing a form which Interoute will provide to the Customer;
b. provide Interoute with contact details for the departments and/or people Interoute is to contact during a DDoS attack;
c. monitor and detect abnormal or unusual traffic. If any such behaviour is detected, the Customer must either:
i. inform Interoute and request that the DDoS Protection Service is enabled, or
ii. where Interoute has provided the Customer with a Self-Mitigation capability, instigate Self-Mitigation of its traffic, in line with the limitations set out in paragraph 2.3;
d. report any Incidents or problems with the Services to the Customer Contact Centre as soon as such problems have been identified;
e. provide feedback on any maintenance approval requests passed to the Customer within the reasonable times specified within such requests;
f. do such other things and provide such information as Interoute may reasonably request in order for Interoute to provide the Service;
g. not initiate a penetration test without agreeing to and complying with the current Penetration Test Agreement.
In case a penetration test is undertaken and no corresponding Penetration Test Agreement was signed, the Customer hereby agrees that the Penetration Test Agreement is deemed to have been signed and that its stipulations bindingly apply.
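As an added worked example (not part of the Schedule or of Interoute's own tooling), the following Python applies the 4.1.1 Availability formula to a month's Unavailability windows, maps the result onto the 5.3.1 credit bands, maps Priority 1 response overruns onto the 5.3.2 bands, and applies the 5.1 cap of 50% of the Fixed Rate Charge. It is the kind of check a Customer would run before submitting a 5.2 claim. The outage and ticket times are constructed sample data. One assumption is labelled in the code: each band is read as "more than the previous bound, up to and including this one", since the Schedule does not state which band a value exactly on an edge falls into.

```python
from datetime import datetime, timedelta

# Figures taken from the Schedule: 4.1.2 target, 4.2.1 Priority 1 SLO, 5.1 cap.
TARGET_AVAILABILITY_PCT = 99.95
RESPONSE_SLO = timedelta(hours=1)
MONTHLY_CREDIT_CAP_PCT = 50

# 5.3.1: (upper bound of availability shortfall in percentage points, credit %).
# ASSUMPTION: a band runs from just above the previous bound up to and including
# its own bound; the Schedule does not say where a value exactly on an edge falls.
AVAILABILITY_TIERS = [(0.25, 5), (0.75, 10), (1.5, 15), (2.5, 20), (3.5, 25)]
AVAILABILITY_TOP_CREDIT_PCT = 30  # more than 3.5% below target

# 5.3.2: (upper bound of minutes beyond the 1 hour SLO, credit %), same edge rule.
RESPONSE_TIERS = [(5, 5), (15, 10), (30, 15), (45, 20), (60, 25)]
RESPONSE_TOP_CREDIT_PCT = 30  # more than 1 hour late


def _credit_for_shortfall(shortfall, tiers, top_credit):
    """Map a shortfall (zero or negative means the SLO was met) onto its credit band."""
    if shortfall <= 0:
        return 0
    for upper, credit in tiers:
        if shortfall <= upper:
            return credit
    return top_credit


def unavailable_minutes(windows, period_start, period_end):
    """Sum Unavailability windows clipped to the review period, merging overlaps so
    that two tickets raised for the same outage are not counted twice."""
    clipped = []
    for start, end in windows:
        start, end = max(start, period_start), min(end, period_end)
        if end > start:
            clipped.append((start, end))
    clipped.sort()
    total = timedelta()
    cur_start = cur_end = None
    for start, end in clipped:
        if cur_end is not None and start <= cur_end:
            cur_end = max(cur_end, end)  # overlaps the open window: extend it
        else:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
    if cur_end is not None:
        total += cur_end - cur_start
    return total.total_seconds() / 60


def monthly_availability_pct(windows, period_start, period_end):
    """4.1.1: (minutes in period - minutes unavailable) / minutes in period x 100."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    down = unavailable_minutes(windows, period_start, period_end)
    return 100.0 * (period_minutes - down) / period_minutes


def availability_credit_pct(availability_pct):
    """5.3.1: credit band from how far Availability fell below the 99.95% target."""
    shortfall = TARGET_AVAILABILITY_PCT - availability_pct
    return _credit_for_shortfall(shortfall, AVAILABILITY_TIERS, AVAILABILITY_TOP_CREDIT_PCT)


def response_credit_pct(notified_at, mitigation_enabled_at):
    """5.3.2: credit band from how many minutes past the 1 hour SLO mitigation was enabled."""
    late = (mitigation_enabled_at - notified_at) - RESPONSE_SLO
    return _credit_for_shortfall(late.total_seconds() / 60, RESPONSE_TIERS, RESPONSE_TOP_CREDIT_PCT)


def monthly_credit_pct(availability_credit, response_credits):
    """5.1: total credits for the Monthly Review Period are capped at 50% of the Fixed Rate Charge."""
    return min(MONTHLY_CREDIT_CAP_PCT, availability_credit + sum(response_credits))


def worked_example():
    """Constructed sample data for one Monthly Review Period (May 2024, 44,640 minutes)."""
    start, end = datetime(2024, 5, 1), datetime(2024, 6, 1)
    outages = [  # periods in which Traffic Cleaning could not be performed (4.1.3)
        (datetime(2024, 5, 3, 10, 0), datetime(2024, 5, 3, 12, 0)),
        (datetime(2024, 5, 3, 11, 30), datetime(2024, 5, 3, 13, 0)),  # second ticket, same outage
        (datetime(2024, 4, 30, 22, 0), datetime(2024, 5, 1, 0, 0)),   # previous period, ignored
    ]
    p1_tickets = [  # (Customer notification, mitigation enabled) for Priority 1 Tickets
        (datetime(2024, 5, 3, 9, 0), datetime(2024, 5, 3, 10, 20)),   # 80 minutes: 20 late
        (datetime(2024, 5, 14, 8, 0), datetime(2024, 5, 14, 9, 0)),   # exactly on the SLO
        (datetime(2024, 5, 27, 1, 0), datetime(2024, 5, 27, 4, 0)),   # 3 hours: 2 hours late
    ]
    avail = monthly_availability_pct(outages, start, end)
    a_credit = availability_credit_pct(avail)
    r_credits = [response_credit_pct(n, m) for n, m in p1_tickets]
    return {
        "unavailable_minutes": unavailable_minutes(outages, start, end),
        "availability_pct": avail,
        "availability_credit_pct": a_credit,
        "response_credits_pct": r_credits,
        "monthly_credit_pct": monthly_credit_pct(a_credit, r_credits),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

In the sample month the two overlapping tickets count as one 180 minute outage, giving 99.597% Availability, a shortfall of about 0.35% and a 10% credit; the three Priority 1 Tickets earn 15%, 0% and 30%, and the 55% total is cut to 50% by the 5.1 cap. The clipping and merging matter in practice because 7.3.2 measures each Incident from the time it was reported to the time Service was restored, so tickets for one outage routinely overlap.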
7 SERVICE OPERATION

7.1 CUSTOMER CONTACT CENTRE

When notifying the Customer Contact Centre of an Incident or request, the following information should be provided:
a. Organisation name
b. Service Identifier (SID)
c. Issue description

7.2 SERVICE CHANGES

a. The addition of a Managed Object is a major change.
b. The modification of a Managed Object is a minor change.
c. Where the Customer requests a minor change to be carried out on its Service, and where all of the relevant information is provided by the Customer to Interoute, Interoute will endeavour to complete all minor changes within one (1) Working Day of receiving such requests.

7.3 INCIDENT MANAGEMENT

7.3.1 Incident Reporting

Any suspected Incidents should be reported to the Customer Contact Centre using the procedures detailed in the Service Handover Document, to be provided on the Ready for Service Date. When reporting an Incident, the Customer should identify the affected Service and provide details of the Incident.

7.3.2 Incident Duration

All Incidents recorded will be reconciled against the corresponding ticket raised by the Customer Contact Centre. The exact Incident duration will be calculated as the elapsed time between the Incident being reported to the Customer Contact Centre and the time when Service is restored.

7.3.3 Incident Priorities

a. Depending on the impact an Event or Incident has on the Service, each Event or Incident is categorised pursuant to clause 6.2 b into one of the following priority levels: priority level 1 (Critical) or priority level 3 (Standard).
b. Any Events or Incidents relating to a security incident which requires post-restoration investigation are considered out of scope for the Incident Management Service, will require Professional Services and will be charged accordingly.
Priority                Description                                                                   Hours of Operation   Response Time
Priority 1 (Critical)   When a DDoS attack is underway                                                24/7                 1 hour
Priority 3 (Standard)   Any request from the Customer for information, advice or standard changes     Working Day          4 hours

If Interoute responds to and works on a reported Critical Incident and it is subsequently found not to be a DDoS attack, Professional Service Charges will apply.