managed services for virtual private cloud solution pack ... · networking service options for...


© 2018 DXC Technology. All rights reserved. Confidential Page 1

Managed Services for Virtual Private Cloud Solution Pack

Selections and Prerequisites

| Subject | Requirements |
| --- | --- |
| Governing Agreement | FastTrack Modular Contract including: • Base Terms • Cloud and SaaS Module Terms |
| DXC Services | Managed Services for Virtual Private Cloud (“Managed VPC”), Release 10.0, as set out in this Solution Pack (“Services”) |
| Mandatory Addenda | Managed Services Acceptable Use Policy |
| Optional Add-On Service Features | Customer has chosen to receive the following Add-Ons and will be invoiced accordingly. While all these selectable Add-Ons are described in this Solution Pack as Schedules, only those specifically selected below in an Order will be delivered. ☐ Managed VPC Continuity Services ☐ Managed VPC Backup and Recovery Services ☐ Managed VPC Storage Services ☐ Managed VPC Networking Services ☐ Managed VPC SAP and SAP HANA Management Services ☐ Managed Database Services |


Table of Contents

1. Statement of Work
1.1 Introduction
1.2 Scope of Service
1.3 Commencement of Services
1.4 Managed Services Portal Access
1.5 Network Access
1.6 Managed Services for Virtual Private Cloud
1.7 Additional Optional Services
1.8 Additional Optional Add-Ons
1.9 Maintenance Windows
1.10 Customer Audits
1.11 Support Services

2. Service Levels
2.1 Overview
2.2 Measurement and Reporting
2.3 Service Levels and Credits
2.4 Service Level Objectives

3. Pricing
3.1 General
3.2 Expenses
3.3 Currency
3.4 Charges Generally
3.5 Service Volume Discount
3.6 Minimum Order Term Commitments
3.7 Termination Charges

4. Definitions

Schedule 1. Pricing Schedule
Schedule 2. Security Services
Schedule 3. Continuity Services
Schedule 4. Backup and Recovery Services
Schedule 5. Managed VPC Storage Services
Schedule 6. Managed VPC Networking Services
Schedule 7. Managed VPC SAP and SAP HANA Management Services
Schedule 8. Managed Database Services


1. Statement of Work

1.1 Introduction

This Solution Pack will apply to each Order placed under this Solution Pack and will remain in effect unless it is terminated or expires in accordance with the terms of the Governing Agreement. In the event of any conflict or inconsistency between this Solution Pack and the Governing Agreement, this Solution Pack will prevail with respect to the subject matter of this Solution Pack. General descriptions or references to particular services in this Solution Pack or elsewhere in the Governing Agreement are subject to the more detailed descriptions below.

All capitalized terms shall be defined in the Governing Agreement and/or this Solution Pack. References to DXC’s policies, procedures, technical, and other standards refer to the latest versions in effect which may change from time to time.

1.2 Scope of Service

DXC will provide to Customer the Services described by this Solution Pack following submission of Orders. The Services are limited to the activities described within this Solution Pack as DXC Responsibilities.

The Services consist of the provision of Physical or Virtual Servers, related storage and other resources, and support services, all as described below. Optional items and Services are provided to the extent specified in an Order.

Customer will use the Managed Services Portal to submit Orders for the Services offered under this Solution Pack. A complete list of orderable items available in the requested data center may be viewed in the Managed Services Portal.

1.3 Commencement of Services

1.3.1 DXC Responsibilities:

a. Designate at least one Authorized Representative.

b. Provide notice to the Customer when DXC’s Authorized Representative changes.

c. Provide access to a virtual private compartment dedicated to Customer, isolated with Virtual Local Area Network (“VLAN”) technologies and protected by a dedicated virtual firewall according to Schedule 2 (“Security Services”).

d. Provide notice to Customer when the Services are available for use.

e. Provide all communications, documentation, and support in English only.

1.3.2 Customer Responsibilities:

a. Designate two Authorized Representatives (and backups to be used when designated Authorized Representatives are unavailable).

b. Provide notice to DXC whenever Customer’s Authorized Representatives change.


c. Check the Managed Services Portal regularly, and at least monthly to review notices provided by DXC.

d. Install software, tools, and utilities (other than software that DXC is required to provide).

e. Deliver to DXC license keys and/or other information as DXC may reasonably request if required for DXC to install Customer’s software on a Virtual Server.

f. Load Customer Data.

g. Test the Services.

h. Provide technical and other information as DXC may reasonably request as necessary to perform the Services.

i. Maintain responsibility for all authorized and unauthorized use of the Services by and on behalf of the Customer.

j. Comply with DXC’s policies and procedures and related documentation as provided by DXC to Customer.

k. Perform all Customer Responsibilities set out in this Solution Pack at Customer’s own cost.

1.4 Managed Services Portal Access

1.4.1 DXC Responsibilities:

a. Provide Customer and its Authorized Representatives access to the Managed Services Portal.

1.4.2 Customer Responsibilities:

a. Maintain responsibility for granting access to Portal Users through an identity management system or request that DXC grant access to Portal Users on Customer’s behalf.

b. In all cases, retain responsibility for designating the individuals to be granted access to the Managed Services Portal or to revoke a Portal User’s access for any reason. Customer is responsible for all actions taken by a Portal User.

1.5 Network Access

1.5.1 DXC Responsibilities:

a. Allow Customer access to the Managed VPC network and provide technical requirements to Customer as needed.

b. Provide Customer access to a virtual private compartment dedicated to Customer that is initially provisioned with a single VLAN.

1.5.2 Customer Responsibilities:

a. Acquire access to the Managed VPC network. This can be accomplished through a virtual private network (“IPSec”), dedicated circuits, the public internet, or a combination of these means. All such network access will comply with technical requirements communicated by DXC, and is at Customer’s expense. Once this connection is established, Services will commence.


b. Order additional VLANs as needed via the Managed Services Portal. Networking service options for Managed VPC are further described in Schedule 6 (“Networking Services”).

1.6 Managed Services for Virtual Private Cloud

DXC will provide Customer the following Services, subject to availability and in accordance with the terms of this Solution Pack and the applicable Order.

1.6.1 DXC Responsibilities (Physical and/or Virtual Servers):

a. Perform the responsibilities as follows in accordance with the applicable Order:

DXC Responsibilities | Managed Servers | Unmanaged Servers

i. Provide Customer with access to the Physical and Virtual Servers, storage, and other resources through the standard connectivity option chosen by Customer at the time(s) specified.

X

ii. Provide Customer with administrative access to the Physical and Virtual Servers through the standard connectivity option chosen by Customer at the time(s) specified. This administrative access is provided upon request and Customer is responsible for all actions performed with this access.

X

iii. Install operating system(s) under a DXC provided Operating System License or a Customer provided Operating System License (for Physical Servers or Virtual Servers on Customer Dedicated Virtual Host Clusters only.)

X X

iv. Pre-configure Physical and Virtual Servers to provide application interconnects necessary to support Customer Middleware requirements.

X X

v. Provide and manage the Virtual Host (for Virtual Servers only).

X X

vi. Maintain hardware in good working condition. This includes periodic upgrade and/or replacement of hardware as DXC deems appropriate.

X X

vii. Provide operating system support and maintenance. This includes periodic update of operating system(s) as DXC deems appropriate.

X

viii. Monitor Availability of the servers, DXC supplied operating system, and DXC’s network (up to the Customer’s entry connection point with DXC).

X

ix. Provide a bandwidth capacity of 200 Mbps per Customer virtual firewall.

X X


x. Provide a Virtual Firewall Instance with a capacity limit of 15,000 concurrent connections.

X X

xi. Investigate outages, perform appropriate corrective action to Restore the hardware, DXC-supplied operating system, and related DXC tools.

X

xii. Investigate outages reported by Customer, and perform appropriate corrective action to Restore the server hardware, connectivity, and operating system provided by DXC.

X

xiii. Deploy and update commercial anti-malware tools, investigate Incidents, and undertake remedial action necessary to Restore servers and operating systems to operation.

X

xiv. Change the current DXC defined Virtual Server configuration to a larger or smaller DXC defined Virtual Server configuration if requested by the Customer. (For Virtual Servers using VMware only)

X X

1.6.2 Customer Responsibilities (Physical and/or Virtual Servers):

a. Perform the responsibilities as follows in accordance with the applicable Order:

Customer Responsibilities | Managed Servers | Unmanaged Servers

i. Obtain and maintain the DXC supported network access option chosen by Customer.

X X

ii. If Customer has elected to use its own Operating System License for a Physical Server or a Virtual Server on a Customer Dedicated Virtual Host Cluster, obtain (at its expense) such extensions, modifications, or additional licenses and support contracts as required by DXC to provide the Services.

X X

iii. Maintain operating system(s), using patches supplied by the appropriate vendor(s).

X

iv. Install its non-DXC managed applications and Customer Data on data disks, rather than the system disk, and, if necessary, re-install its applications and Customer Data as needed following any outage.

X X

v. Perform all installations in accordance with requirements as communicated by DXC.

X

vi. Correct any security concerns regarding Customer installed applications that are identified by DXC vulnerability scans.

X


vii. If Customer has elected to install an Oracle or Microsoft SQL Server database managed by DXC under a separately executed DXC contract or statement of work, use such databases only on Unmanaged Servers.

X

viii. Deploy and update commercial anti-malware tools, investigate Incidents, and undertake remedial action necessary to Restore servers and operating systems to operation.

X

ix. Comply with the terms of all its software licenses and support contracts including any open source license terms that apply to Middleware in its Order (see Section 1.6.3.2).

X X

1.6.3 Middleware

1.6.3.1 Managed Services

DXC offers optional managed services for Middleware platforms listed below to supplement Customer’s existing Managed VPC infrastructure.

Middleware service options can change at any time and are subject to availability and may be limited to available releases.

Middleware is subject to current license terms from the Middleware provider as specified below.

1.6.3.2 License Terms

The following license terms shall apply to any Customer ordered Middleware applications and tools listed below:

| Middleware Options | License Terms |
| --- | --- |
| Apache HTTP server, Apache Tomcat server, Apache ANT software | http://www.apache.org/licenses/ |
| JBOSS Wildfly software | GNU Lesser General Public License available at: https://www.gnu.org/licenses/lgpl.html |
| Visual Studio Community 2015 Software | Microsoft Visual Studio 2015 License available at: https://www.visualstudio.com/support/legal/mt171547 |
| Java Software | Oracle license available at: http://www.oracle.com/technetwork/java/javase/terms/license/index.html |
| PHP | https://secure.php.net/license/ |
| OpenSSL | https://www.openssl.org/source/license.html |
| Mozilla NSS | https://www.mozilla.org/MPL/ |
| Nginx | http://nginx.org/LICENSE |
| Microsoft IIS Service | Microsoft IIS Terms of Use at: http://www.iis.net/terms-of-use |
| Eclipse Service | Eclipse Public License available at: https://www.eclipse.org/legal/epl-v10.html |
| Jenkins Service | MIT Public License available at: https://jenkins.io/license/ |
| Nexus Repository Manager Service | Sonatype Master EULA available at: http://www.sonatype.com/usage/master-eula |

1.6.4 Operating System License Terms

1.6.4.1 Red Hat Enterprise Linux

If Customer has elected to use Red Hat Enterprise Linux as its operating system, Customer agrees to accept, sign, or assent to Red Hat’s Software Subscription Agreement for End Users in the Cloud at www.redhat.com/licenses/cloud_cssa/ and permit DXC to supply Customer information to Red Hat if requested by Red Hat.

1.6.4.2 SUSE Linux Enterprise Server

If Customer has elected to use SUSE Linux Enterprise Server as its operating system, Customer agrees to review SUSE Subscription Offering Terms and Conditions at https://www.suse.com/products/server/policy.html and permit DXC to supply Customer information to SUSE if requested by SUSE.

1.7 Additional Optional Services

DXC will provide the Optional services specified in this Section following Customer’s submission of an Order. These Optional services will be subject to the rates specified in the Managed Services Portal or in an Order and are subject to availability in the data center from which the Services are provided to the Customer.

1.7.1 Customer Dedicated Virtual Host Cluster

The Customer may order a Customer Dedicated Virtual Host Cluster in single or Dual Data Centers which consists of two to eight DXC defined and managed Virtual Hosts per data center and DXC defined Virtual Servers that can be managed by DXC (“Managed”) or Customer (“Unmanaged”). Virtual Hosts and Virtual Servers provided in a Customer Dedicated Virtual Host Cluster are not shared with other customers. Customer can select DXC defined Virtual Server sizes as required to run Customer applications. High Availability applies to Customer Dedicated Virtual Host Clusters purchased in Dual Data Centers only.

1.7.2 Virtual Server Snapshot Service for Customer Dedicated Virtual Host Cluster using VMware - Single Data Center (“Virtual Server Snapshot Service”).

Customer may order the Virtual Server Snapshot Service for Customer Dedicated Virtual Host Clusters using VMware for Services provided out of a Single Data Center. If Customer orders the Virtual Server Snapshot Service the Parties will have the following responsibilities.

1.7.2.1 DXC Responsibilities:


a. Create a new Snapshot of a Virtual Server that is part of a Customer Dedicated Virtual Host Cluster.

b. Remove the Snapshot and delete any associated storage.

c. Change the state of the Virtual Server to the state of the Snapshot.

d. Maintain the Virtual Server Snapshot for up to 48 hours, or remove earlier if requested by Customer.

1.7.2.2 Customer Responsibilities:

a. Submit an Order to purchase the Virtual Server Snapshot Service for Customer Dedicated Virtual Host Cluster using VMware - Single Data Center through the Managed Services Portal.

b. Notify DXC to request a new Snapshot of a Virtual Server as required.

1.7.3 Windows OS Cluster - Single Data Center

Customer may order an OS Cluster which consists of two to sixteen DXC defined and managed Physical Servers that are identically configured and a Windows Server operating system.

1.7.4 Linux OS Cluster - Single Data Center

Customer may order an OS Cluster which consists of two to four DXC defined and managed Physical Servers that are identically configured and a Red Hat Enterprise Linux Server or SUSE Linux Enterprise Server operating system.

1.7.5 Dual Data Center Service

In DXC data centers designated by DXC in the Managed Services Portal, Customer may order:

a. An OS Cluster that consists of a DXC defined Physical Server configuration running a Windows Server, Red Hat Enterprise Linux Server or SUSE Linux Enterprise Server operating system managed by DXC which is located in paired primary and secondary DXC data centers to provide the Customer High Availability; or

b. Managed or Unmanaged Virtual Servers that are configured by DXC to provide the Customer High Availability in the event of a data center failure.

1.7.6 Virtual Server Resizing

Customer may order Virtual Server resizing for Unmanaged Virtual Servers using VMware. This Service allows Customer to change the size of an existing VMware based Unmanaged Virtual Server to one with increased or decreased capacity as required to meet fluctuating workload demands. Any price change resulting from Virtual Server resizing will take effect when the resized Virtual Server becomes available for use. Resizing of an Unmanaged Virtual Server using this Service will have no impact on Customer Data which will transition to the resized Virtual Server.

1.7.7 Managed VPC Virtual Server Suspend and Resume

Customer may order Managed VPC Virtual Server Suspend and Resume to temporarily suspend (shut down) or resume (power on) any Unmanaged Virtual Server(s) using VMware. When an Unmanaged Virtual Server has been suspended, the only operations available to the Customer are to resume or terminate the Managed VPC Service for that Virtual Server.

When a suspended Unmanaged Virtual Server is resumed, Customer will be responsible for bringing the Virtual Server up to the current DXC requirements for Unmanaged Virtual Servers. Recurring Charges will be reduced when Customer Managed Virtual Servers are suspended for more than one hour beginning at the top of the hour and are fully reinstated for resumed Unmanaged Virtual Servers.

Customer’s ability to resume a suspended Unmanaged Virtual Server can only be exercised within the term of the Contract. Any suspended Unmanaged Virtual Server that is not resumed within the term of the Contract will be subject to DXC disengagement terms specified in Section 1.11.3 and Customer’s right to remove Customer Data and Customer software from the suspended Unmanaged Virtual Server will be revoked.

1.7.8 Customer Provided VMware Virtual Server Image

This Optional Add-On allows the Customer to extend the catalog of Operating System Image choices that can be ordered by the Customer in the Managed Services Portal to include Customer provided Virtual Server images that the Customer has uploaded to the Managed Services Portal.

Customer provided Virtual Server images are subject to DXC formatting requirements and will only be available for ordering by Customer in the DXC data centers where the Customer has been on-boarded. This Optional Add-On is currently available for Unmanaged Virtual Servers using VMware. Customer provided Virtual Server images are limited to certain Operating Systems Images. Variable recurring Charges apply based on the size and number of Customer supplied Virtual Server images being hosted in the Managed Services Portal for Customer use only.

1.8 Additional Optional Add-Ons

1.8.1 Customer may Order the Optional Add-Ons that are described within this Solution Pack. These Optional Add-Ons will be subject to the rates specified in the Managed Services Portal or in an Order.

1.8.2 DXC Responsibilities:

a. Provide the Optional Add-Ons as selected by Customer in an Order, and described as follows:

i. Security Services as described in Schedule 2 that are not designated as part of the Base Services, including;
A. Optional Security Services reports;
B. Encryption options;
C. E-Discovery and Cloud Forensics services;
D. Copies of data or evidence appropriate for chain of custody requirements,
E. Antivirus software for Linux;
F. HIPAA security measures; and
G. Additional perimeter and firewall options.

ii. Continuity Services as described in Schedule 3, including;
A. Replication based disaster recovery; and
B. Recovery Rehearsals.

iii. Backup and Recovery Services as described in Schedule 4, including;
A. Protection Services for servers; and
B. Long-Term Protection and Archival Services.

iv. Managed VPC Storage Services as described in Schedule 5, for Multi-Tenant options including:
A. Ultra-High-Performance Storage;
B. High-Performance Storage;
C. Performance Storage;
D. Bulk Storage, and
E. File Enhanced Storage.

v. Managed VPC Networking Services as described in Schedule 6, including;
A. Network Switch as a Service;
B. Bandwidth services;
C. Leveraged internet service;
D. Firewall concurrent sessions;
E. Customer provided internet protocol; and
F. Additional firewall and load balancing options.

vi. Managed VPC SAP and SAP HANA Management Services as described in Schedule 7, including;
A. Installation, semi-automated application template provisioning, monitoring, and management of the SAP Application up to the basis layer;
B. Installation, configuration, administration, and maintenance of the SAP landscape for SAP Basis; and
C. Installation, monitoring, and maintenance of DXC or Customer provided SAP HANA Appliances, and DXC provided and SAP HANA Systems and SAP HANA databases.

vii. Managed Database Services as described in Schedule 8, including:
A. Installation, configuration, administration, monitoring, and management of the DB Instance;
B. Maintenance of the DB Instance; and
C. Support of the DBMS environment via the Managed Services Portal.

1.8.3 Customer Responsibilities:

a. Review the available Optional Add-Ons and Order the desired or required Services on the Managed Services Portal as described in Section 1.2.

1.9 Maintenance Windows

DXC performs maintenance during two types of Maintenance Windows and provides notification of Maintenance Windows as set forth below:

1.9.1 DXC Maintenance Window


1.9.1.1 DXC Responsibilities:

a. Maintain Services’ provisioning and management systems during DXC Maintenance Windows.

b. Schedule DXC Maintenance Windows between 22:00 hours Saturday and 4:00 hours Sunday, local time at the relevant DXC data center, and at other times outside DXC local business hours, during nights, on weekends or holidays applicable to the DXC data center. DXC Maintenance Windows may occasionally be extended in DXC’s discretion (e.g., to accommodate major infrastructure changes) after notice to affected customers. The primary impact of this Maintenance Window will be on the Managed Services Portal and provisioning of new services, which may not be available during a DXC Maintenance Window.

1.9.1.2 Customer Responsibilities:

a. Acknowledge notice of DXC Maintenance Windows as necessary.

1.9.2 Customer Maintenance Window

1.9.2.1 DXC Responsibilities:

a. Maintain Customer’s Managed VPC systems (e.g., Virtual Server, Physical Servers, Load Balancer Service, etc.) during Customer Maintenance Windows.

b. Schedule Customer Maintenance Windows for servers and other infrastructure provided to Customer as part of the Services at the same time as DXC Maintenance Windows or at other times as communicated by DXC.

c. Maintain a twelve-month rolling schedule of Customer Maintenance Windows that can be made available to the Customer upon request.

d. Notify Customer of any Maintenance Window that might impact Customer’s use of the Services.

1.9.2.2 Customer Responsibilities:

a. Acknowledge that there will be scheduled down time during Customer Maintenance Windows.

1.10 Customer Audits

1.10.1 DXC Responsibilities:

a. Following at least 30 days’ notice, provide Customer’s auditors and regulatory auditors with electronic or logical access to Customer Data and Customer’s dedicated environments in order to audit Customer’s systems, data, controls, and other matters pertinent to Customer’s business. Customer is not permitted to audit anything covered by a DXC conducted audit for the Services as described in Schedule 2.

b. Escort Customer auditors upon reasonable request for physical access to the DXC facilities.

1.10.2 Customer Responsibilities:


a. Provide DXC with at least 30 days’ notice of a request for a Customer audit.

b. Conduct no more than a single annual audit (absent unusual circumstances, such as investigations that may warrant additional audits).

c. Request physical access to DXC facilities and acknowledge requirement to be escorted by DXC personnel.

d. Retain financial responsibility for DXC Charges for Customer requested audits and audit support.

e. Require Customer’s auditors and regulatory auditors to enter into confidentiality and other appropriate agreements reasonably requested by DXC.

f. Provide audit software to DXC for review and approval at Customer’s expense prior to installation.

g. Acknowledge that Customer’s auditors shall have no access to any shared infrastructure or to data concerning other DXC customers or DXC operations. Customer’s auditors may not be competitors of DXC or its Affiliates. Customer’s audits are at Customer’s sole expense.

1.11 Support Services

1.11.1 Liaison between DXC and Customer

1.11.1.1 DXC Responsibilities:

a. Provide a DXC help desk to respond to Customer’s submission of support tickets related to Incidents or service requests (“Operations Center”). The Operations Center is open 365 days a year, 24 hours a day, 7 days a week and can be contacted by telephone or through a secure internet website.

b. Conduct business at the Operations Center in English.

1.11.1.2 Customer Responsibilities:

a. Contact DXC to submit support tickets related to Incidents or Services’ requests via the Managed Services Portal or by contacting the DXC Operations Center.

b. Acknowledge that the secure internet website is the preferred method for contacting the Operations Center.

c. Designate up to five representatives authorized to contact the Operations Center. Customer may replace any of these designated representatives by giving notice to the Operations Center.

1.11.2 Incident Management

1.11.2.1 DXC Responsibilities:

a. When Incidents are either detected by DXC or reported by Customer, DXC will classify Incidents according to the following priorities:

| Priority | Description | Examples | Customer Updates |
| --- | --- | --- | --- |
| Priority 1 | Emergency Incident | Site down, degraded single point of failure, site security breach, etc. | Initial acknowledgement within 15 minutes and hourly updates thereafter |
| Priority 2 | Business critical Incident | Site degradation not related to single point of failure, suspected security vulnerability, etc. | Initial acknowledgement within 30 minutes and updates every 2 hours thereafter |
| Priority 3 | Important Incident requiring action within 12 hours | Preventive work, such as restarting servers, troubleshooting errors, etc. | When scheduled and at status change thereafter (e.g., completion) |
| Priority 4 | Standard Incident requiring action within 1 business day | Routine preventive work | When scheduled and at status change thereafter (e.g., completion) |

b. Investigate the causes, undertake appropriate remedial action to Restore affected Services as quickly as reasonably possible and in compliance with applicable Service Levels, and thereafter take appropriate action to prevent recurrence. Remedial action may include workarounds and later corrective action.

c. Inform Customer of the status of Incidents reported by Customer at the intervals specified above and otherwise at reasonable intervals in accordance with DXC’s standard practice.

d. Inform Customer of the resolution of Incidents reported by Customer (subject to reopening if the resolution is unsuccessful). Resolution may include determinations that Incidents were caused by defects in Customer’s software or data, user errors, or other matters outside the scope of the Services and DXC’s responsibility.

1.11.2.2 Customer Responsibilities:

a. Inform DXC of an Incident by notifying the Operations Center as quickly as reasonably possible following discovery of the Incident.

1.11.3 Disengagement

Beginning 90 days before the Contract, the Governing Agreement and/or this Solution Pack is scheduled to expire or promptly following issuance of notice to terminate the Contract, the Governing Agreement, this Solution Pack, and/or an Order for Services, the Parties will have the following responsibilities.

1.11.3.1 DXC Responsibilities:

a. Give periodic notice to Customer of pending expiration or termination of the Contract, the Agreement, and/or this Solution Pack resulting in cessation of Services.

b. Provide any backup and Restore or archive services the Customer has purchased as described in Schedule 4 (“Backup and Recovery Services”) where additional requirements applicable to expiration or termination of these Services are provided. Requests for these Services must be made prior to termination of the Contract, the Governing Agreement, this Solution Pack or cancellation of an Order.

c. Ensure Customer Data associated with an Order is removed from all storage Media (including backups, if any) or rendered unreadable upon cancellation of that Order. The method used to remove Customer Data from storage Media varies based on the type of storage being used.

d. Following expiration of the Contract, the Governing Agreement or this Solution Pack, DXC will honor open Orders during a grace period for up to 90 days. No new Orders will be accepted during the grace period until/if the Contract is renewed. If the Contract is not renewed before completion of the grace period, all open Orders will be cancelled and Customer Data will be removed as noted above. Service charges will continue to apply until completion of the grace period, cancellation of any open Order(s), or transition to a renewed Contract; whichever occurs first.

1.11.3.2 Customer Responsibilities:

a. Provide notice to DXC of Customer’s termination of the Contract, the Governing Agreement and/or this Solution Pack in accordance with the applicable termination and notice provisions of the Contract.

b. Remove all Customer Data and Customer software prior to cancellation of an Order in the Managed Services Portal once all Minimum Order Term Commitments have been met.

c. Disconnect from the DXC data center.

2. Service Levels

2.1 Overview

This Section 2 describes Service Levels for the Services, the way they are measured and reported, and the consequences of Faults.

2.2 Measurement and Reporting

2.2.1 Effectiveness

Service Levels are measured and reported from the date and time servers are made available for Customer’s use. Service Credits may be assessed for Faults beginning within the first full calendar month thereafter.

2.2.2 Service Level Reports

DXC will provide reports of Service Level performance and applicable Service Credits, if any, including relevant calculations. Service Level performance calculations are based on Availability. For Managed Servers, monthly Service Level reports are made available to the Customer in the Managed Services Portal. For Unmanaged Servers, reports will be provided to the Customer upon request and Service Levels are provided up to the hypervisor for Virtual Servers and up to the hardware on Physical Servers.

2.3 Service Levels and Credits

2.3.1 Service Level Commitments

DXC will meet or exceed the applicable Service Levels as specified below. Any delivery requirements that fall outside criteria specified below will not be subject to any Service Level commitments. Service Level performance is based on Availability, which is calculated per tier as: ((Scheduled Infrastructure Uptime minus Unexcused Infrastructure Downtime) divided by Scheduled Infrastructure Uptime) multiplied by 100. The “Service Requirements” column in the following table lists the Add-Ons that Customer must elect and obtain in order to qualify for that Service Level.

2.3.2 Managed Server Service Levels

| Service Level Name | Service Level Description | Service Requirements | Service Level | Standard Service Credit |
| --- | --- | --- | --- | --- |
| SL Tier 2 (Option A) Single Data Center Availability | The following items are Available: (1) Physical Server, (2) storage for the Physical Server, and (3) operating system installed on the Physical Server. | Managed Physical Servers and associated services. | 99.00% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Physical Server, pro-rated for the duration of the Unexcused Infrastructure Downtime. |
| SL Tier 2 (Option B) Single Data Center Availability | The following items are Available: (1) Virtual Server, (2) storage for the Virtual Server and (3) operating system installed on the Virtual Server. | Managed Virtual Servers and associated services. | 99.90% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Virtual Server, pro-rated for the duration of the Unexcused Infrastructure Downtime |
| SL Tier 3 (Option A) Single Data Center Availability | The following items are Available: (1) OS Cluster | Windows OS Cluster or Linux OS Cluster and associated services. | 99.95% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected OS Cluster, pro-rated for the duration of the Unexcused Infrastructure Downtime |
| SL Tier 3 (Option B) Single Data Center Availability | The following items are Available: (1) Virtual Server, (2) storage for the Virtual Server, and (3) operating system installed on the Virtual Server | Managed Virtual Servers and associated services. | 99.95% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Virtual Server, pro-rated for the duration of the Unexcused Infrastructure Downtime |
| SL Tier 4 (Option A) Dual Data Center High Availability | The following items are Available: (1) OS Cluster | OS Cluster including two Physical Servers and associated services. | 99.99% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected OS Cluster, pro-rated for the duration of the Unexcused Infrastructure Downtime |
| SL Tier 4 (Option B) Dual Data Center High Availability | The following items are Available: (1) OS Cluster | OS Cluster including four or more Physical Servers and associated services. | 99.999% | Two times the applicable monthly Charge (in the month the failure occurred) for the OS Cluster, pro-rated for the duration of the Unexcused Infrastructure Downtime |
| SL Tier 4 (Option C) Dual Data Center Availability | The following items are Available: (1) one Virtual Server, (2) storage for the Virtual Server, (3) operating system installed on the Virtual Server | Managed and associated services. | 99.95% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Virtual Server, pro-rated for the duration of the Unexcused Infrastructure Downtime |

Note: DXC does not offer an SL Tier 1 option for the Services.

2.3.3 Unmanaged Servers

| Service Level Name | Service Level Description | Service Requirements | Service Level | Standard Service Credit |
| --- | --- | --- | --- | --- |
| SL Tier 2 (Option A) Single Data Center Availability | The following items are Available: (1) Physical Server, and (2) storage for the Physical Server | Unmanaged Physical Servers and associated services | 99.00% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Physical Server, pro-rated for the duration of the Unexcused Infrastructure Downtime. |
| SL Tier 2 (Option B) Single Data Center Availability | The following items are Available: (1) Virtual Server, and (2) storage for the Virtual Server | Unmanaged Virtual Servers and associated services | 99.90% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Virtual Server, pro-rated for the duration of the Unexcused Infrastructure Downtime |
| SL Tier 3 (Option B) Single Data Center Availability | The following items are Available: (1) Virtual Server, and (2) storage for the Virtual Server | Unmanaged Virtual Servers and associated services | 99.95% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Virtual Server, pro-rated for the duration of the Unexcused Infrastructure Downtime |
| SL Tier 4 (Option C) Dual Data Center Availability | The following items are Available: (1) one Virtual Server, and (2) storage for the Virtual Server | Unmanaged Virtual Server and associated services | 99.90% | Two times the applicable monthly Charge (in the month the failure occurred) for the affected Virtual Server, pro-rated for the duration of the Unexcused Infrastructure Downtime |

Note: DXC does not offer an SL Tier 1 option for the Services.

2.3.4 Service Credits

In the event of a Fault, Customer will receive a Service Credit by way of a compensatory credit to its Managed Services Portal account in an amount equal to two times the applicable Charges (in the month the failure occurred) for the affected Physical or Virtual Server or the OS Cluster, pro-rated for the duration of the Unexcused Infrastructure Downtime. For example, if DXC fails to meet the SL Tier 2 (Option A) Service Level due to 2 hours of Unexcused Infrastructure Downtime of a Physical Server, Customer will receive a credit equal to 4 hours’ Charges for that server. Service Credits are usable for future Orders or can be applied to a future invoice for Services but expire 12 months after issuance. Service Credits are Customer’s sole remedy for Faults except in case of a material breach.

2.4 Service Level Objectives

2.4.1 All Service Level objectives set out in this Section are targets and failure by DXC to achieve them is not subject to payment of Service Credits or other credits to the Charges. DXC’s failure to meet a Service Level objective does not constitute a breach of Contract.

2.4.2 Managed Services for VPC – Continuity Services

DXC will use commercially reasonable efforts to meet the following Service Level objectives for the Managed Services for VPC Continuity Services (“Continuity Services”) described in Schedule 3:

| | Recovery Time Objective | Recovery Point Objective |
| --- | --- | --- |
| Replication Based Disaster Recovery | 4 hours (measured from Invocation to operating system start) for up to 200 Servers (greater number of Servers may take longer). | 15 minutes for applications capable of recovering to latest point in time. For customers choosing Tag Recovery Point, the Recovery Point Objective will probably be longer with the exact time dependent on Customer’s requirements and configuration choices. |

For Replication Based Disaster Recovery, Customer acknowledges that achievement of the Recovery Point Objective Service Level may depend upon network capacity and Availability, the rate of change in Customer’s data and other circumstances beyond DXC’s reasonable control. The Recovery Time Objective relates to a single Invocation event; should multiple events occur simultaneously the recovery time could be longer.

DXC will be excused from these Service Level objectives if the Customer does not have the number of Process Servers advised by DXC as required for meeting the Service Level objectives. DXC will not be responsible for providing Service Credits to the Customer in the event these Service Level objectives are not met.

2.4.3 Backup and Recovery Services

DXC will use commercially reasonable efforts to meet the following Service Level objectives for the Backup and Recovery Services described in Schedule 4:

2.4.3.1 Backup Success Rate (“BSR”)

Backup jobs should be successfully completed without errors and result in creation of a valid backup Image for the applicable Protection period at a minimum of 98% of the time. Backup success is measured on a per server basis by accumulation of backup success/failure data for filesystem and database backups (including logs) down to an Object level within a billing cycle (30 days).

All backup jobs are monitored in real time 24 hours a day, 7 days a week for uninterrupted execution and smooth progress of all backup jobs (within or outside of Backup Windows). Backup jobs are adjusted, tuned up, and load balanced to maximize backup efficiency and minimize time required to complete backup. Upon failures, an Incident ticket is generated automatically and anomalies are thoroughly investigated and remediated.

2.4.3.2 Restore Success Rate (“RSR”) and Service Level Objective (“SLO”)

DXC will initiate Restore jobs by opening a ticket and assigning it to a backup administrator within four hours after receipt of a Customer Restore request. This Restore SLO is limited to measurement of time taken by DXC to assign the Restore request to the backup administrator. Actual time to initiate and complete the Restore job will vary due to priority, size of Restore job, and backlog of Customer Restore requests.

Restore jobs should be successfully completed at a minimum of 98% of the time. Restore success is measured on a per request basis within a billing cycle (30 days).

2.4.3.3 Prioritization of Restore Requests

Restore request tickets will be prioritized by DXC based on Customer assigned business impact and severity level subject to the following criteria:

P1 Total loss of server, Service, or Service functionality. IMPACT: Significant financial loss, damage to reputation, risk to life/limb, or legal exposure and affects a majority of users at one or more Customer facilities. URGENCY: Loss or exposure is immediate with no available workaround options.

P2 Degradation of a server, Service, or Service functionality. IMPACT: Noticeable effect on the Customer’s ability to conduct business and affects a group of users. URGENCY: Loss or exposure is imminent or immediate, but can be reduced with workarounds.

P3 Some performance degradation or loss of Service or Service functionality. IMPACT: No impact on the Customer’s business operations and affects one to several users. URGENCY: No business loss or exposure. User inconvenience.

P4 A question or support request for a supported Service. IMPACT: No impact on the Customer’s business operations and affects one user. URGENCY: No business loss or exposure. User inconvenience.

2.4.3.4 DXC will act on each Restore request according to the priority of the ticket. DXC reserves the right to revisit the accuracy of each Restore request’s prioritization and the right to apply Charges if the prioritization is misused.

2.4.3.5 Backup and Recovery Services:

DXC will use commercially reasonable efforts to meet the following Service Level objectives for the Backup and Recovery Services described in Schedule 4.

2.4.4 Backup Success Rate

Backup jobs should be successfully completed without errors and result in creation of a valid backup Image for the applicable Protection period at a minimum of 98% of the time. Backup success is measured on a per server basis by accumulation of backup success and failure data for filesystem and database backups (including logs) down to an Object level within a billing cycle (30 days).

All backup jobs are monitored in real time 24 hours a day, 7 days a week for uninterrupted execution and smooth progress of all backup jobs (within or outside of Backup Windows). Backup jobs are adjusted, tuned up, and load balanced to maximize backup efficiency and minimize time required to complete backup. Upon failures, an Incident ticket is generated automatically then thoroughly investigated and remediated.

2.4.5 Restore Success Rate and Service Level Objective

For all Restore and recovery requests not covered by self-service, DXC will initiate Restore jobs by fulfilling a service ticket created by the Customer via the Managed Services Portal and assigning it to a backup administrator within four hours after receipt of a Customer Restore request.

This Restore SLO is limited to measurement of time taken by DXC to assign the Restore request to the backup administrator. Actual time to initiate and complete the Restore job will vary due to priority, size of Restore job, and backlog of Customer Restore requests.

Restore jobs should be successfully completed at a minimum of 98% of the time. Restore success is measured on a per request basis within a billing cycle (30 days).

2.4.6 Reconciliation

An integral part of monthly SLO reporting of Backup and Recovery Services is audit and adjustment of BSR and RSR reports delivered to Customer.

DXC can reconcile status of backup or Restore jobs before SLO reports are delivered to the Customer. Backup or Restore jobs can be either marked as successfully completed, ignored, or added if an attempt was not captured by the reporting.

DXC can set failed backup or Restore jobs as successful if failure is due to something outside of DXC’s control. A common example would be a backup failure due to network issues where the customer supports their own networks, password changes, account lockouts, removal of storage, etc. These jobs could be marked as a success, since the expectation is that the job would have completed successfully had these inhibiting factors not been present, delivering a Service Level agreement (“SLA”) measure of 100%.

DXC can ignore failed backup or Restore jobs when multiple job attempts have been executed while the final one succeeded. A common example would be automatic restart of the backup job or an addition of new backup clients to the backup environment. As part of this change, the backup administrator attempts several test backups to validate connectivity. Several of these attempts could fail. These backup jobs could be ignored, excluding them from monthly SLO reporting.

2.4.7 Prioritization of Restore Requests

Restore request tickets will be prioritized by DXC based on Customer assigned business impact and severity level subject to the following criteria:

P1 Total loss of server, Service, or Service functionality. IMPACT: Significant financial loss, damage to reputation, risk to life/limb, or legal exposure and affects a majority of users at one or more Customer facilities. URGENCY: Loss or exposure is immediate with no available workaround options.

P2 Degradation of a server, Service, or Service functionality. IMPACT: Noticeable effect on the Customer’s ability to conduct business and affects a group of users. URGENCY: Loss or exposure is imminent or immediate, but can be reduced with workarounds.

P3 Some performance degradation or loss of Service or Service functionality. IMPACT: No impact on the Customer’s business operations and affects one to several users. URGENCY: No business loss or exposure. User inconvenience.

P4 A question or support request for a supported Service. IMPACT: No impact on the Customer’s business operations and affects one user. URGENCY: No business loss or exposure. User inconvenience.

DXC will act on each Restore request according to the priority of the ticket. DXC reserves the right to revisit the accuracy of each Restore request’s prioritization and the right to apply Charges if the prioritization is misused.

3. Pricing

In consideration for the Services described by Section 1 (“Statement of Work”) as DXC responsibilities, Customer agrees to pay the Charges specified below. Customer remains responsible for all its other costs and expenses related to receipt and use of the Services, including (without limitation) telecommunications, infrastructure, and service charges (except to the extent covered by optional leveraged internet service) and license, support and other charges for software of all kinds (excluding only software that DXC expressly agrees to provide).

3.1 General

For the Services set out in this Solution Pack, Customer agrees to pay the Charges specified below, and to pay or reimburse the other costs specified as Customer Responsibilities.

3.2 Expenses

Customer will pay or reimburse DXC for reasonable travel and travel-related expenses and other out-of-pocket expenses incurred by DXC in connection with DXC’s performance of the Services set out in this Solution Pack, including any purchases by DXC on behalf of Customer. DXC will invoice Customer separately for all such expenses and will include a reasonable description of the expenses.

3.3 Currency

Charges will be invoiced and payable in United States Dollars (“USD”).

3.4 Charges Generally

Customer will be charged for servers, storage, Optional Add-Ons, and other resources when those resources become available for Customer use. DXC reserves the right to increase Charges to support significantly outdated technology or software.

3.4.1 One-Time Charges

One-time Charges consist of the Unit Charge less any applicable volume discount. One-time Charges will be invoiced in the next monthly invoice following DXC’s delivery of the Service that is subject to a one-time Charge.

3.4.2 Recurring Charges

Recurring Charges consist of (i) Unit Charges specified in the Managed Services Portal for Orders that are accepted by DXC for servers, storage, Optional Add-Ons, and other resources (ii) times the relevant volumes of resources then in use (iii) less any applicable volume discount. Recurring Charges continue until the Services are cancelled by the Customer after any minimum order term that applies under Section 3.6 (“Minimum Order Term Commitment”) has been met. Customer billing may be in daily or hourly increments. Recurring Charges will be pro-rated on a daily or hourly basis for partial months.

3.4.2.1 Backup and Recovery Services’ Service Charges

a. Customer agrees to pay one-time Charges and recurring Charges applicable to Services described in Schedule 4 when the Backup and Recovery Services are purchased. Charges are calculated based on the volume of backup storage consumed by Customer’s backups.

b. Customers consuming Backup and Recovery Services will have the ability to purchase four tiers of backup storage; as follows:

i. On-line virtual disk storage:

A. Primary Disk – used to store primary backup copies; or

B. Secondary Disk – used to store replicated backup copies off-site.

ii. Physical Tape storage:

A. Off-site Tape – uses Tape cartridges to store backup copies off-site; or

B. Compliance Archive – supports yearly Compliance Archival.

3.4.3 Unit Charge Adjustments

Unit Charges for the Services are market-based and may be adjusted by DXC in the Managed Services Portal as DXC deems necessary to align with then current market-based pricing for equivalent cloud services. Any market-based pricing adjustments made by DXC resulting in increases or decreases to Unit Charges will be applied to all future and open Orders, as applicable, beginning with the next monthly invoice issued to the Customer. For Services available for Order in the Managed Services Portal, Unit Charges specified in the Managed Services Portal will prevail and Schedule 1 attached to this Solution Pack is for information purposes only. For Services not available in the Managed Services Portal, Unit Charges will be as specified in Schedule 1.

3.5 Service Volume Discount

DXC’s Unit Charges for Services will, as applicable, be reduced by a volume based discount percentage as provided in this Section.

a. The initial discount will equal the applicable discount rate percentage listed in the table below based on the corresponding monthly quantity of Operating System Images initially ordered by Customer. The initial discount will be set on the Contract effective date.

b. Thereafter, the discount rate applicable to DXC’s Unit Charges will be determined as follows:

i. Beginning with the first full three months after the effective date, and for each three-month period thereafter within the term of the Contract, DXC will determine the actual quantity of Operating System Images procured by Customer in all data centers under this Solution Pack.

ii. After the end of each such three-month period, the discount will equal the applicable discount rate percentage corresponding to the lowest monthly quantity of Operating System Images procured by the Customer during such three-month period. If that lowest monthly quantity of Operating System Images is less than the monthly quantity of Operating System Images initially ordered by Customer, then for six months following the end of such three-month period, the discount rate percentage will not be increased above the discount rate percentage corresponding to that lowest monthly quantity (regardless of higher actual quantities of Operating System Images).

Volume Discount

| Monthly Quantity of Operating System Images | Discount Rate |
| --- | --- |
| 1-24 | 0.0% |
| 25-49 | 2.0% |
| 50-74 | 4.0% |
| 75-99 | 6.0% |
| 100-249 | 8.0% |
| 250-499 | 10.0% |
| 500-749 | 12.0% |
| 750-999 | 14.0% |
| 1000 and above | 18.0% |

3.6 Minimum Order Term Commitments

The following minimum order term commitments apply when any of the following Services are purchased (“Minimum Order Term Commitments”):

| Service | Minimum Order Term |
| --- | --- |
| Customer Dedicated Virtual Host Cluster | 1 Year |
| Physical Server | 1 Month |
| Virtual Server (including those used in a Customer Dedicated Virtual Host Cluster) | 1 Day |

The Order term begins when the Service is first made available to the Customer.

3.7 Termination Charges

Customer is responsible for any Minimum Order Term Commitments specified in Section 3.6 applicable to the Services purchased. Customer can terminate Services subject to the following prior notification requirements:

| Server Type | Minimum Prior Notice |
| --- | --- |
| Physical Server(s) | 30 Days |
| Virtual Server(s) | Upon notification |

If Customer terminates any Managed VPC Service that is subject to a Minimum Order Term Commitment prior to completion of the minimum Order term, it will be liable for an amount equal to the full Charges for such Services for the remaining Service period within the Minimum Order Term Commitment.

4. Definitions

Active Directory Server means a hosted virtual machine providing Microsoft™ Active Directory functionality.

Add-On means an Optional Service feature that may be ordered by Customer and provided by DXC at an additional Charge outside of the Base Services.

Affiliate means an entity controlled by, controlling, or under common control with a party.

Alert means a telephone call from Customer requesting commencement of recovery-related activities and services.

Allocated Hypervisor means a hypervisor that is installed on hardware that is not allocated to the shared pool.

Always on Availability Groups Instance means a Microsoft SQL Server DB Instance that allows groups of databases to be managed in defined groups and to fail over between nodes in the cluster.

Audit Day means one business day in which access to DXC facilities or DXC personnel is required to respond to auditor questions or provide evidence of compliance to controls.

Authentication Authority means a service or technology whose purpose is to verify the identity of a user through at least one authentication factor (see Multi-Factor Authentication).

Authorized Representative means DXC’s representative authorized to act for DXC and to serve as Customer’s principal point of contact concerning the Services, and Customer’s representative authorized to act for Customer and its Affiliates and to serve as DXC’s principal point of contact as designated by each party.

Availability or Available means any time during the calendar month when the applicable item subject to Service Levels as described in Section 2 is operational and functional.

Backup Window means a daily timeframe, during which the backup will be executed for a server.

Base means a Service that is provided by DXC when the Services are purchased. These Services are always provided and the Customer is not required to select them and may not decline them.

Bulk Storage means a lower level of performance with high reliability.

BUR Vault means the dedicated storage area for Customer’s backup data in conjunction with the Backup and Recovery Services outlined in Schedule 4.

Calculation Period means the first to the last day of the calendar month.

Change means an alteration or modification to the way the Services are provided, as requested by Customer or DXC.

Change Management or Change Management Process means the practices and methods described in the Statement of Work for the applicable Solution Pack or Schedule.

Change Type means the following classification: Normal Change, Routine Change, Emergency Change, and Project Change.

Charge means the amount payable by Customer to DXC for Services, as described by and adjusted pursuant to the applicable provisions of this Solution Pack.

Compliance Archive Service means the Service feature that provides a copy of Customer Data written to write once read many (“WORM”) Tape.

Compute Resources means the Virtual Servers and related infrastructure available at DXC’s facility for Rehearsals and recovery.

Configuration Item or CI means the components that need to be managed in order to deliver the SAP and SAP HANA Management Services. Information about each CI is recorded in a configuration record within the Configuration Management system and is maintained and controlled by DXC through Change Management.

Configuration Management means the process that tracks individual CI in accordance with this Solution Pack for the applicable Services.

Continuity means the Base and Add-On Services described in Schedule 3.

Continuity User Guide means the written guide describing use of the Continuity Services made available to customers, as revised and updated from time to time.

Contracted Continuity Storage Capacity means the storage available for Replication of Customer Data, as determined by DXC based upon the Replicated Data Sets specified by the Customer and the Compute Resources required to recover the systems being protected.

Customer Compartment means a Managed VPC compartment dedicated to the Customer.

Customer Data means all information provided by or on behalf of the Customer or any Customer Affiliate to DXC for use or access in providing the Services.

Customer Dedicated Virtual Host Cluster means a Virtual Host Cluster dedicated for use by a single customer.

Customer Responsibilities mean the responsibilities and obligations set out in this Solution Pack under those Sections headed ‘Customer Responsibilities’.

Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the way any Personal Information are, or are to be, Processed.

Data Copy means the copy of Customer Data created by Replication.

Data Transport Service means the Add-On Service feature that allows Customer to transport data in and out of their Managed VPC compartment using a transportable NAS device.

Database Instance or DB Instance means a set of process and memory segments that run on a Database Server node to manage and control access to the data, which resides in the database.

Database Management System or DBMS means a collection of programs that enable the storage, modification, and extraction of information from a database.

Database Server means a Physical Server or Virtual Server used to run Database Instance(s).

DB means a database.

Deployment Phase means the second of three phases of the Continuity Services as more fully described in Schedule 3.

Dialog Response Time means the percentage of the dialog steps with a DINOGUI Time of less than one second in the Calculation Period.

DINOGUI Time means the Dialog Response Time minus the graphical user interface time during the Calculation Period.

DAS means digital storage directly attached to the server accessing it.

Discovery Phase means the first of three phases of the Continuity Services as more fully described in Schedule 3.

Dual Data Center means a pair of two data centers from where DXC provides High Availability.

Dual Data Center High Availability means the Service Level description that measures the Availability of the Services when Customer purchases the use of Dual Data Centers.

DXC Responsibilities mean the responsibilities and obligations set out in this Solution Pack under those Sections headed ‘DXC Responsibilities’.

E-Discovery and Cloud Forensics mean the Optional Security Services provided by DXC as more fully described in Section S2.3.7.

Emergency Change means a Change needed as a result of sudden loss of service or CI failure. An Emergency Change derives from a business-critical Incident and is the only reactive Change Type.

End User means any individual, agent or other third party that uses or receives the Services or acts on behalf of the Customer in using or receiving the Services or otherwise in performing Customer’s obligations under this Solution Pack.

Event means a change of state, which has significance for the management of a Configuration Item or the Services. The term Event is also used to mean an alert or notification created by any IT Service, Configuration Item, or monitoring tool. Events typically require DXC personnel to take actions and often lead to Incidents being logged.

Excused SAP Downtime means the circumstances where a SAP Application or SAP HANA Appliance that is subject to measurement is considered “available” in accordance with Section 2.

Excused Infrastructure Downtime means (i) Maintenance Windows; (ii) periods of downtime requested by Customer for administrative access or otherwise; (iii) outages excused by this Solution Pack; (iv) outages or unavailability of Customer managed operating systems and Customer Data, applications, software, peripheral devices, equipment, and networks; (iv) outages caused by Customer’s failure to apply security patches as instructed by DXC for Unmanaged Servers or where Customer does not allow DXC to apply security patches for Managed Servers; (v) outages caused by Customer’s continued use of an operating system version when general support for that version is no longer available from the operating system provider; and (vi) outages caused by Customer, Customer Affiliates, or their respective officers, employees, agents, or contractors. All other downtime is Unexcused Infrastructure Downtime.

Excused Managed Database Downtime means the circumstances where the Managed Database Services are considered “available” in accordance with Section 2.

Fail-Over means designation of the Data Copy as Primary Data and operation from servers within DXC’s facility after Invocation.

Fault means an unexcused failure to meet a Service Level. Faults may be excused for the reasons described by this Solution Pack.

FIPS means a set of federal information processing standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military US government agencies and by US government contractors and vendors who work with the agencies.

File Enhanced Storage means a file system level storage option that provides the attributes outlined in Section S5.2.3.

Force Majeure Event means circumstances beyond a party’s reasonable control that cause delays or failures in the party’s performance.

Full Server Backup means Protection that is applied to the operating system, Customer Data, Customer applications, and Customer databases without any Customer designated exclusions.

Gold Image means a predefined Operating System Image hardened to a level that in DXC’s opinion provides an acceptable balance between security and functionality for the majority of DXC customers. This Image is a starting point for Managed Servers and the Customer may request modifications to individual servers through the agreed change control processes where necessary.

Governing Agreement means the set of terms and conditions identified in the Selections and Prerequisites Table that govern this Solution Pack.

High Availability means the Services and Optional Add-Ons that provide the High Availability Service Levels in accordance with Section 2.

High-Performance Storage means one of the Performance Storage options as described in Section S5.2.3.

HIPAA means the United States Health Insurance Portability and Accountability Act of 1996 that provides data privacy and security provisions for safeguarding medical information.

HPE 3PAR means computer data storage products, including hardware disk arrays and storage management software used by DXC to provide the Services.

Image means a copy of the state of a computer system stored in some non-volatile form such as a file.

Incident means any event which is not part of the standard operation of the Service and which causes or may cause an interruption to, or a reduction in, the quality of the Service.

Incident Management means the process of restoring normal service operations in response to Incidents in accordance with the applicable Statement of Work.

Infrastructure and Virtualization Security means those Security Services provided by DXC for the infrastructure as more fully described in Section S2.3.6.

ITIL means a set of detailed practices for IT service management that focuses on aligning IT services with the needs of business. Formerly it was an acronym for “Information Technology Infrastructure Library”.

In-Guest Backup means a backup agent installed on the host server for execution and processing of backups that creates certain load on the host server and effectively consumes CPU, RAM, network, and storage resources. Backup data is transferred from the host server to a backup Media server without involvement of Off-host Backup proxy servers.

Invocation means commencement of Continuity Services as described in Schedule 3 after DXC receives telephone notice from Customer directing DXC to commence delivery of Continuity Services due to the occurrence of a Force Majeure Event.

IOPS (input/output operations per second) means the standard unit of measurement for the maximum number of reads and writes to non-contiguous storage locations.

IO (input/output) means the communication between an information processing system, such as a computer, and the outside world, possibly a human or another information processing system.

IT means information technology, having to do with an entity’s computer hardware, software, or cloud environment.

LDAP means a lightweight directory access protocol.

Load Balancer Service means the Optional Add-On described in Section S6.2.9 that allows the Customer to distribute incoming application traffic among two or more servers within the same Customer Compartment at a DXC location in order to improve availability and scalability.

Local Cache Device means a Customer installed device on Customer’s dedicated network to separate Customer’s environments from other customers’ environments as part of the Backup and Recovery Services.

Logical Unit Number or LUN means a number used to identify a logical unit relating to computer storage. A logical unit is a device addressed by protocols and related to fiber channel, small computer system interface (“SCSI”), internet SCSI, and other comparable interfaces.

Long-Term Protection and Archival Services mean backup service options provided by DXC to address the Customer’s long-term backup and recovery service requirements.

Maintenance Windows mean actual time periods used by DXC for maintenance and similar purposes. Maintenance Windows may result in Services, servers, software, network connectivity, and equipment not being Available.

Managed Database means a Database Management System installed on Managed VPC infrastructure which is supported, monitored, and maintained by DXC.

Managed Database Availability means, with respect to the Managed Databases, the availability of the Database Instance, expressed as a percentage of Scheduled Managed Database Uptime for the relevant Database. This is calculated monthly using 24x7 monitoring as follows: Managed Database Availability = [Scheduled Managed Database Uptime minus Unexcused Managed Database Downtime] divided by Scheduled Managed Database Uptime.

Managed Server means a Physical Server or Virtual Server that is managed by DXC.

Managed Services Portal means the web portal(s) from time to time established and maintained for Customer’s interaction with the Services.

Managed VPC Continuity Services Recovery Center means the DXC data center used to deliver Continuity Services.

Managed VPC Virtual Server Suspend and Resume means the Optional Add-On described in Section 1.7.7.

Management Infrastructure means servers and network devices used to provide cloud services to Managed VPC customers. For the avoidance of doubt, server instances (whether physical or virtual) are not Management Infrastructure, however the virtualization layer is.

Mandatory Addenda means those standard policies and/or supplemental terms and conditions Customer must agree to when purchasing the Services described in this Solution Pack as set out in the Selections and Prerequisites Table.

Media means the material in a storage device on which data is recorded.

Middleware means software applications that facilitate exchanges of data between two or more application programs within the same environment, or across different hardware and network environments.

Mbps means megabytes per second.

Microsoft SQL Server means a Server using Microsoft SQL as an operating system.

Mongo Database means the free and open-source cross-platform document-oriented database program known as MongoDB. Classified as a NoSQL database program, MongoDB uses JSON-like documents with schema.

MS means millisecond.

MySQL means an open-source relational Database Management System which may be used in connection with the Managed Database Services described in Schedule 8.

Multi-Factor Authentication means requiring at least two types of authentication with at least one being something the user knows (such as a password) and at least one being something the user has (such as a fingerprint or a device).

Multi-Tenant means the use of a shared infrastructure or storage in which logical compartmentalization of data is achieved to prevent unauthorized access to data in one compartment from another. Access to each logical compartment is managed and limited by each customer.

NetApp means a file storage product used by DXC in providing the Backup and Recovery Services.

Network Address Translation or NAT means a methodology of remapping one Managed VPC private IP address space into another, routable on the internet by modifying network address information in IP datagram packet headers while they are in transit across the firewall.

NAS means a file-level computer data storage server providing data access across a network to users, servers, or applications on the network such as application and/or database software and web services.

NDMP means a network data management protocol to transport data between NAS devices and backup devices.

Network Switch means a network switch provided by DXC at an additional Charge that connects the Managed Servers to Customer’s network.

Normal Change means any temporary or permanent change to one or more Configuration Items within a managed IT environment that carries a risk higher than 'Low' and is not of a complexity to require use of formal project management methods.

Object means the smallest backup unit (i.e., E:\ drive, database log, or sub directory). For example, if a server has 10 filesystems, each backup will generate 10 Objects for purposes of calculating the backup success rate.

Off-host Backup means a backup agent installed on an off-host backup "proxy" that sends the Customer’s data to a designated storage device.

OLTP means on-line transaction processing which is a class of information systems that facilitate and manage transaction-oriented applications.

Operating System Image means a DXC specified operating system software that is installed on Virtual Servers or Physical Servers that are procured by the Customer.

Operating System Instances mean an operating system that runs on a single hardware. On some hardware, multiple Operating System Instances are possible.

Operating System License means a license that entitles the Customer to use an operating system. It does not include support unless otherwise noted.

Operational Phase means the third of three phases of the Continuity Services as more fully described in Schedule 3.

Option or Optional means a Service that is provided as a part of the Services only when specifically purchased by Customer as indicated in an Order.

Optional Addenda means any additional policies and/or supplemental terms and conditions that Customer must agree to when purchasing the Services described in this Solution Pack as set out in the Selections and Prerequisites Table.

Order means a request for Services made by the Customer through the Managed Services Portal or in a separate written request. Requests made through the Managed Services Portal are deemed accepted by DXC when placed by the Customer. All other requests will be effective only upon acceptance by DXC.

OS Cluster means a group of Physical Servers and other resources that act like a single system and enable High Availability.

Penetration Test Indemnification Form means a letter agreement used by DXC to define terms associated with performance of penetration testing for Customer’s information technology components where DXC owns, hosts, and/or operates certain information technology components used by Customer. Customer acceptance of terms specified in the letter agreement is required before such testing will be permitted.

Performance Storage means the optional SAN storage available as part of the Storage Services.

Personal Information means data which relates to a living individual who is identified or can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller. Personal Information includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.

Physical Database Server means a Database Server delivered to the Customer using a Physical Server.

Physical Server means a physical computer system consisting of software and hardware that run essential computer programs, applications or web services across a network that are accessible to users on the network.

Portal User means those representatives designated by the Customer who are authorized to login to the Managed Services Portal for purposes described in this Solution Pack.

Primary Data means in-scope data directly written by Customer’s systems, or Customer’s initial copy, ordinarily located in Customer’s environment.

Problem means a series of related Incidents or a single Incident of significant business impact that requires root cause analysis for identification of the known error and recommendations for resolution.

Problem Management means the process of preventing, managing and reducing the impact of Problems in accordance with the applicable Statement of Work.

Process means obtaining, recording, or holding the Personal Information or carrying out any operation or set of operations whether or not by automatic means on the Personal Information, including: (a) organization, adaptation, or alteration of the Personal Information; (b) retrieval, consultation, or use of the Personal Information; (c) disclosure of the Personal Information by transmission, dissemination, or otherwise making available; or (d) alignment, combination, blocking, erasure, or destruction of the Personal Information.

Process Server means the DXC provided server used to facilitate the Replication, encryption, and transmission of the Replicated Data Sets from the Managed VPC data center to the Managed VPC Continuity Services Recovery Center.

Project means a discrete unit of non-recurring work (having a specific start and end date) that falls outside the standard Services and options described in this Solution Pack.

Project Change means a Change which is requested and delivered on a Project basis.

Protection or Protection Services mean a suite of features offered to the Customer to protect Customer servers and Customer Data enabling various levels of recovery and restoration.

Protection Plan means a pre-defined combination of backup service parameters and options that can be selected by the Customer.

RDM means an option in the VMware server virtualization environment that enables a storage Logical Unit Number to be directly connected to a Virtual Server from the storage area network.

RMC means an automated, non-intrusive software that uses Snapshots to integrate HPE 3PAR storage arrays and StoreOnce backup appliances for converged data protection that delivers recovery of application-consistent recovery points with flexible recovery options.

Recovery Point Objective (for Continuity Services) means anticipated elapsed time between the last complete Replication and a failure of Customer’s infrastructure.

Recovery Point Objective (for Managed Database Services) means the maximum allowed data loss period for the Managed Database environment after an Event causing a data Restore (e.g., block corruption, human errors).

Recovery Point Objective (for SAP Services) means the maximum allowed data loss period for the applicable SAP environment after a SAP environment event causing data Restore (e.g., block corruption, human errors).

Recovery Time Objective or RTO (for Continuity Services) means the anticipated time necessary to recover failed servers to operation, with related data using the Replication Equipment and Compute Resources, so that they are available to Customer for applications recovery and other Customer Responsibilities.

Recovery Time Objective or RTO (for Managed Database Services) means the boundary of time within which a Managed Database environment is targeted to be available after an unplanned Managed Database environment down Event. The end time of a Managed Database environment down Incident is defined as the time at which the Managed Database environment is made available again to the Customer. RTO is calculated as follows: Timestamp when the Managed Database environment is made available to the Customer minus timestamp when Managed Database environment down Event has been recorded in DXC's ticketing system.

Recovery Time Objective or RTO (for SAP Services) means the boundary of time within which a SAP environment is targeted to be available after an unplanned SAP environment down Event. RTO is calculated as follows: Timestamp when the SAP environment is made available to the Customer minus timestamp when SAP environment down Event has been recorded in DXC's ticketing system.

Red Hat Enterprise Linux Server means a Managed Server or Unmanaged Server that uses the Red Hat operating system.

Regulatory Compliance means the Optional Security Service component provided by DXC as more fully described in Section S2.3.9.

Rehearsal means the recovery of systems and data for the purposes of confirming the ability to recover the protected systems and the Customer to access and run the relevant applications.

Remote Access Gateway means an optional access point to the Managed Servers and Unmanaged Servers as an alternative to a pulse VPN gateway.

Remote Access User means an End User who is authorized to utilize the Remote Access Gateway.

Remote Access with Optional 2-Factor Authentication means the Optional Security Service component provided by DXC as more fully described in Section S2.3.12.

Remote Replication Equipment means Replication Equipment at the Managed VPC Continuity Services Recovery Center within the Replication Recovery Environment.

Replicated Data Sets mean data sets designated by Customer for Replication.

Replication means copying of data from one location to another, either continuously (so that all data written to local storage devices is copied to remote storage devices) or on a regular basis (so that changes to data written to local storage devices are recorded and replied to the remote storage devices at regular intervals).

Replication Agent means software resident on Customer servers in order to facilitate Replication.

Replication Based Disaster Recovery means the Continuity Service offering using asynchronous Replication for recovery as described in Schedule 3.

Replication Equipment means equipment used to replicate data and includes Local and Remote Replication Equipment.

Replication Recovery Environment means the servers, storage, and other infrastructure used to recover Customer’s Replicated Data Sets after Invocation.

Replication Window means the timeframe, during which Replication of data will occur. Backup and Recovery Services support four Replication Windows where a Replication Window is tied to the selected Backup Window.

Request for Change or RFC means a formal proposal for a Change. An RFC includes details of the proposed Change.

Restore means copying of a backup to online storage for application use.

Routine Change means a pre-approved, well-defined, and fully documented Change with very low or no risk, implemented through a simplified Change Management Process.

SAN means a dedicated high-speed network (or subnetwork) that interconnects and presents shared pools of storage devices to multiple servers.

SAP Application means systems, applications, and products used in data processing to support functions such as financial and asset accounting.

SAP Application Security Guidelines mean the industry standard guidelines published by SAP.

SAP Basis means business application software integrated solution, which is a set of programs and tools that act as an interface with databases, operating systems, communication protocols, and business applications.

SAP Client means a Customer organizational entity that has its own master and transactional data.

SAP Downtime means the period of time when the SAP Application or SAP HANA Appliance is not available for normal business use. SAP Downtime may be Excused SAP Downtime or Unexcused SAP Downtime.

SAP HANA means a high-performance analytics appliance that uses an in-memory database.

SAP HANA Appliance means a DXC flexible, multi-purpose, data-source-agnostic in-memory appliance that combines SAP software components optimized to run on Intel-based hardware. It includes a number of integrated SAP software components including the SAP HANA database, real-time Replication services, data services, data and lifecycle management, support for multiple interfaces based on industry standards, and a data modeling tool called SAP HANA studio.

SAP HANA Infrastructure means SAP HANA Managed Server and Managed VPC storage functionality that can support a SAP HANA database managed by the Customer or a Customer designated third party within the Managed VPC infrastructure.

SAP HANA System means SAP HANA Appliance functionality using a Managed Physical Server and storage.

SAP Instance means a logical unit consisting of a set of SAP work processes that are administered by a dispatcher process with memory allocation.

SAP PAM means the documentation provided by SAP that outlines the current version, bundles the maintenance dates, patch dates, and release notes per release version to ensure current content availability and adherence.

SAP Service Catalog means a list of predefined changes provided to Customer at the time of engagement.

SAP Service Marketplace means the database provided by SAP for its customers.

SAP Services mean the Optional Add-On service features described in Schedule 7 and purchased by Customer; defined therein as Managed VPC SAP and SAP HANA Management Services.

SAP Solution Manager means a standard product from SAP used to manage and monitor SAP Instances.

SAP Web Application Server means a component of SAP which works as a web application server for SAP products.

Scale-Out means a SAP HANA Appliance that contains multiple blade servers.

Scale-Up means a SAP HANA Appliance that contains a single blade server.

Schedule means a schedule to this Solution Pack unless specifically identified otherwise.

Scheduled Managed Database Uptime means the time when a Database Instance is scheduled to be available to Customer for normal business use. For clarity and as an example, Scheduled Managed Database Uptime excludes Maintenance Windows and outages and periods of administrative access requested by Customer.

Scheduled Infrastructure Uptime means that period in a month outside of Excused Infrastructure Downtime.

Section means a section or subsection in this Solution Pack unless specifically identified otherwise.

Security Incident Management means the Security Services provided by DXC that manage Incidents detected in the Managed VPC environment as more fully defined in Section S2.3.7.


Security Zone means one or more VLANs which are routed together and have a single firewall interface.

Server means either a Managed Server or Unmanaged Server.

Service Credit means compensatory credit to Customer for Faults if and to the extent available under this Solution Pack.

Service Level means a quantitative performance standard for the Services set forth in Section 2.

Single Data Center means the Services are provided out of only one DXC data center and therefore different Service Levels apply than the Services provided out of Dual Data Centers.

Single Sign On means a mechanism whereby a single action of user authentication and authorization can permit a user to access other applications and systems where he/she has access, without the need to enter multiple user IDs and passwords.

SL Tier means DXC’s specific combination of responsibilities for Service Levels selected by the Customer in an Order.

Snapshot (for Continuity Services) means a point in time copy of the data (or subset thereof) on the storage array that can be used for various purposes without any changes that are made to the Snapshot copy being reflected in the original data on the storage array.

Snapshot (for the Services) means preservation of the configuration state of a Virtual Server at a specific point in time. The configuration state of the Virtual Server includes the internal storage, memory, virtual network connections, and the power status (powered-on, powered-off, and suspended). The status of applications and any external storage is not captured in the Snapshot.

Solution Design Document means the written document prepared by DXC in anticipation of this Solution Pack, describing detailed arrangements for provision of Continuity Services to Customer, including storage and communications network requirements, based upon information furnished by Customer.

SSD means the solid-state drive used for the Storage Services.

Stabilization Period means the mutually agreed period after implementation, not exceeding three months, during which DXC will monitor the average Dialog Response Time. During the Stabilization Period the monitored threshold will be 80% of the dialog steps with a DINOGUI Time below one second. If the history during the Stabilization Period shows that load and performance are stable for the system under consideration then the value will be increased to the agreed value according to DXC’s Service Level obligations.

StoreOnce means the HPE storage appliances used by DXC to provide portions of the Services.

SUSE Linux Enterprise Server means a Managed Server or Unmanaged Server using the SUSE operating system.

Tag Recovery Point means a mark generated at a point in time where an application has been quiesced, and the file and application data buffers on the protected system have been flushed. The Tag Recovery Point can be used at recovery time to provide improved data consistency for database or similarly complex applications.

Tape means the storage device that writes data sequentially in the order in which it is delivered and reads data in the order in which it is stored on the Media.

TB means terabytes.

Technical Representative means the representative designated by Customer who is authorized to contact the Operations Center concerning operational matters, to obtain support, and manage Customer’s receipt of the Services.

Temporary Storage means storage capacity made available during either a Rehearsal or Invocation. This storage capacity is intended for transitory use and any data will be deleted at the end of the Rehearsal or Invocation.

Test Restore Service means the Service feature that allows the Customer to request “non-operational” restoration of data that is a Restore to a destination other than the source during normal service operations. The Test Restore Service is subject to an additional Charge at DXC’s then current rates.

Threat and Vulnerability Management means the Base and Optional Service components provided by DXC as more fully described in Section S2.3.8.

Ultra-High-Performance Storage means the optional SAN storage available as part of the Storage Services as further described in Section S5.2.3.

Unexcused Infrastructure Downtime means that period in a month when the applicable item subject to Service Levels as provided in this Solution Pack is not Available during Scheduled Infrastructure Uptime for that month caused by DXC’s failure to perform DXC’s Responsibilities under this Solution Pack. For Managed Servers (including Managed Servers that are part of an OS Cluster), Unexcused Infrastructure Downtime is measured from the time the outage is detected by DXC, until DXC determines that the outage is resolved. For Unmanaged Servers (including Unmanaged Physical Servers or Virtual Servers), Unexcused Infrastructure Downtime is measured from the time a service Incident ticket is opened by the Customer, until DXC determines the outage is resolved.

Unexcused Managed Database Downtime means Managed Database downtime that is not Excused Managed Database Downtime.

Unexcused SAP Downtime means SAP Downtime that is not Excused SAP Downtime.

Unit Charge means the then current list price for an orderable item in billable increments as provided in the Managed Services Portal or in a written quotation when the item is not available in the Managed Services Portal.

Unmanaged Server means a Physical Server or Virtual Server that is managed by the Customer.

Virtual Appliance means a VMware virtual server provisioned and operated by the Customer that the Customer has connected to a Managed VPC compartment.

Virtual Database Server means a Database Server delivered to the Customer using a Managed VPC Virtual Server.


Virtual Firewall Instance means a firewall instance made available from the Continuity shared firewall infrastructure.

Virtual Host means a hypervisor installed and managed by DXC.

Virtual Host Cluster means a group of Virtual Hosts managed as a single unit through virtualization software installed and managed by DXC.

Virtual Routing Instance means a routing instance made available from the Continuity shared router infrastructure providing an access point for Customer routers.

Virtual Server means a complete system platform which supports the complete operating system installed on a system disk.

VMware means the operating system supplied by VMware, Inc.

VADP means an application programming interface that enables the Symantec NetBackup product to do centralized, off-host, and LAN-free backup of vSphere Virtual Servers and Virtual Appliances as long as VMware supports the capability.

Windows Server means a Managed Server or Unmanaged Server running Microsoft Windows as an operating system.


Schedule 1. Pricing Schedule


Schedule 2. Security Services

S2.1. Introduction

This Schedule will apply to each Order placed for Services and will remain in effect unless it is terminated or expires in accordance with this Solution Pack. The Security Services are provided to the extent Ordered by Customer. DXC’s performance may depend upon Customer’s performance of Customer’s Responsibilities or other dependencies. In the event of any conflict or inconsistency between this Schedule and this Solution Pack, this Schedule will prevail with respect to the subject matter of this Schedule. General descriptions or references to particular Security Services in this Schedule or elsewhere in this Solution Pack are subject to the more detailed descriptions below.

Security Service usage is limited to within the Customer’s Managed VPC environment. Termination or suspension of all or any part of the Services for any reason will automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Security Services under this Schedule.

S2.2. Scope of Service

DXC will provide to Customer the Services described by this Schedule following submission of Orders. DXC will deliver Security Services on a Managed VPC infrastructure in accordance with this Solution Pack except where otherwise specified below.

Security Service components noted as “Base” are included with the Services at no additional Charge. Security Service components noted as an “Option” or “Optional” will be made available to the Customer at an additional Charge. Customer acknowledges that because Unmanaged Servers are under its control, security features for Unmanaged Servers are more limited than for Managed Servers.

Customer will use the Managed Services Portal to order Security Services offered under this Solution Pack and designate which, if any, Optional Add-On is selected for purchase by Customer.

S2.3. Security Services

S2.3.1. Audit Assurance and Compliance

This Section describes the options available to Customer to receive information regarding security and compliance in the environment. Customer may conduct audits using the Customer Audit Days option described below only if the available reports do not sufficiently cover specific controls.

The table below describes Security Service components for this Section along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Server Penetration Test Report (Base)

DXC will:
• Review and approve (as appropriate) the properly completed and signed indemnification form.

Customer will:
• Complete and sign (and cause any third-party auditors to sign) the DXC supplied Penetration Test Indemnification Form and conduct or commission (from DXC or an independent third party) a penetration test of the virtual private cloud (“VPC”) servers.
• Provide relevant findings to DXC.

Additional Ordering Information:
• One-time Charge per report when conducted or commissioned by DXC.
• Contact DXC to request this Option.

b. Infrastructure Penetration Test Report (Option)

DXC will:
• Commission a penetration test from an independent third party and provide an annual summary copy of the report to the Customer.

Customer will:
• n/a

Additional Ordering Information:
• One report is issued globally for the Services. This report covers a representative sample of the DXC infrastructure and includes tests that attempt to break out of a Virtual Server, break out of a tenant compartment, break into the Managed VPC Management Infrastructure, and penetrate from the public internet.
• Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope.
• One-time Charge per report. There is no need to purchase more than one copy.
• Contact DXC to request this Option.

c. ISAE 3402/SSAE16 SOC1 Type II Report (Option)

DXC will:
• Commission the report from an independent third party for the Managed VPC infrastructure and provide a copy of the report to the Customer as and when available.

Customer will:
• n/a

Additional Ordering Information:
• One-time Charge per report.
• Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope.
• Contact DXC to request this Option.

d. AT Section 101 SOC2 Report (Option)

DXC will:
• Commission the report from an independent third party for the Managed VPC infrastructure and provide a copy of the report to the Customer as and when available.

Customer will:
• n/a

Additional Ordering Information:
• One-time Charge per report.
• Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope.
• Contact DXC to request this Option.

e. Customer Audit Days (Option)

DXC will:
• Provide an audit coordinator and/or authorized escort.

Customer will:
• Use available audit reports to address as many audit needs as possible.
• For any remaining items, provide scope and request for audit access 22 business days in advance.
• Commission auditors (Customer or an independent third party) to perform the audit.
• Provide relevant findings to DXC.

Additional Ordering Information:
• Charge is per Audit Day plus expenses.
• Access to DXC facilities requires 22 business days’ prior notice.
• Access to DXC personnel requires 10 business days’ prior notice.
• Contact DXC to request this Option.
• All Customer audits are subject to the requirements described in Section 1.10 of this Solution Pack.

S2.3.2. Data Center Security

This Section describes the minimum basic controls in place at data centers hosting Managed VPC environments. Additional controls may exist and vary by location.

The table below describes Security Service components provided for DXC data centers, along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Asset Management (Base)

DXC will:
• Maintain an inventory of physical assets in the DXC data center.

Customer will:
• n/a

Additional Ordering Information: n/a

b. Physical Security Perimeters (Base)

DXC will:
• Provide multiple physical perimeters with restricted access to sensitive areas of the DXC data center.
• Provide access controls employing electronic badges and a second factor (i.e., passcode or biometrics).

Customer will:
• n/a

Additional Ordering Information: n/a

c. Secure Disposal of Media (Base)

DXC will:
• Securely erase data before reuse of Media and securely dispose of Media that is physically decommissioned and not reused.

Customer will:
• n/a

Additional Ordering Information: n/a

d. Guards (Base)

DXC will:
• Provide 24x7 guards to patrol and monitor the DXC data center.

Customer will:
• n/a

Additional Ordering Information: n/a

e. Video Surveillance (Base)

DXC will:
• Provide monitoring and recording of entry and exit points in and around the DXC data center.

Customer will:
• n/a

Additional Ordering Information: n/a

f. Redundant Infrastructure (Base)

DXC will:
• Provide redundant power to be available in the form of multiple power feeds where possible and backup power in all locations.

Customer will:
• n/a

Additional Ordering Information: n/a

g. Wireless Access Point Scanning (Base)

DXC will:
• Perform quarterly scans to detect and remove unauthorized wireless access points allowing connectivity to the VPC infrastructure.

Customer will:
• n/a

Additional Ordering Information: n/a

S2.3.3. Encryption and Key Management

This Section describes the Optional encryption related services currently available for Managed VPC.

The table below describes Security Service components for encryption and key management activities, along with responsibilities related to these components.


Security Service Component | Responsibilities | Additional Ordering Information

a. Encryption of Off-Site Backup Tapes (Option)

DXC will:
• Encrypt data backed up to Tape for removal to off-site storage.

Customer will:
• n/a

Additional Ordering Information:
• Included when Customer purchases off-site backup services as described in Schedule 4.

b. Encryption at Rest (Option)

DXC will:
• Install and configure Vormetric encryption console in Customer Compartment.
• Install agents on Managed Servers.
• Register agents to console.
• Give Customer access to the console to manage the encryption settings if requested by Customer.
• If DXC is requested to manage the console, place the console in “learn mode” to generate the policy.
• If DXC is requested to manage the console, activate the policy after an agreed period of time in “learn mode”.

Customer will:
• Cause agents to be installed on Unmanaged Servers.
• Generate encryption keys and manage encryption from the console or purchase additional consulting or training from DXC or directly from Vormetric as needed for assistance configuring policies.

Additional Ordering Information:
• Recurring monthly Charge per console and per server.
• One console is recommended per Customer Compartment. Consoles are configured with 99% Availability. Encryption will continue to function if the console temporarily goes down.
• Prices decrease as the volume increases into progressive tiers. All servers will receive the rate for the total volume. Volumes may be combined between multiple sites if they are all for a single Customer.

S2.3.4. Governance and Risk Management

This Section describes Base Services performed by DXC to manage risk within the Managed VPC delivery environment and to prevent configuration drift and an Optional Add-On available to Customer. There are no Customer deliverables or ordering options associated with any Base Services listed below. DXC reserves the right to test or scan any Managed Server(s) for security issues at any time.

The table below describes Security Service components for governance and risk management activities, and responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Annual Risk Assessment (Base)

DXC will:
• Conduct a risk assessment of the Services’ offering at least annually.

Customer will:
• n/a

Additional Ordering Information: n/a

b. Security Policy (Base)

DXC will:
• Configure Customer VPC servers (Managed and Unmanaged Servers) and infrastructure with settings compliant to DXC policies.

Customer will:
• Never circumvent or disable DXC provided security settings, tools, or controls without DXC authorization.
• Determine the appropriate security policy for Customer managed operating systems.

Additional Ordering Information: n/a

c. Server Policy Compliance Scanning (Base)

DXC will:
• Conduct compliance scans on any Managed Server(s) without notice.

Customer will:
• n/a

Additional Ordering Information: n/a

d. Server Policy Compliance Scanning Reports (Option)

DXC will:
• Provide access to server policy compliance scanning reports on DXC Managed and Unmanaged Servers in the Customer’s VPC compartment.

Customer will:
• Identify Customer VPC servers (Managed and Unmanaged Servers) to be included in the scanning report.

Additional Ordering Information:
• Recurring monthly Charge per server.
• Orderable through the Managed Services Portal.
• Scanning may occur on any frequency deemed appropriate by the Customer, as frequently as weekly.
• Select servers may be scanned more frequently than weekly in troubleshooting circumstances, but not as a routine.


S2.3.5. Identity and Access Management

This Section outlines the controls in place for account management, access management, and authentication. Administrative access to Managed Servers is subject to DXC control with access provided to Customer when requested. DXC will not be responsible for any missed Service Levels caused by Customer action. DXC support personnel will not have access to Unmanaged Servers, so it is Customer’s responsibility to manage access to those servers.

The table below describes Security Service components for identity and access management activities, along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. DXC Administrative Access (Base)

DXC will:
• Cause all DXC support personnel to securely authenticate with an individually identifiable access method and a minimum of 2-factor authentication before accessing the Customer’s VPC compartment.

Customer will:
• n/a

Additional Ordering Information: n/a

b. Customer Administrative Access (Base)

DXC will:
• Upon request from an authorized requester, allow administrative access to Managed Servers.
• Provide an initial administrative account for Unmanaged Servers.

Customer will:
• n/a

Additional Ordering Information: n/a

c. Role Based Access Control (Base)

DXC will:
• Determine DXC support personnel access based upon job role and subject to an authorized approver.

Customer will:
• n/a

Additional Ordering Information: n/a

d. Password Controls (Base)

DXC will:
• Configure password controls on Customer Servers (Managed and Unmanaged Servers) and infrastructure to comply with current DXC password policies.

Customer will:
• n/a

Additional Ordering Information: n/a

e. User Access Authorization (Base)

DXC will:
• Require and record authorization for Managed VPC provisioned access credentials.

Customer will:
• n/a

Additional Ordering Information: n/a

f. User Access Reviews (Base)

DXC will:
• Conduct quarterly reviews of all elevated access permissions to Managed VPC systems for DXC personnel.

Customer will:
• n/a

Additional Ordering Information: n/a

g. User Access Revocation (Base)

DXC will:
• Remove access for DXC personnel whose access is no longer appropriate.
• Remove access for Customer personnel as directed by authorized requester.

Customer will:
• Notify DXC of any Customer user access which is no longer required.

Additional Ordering Information: n/a

h. Accountability (Base)

DXC will:
• Ensure DXC user accounts are traceable to an individual and are not shared.

Customer will:
• Assume responsibility for any actions performed by Customer employees.

Additional Ordering Information: n/a

i. Multi-Factor Authentication on the Managed Services Portal (Base)

DXC will:
• Cause the Managed Services Portal to be federated with Authentication Authority for two factors of authentication for all accounts before access is granted to the Managed Services Portal.

Customer will:
• Identify and supply an LDAP or Microsoft Active Directory compatible Authentication Authority for first factor authentication to be federated with the Managed Services Portal for authenticating Customer users with a username and password.
• Identify and supply a RADIUS compatible Authentication Authority for second factor authentication to be federated with the Managed Services Portal.
• Purchase the first and second factor authentication service from DXC if Customer does not have a compatible solution as described above.
• Cause all Portal Users to maintain reasonably secure password credentials (keep credentials secret and use industry standard complexity requirements).

Additional Ordering Information:
If the Customer does not have an LDAP or Microsoft Active Directory compatible Authentication Authority for first factor authentication, and a compatible second factor service, this can be purchased as an Add-On from DXC.

S2.3.6. Infrastructure and Virtualization Security

This Section describes Base Services related to Infrastructure and Virtualization Security.

The table below describes Security Service components for Infrastructure and Virtualization Security along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Time Synchronization of Management Infrastructure (Base)

DXC will:
• Cause all Managed VPC infrastructure systems to synchronize with a central and consistent time source.

Customer will:
• n/a

Additional Ordering Information: n/a

b. Customer Dedicated Virtual Firewall (Base)

DXC will:
• Cause the Virtual Firewall Instance to be dedicated to Customer and configure rules into and out of the Customer Compartment as directed by the Customer and as required by DXC to provide the contracted support.

Customer will:
• Notify DXC of any changes to the firewall rules as required by the Customer or use a DXC provided interface to apply such rules.

Additional Ordering Information: n/a

c. Customer Segregation (Base)

DXC will:
• Configure multiple firewalls to prevent routing between the Customer Compartment and other tenant compartments.

Customer will:
• n/a

Additional Ordering Information: n/a

d. OS Hardening (Base)

DXC will:
• Configure Managed VPC operating systems to then current pre-hardened DXC Gold Images.

Customer will:
• n/a

Additional Ordering Information: n/a

e. Virtual Server Access (Base)

DXC will:
• Configure the virtualization layer so that access through the virtualization layer to Virtual Server operating systems is not allowed.
• Access Virtual Server operating systems as required from the Customer Compartments via jump servers.

Customer will:
• n/a

Additional Ordering Information: n/a


S2.3.7. Security Incident Management, E-Discovery and Cloud Forensics

This Section describes the Base Services related to management of security incidents and events and Optional Add-Ons available to Customer.

The table below describes Security Service components for Security Incident Management and E-Discovery and Cloud Forensics along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Security Incident Management

Base DXC will:

• Employ 24x7 monitoring and triage of security-related events with escalation for resolution and/or Incident Management.

• Notify the designated Customer contact of any material security Incidents directly impacting the Customer.

Customer will:

• Manage Customer security Incidents.

• Notify the designated DXC contact of any material security Incidents directly impacting the VPC environment.

• Designate a Customer contact to receive notification of material security Incidents.

Additional Ordering Information: n/a

b. E-Discovery and Cloud Forensics

Option DXC will:

• Provide E-Discovery and Cloud Forensics services under direction of Customer.

Customer will:

• Subscribe to or purchase Add-On service features if or as desired.

Additional Ordering Information:

• Subscription or Add-On services available.

• Contact DXC account team to request quotation.

• This service feature is provided from a separate DXC organization to provide a level of separation.

c. Evidence Gathering for Customer Managed Incidents

Option DXC will:

• Provide copies of data or evidence appropriate for chain of custody requirements as required.

• Protect the availability and confidentiality of the data of other customers.

Customer will:

• Provide DXC with detailed requests for data gathering when required.

Additional Ordering Information:

• Contact DXC account team to request quotation.

S2.3.8. Threat and Vulnerability Management

This Section describes the Base Services related to the discovery and management of malicious code and vulnerabilities and Optional Add-Ons available to Customer. DXC reserves the right to scan any Customer VPC servers (Managed and Unmanaged Servers) for security issues and vulnerabilities at any time.

The table below describes Security Service components for Threat and Vulnerability Management along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Antivirus Software on Windows

Base DXC will:

• Cause antivirus software to be installed and maintained on all Managed Servers using Windows OS.

• Configure signature updates to occur continuously or daily.

Customer will:

• Install and manage antivirus software on all Unmanaged Servers using Windows OS.

Additional Ordering Information: n/a

b. Antivirus Software on Linux

Option DXC will:

• Cause antivirus software to be installed and maintained on designated Managed Servers using Linux OS.

• Configure signature updates to occur continuously or daily.

Customer will:

• n/a

Additional Ordering Information:

• Recurring monthly Charge per server.

• Orderable through Managed Services Portal.

• The agent scans for Windows virus signatures on the Linux managed volumes.

c. Patch Management

Base DXC will:

• Cause patches for Managed VPC operating systems to be tested and installed on a regular cycle and as deemed appropriate by DXC.

Customer will:

• Avoid unnecessary deferrals of patching for Customer VPC servers (Managed and Unmanaged Servers).

• Cause patches for Unmanaged Servers operating systems to be installed within a reasonable time.

Additional Ordering Information: n/a

d. Vulnerability Scanning

Base DXC will:

• Conduct vulnerability scans on any Customer VPC servers (Managed and Unmanaged Servers) without notice or restriction.

Customer will:

• n/a

Additional Ordering Information: n/a

e. Vulnerability Scanning Reports

Option DXC will:

• Provide access to vulnerability scanning reports on servers in the Customer’s VPC compartment.

Customer will:

• Identify servers to be included in the scanning report.

Additional Ordering Information:

• Recurring monthly Charge per server

• Orderable through Managed Services Portal.

• Scanning may occur on any frequency deemed appropriate by the Customer, as frequently as weekly.

• Select servers may be scanned more frequently than weekly in troubleshooting circumstances, but not as a routine.

f. External Vulnerability Scanning Reports

Option DXC will:

• Provide Customer a self-service vulnerability scan of public facing IP addresses using a scanner on the public internet.

• Deliver an external vulnerability scan report.

Customer will:

• n/a

Additional Ordering Information:

• One-time Charge per server per scan

• Orderable through the Managed Services Portal.

• Scanning may occur on any frequency deemed appropriate by the Customer.

• Scanning is fully automated.

S2.3.9. Regulatory Compliance

This Section describes an Optional Add-On not mentioned elsewhere.

The table below describes Security Service components for Regulatory Compliance along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. HIPAA

Option DXC will:

• Conduct infrastructure, operating system and server management in a manner compliant with HIPAA requirements.

Customer will:

• Identify and provide or purchase security options as required to meet HIPAA requirements (if any) applicable to the Customer.

Additional Ordering Information: Available at no additional cost to Customer.

S2.3.10. Managed VPC Continuity Service – Security Supplement

This Section describes the additional layers of security that apply when select disaster recovery services described in Schedule 3 are purchased by the Customer for Managed Servers in conjunction with Managed VPC Services. These Continuity Services Security Service component Options will apply in the event of a conflict with any Base or Optional security services components stated elsewhere in this Schedule.

The table below describes Security Service components for Continuity Services along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Physical Security Perimeters

Option DXC will:

• Provide multiple physical perimeters with restricted access to sensitive areas of the DXC data center.

• Provide access controls employing electronic badges and a second factor authentication (i.e., passcode or biometrics).

Customer will:

• n/a

Additional Ordering Information:

• Standard feature when purchasing Continuity Services

b. Perimeter Network Intrusion Prevention System

Option DXC will:

• Place network intrusion prevention sensors (“NIPS”) on the perimeter of the infrastructure to filter all inbound traffic.

• Maintain and tune the NIPS filters as deemed appropriate by DXC.

Customer will:

• n/a

Additional Ordering Information:

• Standard feature when purchasing Continuity Services

c. DXC Administrative Access

Option DXC will:

• Cause all DXC support personnel to securely authenticate with an individually identifiable access method and a minimum of 2-factor authentication before accessing the Customer’s VPC compartment.

Customer will:

• n/a

Additional Ordering Information:

• Standard feature when purchasing Continuity Services

d. Customer Dedicated Virtual Firewall

Option DXC will:

• Cause the Virtual Firewall Instance to be dedicated to Customer and configure rules into and out of the Customer Compartment as directed by the Customer and as required by DXC to provide the contracted support.

Customer will:

• Notify DXC of any changes to the firewall rules as required by the Customer or use a DXC provided interface to apply such rules.

Additional Ordering Information:

• Standard feature when purchasing Continuity Services

e. Customer Segregation

Option DXC will:

• Configure multiple firewalls to prevent routing between the Customer Compartment and other tenant compartments.

Customer will:

• n/a

Additional Ordering Information:

• Standard feature when purchasing Continuity Services

f. Virtual Server Access

Option DXC will:

• Configure the virtualization layer so that access through the virtualization layer to Virtual Server operating systems is not allowed.

• Access Virtual Server operating systems as required from Customer Compartments via jump servers.

Customer will:

• n/a

Additional Ordering Information:

• Standard feature when purchasing Continuity Services

g. Encryption in Transit

Option DXC will:

• Provide an encryption capability for Customer use when transmitting Customer Data over the public internet.

Customer will:

• n/a

Additional Ordering Information:

• Standard feature when purchasing Continuity Services

h. Secure Data Deletion

Option DXC will:

• Subject SAN-attached discs to a 3-pass wipe process when removing from operational use.

Customer will:

• n/a

Additional Ordering Information:

• Standard feature when purchasing Continuity Services


S2.3.11. Web Application Firewall (“WAF”) Service

This Section describes the additional responsibilities that apply when the Web Application Firewall service is purchased by Customer in conjunction with the Services. DXC reserves the right to change software or tools without restriction to equivalent software or tools.

The table below describes optional Security Service components for the WAF service along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Web Application Firewall Service

Option DXC will:

• Install and configure a WAF in the Customer Compartment (currently the F5 Networks, Inc. (“F5”) Virtual application security manager (“ASM”) appliance).

• Give Customer access to the console to manage the WAF settings if requested by Customer.

• If DXC is requested to manage the WAF, place the ASM in “learn mode” to generate the policy.

• If DXC is requested to manage the console and activate the policy after an agreed period of time in “learn mode”.

Customer will:

• Purchase additional consulting or training from DXC or directly from F5 as needed for assistance configuring the ASM.

Additional Ordering Information:

• Recurring monthly Charge per ASM.

• One WAF is recommended per compartment. WAFs are configured with 99.9% Availability. Web sites will continue to function if the WAF temporarily goes down.


S2.3.12. Remote Access with Optional 2-Factor Authentication

This Section describes the additional responsibilities that apply when the optional Remote Access with Optional 2-Factor Authentication service is purchased by the Customer in conjunction with the Services. DXC reserves the right to change software or tools without restriction to equivalent software or tools.

The table below describes Security Service components for the Remote Access with Optional 2-Factor Authentication service along with responsibilities related to these components.

Security Service Component | Responsibilities | Additional Ordering Information

a. Remote Access Gateway

Option DXC will:

• Install and configure a Remote Access Gateway (“GW”) in Customer Compartment (currently a pulse VPN gateway Virtual Appliance).

• Manage the license for the GW.

• Configure the GW to use the Authentication Authorities specified by Customer.

Customer will:

• Identify the Authentication Authority (typically an LDAP compatible solution such as Microsoft Active Directory) and an optional second factor RADIUS compatible authority to be configured and provide the required details and credentials to connect the GW.

Additional Ordering Information:

• Recurring monthly Charge per GW.

• One GW is recommended per compartment. GWs are configured with 99.9% Availability. Servers will continue to function if the GW temporarily goes down.

b. Remote Access User

Option DXC will:

• Manage the license for the End User which allows the End User to connect to the GW.

Customer will:

• Identify the quantity of users to be assigned to each purchased GW.

Additional Ordering Information:

• Requires at least one GW.

• Recurring monthly Charge per End User.

c. 2-Factor Uplift for Remote Access User

Option DXC will:

• Provide the second factor (one-time password or digital certificate) to the identified users with instructions for use.

• Manage the license for the End User which allows the End User to authenticate with a second factor to the Remote Access Gateway.

Customer will:

• Identify the End Users with requested contact information.

• Notify DXC immediately when an End User’s access is to be suspended or revoked.

Additional Ordering Information:

• Requires an equal or greater number of Remote Access Users.

• Recurring monthly Charge per End User.


Schedule 3. Continuity Services

S3.1. Introduction

This Schedule will apply to each Order placed for Services, to the extent the Continuity Services are selected for purchase by Customer, and will remain in effect unless it is terminated or expires in accordance with this Solution Pack. In the event of any conflict or inconsistency between this Schedule and this Solution Pack, this Schedule will prevail with respect to the subject matter of this Schedule. General descriptions or references to particular services in this Schedule or elsewhere in this Solution Pack are subject to the more detailed descriptions below. Continuity Services are only available for use in the Customer’s Managed VPC compartment, and DXC will be obligated to provide Continuity Services only if Customer has also selected to purchase all the following Services for the servers, storage, and other infrastructure for which Customer desires the Continuity Services:

a. File System Level Backups as described in Schedule 4; and

b. Database Backups for Managed Servers as described in Schedule 4.

Termination or suspension of all or any part of the Services for any reason will automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Continuity Services under this Schedule.

S3.2. Replication Based Disaster Recovery – Discovery Phase

S3.2.1. DXC Responsibilities:

a. Designate 2 or more representative(s) as its principal point(s) of contact for the Discovery Phase.

b. Collect requirements relating to Replicated Data Sets during the Discovery Phase.

c. Advise Customer on:

i. The amount of Replication bandwidth required to maintain the Replication Service Level objectives;

ii. Connectivity solutions that are suitable for access to the Managed VPC Continuity Services Recovery Center; and

iii. The number of Process Servers required to maintain the Replication Service Level objectives.

S3.2.2. Customer Responsibilities:

a. Designate at least two persons as its principal point(s) of contact for the Discovery Phase. Customer will also need to designate a technical network representative able to discuss the design aspects of how Customer will access systems once failed across to the Managed VPC Continuity Services Recovery Center.

b. Identify the servers that will be protected by the Replication Based Disaster Recovery service and ensure the required data regarding those servers is provided during the data collection element of discovery.


c. Provide support and assistance to DXC assigned Discovery Phase representatives so the volume of changed data over a day can be assessed and agreed for the servers that are to be included in the Replication Based Disaster Recovery service.

d. Advise DXC of any specific external connectivity requirements the Customer application will require when failed over to the Managed VPC Continuity Services Recovery Center.

e. If Customer access to the Managed VPC Continuity Services Recovery Center is not being provided by VPN over the internet, Customer will provide a suitable network solution to provide this access.

f. Ensure the Customer’s applications can meet the technical requirements of the Replication Based Disaster Recovery service.

S3.3. Replication Based Disaster Recovery - Deployment Phase

S3.3.1. DXC Responsibilities:

a. Designate two or more representative(s) as its principal point(s) of contact for the Deployment and Operational Phases of the engagement. DXC may replace its representative(s) for the Discovery, Deployment, or Operational Phases at any time and will so inform Customer.

b. Deliver, install, configure, and thereafter maintain the Replication Equipment within the Managed VPC Customer Compartment(s).

c. Perform technical tests as needed.

d. Install Replication Agents.

e. Configure Replication Recovery Environment for the Replicated Data Sets.

f. Upon completion of the foregoing, commence operations (as described in Section S3.4 below).

S3.3.2. Customer Responsibilities:

a. Designate at least two persons as its principal point(s) of contact for the Deployment and Operational Phases of the engagement. In addition, Customer will designate at least two Technical Representatives authorized to act for Customer concerning operational matters related to delivery of Services within the Deployment and Operational Phases which may include participation in periodic review sessions conducted by DXC as described in Section S3.3.1 above. Customer may replace its representative(s) for the Discovery, Deployment, or Operational Phases at any time and will so inform DXC.

b. Identify Replicated Data Sets and associated servers.

c. Make skilled, knowledgeable technical staff available and provide other cooperation and support as reasonably necessary to perform Customer’s Responsibilities and cooperate with DXC.

S3.4. Replication Based Disaster Recovery Operational Phase

After completion of deployment, the Operational Phase will commence.


S3.4.1. DXC Responsibilities:

a. Monitor and manage the Replication Recovery Environment, consisting of the Replication Equipment and Compute Resources, taking appropriate corrective action as reasonably necessary to maintain sufficient operational capacity and capability.

b. Reconfigure the Replication Recovery Environment as needed to accommodate changes in Replicated Data Sets and other approved or permitted changes.

c. Make the Managed Services Portal for Continuity Services available to Customer. DXC will provide Managed Services Portal usage instructions to the Customer’s Authorized Representatives as required.

d. Increase or withdraw Replication Equipment and configure as needed to support increases or reductions in committed capacities and the size and number of Replicated Data Sets, as requested by Customer, and generally in accordance with the processes described above for deployment and below for disengagement.

e. Review information and documentation furnished by Customer and consult with Customer as needed regarding the accuracy and completeness of the information and documentation.

f. Conduct review sessions to consult with Customer’s Technical Representative regarding issues and Incidents at such times and intervals as DXC deems advisable (or upon Customer’s reasonable request).

g. Make Replication Equipment continuously available (apart from Maintenance Windows or essential repairs) for Replication of the data sets designated by Customer.

h. Upon Invocation, designate a point of contact, set up and enable Customer’s Replication Recovery Environment and make it available, together with any Optional Add-On selected by Customer in accordance with the procedures described by the Continuity User Guide.

i. After Invocation, support Fail-Over of protected systems, using Replicated Data Sets as Customer’s Primary Data and the Compute Resources.

j. When the Managed VPC production environment is again operational, set up reverse Replication, install Replication Agents, and, when ready to resume normal operations, set up forward Replication in accordance with the procedures described by the Continuity User Guide.

k. Provide the Security Services described by Schedule 2.

S3.4.2. Customer Responsibilities:

a. Review and update Replicated Data Sets and associated servers as needed but at least semi-annually.

b. Be responsible for resolution of any Problems that involve activities within the Customer Compartments specific to the data being replicated.

c. Maintain configurations for its systems to permit access by the Replication Equipment.

d. Coordinate software upgrades on relevant servers with DXC to ensure compatibility with Replication Agent software.


e. Consult the Managed Services Portal for Continuity Services regularly (but at least weekly) to monitor the Replication Recovery Environment, Replication targets, space usage, and other pertinent information.

f. Comply with Customer’s security obligations as described in Schedule 2.

g. Provide an Invocation declaration following notice from DXC that a Force Majeure Event affecting DXC’s performance of Continuity Services has occurred.

h. Promptly inform DXC of any perceived difficulty with Replication or other aspects of operations, and of any material changes in Customer’s environments that may affect Replication or other aspects of operations.

S3.5. Recovery Rehearsals

S3.5.1. DXC Responsibilities:

a. Upon Customer’s request, given at least 14 days advance notice (and subject in all cases to the potential need to make staff, equipment, and other resources available to perform recovery services and previously scheduled Rehearsals for other customers) schedule and conduct Rehearsals in accordance with its standard procedures then in effect, as disclosed in writing and made available to the Customer.

b. Conduct Rehearsals during normal business hours at the relevant DXC facilities, at times reasonably determined by DXC, using Snapshot copies of Replicated Data Sets and an isolated network within the DXC facility in order to avoid disruption of normal data Replication.

c. Provide a standard post-Rehearsal report and, upon request, conduct a post-Rehearsal conference call to review the results. If all or a portion of a Rehearsal is unsuccessful, it may be repeated (without additional Charge if it was unsuccessful because of DXC’s failure to perform its responsibilities).

S3.5.2. Customer Responsibilities:

a. Request a Rehearsal at least 14 days in advance.

b. Acknowledge that DXC reserves the right to suspend or cancel Rehearsals at any time, even while in progress, if equipment, staff, and other resources are required in order to support recovery services to customers.

S3.6. Maintenance Windows

S3.6.1. DXC Responsibilities:

a. Perform regular maintenance, update or upgrade hardware or software, or for other similar purposes during Maintenance Windows that are scheduled at DXC’s discretion at times announced in advance.

b. Advise Customer of any material changes in the timing or duration of the Maintenance Windows.

c. If Customer suffers a disaster during a Maintenance Window and Replicated Data Sets or equipment are then unavailable, make diligent efforts to complete maintenance then in progress as quickly as reasonably possible and make them available for performance of Replication Based Disaster Recovery services.


S3.6.2. Customer Responsibilities:

a. Acknowledge that DXC may take the Customer’s Replication Recovery Environment in the Managed VPC Continuity Services Recovery Center out of service during Maintenance Windows in order to perform regular maintenance as deemed required by DXC.

b. Acknowledge that during Maintenance Windows, replicated data will be retained temporarily on Customer’s Replication Equipment. Buffered data is released after completion of the Maintenance Window.

c. Acknowledge that DXC reserves the right to withdraw equipment from service during Maintenance Windows.

S3.7. Limitations and Exclusions

a. Recovery services are limited to Contracted Continuity Storage Capacity and Replicated Data Sets.

b. Replication Based Disaster Recovery services are provided using shared infrastructure, staff, and other resources maintained for use in Rehearsals and, when necessary, actual recovery for DXC customers generally. Resources are generally allocated on a first-come, first-served basis. Availability of sufficient capacity cannot be guaranteed, but if capacity is insufficient to meet recovery requirements of multiple customers (for example, following a major natural disaster or other catastrophe affecting multiple customers) DXC will use and allocate available capacity reasonably and impartially among similarly situated customers. Customer will cooperate with DXC to allocate available capacity among affected customers and will take reasonable measures, which may include (among others) shared use of facilities and equipment, substitution of configurations, and use of alternate DXC sites.

c. Replication Based Disaster Recovery services include two eight-hour business days for Rehearsals every twelve months. Rehearsals aborted by DXC (for example, because of disasters affecting other customers) do not count toward the foregoing limitations. Rehearsals are conducted during the normal business hours at relevant DXC facilities. Additional Rehearsals or Rehearsal time may be available at additional cost, subject to availability, as provided above.

d. Replication Based Disaster Recovery services include up to 90 days of recovery service (that is, operation using the Replicated Data Sets as Customer’s Primary Data and operation from the Compute Resources furnished under the Replication Based Disaster Recovery services) following an Invocation.

e. Replication Based Disaster Recovery services exclude support for Customer’s applications, operating systems, and End Users; creation of test cases or providing test resources; and additional copying of data to any backup service or device, other than the Replication Equipment. Customer further acknowledges that during recovery operations, DXC provides no additional data backup or redundancy beyond what the Customer is required to purchase as a prerequisite for Replication Based Disaster Recovery services, as specified in Section S3.1.


f. Customer acknowledges that data Replication is not instantaneous, but involves delays because of the Replication and communication technologies. DXC therefore has no responsibility or liability for data lost or corrupted because of communications time lags or delays, such as data generated between the time of the last successful data Replication and the relevant Invocation.

g. If a Force Majeure Event makes the Replication Equipment or the Managed VPC Continuity Services Recovery Center unavailable, DXC will promptly inform Customer and use reasonable efforts to restore operations in accordance with its corporate continuity plan then in effect.

h. After Invocation, Service Levels do not apply until normal operations are restored.

S3.8. Optional Add-On Service Features

Upon request, through an Order or approved change, DXC will provide the Optional Add-Ons described below for the applicable additional Charges.

S3.8.1. Additional Rehearsals

Additional Rehearsals or Rehearsal blocks may be available at an additional Charge, upon Customer’s request, subject to availability of resources.

S3.8.2. Temporary Storage

Customer may request additional Temporary Storage to be made available during Rehearsal or Invocation. This storage capacity will be made available only for the period of the Rehearsal or Invocation and is intended for the storage of transitory data. All data held in the Temporary Storage will be deleted at the end of the Rehearsal or Invocation. Temporary Storage will not be available during normal operations and does not form part of the replicated storage capacity.

S3.8.3. Allocated Hypervisor

An Allocated Hypervisor on an associated allocated server is available as an Optional Add-On if Customer has specific physical hardware requirements for particular recovered virtual machines to run on. These hardware requirements will specify either socket count, core count, or memory of the Physical Server enabling Customer to meet specific application software licensing terms and conditions.

S3.8.4. Hosted Active Directory Server

If Customer requests this Optional Add-On, DXC will provide a virtual machine within the recovery environment to host an Active Directory Server in order to support complex Microsoft Active Directory configurations (e.g., multiple domains and/or multiple sites).

S3.8.5. Additional Virtual Routing Instance

Continuity Services provide as part of the core solution a single Virtual Routing Instance in the recovery environment. If Customer has more complex network requirements and needs multiple independent routers, Customer may purchase additional independent Virtual Routing Instances. These instances are made available during Invocation or Rehearsals and are not permanently active.

S3.8.6. Additional Virtual Firewall Instance

Continuity Services provide as part of the core solution a single Virtual Firewall Instance in the Invocation compartment. If multiple independent firewalls are required, Customer may purchase additional Virtual Firewall Instances. These instances are made available during Invocation or Rehearsals and are not permanently active.

S3.8.7. Process Servers

Additional Process Servers may be required to support the total amount of Customer Data to be protected. The number of total Process Servers will be determined by DXC and presented to Customer for approval.

S3.8.8. Customer Rehearsal Management Process Optimization

DXC provides remote access to a DXC consultant certified by Disaster Recovery Institute International (“DRII”) and/or the Business Continuity Institute (“BCI”) to advise the Customer in areas related to planning and execution of business IT process testing on the recovered systems and evaluation of the results of these tests. DXC’s standard list pricing applies based on the size of the engagement, which will also determine the maximum number of business days during which the DXC consultant would be available to the Customer. Additionally, DXC provides document templates for Customer internal use to assist the Customer in defining business processes to be tested after recovery, Customer Responsibilities related to testing business IT processes, desired outcomes of business IT process testing, and metrics used to validate successful testing of business IT processes. In support of this effort, the Customer will engage business process leaders who understand the Customer’s business processes to be recovered and can contribute to defining these business processes and verification of testing processes and metrics to be applied. The Customer is responsible for execution against the defined processes during the Rehearsal and for gathering and recording test results.

S3.8.9. IT Services Continuity Management (“ITSCM”) Workshop

If this Optional Add-On is selected by Customer, DXC will facilitate an annual workshop, the purpose of which is to assess and document the Customer’s current Continuity Services capability and compare this to industry best practice as described by the BCI and DRII and within ISO 22301. DXC’s standard list pricing applies based on the size of the engagement, which will also determine the duration of the workshop. The workshop can be conducted virtually through use of teleconferencing or at the Customer requested location (subject to Customer’s reimbursement of DXC’s travel related expenses). The workshop will require active Customer participation as DXC deems necessary to determine the full scope of their ITSCM capability, which will encompass any third-party providers of ITSCM/disaster recovery services/solutions. Following the workshop, DXC will provide a report that will document findings resulting from the workshop and is intended to highlight deficiencies in the Customer’s existing ITSCM processes and to recommend remedial actions. This report is not, and may not be used as, an audit against ISO 22301, ISO 22313, or any Service management standard.

S3.9. Support Services

S3.9.1. Liaison between DXC and Customer

Provide Customer with access to the Operations Center as set forth in Section 1.11.

The following are examples of how the Operations Center priority levels would apply for Continuity Services:

Priority | Description | Examples
Priority 1 | Emergency event | Production system outage or severely affected by Replication; requests for assistance during Fail-Over
Priority 2 | Business critical Problem | Replication stalled
Priority 3 | Degraded service | Loss of a single Replication instance
Priority 4 | Priority requests | Response to high-priority support questions (at Customer’s reasonable request); High priority change request
Priority 5 | Routine | Lower priority questions or change requests

If an Incident reported to the Operations Center requires designation of the Data Copy as Primary Data, Replication will be suspended until the production site has been restored and data has been re-synchronized.

S3.9.2. Customer Data Erasure

All Customer Data residing on DXC storage infrastructure contained within the Replication Recovery Environment, and used to deliver the Services during Rehearsals or normal operations, will be erased from the storage as part of the standard Multi-Tenant storage array capability when returned to the storage pool prior to it being made available for use by other customers.

If Customer requires a 3-pass security erasure of their data, this is available on request as a chargeable custom Option priced on request and is not included as part of the Base Services.

S3.10. Disengagement

Beginning 90 days before Continuity Services are scheduled to expire, or promptly following issuance of a termination notice for the Services and/or Continuity Services, DXC will have the following responsibilities. In case of partial termination, the following will apply only to the portion of Continuity Services terminated, including related infrastructure.

a. Discontinue activities associated with delivery of Replication Based Disaster Recovery, including discontinuation of all Replication and erasure of all storage media.

b. Give Customer notice that all operating systems and storage Media have been erased at the Managed VPC Continuity Services Recovery Center as further described in Section S3.9.2.

Schedule 4. Backup and Recovery Services

S4.1. Introduction

This Schedule will apply to each Order placed for Services to the extent the Managed VPC backup and recovery services (“BUR”) are selected by Customer for purchase, and will remain in effect unless it is terminated or expires in accordance with this Solution Pack. In the event of any conflict or inconsistency between this Schedule and this Solution Pack, this Schedule will prevail with respect to the subject matter of this Schedule. General descriptions or references to particular Backup and Recovery Services in this Schedule 4 or elsewhere in this Solution Pack are subject to the more detailed descriptions below. Backup and Recovery Services’ usage is limited to within the Customer’s Managed VPC environment.

Termination or suspension of all or any part of the Services for any reason will automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Backup and Recovery Services.

The Services as further described within this Solution Pack consist of:

a. Protection Services for servers or devices that provide Full Server Backup. Protection Service options include:

i. Filesystem backup; or

ii. Filesystem and database backup.

b. Long-Term Protection and Archival Services that provide additional backup copies retained beyond 60 days on:

i. Encrypted physical medium (LTO cartridges) stored off-site in a secure facility managed by third-party providers outside of DXC; and

ii. Encrypted on-line virtual disk storage located in a DXC data center(s), where the Services are provided.

S4.2. Responsibilities and Exclusions

S4.2.1. DXC Responsibilities:

a. Operate DXC data centers in accordance with DXC’s best practices:

i. Access control by key card or biometric scanner;

ii. Site monitoring which includes indoor/outdoor video surveillance and on-site security personnel on a 24 by 7 basis;

iii. Redundant power and cooling infrastructure;

iv. Diverse network access points;

v. ITIL based operations; and

vi. Review of data center physical security at least annually.

b. Encrypt identity passwords for system user access.

c. Use two factor authenticated access to privileged user accounts by DXC personnel.

d. Provide encryption at Customer’s option for Customer Data transmitted over the network (public or private).

e. Provide dedicated appliances for the Customer with a perimeter firewall that filters traffic flows to allow only well-defined traffic to move through the firewall.

f. Control Customer separation using the following standard networking technologies:

i. VLAN technology to maintain layer 2 segregation;

ii. Multi-protocol label switching at layer 3 to maintain separate Virtual Routing Instances for each customer allowing multiple subnets and VLANs to communicate within each customer environment; and

iii. Firewalls which provide perimeter security, and enable virtualized customer environments to exist within the same physical device.

g. Provide logical separation and isolation of Customer’s network traffic in order to reduce the risk that Customer Data could be subject to unauthorized exposure during transport across DXC’s BUR network infrastructure.

h. Assist Customer in securing dedicated Local Cache Device(s) which Customer will install within Customer-dedicated networks in order to separate Customer’s environments from other customers’ environments.

i. Collect and store security events from the hypervisor and other BUR devices so that security logs would be available for manual forensic analysis by DXC if such analysis were determined to be necessary.

j. Conduct Incident responses through DXC global security Operations Centers.

k. Make reasonable efforts to assist Customer with resolution of backup issues, provided they are promptly reported to DXC.

l. Secure Customer Data in the BUR Vault using industry standard “containers” that restrict customers to their dedicated storage pool.

m. Provide optional network intrusion detection and network intrusion prevention services to inspect traffic to the BUR network. Industry-standard attack filters are deployed in order to detect, report, and block known network security threats before they can harm the BUR network or infrastructure.

S4.2.2. Customer Responsibilities:

These Customer Responsibilities are not exhaustive.

a. Maintain responsibility for all security policies and procedures of its IT environment.

b. Install Local Cache Device within Customer-dedicated networks.

c. Provide suitable security controls applicable to the data and the applications in their environment.

d. Provide timely response to any security issues or Incidents identified by DXC.

e. Deploy software packages provided by DXC on all Customer’s servers protected by the Backup and Recovery Services (“Protected Servers”).

f. Configure and maintain Customer’s servers including backup agents, backup scripts, and associated applications.

g. Follow operational procedures delivered by DXC.

h. Accept standard firewall rules, in accordance with this Solution Pack.

i. Report, troubleshoot, and resolve Incidents impacting Customer’s servers protected by the Backup and Recovery Services remaining outside of DXC’s control.

j. Provide DXC with written notice, with delivery confirmation, at least 24 hours prior to performing a vulnerability scan of Customer’s dedicated network compartment(s).

k. Implement strong access and authentication controls and policies so that only its authorized users have access to the Customer servers.

l. For Protected Servers: keep operating systems patched on a timely basis; deploy commercial anti-malware tools and always keep those tools and definitions current; change default administrative passwords as necessary to maintain access security; and use reliable and secure authentication protocols and mechanisms.

m. Never access or attempt to access the DXC internal network or perform unauthorized testing or scanning (including penetration testing).

n. Require secure passwords when changing passwords on Customer accounts.

o. Restrict access within the applications and manage Customer user rights.

p. Notify DXC once encryption of Customer Data has been implemented.

q. Additionally, the Customer will:

i. Implement all data and application controls including the retention and removal of data from systems and encryption of sensitive data (if required);

ii. Follow secure practices for individual account based access for accountability and traceability;

iii. Identify sensitive data that requires “in country” retention;

iv. Purchase appropriate Protection Plans to meet the Customer’s requirements;

v. Provide account information and access rights for Customer’s servers in the Customer Compartment protected by the Backup and Recovery service and inform DXC when changes are implemented; and

vi. Adhere to monthly BUR Maintenance Windows and respect Emergency Change windows as and when requested by DXC.

S4.3. Protection Plans

Protection Services purchased by Customer provide protection for servers and all the storage assigned to servers (DAS or SAN) or NAS storage as described below. Responsibilities related to delivery of Protection Services are further detailed in Section S4.4.

S4.3.1. Filesystem Backup

If Customer chooses filesystem backup for their servers or devices (including Virtual Appliances), DXC will provide the following:

a. Weekly Full Server Backup of Customer files (excluding databases) using virtual storage technology;

b. Incremental daily filesystem backup of Customer files (excluding databases) using virtual storage technology;

c. FIPS compliant encryption of backup storage; and

d. Restoration of Customer’s files from backup upon request.

S4.3.2. Filesystem Backup for NAS Storage

If Customer utilizes the Backup and Recovery Services for their NAS storage, DXC will provide the following:

a. Weekly full and daily incremental NAS storage backup using virtual storage technology;

b. FIPS compliant encryption of backup storage;

c. Restoration of Customer’s files, folders, and shares from backup upon request; and

d. Recovery of Customer’s volumes from NAS Snapshot upon request.

Where NetApp arrays are managed by DXC, daily Snapshot of Virtual Machines will be created and retained for seven days.

In addition to the above, optional Long-Term Protection and Archival Services’ copies are available for NAS storage as described in Section S4.7. Note that protection for NAS storage does not support database backups.

S4.3.3. Filesystem and Database Backup

If Customer chooses filesystem and online database backup for their servers, DXC will provide the following:

a. Weekly Full Server Backup of Customer files (excluding databases) using virtual storage technology;

b. Incremental daily filesystem backup of Customer files (excluding databases) using virtual storage technology;

c. Online database backup of Customer databases using virtual storage technology with weekly full database backup (standard Protection Plan) or daily full database backup (high end Protection Plan), depending on the Protection Plan selected;

d. Daily on-line incremental/differential backup of Customer databases using virtual storage technology complementing weekly full database backup delivered by a standard Protection Plan;

e. Backup of the transaction log or archive log executed once every twelve hours (standard Protection Plan) or every two hours (high end Protection Plan) depending on the Protection Plan selected;

f. FIPS compliant encryption of backup storage; and

g. Restoration of Customer’s files and databases from backups upon request.

Note that not all databases support incremental or differential backups. Additional limitations may apply to the purchase of database backup services resulting from Customer required configuration of their database.

S4.4. Base Features

The following Base features apply to all Protection Service options described in Section S4.3 and are provided to Customer purchasing Protection Services at no additional Charge subject to conditions noted below.

S4.4.1. Protection Period

Customer can choose one of the following Protection Periods:

a. Thirty days; or

b. Sixty days.

S4.4.2. Data Locality

Customers who require a guarantee that their data will not leave the country of origin (country where backup was created) will be able to select the "Data Locality" option.

By choosing this option, the Customer limits their ability to consume Replication based service outside of the BUR Vault. As a result, any Protection Service purchased by the Customer will be limited to creation of a single electronic backup copy and single off-site Tape copy. Protection periods of both backup copies align with the Protection Service described in Section S4.3.

S4.4.3. Protection for Virtual Servers

Image backup and file level restoration is provided by default for VMware and Microsoft Hyper-V Virtual Servers and VMware Virtual Appliances where filesystem backup was ordered by the Customer. (Image backup is not supported for either VMware or Microsoft Hyper-V Virtual Servers or VMware Virtual Appliances hosting databases.)

In addition to Image backup and file level restoration Customer can request the following:

a. File level data restoration to an original location (excluding Virtual Appliances), a different directory on the source server (excluding Virtual Appliances), or a different Virtual or Physical Server; or

b. Image recovery to the original location (with the overwrite option selected).

Protection for Virtual Servers hosted on VMware, Microsoft Hyper-V, and VMware Virtual Appliances will be delivered via an Off-host Backup restricting backup selection to Full Server Backup only.

S4.4.4. Bare Metal Recovery

Bare Metal Recovery (“BMR”) provides recovery of the operating system, Customer Data, and/or databases from backup copies following a disaster or corruption. BMR service options are described below:

a. BMR supports granular recovery of Microsoft Active Directory and Windows system status data allowing for full or partial Restore to the original or an alternate location.

b. BMR supports recovery to the original server within remote data center. BMR recoveries between data centers may be inhibited by third-party conditions unforeseen by DXC.

c. Physical Servers, Virtual Servers, and Virtual Appliances will not require minimal operating system reinstallation following a disaster before Restore can be initiated.

d. BMR capability does not support:

i. Physical Server to Virtual Server recovery; or

ii. BMR recoveries into Continuity Services data centers.

S4.5. Setting up Protection Services

S4.5.1. Backup Windows

Customer can choose from the following standard Backup Windows in local time for the data center where Backup and Recovery Services are delivered:

a. 18:00 – 06:00

b. 21:00 – 09:00

c. 00:00 – 12:00

d. 03:00 – 15:00

S4.5.2. Replication Windows

a. 06:00 – 18:00 for Backup Windows of 18:00 – 06:00

b. 09:00 – 21:00 for Backup Windows of 21:00 – 09:00

c. 12:00 – 00:00 for Backup Windows of 00:00 – 12:00

d. 15:00 – 03:00 for Backup Windows of 03:00 – 15:00

Replication of transaction/archive logs will be executed continuously by DXC outside of the Replication Window on 24/7 basis.

S4.6. Optional Add-On Service Features

The following Optional Add-On applies to the Protection Service described in Section S4.3 and is provided to the Customer subject to conditions noted below. Additional Charges may apply for these Optional features at DXC’s then current rates.

S4.6.1. Test Restore Service

The most common use cases where the Customer could request Test Restore Services are:

a. To move data between servers (production to quality assurance/test);

b. For server and/or database upgrade; and/or

c. For Restore Rehearsal.

Test Restore Service requests must contain a single source and single destination (1 to 1 relationship). Customer Data can be restored to the original or an alternate Physical Server or Virtual Server. However, when Restore is to the original Physical Server or Virtual Server, this Service does not support overwriting the production data.

Operational Restores are included when Protection Plans are purchased.

S4.7. Long-Term Protection and Archival

Charges for Long-Term Protection and Archival Services vary depending on the volume of backup storage consumed by Customer Data. Long-Term Protection and Archival Service options include:

S4.7.1. Electronic Vaulting Service

Electronic Vaulting Service (“EVS”) enables Replication of backup images to the BUR Vaults. Backup copies are replicated to BUR Vaults during the Customer specified Replication Window as outlined in Section S4.5.2.

EVS can be provided at an additional Charge. Customers choosing the EVS Option will receive the following:

a. FIPS level 2 compliant encryption of backup storage.

b. Choice of Protection Plans that provide copy frequency and Protection period for EVS as provided in the following table:

Copy Frequency | Protection Period
Daily | 30 or 60 days
Monthly | 12 or 24 months

c. Creation of two parallel backup copies retained in geographically dispersed BUR Vaults (A and B) deployed in Managed VPC data centers.

d. Ability to select a standard monthly copy weekend from available weekends during Customer on-boarding for Backup and Recovery Services for the monthly EVS.

e. Upon request, restoration of Customer Data from electronically vaulted copies.

S4.7.2. Off-site Tape Copy Service

Daily or monthly off-site Tape copy service can be provided at an additional Charge. Customers choosing the off-site Tape copy service Option will receive the following:

a. FIPS level 2 compliant encryption and storage of off-site copies.

b. Choice of Protection Plans that provide copy frequency and Protection period options for off-site Tape copy service as provided in the following table:

Copy Frequency | Protection Period
Daily | 30 or 60 days
Monthly | 12 or 24 months

c. Ability to select a standard monthly copy weekend from available weekends during Customer on-boarding for Backup and Recovery Services.

d. Upon request, restoration of Customer Data from off-site copies.

S4.7.3. Compliance Archive Service

Customers choosing the Compliance Archive Service Option will receive the following:

a. FIPS Level 2 compliant encryption and off-site storage of the WORM Tapes.

b. Choice of Protection Plan that provides yearly archival to WORM Tapes for 5, 7, or 10 years.

c. Upon request, restoration of data from off-site WORM Tape to the original DXC data center where the Services are provided.

d. Tapes will be verified for readability every 12 months and a reliability report will be provided. Tapes will be replaced as DXC deems necessary. DXC has no responsibility for loss, corruption, or destruction of data other than restoration from then-current archive copies maintained by DXC (only to the extent that DXC provides backups and Customer chooses relevant options).

e. WORM Tapes will be destroyed at the end of the Protection period specified by the Customer’s Order. A document certifying the destruction will be provided by DXC.

f. For archive services greater than five years, DXC will copy the existing WORM Tape to a new WORM Tape in the then-current Tape format and the original WORM Tape will be disposed of as outlined in (e) above.

g. Choice of the month when the archival copy will be created during Customer on-boarding for the Backup and Recovery Services.

S4.7.4. Backup Import Service

This Service enables Customer to import backup Images into long-term and/or archival protection. While importing backup images, the existing Protection period (retention) may be increased to align with standard Protection periods offered by Backup and Recovery Services. This optional Add-On can only be executed when the Customer is:

a. On-boarded into the Backup and Recovery Services; and

b. Eligibility requirements for long-term and/or archival protection have been met. These include:

i. Linear Tape-Open (“LTO”) Tapes must be written in either Veritas NetBackup or Veritas Backup Exec formats;

ii. Original LTO Tape cartridges must not be of lower generation than LTO-4;

iii. Original Protection period of backup images to be imported must be greater than 90 days; and

iv. When the original Tape cartridge is encrypted, the encryption key(s) must be provided in advance. DXC can only accept encryption keys compatible with HPE ESKM appliances.

DXC will not guarantee “import by date” for backup images to be imported. Tasks for this optional Add-On will be executed on a “first come first served basis” and will not be subject to any Service Levels.

Once the backup import procedure is finalized, the original Tape cartridges will be returned to the Customer and from that point forward, the Customer’s imported data will be subject to Charges associated with the Long-Term Protection and Archival Services purchased by the Customer.

Imported backup images will be available for restoration of files, folders, or databases to compatible server(s) or device(s) only. For example, it would not be possible to restore an NDMP backup to a Physical Server or a VMware Virtual Server to a Hyper-V Cluster. Full recovery of Physical or Virtual Servers is not supported by this optional Add-On.

S4.8. Backup and Recovery Services Self-Service

S4.8.1. On-Demand backup

On-demand backup allows the Customer consuming Backup and Recovery Services to execute ad-hoc Full Server Backup outside of the backup schedule at no additional Charge.

Customers who purchase Protection for filesystems can execute on-demand backup of filesystems only. Customers who purchase Protection for filesystems and databases can execute on-demand backup of filesystems and/or databases.

S4.8.2. Backup exclusions

The Backup and Recovery Services enable Customer to configure filesystem and/or database backup exclusions for individual backup clients; it is therefore Customer’s responsibility to define and maintain the backup exclusions they apply. Backup exclusions cannot be applied to:

a. NAS arrays protected via NDMP;

b. VMware Virtual Servers and Virtual Appliances protected by VADP (Off-host Backup for VMware);

c. Hyper-V Virtual Servers protected by an Off-host Backup for Hyper-V (“VSS”);

d. VMware Virtual Servers with RDMs when Snapshot backup is configured; or

e. Physical Servers when Snapshot backup is configured.

S4.8.3. Restore and Recovery

Customers consuming Backup and Recovery Services may execute Restores from backup copies retained locally at any time for the following workloads:

a. Filesystem Restores to the original or an alternate server (either Physical or VMware/Hyper-V Virtual Servers);

b. Database Restore to the original or an alternate server (either Physical or VMware/Hyper-V Virtual Servers); or

c. For restores to an alternate server, Customer is required to open a service request by contacting the VPC account team before they will be allowed to execute the restoration.

S4.9. Backup Limitations

Backup limitations are based on the volume of storage assigned to a server. Following are DXC recommended backup limits:

Platform | Backup Type | File Level | File and Database Level | Image Level | Volume Level
Physical Server | Off-host Backup – RMC* | n/a | n/a | n/a | n/a
Physical Server | In-OS backup | 20 TB | 20 TB | n/a | n/a
VMware Virtual Server | Off-host Backup – VADP | n/a | n/a | 10 TB | n/a
VMware Virtual Server | In-Guest Backup | 3 TB | 3 TB | n/a | n/a
VMware Virtual Server - RDMs | Off-host backup – RMC* | n/a | n/a | n/a | n/a
VMware Virtual Server - RDMs | In-Guest Backup | 10 TB | 10 TB | n/a | n/a
VMware Virtual Appliances | Off-host Backup – VADP | n/a | n/a | 10 TB | n/a
Hyper-V Virtual Server | Off-host Backup – VSS | n/a | n/a | 5 TB | n/a
Hyper-V Virtual Server | In-Guest Backup | 3 TB | 3 TB | n/a | n/a
VPC File Storage (NetApp) | Off-host Backup – NDMP | n/a | n/a | n/a | 20 TB

* Off-host Backup – RMC backup will apply to solutions built around HPE 3PAR storage arrays only, when and if available.

S4.10. Compatibility Matrix

Customer remains responsible for evaluating and respecting compatibility between Backup and Recovery Services and the hardware and software components defined below:

a. Backup and recovery of the following operating systems, including OS Clusters and BMR:
   i. Microsoft Windows 2008R2 and above;
   ii. Red Hat Enterprise Linux 5 (x64 only) – 7.x;
   iii. SUSE Enterprise Linux (SLES) 11 (x64 only) – 12;
   iv. CentOS 5 (x64 only) – 7 (VMware Virtual Appliances only);
   v. HP-UX 11.x; and
   vi. Solaris 10 (x64 only) – 11.

b. Filesystem backup of the following filesystems:
   i. NTFS & ReFS;
   ii. Extended Filesystem (ext2-4);
   iii. Unix Filesystem (UFS); and
   iv. Journal Filesystem (JFS).

c. Flash backup of the following filesystems:
   i. NTFS (Windows);
   ii. ufs (Solaris); and
   iii. Online JFS (HP-UX).

d. Backup and recovery of the following database platforms (including High Availability implementations):
   i. Microsoft SQL Server 2008 and above;
   ii. Microsoft Exchange Server 2007 and above;
   iii. Microsoft SharePoint Server 2007 and above;
   iv. IBM Lotus Domino 8.0 and above;
   v. Oracle 11G and above;
   vi. Sybase ASE 15 and above;
   vii. IBM DB2 9.1 and above;
   viii. SAP SQL 2008 and above;
   ix. SAP Oracle (BRtools) 6 and above;
   x. SAP Oracle RMAN 11G and above;
   xi. SAP IBM DB2 9.1 and above;
   xii. SAP Sybase ASE 15 and above;
   xiii. SAP MaxDB (BRtools) 7 and above;
   xiv. SAP HANA (Scale-up & Scale-out) SPS 5 and above (SPS12 strongly recommended); and
   xv. SAP HANA 2.0 (Scale-up & Scale-out) SPS 00 and above.

e. Off-host Backup for Virtual Servers and Virtual Appliances:
   i. VMware ESXi 5 and above (VADP); and
   ii. Microsoft Hyper-V 2008R2 and above.

f. NDMP backup for NAS:
   i. NetApp FAS arrays (ONTAP 9.x) including NAS Snapshots and NDMP accelerator; and
   ii. For compatibility with remaining NAS platforms please consult DXC sales.

S4.11. Disengagement

Disengagement begins 90 days before the Contract, the Governing Agreement and/or this Solution Pack is scheduled to expire or promptly following issuance of notice to terminate the Contract, the Governing Agreement, this Solution Pack, and/or an Order for Services.

S4.11.1. DXC Responsibilities:

a. Give periodic notice to Customer of pending expiration or termination of the Contract, the Governing Agreement and/or this Solution Pack resulting in cessation of Services.

b. Ensure Customer Data associated with an Order is removed from all storage Media (including backups, if any) or rendered unreadable upon cancellation of that Order. The method used to remove Customer Data from storage Media varies based on the type of storage being used.

c. Following expiration of the Contract, the Governing Agreement or this Solution Pack, DXC will honor open Orders during a grace period for up to 90 days. No new Orders will be accepted during the grace period until/if the Contract or the Governing Agreement is renewed. If the Contract or the Governing Agreement is not renewed before completion of the grace period, all open Orders will be cancelled and Customer Data will be removed as noted above. Service charges will continue to apply until completion of the grace period, cancellation of any open Order(s), or transition to a renewed Contract or Governing Agreement; whichever occurs first.

S4.11.2. Customer Responsibilities:

a. Provide notice to DXC of Customer’s termination of the Contract, the Governing Agreement and/or this Solution Pack in accordance with the applicable termination and notice provisions of the Contract and Governing Agreement.

b. Remove all Customer Data and Customer software prior to cancellation of an Order in the Managed Services Portal once all Minimum Order Term Commitments have been met.

c. Disconnect from the DXC data center.

S4.11.3. Termination of Orders for Backup and Recovery Services

Upon request, the Customer can choose to either remove or decommission Backup and Recovery Services’ option(s) under an Order as follows:

a. Removal of Backup and Recovery Services results in discontinuation of Protection for a server and retention of existing backup copies until the scheduled expiration date is reached. Customer Data can be restored to a Customer designated server or storage device before the expiration date of the backup copies is reached.

b. Decommissioning of Backup and Recovery Services results in discontinuation of Protection for a server and immediate expiration of existing backup images. Decommissioning of Protection Service cannot be reverted and will result in immediate and permanent deletion of backup data.

S4.11.4. Expiration or Termination of the Contract

Upon expiration or termination of the Contract, the Customer can choose to either remove or decommission Backup and Recovery Services as follows:

a. Removal of Backup and Recovery Services results in discontinuation of Services for all servers and retention of existing backup copies until the scheduled expiration date is reached. Customer Data can be restored to a Customer designated server or storage device before the expiration date of backup copies is reached. DXC is not obliged to provide Tape cartridges, USB sticks, DVD drives, or any other physical medium to the Customer upon expiration or termination of the Contract.

b. Decommissioning of Backup and Recovery Services results in discontinuation of Protection for all servers while existing backup copies are expired immediately. Decommissioning of Protection Services cannot be reverted and will result in immediate and permanent deletion of backup data. Requests for restoration of data must be submitted at least 90 days prior to expiration or termination of the Contract.

Schedule 5. Managed VPC Storage Services

S5.1. Introduction

This Schedule will apply to each Order placed for Services to the extent the Managed VPC Storage Services, as defined in this Schedule (“Storage Services”) are selected by Customer for purchase, and will remain in effect unless it is terminated or expires in accordance with this Solution Pack. In the event of any conflict or inconsistency between this Schedule and this Solution Pack, this Schedule will prevail with respect to the subject matter of this Schedule. General descriptions or references to particular Storage Services in this Schedule 5 or elsewhere in this Solution Pack are subject to the more detailed descriptions below. Storage Service usage is limited to within the Customer’s Managed VPC environment. Termination or suspension of all or any part of the Services for any reason will automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Storage Services.

If Customer purchases Multi-Tenant Storage Services, Customer can choose one or more of the following services for file system level storage or database storage: a) Ultra-High-Performance Storage, b) High-Performance Storage, c) Performance Storage, d) Bulk Storage, and e) File Enhanced Storage.

Customer will use the Managed Services Portal to order Storage Services. A complete list of orderable items available in the requested data center can be viewed in the Portal.

S5.2. Storage Services Optional Add-On Service Features

The Storage Services Optional Add-Ons are listed in the table in Section S5.2.3 in order of highest to lowest levels of performance. Actual storage and application performance depend on a number of factors including without limitation workload size and type and read/write activity. LUN sizes for Physical Servers and virtual disk sizes for Virtual Servers available for ordering are as specified in the Managed Services Portal.

S5.2.1. DXC Responsibilities:

a. Provide the Storage Services as selected by Customer and described in this Schedule 5.

S5.2.2. Customer Responsibilities:

a. Select the appropriate storage tier to meet Customer’s performance requirements.

S5.2.3. Storage Service Options:

| Storage Level | Storage Type | Intended Use (1) | Server Type | Performance Attributes | Average Response Time |
| --- | --- | --- | --- | --- | --- |
| Ultra-High-Performance Storage | SAN in Managed VPC environment | Read intensive applications or any applications with high demanding IO workloads that can benefit from SSD | Physical Servers only | Up to 150K IOPS at 8000 random IOs with 80/20 read/write ratio | ≤ 3 MS |
| High-Performance Storage (2) | SAN in Managed VPC environment | Write intensive applications; applications that are critical to business revenue and require high performance and availability (e.g., SAP, Oracle Business Intelligence or OLTP) | Physical Servers only | Up to 80K IOPS at 8000 random IOs with 80/20 read/write ratio | ≤ 12 MS |
| Performance Storage | SAN in Managed VPC environment | Important applications; applications requiring fast response time for less critical business revenue (e.g., OLTP, SAP, Oracle, virtualization, or business applications) | Physical and Virtual Servers | Up to 57K IOPS at 8000 random IOs with 80/20 read/write ratio | ≤ 15 MS |
| Bulk Storage | SAN in Managed VPC environment | Less important applications; applications requiring slower response time for less business-critical revenue (e.g., content depot, fixed content, compliance, long term retention, or compute intensive applications requiring SAN storage) | Physical Servers only | Up to 10K IOPS at 8000 random IOs with 80/20 read/write ratio | ≤ 30 MS |
| File Enhanced Storage | NAS in Managed VPC environment | Applications requiring fast response time for less critical business revenue (e.g., file-based storage, lower-cost storage for sharing unstructured data) | Physical and Virtual Servers | N/A | N/A |

Notes:

(1) Intended uses specified in this table are provided as guidance only and are not representations that the Services will be suitable for such uses in particular circumstances.

(2) Where High-Performance Storage is not available, DXC reserves the right to substitute with Ultra-High-Performance Storage at no increase in Charge to the Customer over what would apply to an equivalent allocation of High-Performance Storage.

(3) Average response times are measured at the storage array.

S5.3. Optional Add-On Service Feature

S5.3.1. Data Transport Service

S5.3.1.1. DXC Responsibilities:

a. Allow Customer access to the Managed VPC compartment with an approved NAS device.

b. Communicate any limitations applicable to the NAS device types supplied by Customer.

S5.3.1.2. Customer Responsibilities:

a. Encrypt the data being transported in and out of their Managed VPC compartment. Limitations may apply based on the approved NAS device type.

S5.4. Managed VPC Storage Service Limitations

S5.4.1. Location

Not all storage Optional Add-Ons are available in all DXC data centers. Only those storage Optional Add-Ons available for the data center housing the Customer’s Managed VPC environment will be available for selection in the Managed Services Portal (as they may be modified and supplemented from time to time by DXC).

Schedule 6. Managed VPC Networking Services

S6.1. Introduction

This Schedule will apply to each Order placed for Services to the extent the Networking Services are selected for purchase by Customer, and will remain in effect unless it is terminated or expires in accordance with this Solution Pack. In the event of any conflict or inconsistency between this Schedule and this Solution Pack, this Schedule will prevail with respect to the subject matter of this Schedule. General descriptions or references to particular services in this Schedule or elsewhere in this Solution Pack are subject to the more detailed descriptions below.

Networking Services usage is limited to within the Customer’s Managed VPC environment. Termination or suspension of all or any part of the Services for any reason will automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Networking Services under this Schedule.

Customer will use the Managed Services Portal to order Networking Services offered under this Solution Pack. A complete list of orderable items available in the requested data center can be viewed in the Managed Services Portal.

S6.2. Networking Services Optional Add-On Service Features

DXC will provide the optional Networking Services Add-Ons specified in Customer’s Order, as described in this Section S6.2, at the rates specified in the Managed Services Portal or in a separate DXC accepted Order depending on the ordering mechanism used by the Customer at the time the Order is placed.

S6.2.1. Network Switch as a Service

S6.2.1.1. DXC Responsibilities:

a. Provide Network Switch as a Service that allows Customer provided physical devices to be connected to the Customer Compartment.

b. Manage one or more Customer dedicated Network Switches. Limitations apply to the specific devices supported as part of this Service.

S6.2.1.2. Customer Responsibilities:

a. Request the optional Network Switch as a Service through the Managed Services Portal.

b. Provide DXC with relevant information regarding specific devices to be supported.

S6.2.2. Bandwidth Services

These bandwidth service options allow the Customer to access Managed VPC resources:

S6.2.3. Leveraged Internet Service (“LIS”)

S6.2.3.1. DXC Responsibilities:

a. Provide: (i) installation and management of network connections to the relevant DXC data center(s), (ii) installation, configuration, and testing of these connections; (iii) monitoring availability of circuits, routers, and switch ports; and (iv) corrective action as deemed necessary and appropriate by DXC in the event of operational or security Incidents, if requested by Customer.

S6.2.3.2. Customer Responsibilities:

a. Request LIS through the Managed Services Portal.

S6.2.4. Compartment Bandwidth Service

S6.2.4.1. DXC Responsibilities:

a. Provide additional bandwidth capacity up to 800 Mbps in total, in increments of 50 Mbps, if requested by Customer.

S6.2.4.2. Customer Responsibilities:

a. Request additional bandwidth capacity as needed in increments of 50 Mbps, up to a total capacity of 800 Mbps, through the Managed Services Portal.

S6.2.5. Firewall Concurrent Sessions

S6.2.5.1. DXC Responsibilities:

a. Provide additional concurrent connections exceeding the base capacity limit of 15,000 concurrent connections upon Customer’s request.

S6.2.5.2. Customer Responsibilities:

a. Request additional concurrent connections through the Managed Services Portal.

S6.2.6. Customer Provided Internet Protocol (“IP”) Address Service (“Bring Your Own IP” or “BYOIP”)

S6.2.6.1. DXC Responsibilities:

a. Provide Customer with the eligibility requirements to obtain the BYOIP, enabling Customer to:
   i. Assign Customer provided IP addresses directly to Customer’s VPC servers;
   ii. Keep Customer’s IP addressing schemes aligned with Customer’s enterprise environment; and
   iii. Control which servers are assigned Customer provided IP addresses.

S6.2.6.2. Customer Responsibilities:

a. Work with DXC to determine eligibility requirements for the Bring Your Own IP and provide required IP address information and server designations.

S6.2.7. Firewall Services

S6.2.7.1. DXC Responsibilities:

a. Provide Customer with specified use conditions to configure the firewall services.

S6.2.7.2. Customer Responsibilities:

a. Subject to DXC specified use conditions, configure firewall rules using the Managed Services Portal in the following areas:
   i. Network traffic between servers located in a Customer Compartment and servers located outside the Customer Compartment; and
   ii. Network traffic between servers located in different Security Zones in a Customer Compartment if Security Zones have been separately ordered by the Customer.

b. Access the Managed Services Portal to review a report of these Customer initiated changes to firewall rules.

c. Access the Managed Services Portal to configure the firewall for the following:
   i. One-to-one public network address translation; and
   ii. Many-to-one public network address translation.

d. Request VPC public IP addresses or modifications to all other firewall rules applied by DXC during commencement of Services as described in Section 1.3 using the Managed Services Portal. Customer requested modifications to DXC applied firewall rules are subject to risk assessment procedures further described in Schedule 2. Any Customer request for VPC public IP addresses or modifications to firewall rules resulting from Customer placement of a request through the Managed Services Portal that are deemed acceptable by DXC will be applied to the Customer Compartment at an additional Charge.

S6.2.8. IPsec VPN Tunnel Service (Site-to-Site)

This Service feature allows an encrypted link between Customer’s location(s) and the Customer Compartment (“IPsec VPN Tunnel Service”).

S6.2.8.1. DXC Responsibilities:

a. Configure the VPN parameters based on the Customer’s specific requirements.

S6.2.8.2. Customer Responsibilities:

a. Request the IPsec VPN Tunnel Service through the Managed Services Portal after verifying Customer meets the following conditions:
   i. Provide an IPsec compliant VPN device at Customer’s premises.
   ii. Bear sole responsibility for its IPsec compliant device(s).
   iii. Verify the device(s) are accessible via the internet or Customer provided connectivity.
   iv. Do not exceed eight IPsec tunnels per Customer Compartment.

S6.2.9. Load Balancer Service

S6.2.9.1. DXC Responsibilities:

a. Provide the Load Balancer Service as requested by Customer and described in this Section S6.2.9.

S6.2.9.2. Customer Responsibilities:

a. Request the Load Balancer Service through the Managed Services Portal in order to:
   i. Balance network traffic within a Customer Compartment (but not among or across either Customer Compartments or DXC locations); and
   ii. Designate, through parameters on the Managed Services Portal, load distribution for unique instances on a single VLAN.

b. Acknowledge that the Load Balancer Service will not balance network traffic outside of the VLAN assigned to it or perform global network traffic management.

Schedule 7. Managed VPC SAP and SAP HANA Management Services

S7.1. Introduction

This Schedule will apply to each Order placed for Services to the extent Customer selects to purchase either the Managed VPC SAP Services or Managed VPC SAP HANA Management Services (“Managed VPC SAP and SAP HANA Management Services”) and will remain in effect unless it is terminated or expires in accordance with this Solution Pack. In the event of any conflict or inconsistency between this Schedule and this Solution Pack, this Schedule will prevail with respect to the subject matter of this Schedule. General descriptions or references to particular Managed VPC SAP and SAP HANA Management Services in this Schedule or elsewhere in this Solution Pack are subject to the more detailed descriptions below.

If Customer selects to purchase Managed VPC SAP and SAP HANA Management Services, Customer must also purchase certain Storage Services as described in Schedule 5 and Backup and Recovery Services as described in Schedule 4.

Managed VPC SAP and SAP HANA Management Services usage is limited to within the Customer’s Managed VPC environment.

Termination or suspension of all or any part of the Services, Storage Services and/or Backup and Recovery Services for any reason will automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Managed VPC SAP and SAP HANA Management Services under this Schedule.

DXC will deliver Managed VPC SAP and SAP HANA Management Services on a Managed VPC infrastructure in accordance with this Solution Pack except where otherwise specified below. This Schedule includes:

a. Installation, semi-automated application template provisioning, monitoring, and management of the SAP Application up to the basis layer;

b. Installation, configuration, administration, and maintenance of the SAP landscape for SAP Basis; and

c. Installation, monitoring, and maintenance of DXC or Customer provided SAP HANA Appliances, and DXC provided SAP HANA Systems and SAP HANA databases, as further described below.

OEM appliances and third-party maintenance services are not supported under this Schedule.

S7.2. Commencement of Services

DXC and Customer will each have the responsibilities set forth below related to the initial implementation of the Managed VPC SAP and SAP HANA Management Services.

S7.2.1. Managed VPC SAP Services

S7.2.1.1. DXC Responsibilities:

a. Provide setup and access to the Customer Compartment in accordance with this Solution Pack.

b. Provide a Managed VPC SAP database.

c. Install the SAP Application.

d. Provision DXC storage for SAP servers (as described in Schedule 5).

S7.2.1.2. Customer Responsibilities:

a. Provide support for setup and access to the Customer Compartment in accordance with this Solution Pack.

b. Provide all Oracle, Microsoft SQL, MaxDB, and Sybase licenses.

c. Provide SAP licenses for all SAP Application installation, including valid license keys for all cluster nodes.

d. Perform user testing in accordance with the test plan agreed to between DXC and the Customer at the time of implementation.

S7.2.2. Managed VPC SAP HANA Management Services

S7.2.2.1. DXC Responsibilities:

a. Where a Managed VPC SAP HANA Management Services option is selected, provide:
   i. Cabling and connecting Customer dedicated SAP HANA Appliance infrastructure into the Customer Compartment;
   ii. Installation and configuration of the SAP HANA Appliance and logical connection to the Managed VPC infrastructure; and
   iii. Creation of SAP HANA databases, profiles, and database user accounts.

b. Where a SAP HANA System service option is selected, provide:
   i. Managed Servers and VLAN as described in this Solution Pack;
   ii. DXC managed storage as described in Schedule 5;
   iii. Configuration of Managed Servers, storage, and network as required to support SAP HANA databases in a manner certified by SAP;
   iv. Creation of SAP HANA databases, profiles, and database user accounts; and
   v. Managed VPC SAP HANA Management Services as described in this Schedule.

c. Where a SAP HANA Infrastructure service option is selected, provide:
   i. Managed Servers and VLAN as described in this Solution Pack;
   ii. DXC managed storage or SAP HANA Appliance storage as described in Schedule 5; and
   iii. Configuration of Managed Servers, storage, and network as required to support SAP HANA databases in a manner certified by SAP.

S7.2.2.2. Customer Responsibilities:

a. Where a Customer managed and provisioned SAP HANA Appliances service option is selected, provide:
   i. SAP HANA Appliances;
   ii. SAP HANA licenses; and
   iii. Maintenance of the SAP HANA Appliance (which must be purchased separately from DXC) and remediation of system errors (server, storage, network).

b. Maintain financial and administrative responsibility for the procurement and provisioning of the SAP HANA Appliance and software. Regardless of whether the SAP HANA Appliance has been purchased outright or leased, the maintenance of the appliance must be contracted with DXC. Customer bears all risk of loss for the SAP HANA Appliance, regardless of the cause of the loss (including without limitation, loss caused by the acts or omissions of DXC).

c. Where a SAP HANA System service Option is selected, provide SAP HANA licenses.

d. Where a SAP HANA Infrastructure service Option is selected, provide:
   i. SAP HANA licenses; and
   ii. Maintenance and management of the SAP HANA database.

S7.3. Onboarding

S7.3.1. Provisioning

The timeframes for Managed VPC SAP and SAP HANA Management Services provisioning vary depending on the SL Tier selected by Customer.

DXC managed SAP HANA Appliances are not pre-provisioned and the timeframes for the Managed VPC SAP HANA Management Services provisioning vary on a Project basis depending on the SL Tier and type of appliance selected by Customer.

Not all SAP HANA System models may be pre-provisioned and the timeframes for the Managed VPC SAP HANA Management Services provisioning vary depending on the SL Tier and type of server selected by the Customer.

S7.3.2. Changes in Service

DXC will manage elections and options for Managed VPC SAP and SAP HANA Management Services through the Managed Services Portal on behalf of the Customer. Other changes may be requested as outlined in Section S7.8.4 and agreed pursuant to this Solution Pack.

S7.4. Architecture - Managed VPC SAP Service

S7.4.1. DXC Responsibilities:

a. Deliver Managed VPC SAP Services on DXC technology configured in a standard form using physical and virtual elements as determined by DXC in its discretion. DXC reserves the right to modify standard form implementations for large scale deployments.

b. Use operational Change Management to substitute underlying hardware elements in support of the Managed VPC SAP Services, as deemed necessary by DXC, provided that the new elements perform as well as or better than the replaced elements as determined by DXC.

c. Host a SAP product on either Virtual Servers or Physical Servers, in DXC’s sole discretion, in order to optimize the required underlying capacity.

S7.4.2. Customer Responsibilities:

a. No additional responsibilities.

S7.5. Architecture - Managed VPC SAP HANA Management Service

SAP HANA Appliance is a Customer dedicated infrastructure that is connected into a Customer Compartment.

S7.5.1. DXC Responsibilities:

a. Provide SAP HANA Systems on DXC owned infrastructure configured to support SAP HANA databases in a manner certified by SAP.

S7.5.2. Customer Responsibilities:

a. If data being provisioned to the SAP HANA Appliance is from a source external to the Customer Compartment, maintain responsibility for ensuring the bandwidth in the network connectivity that Customer is required to provide is sufficient to avoid any latency Problems.

S7.6. Architecture - SAP Software Currency and Release Levels

DXC will provide Services only for versions of SAP and SAP HANA that are supported by DXC for hosting on Managed VPC and are supported by SAP, as outlined in the SAP PAM.

Third-party software services that are not covered within the scope of Section S7.2.1 require evaluation by DXC to consider suitability for hosting on Managed VPC and, if considered suitable, may be subject to additional Charges.

S7.7. Management of Operations

S7.7.1. DXC Responsibilities:

Responsibility | Managed VPC SAP System | DXC Managed SAP HANA Systems | SAP HANA Appliances | SAP HANA Infrastructure

Operate and manage authorized SAP systems, components, and databases (including use of proactive measures to the extent DXC considers appropriate) [1]

X

Operate and manage authorized SAP HANA Systems, components, and SAP HANA Appliances and databases (including use of proactive measures that DXC considers appropriate) [2]

X X

Check availability of new software, patches, and firmware to correct known errors

X X X

Implement software updates/patches (as available) during the predefined SAP and SAP HANA Maintenance Windows

X X X

Operate and manage the operating system and storage as a Managed Server

X

Table Notes

1. SAP systems, components, and databases included:

a. SAP Basis operations service;

b. SAP Basis administration (Java and ABAP Stack);

c. SAP Basis Security Management;

d. SAP database administration and security;

e. SAP platform administration;

f. SAP backup and Restore management (in addition to services described in Schedule 4);

g. SAN management for the SAP Basis operations service;

h. SAP Web Application Server;

i. SAP Basis, SAP database, web and server patch management; and

j. SAP output management.

2. Responsibility includes:

a. Monitoring the SAP HANA Appliance capacity and infrastructure performance;

b. Monitoring of the SAP HANA database as required to comply with the applicable SL Tier;

c. Analysis of errors detected in the SAP HANA System;

d. Notification to the Customer of steps executed in order to address SAP HANA Appliance hardware system errors;

e. Maintenance of SAP HANA software, including the installation and configuration of necessary vendor-issued standard software modifications as required to comply with the SL Tier;

f. SAP HANA database maintenance outside of planned SAP HANA Maintenance Windows (i.e., release changes);

g. Maintenance of SAP HANA database profile; and

h. Execution of a SAP HANA database backup and Restore in the event of an error in the underlying SAP HANA Appliance hardware that does not affect the database (the Restore will occur after the hardware error is resolved).

3. Storage required to support the SAP HANA Infrastructure will be provided in accordance with Schedule 5.

S7.7.2. Specific Operations Management Responsibilities for Managed VPC SAP Services

Each party’s specific responsibilities are shown in the following table:

# Responsibilities DXC Customer

Workload Management
1 Plan, analyze, and define SAP ABAP based logon groups, SAP remote function call server groups, and SAP operation modes R
2 Maintain ABAP based SAP logon groups, SAP remote function call server groups, and SAP operation modes R
3 Manage SAP housekeeping and reorganization jobs such as print and spool subsystem reorganization jobs R C

Job Scheduling
4 Manage application job scheduling R

Output Management
5 SAP printer definition and support on OS level R
6 SAP printer definition and support on SAP level R
7 Manage SAP integrated ABAP print and spool subsystem R
8 Maintain decentralized printing environments R

SAP-Remote Connection
9 Manage SAP remote service connection R
10 Maintain System data in SAP Service Marketplace R

Operational Administration
11 Analyze and correct database-Instance errors R
12 Maintenance of database-capacity R
13 Define and implement operational procedures for in scope CIs administration R
14 Perform user and group account administration of privileged users on operating system and database level R
15 Manage SAP End Users and/or SAP authorization profiles (roles and concepts) R
16 Manage third-party services contracted through the Customer R
17 Perform operating system start-up/shutdown and kernel parameter changes to meet contractual obligations R
18 Perform operating system profile, parameter, and basis file system maintenance that are required for availability reasons or SLA fulfilment R
19 Apply operating system patches (kernel patches, hot fixes, and support packages) that are required for availability reasons or SLA fulfilment R
20 Perform SAP database profile and parameter maintenance that are required for availability reasons or SLA fulfilment R
21 Analyze and correct update request errors R
22 Analyze and delete lock entries R
23 Analyze and correct ABAP-short dumps in SAP Basis R
24 Analyze and correct ABAP-short dumps in SAP Application modules R
25 Apply SAP database patches (kernel patches, hot fixes, and support packages) that are required for availability reasons or SLA fulfilment and do not require full installation of the database software R
26 Apply SAP Basis patches (kernel patches, hot fixes, and support packages) that are required for availability reasons or SLA fulfilment R
27 Perform SAP solutions environment start-up and shutdown to meet contractual obligations R
28 Maintain basic connections between SAP standalone engines (former technology/middleware components) and application servers ABAP + JAVA R
29 SAP Application specific tasks such as customizing modification or adoption of ABAP workbench objects or JAVA development objects R
30 Purchase and maintain software license and maintenance agreements for any database or application software that is part of a SAP solution landscape R

31 Maintain ABAP based systems through maintenance SAP Client 000 and 066 R
32 Initialize and maintain ABAP based correction and transport system/transport management system R
33 Setup, organize, and monitor transport requests R
34 SAP Client maintenance like create, delete, and copy following Change Management R
35 Implement SAP-provided knowledge database (“SAP-Notes”) for SAP Basis as required to maintain the SAP Service Levels R
36 Implement SAP-Notes for SAP Application modules R
37 Configure JAVA system landscape directory “SYSTEM landscapes” (group systems) and system landscape directory “BUSINESS landscapes” (define business scenario details) R
38 JAVA System landscape directory content maintenance such as generic common information model data, namespaces, version management, and software catalogue R
39 Perform system landscape directory start-up and shutdown as needed for JAVA software units and application components R

Legend: "R" = Responsible, “C” = Consult with DXC

S7.7.3. Specific Operations Management Responsibilities for Managed VPC SAP HANA Management Services and SAP HANA Appliances

Each party’s specific operations management responsibilities are shown in the following table:

# Responsibilities DXC Customer

Operational Administration for Managed VPC SAP HANA Management Services and SAP HANA Appliances
1 Perform SAP database and SAP HANA profile and parameter maintenance that are required to meet the applicable SL Tier R
2 Apply SAP HANA patches that are required to meet the applicable SL Tier R
3 SAP Application specific tasks such as customization, modification, or adoption of HANA application objects R
4 Purchase and maintain software license and maintenance agreements for any database or application software that is part of a SAP solution landscape R
5 Setup, organize, and monitor transport requests R
6 Implement SAP-Notes for SAP HANA corrections required to maintain the SAP Service Levels R
7 Implement SAP-Notes for SAP HANA, SAP Application modules R
8 Analyze and correct database-Instance errors R
9 Monitor database-capacity R
10 Perform user and group account administration of privileged system users on operating system and database level R

11 Manage SAP HANA End Users and/or SAP HANA authorization profiles (roles and concepts) R
12 Perform operating system start-up/shutdown and parameter changes to meet contractual obligations R
13 Perform operating system profile, and basis file system maintenance that are required to meet the applicable SL Tier R
14 Apply operating system patches that are required to meet the applicable SL Tier R
15 Analyze and correct SAP HANA-short dumps R
16 Analyze and correct SAP HANA-short dumps in SAP Application modules R
17 Procure SAP HANA Appliance and associated maintenance from DXC R

SAP-Remote Connection (for Customer provided SAP HANA Appliances)
18 Manage SAP remote service connection R
19 Maintain System data in SAP Service Marketplace R

Operational Administration for SAP HANA Infrastructure
20 Perform user and group account administration of privileged system users on the operating system R
21 Perform operating system start-up/shutdown and parameter changes to meet contractual obligations R
22 Perform operating system profile, and basis file system maintenance that are required to meet the applicable SL Tier R
23 Apply operating system patches that are required to meet the applicable SL Tier R

Legend: "R" = Responsible

S7.8. Operational Services

In addition to DXC’s obligations in this Solution Pack, DXC will provide the following Operational Services specifically for the Managed VPC SAP and SAP HANA Management Services as specified below.

S7.8.1. Incident Management

Incident Management provided by DXC for Managed VPC SAP and SAP HANA Management Services includes:

a. Recovery of the agreed Managed VPC SAP Services and SAP Applications within the SL Tier selected by Customer;

b. Recovery of the agreed Managed VPC SAP HANA Management Services and SAP HANA database; and

c. Notification to Customer in the event of a priority 1 Incident with SAP remediation.

S7.8.2. Problem Management

Problem Management provided by DXC for Managed VPC SAP and SAP HANA Management Services includes:

a. In the case of a priority 1 Incident, root cause analysis using SAP analysis tools; and

b. Coordination of Problem resolution with SAP support services.

S7.8.3. Event Detection and Notification

DXC will monitor the Managed VPC environment to meet the Managed VPC SAP and SAP HANA Management Services Service Levels applicable to the SL Tier selected by the Customer (“Event Detection and Notification”). The monitoring that DXC provides will apply to the following areas:

a. Specific SAP, SAP database and/or SAP HANA processes;

b. Alert messages of the SAP database and/or SAP HANA;

c. SAP logons; and

d. System hangs, very slow processes, and other negative situations or Events.

S7.8.3.1. DXC Responsibilities:

a. Monitor the environment to enable collection of SAP Events.

b. Monitor for unplanned Events and pre-determined system Events with DXC best practice established thresholds.

c. Raise and log Events where threshold is exceeded.

d. Provide timely notification of detected Events to Incident Management.

e. Assess incoming Event Alerts and take appropriate action.

S7.8.4. Change Management

DXC is responsible for coordination and management of additions, moves and changes to the SAP environment for all in-scope Configuration Items. The Customer can request additions, moves and/or changes in accordance with the change control process described in the Governing Agreement.

Each party’s specific Change Management responsibilities are shown in the following table.

# Responsibilities DXC Customer

1 Technical implementation of changes on the SAP operation system level R

2 Technical implementation of changes on SAP database-level and/or SAP HANA level R

3 Technical fundamental changes of the SAP system R

4 Implement customizations of SAP business applications R

Legend: "R" = Responsible

The following table sets out DXC’s Change Management obligations for each SL Tier.

Activity SL Tier 1 SL Tier 2 SL Tier 3 SL Tier 4

Customer requested Routine or Normal Changes identified in the SAP Service Catalog

Available on a Project basis

Included as documented in the SAP Service Catalog

Project Changes

Available on a Project basis

Maintenance patches for SAP Services

Not applicable

Included in the Charges for each of these SL Tiers

Software Maintenance for SAP HANA Included once per year

DXC required Emergency Changes to meet contractual requirements

Included in the Charges for all SL Tiers

Other Emergency Changes Available on a Project basis

Customer requested patches Available on a Project basis

The following table shows DXC’s lead time obligations for qualification of change activities listed below based on SL Tier. For purposes of this table, qualification means to review and understand a Request for Change, estimate effort, and agree on the time required to deliver the change.

Activity | SL Tier 1 | SL Tier 2 | SL Tier 3 | SL Tier 4
Lead time between RFC initiation and Routine Change qualification | Not applicable | 2 business days | 1 business day | 1 business day
Lead time between RFC initiation and Normal Change qualification | Not applicable | 4 business days | 2 business days | 2 business days
Lead time between RFC initiation and Project Change qualification | Not applicable | 10 business days | 5 business days | 5 business days
Lead time between RFC initiation and Emergency Change qualification | Not applicable | Not applicable | Not applicable | Not applicable

The following table shows objectives for each SL Tier for various post go-live activities related to Orders and RFCs. There are no Service Level credits associated with these objectives.

Activity SL Tier 1 SL Tier 2 SL Tier 3 SL Tier 4

Additional elapsed time to reconfigure SAP elements after dial up/down of infrastructure. e.g. storage, Virtual Servers.

Varies on a Project basis

1 business day after DXC notifies Customer of acceptance of an Order or RFC

Elapsed time for adding new SAP CI/database/application for which there is no known configuration, template or provisioning image.

Varies on a Project basis

10 business days after DXC notifies Customer of acceptance of an Order or RFC

Elapsed time for adding new SAP CI/database/application for which there is a known configuration, template or provisioning image.

Varies on a Project basis

5 business days after DXC notifies Customer of acceptance of an Order or RFC

S7.8.5. Configuration Management

DXC will provide documentation of all CIs for systems and software, which are necessary to perform the Managed VPC SAP and SAP HANA Management Services.

S7.8.6. Security Management

DXC will manage security Incidents as described below (“Security Management”).

S7.8.6.1. DXC Responsibilities:

a. Install SAP according to SAP Application Security Guidelines.

b. Install anti-virus software according to SAP recommendations.

c. Adapt SAP Application Security Guidelines to Customer policies if needed and allowed in accordance with SAP Application Security Guidelines.

d. Provide standard hardened operating system and SAP HANA builds.

e. Provide security Incident response, consisting of investigation and resolution of Incidents in accordance with DXC standard procedures.

f. Provide security policy compliance management through periodic scans to monitor SAP specific security configurations.

g. Provide automated SAP security checks including:

i. Checking security notifications and managing actions with Customer accordingly; and

ii. Maintaining DXC-internal access control, Single Sign On, and firewall routings.

S7.8.7. Each party’s specific Security Management responsibilities are as follows:

Responsibility DXC Customer

Operational Security Management
Maintain operational security parameters according to Schedule 2 R
Deploy Security Management Infrastructure for SAP components and anti-virus for SAP systems R
Harden the operating system in accordance with DXC and SAP Application Security Guidelines R
Enable quality passwords for non-system management users and application End Users and change them on a periodic basis R
Perform weekly security checks R
Maintain security profile parameters such as minimum password length R
Design and implement the application authorization concept (user profile and role management definition) R
Install SAP software changes (that is, ABAP source code) to overcome known security vulnerabilities as made available by SAP using the Change Management Process R
Access and maintain SAP administration SAP Client 000 R
Access and maintain system management SAP Client 066 R
Access and maintain Customer SAP Client (SAP Client other than 000 or 066) R
Change all default passwords in production SAP Client for ABAP based systems R
Verify ABAP based SAP servers against a defined SAP security checklist R

Legend: "R" = Responsible

S7.8.8. Capacity Management

DXC provides monitoring of capacities of the Managed VPC and SAP HANA Infrastructure taking into account the Managed VPC SAP and SAP HANA Management Service requirements.

S7.9. SAP and SAP HANA Maintenance Windows

Type | SL Tier 1 | SL Tier 2 | SL Tier 3 | SL Tier 4
SAP and SAP HANA Maintenance Window | N/A | 5-hour window (Quarterly) | 5-hour window (Quarterly) | 5-hour window (Quarterly)
Event Management, Incident Management, and Problem Management | N/A | 24x7 | 24x7 | 24x7
Attended Operations | Monday through Friday, 08:00 through 18:00 Local Time (reasonable commercial efforts) | Monday through Friday, 08:00 through 18:00 Local Time, unstaffed at all other times | Monday through Friday, 08:00 through 18:00 Local Time, unstaffed at all other times | Monday through Friday, 08:00 through 18:00 Local Time, unstaffed at all other times
Operations Time Window | Monday to Friday, 08:00 to 17:00 Local Time | 24 x 7 | 24 x 7 | 24 x 7
Change Execution Time Window | Monday to Friday, 08:00 to 17:00 Local Time | 24 x 7 | 24 x 7 | 24 x 7
Office Time Window | Monday to Friday, 08:00 to 17:00 (EMEA / CET, AMS / EST) | Monday to Friday, 08:00 to 17:00 (EMEA / CET, AMS / EST) | Monday to Friday, 08:00 to 17:00 (EMEA / CET, AMS / EST) | Monday to Friday, 08:00 to 17:00 (EMEA / CET, AMS / EST)
Perform Service Review and Account Management meetings | Office Time Window | Office Time Window | Office Time Window | Office Time Window
Configuration Management - Identification, control and verification processing boundaries | Office Time Window | Office Time Window | Office Time Window | Office Time Window
Configuration Management processing boundaries - Status accounting (execution) | Change Execution Time Window | Change Execution Time Window | Change Execution Time Window | Change Execution Time Window

Request Fulfillment Planning, approval, and scheduling processing | Office Time Window | Office Time Window | Office Time Window | Office Time Window
Request Fulfillment Execution | Change Execution Time Window | Change Execution Time Window | Change Execution Time Window | Change Execution Time Window
Change Management Processing hours - Change Planning, Assessment, Approval, and Scheduling Operation time - For Routine, Normal, and Project Changes | Office Time Window | Office Time Window | Office Time Window | Office Time Window
Emergency Change Planning, Assessment, Approval, and Scheduling Operation time Change Management Processing hours | Operations Time Window | Operations Time Window | Operations Time Window | Operations Time Window
Routine, Normal, Emergency, and Project Change Management Execution Processing hours | Change Execution Time Window | Change Execution Time Window | Change Execution Time Window | Change Execution Time Window
Planning and communication hours of operation for the following processes: Incident Management, Problem Management, Operations Management, Security Management, and Capacity Management | Office Time Window | Office Time Window | Office Time Window | Office Time Window
Execution hours of operation for the following processes: Incident Management, Problem Management, Operations Management, Security Management, and Capacity Management | Operations Time Window | Operations Time Window | Operations Time Window | Operations Time Window
Service Level Management Processing hours for meetings and communication | Office Time Window | Office Time Window | Office Time Window | Office Time Window
Planning, communication, and execution processing hours for the following processes: SLA Management | Not applicable | Office Time Window | Office Time Window | Office Time Window

S7.9.1. Maintenance Impact

DXC will make reasonable efforts to minimize impacts to SAP Applications and Managed VPC SAP HANA Management Services resulting from Customer Maintenance Windows. DXC will accomplish this by:

a. Scheduling planned SAP and SAP HANA maintenance within the appropriate Customer Maintenance Windows;

b. Scheduling planned changes to SAP Applications and Managed VPC SAP HANA Management Services that have been agreed to under the Change Management Process within the Customer Maintenance Windows;

c. Providing advance notice to the Customer of Customer Maintenance Windows; and

d. Providing the Customer suggested alternatives to minimize any disruption in use of SAP Applications and/or Managed VPC SAP HANA Management Services resulting from Customer Maintenance Windows.

S7.10. Optional Add-On Service Features

DXC will provide the Optional Add-Ons specified in this Section, at the rates specified by Customer’s accepted Order through the Managed Services Portal or otherwise in writing.

S7.10.1. Continuity Services for SAP

If Customer has purchased Continuity Services in connection with the Services, Customer may request additional Continuity Services for the Customer’s SAP Instance that will provide additional SAP Application support in the event of a SAP disaster as described below (“Continuity Services for SAP”).

Although Continuity Services currently do not support SAP HANA Appliances, there are several SAP HANA Replication capabilities available that can offer disaster recovery capabilities for SAP HANA workloads running on Managed VPC Services. Where Continuity Services are not available or do not address SAP related requirements, DXC can provide consulting services as described below to assist the Customer in determining what other options are available.

S7.10.2. Consulting Services

DXC will provide consulting services to Customer on a time and materials basis as specified in an accepted Order to scope the following Continuity Services that may be required by the Customer for the Customer’s SAP Instance and/or the Customer’s SAP HANA Appliance:

a. Coordinate Customer and DXC Rehearsal plan.

b. Isolate SAP systems and/or the Customer’s SAP HANA Appliances in scope for Rehearsal.

c. Execute user acceptance tests for Rehearsal.

d. Execute Customer functional user acceptance tests for Rehearsal.

e. Document the outputs expected from Rehearsals.

f. Process the release systems that have been used in Rehearsals.

S7.10.3. If Customer has not purchased Continuity Services, consulting services can include the following additional areas:

a. The type of Replication and disaster recovery service best suited to the Customer requirements;

b. The network requirements; and

c. The setup and ongoing Charges of a disaster recovery service.

At the conclusion of the consulting engagement, DXC will provide a written report documenting its recommendations for additional Continuity Services for SAP in the areas listed above.

S7.10.4. Delivery

Following its receipt of DXC’s recommendations document as provided above, Customer may request that DXC provide any or all of the recommended Continuity Services. DXC’s provision of any such services will be subject to the parties entering into a separate, written agreement documenting the services that DXC will provide, DXC’s Charges for the services, and each party’s respective obligations. Neither party will be obligated to enter into such an agreement.

S7.10.5. SAP Solution Manager

SAP Solution Manager integration with SAP Instances can be purchased as an Optional Add-On which will be installed, configured, and managed on a Managed Server to provide additional monitoring and reporting capabilities.

Schedule 8. Managed Database Services

S8.1. Introduction

This Schedule will apply to each Order placed for Services, to the extent the services set forth in this Schedule 8 (“Managed Database Services”) are selected for purchase by Customer, and will remain in effect unless it is terminated or expires in accordance with this Solution Pack. In the event of any conflict or inconsistency between this Schedule and this Solution Pack, this Schedule will prevail with respect to the subject matter of this Schedule. General descriptions or references to particular Managed Database Services in this Schedule or elsewhere in this Solution Pack are subject to the more detailed descriptions below. Managed Database Services are only available for use within the Customer’s Managed VPC environment.

If Customer purchases Managed Database Services, Customer must also purchase backup services as described in Schedule 4 and Storage Services as described in Schedule 5.

Termination or suspension of all or any part of the Services, Storage Services, and/or backup services for any reason will automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Managed Database Services under this Schedule 8.

DXC will provide Managed Database Services that deliver a Database Management System on the Managed VPC infrastructure in accordance with this Solution Pack except where otherwise specified below. Managed Database Services consist of installation, configuration, administration, monitoring, and management of the DB Instance, maintenance of the DB Instance, and support of the DBMS environment via the Managed Services Portal. Managed Database Services do not include Customer Data migration, which DXC can provide on a Project basis at an additional Charge.

S8.2. Managed Database Services

DXC and Customer will each have the responsibilities set forth below related to the initial implementation of the Managed Database Services.

S8.2.1. DXC Responsibilities:

a. Install and maintain DB Instance system software.

b. Provision database Backup and Recovery Services as described in Schedule 4.

c. Provision and maintain DXC storage for DB Instances as described in Schedule 5.

S8.2.2. Customer Responsibilities:

a. Provide support for setup, licensing, and access to the Customer’s Managed VPC compartment in accordance with this Solution Pack.

b. Provide all Oracle licenses.

c. Provide all Microsoft SQL Server licenses.

d. Define the access type required.

e. Provide vendor authorization for support function utilization.

f. Plan, prepare, and execute Customer Data migration. Customer may request that DXC assist with or perform Customer Data migrations as a billable Project(s) at an additional Charge.

g. Perform user testing in accordance with an agreed test plan between DXC and the Customer at the time of implementation.

h. Manage application job scheduling.

i. Provide all application support.

S8.3. Management of Operations

S8.3.1. DXC Responsibilities:

a. Provide DB Instance administration and security.

b. Provide database patch management.

c. Provide proactive database Event Detection and Notification, including capacity threshold monitoring.

d. Monitor DXC Managed Database Availability.

e. Provide database backup and Restore functions as described in Schedule 4.

f. Operate and manage DXC Managed Database systems.

g. Check availability of new patch sets, patches, and firmware to correct known errors, as published by the applicable vendor.

h. Implement patch set updates, patches, firmware updates, and other proactive measures that do not require full installation of the database software (as available and determined appropriate at DXC’s discretion) during the predefined DXC Managed Database Maintenance Windows.

S8.3.2. Specific Operations Management Responsibilities

Each party’s specific operations management responsibilities are shown in the following table:

Responsibilities DXC Customer

Workload Management
1 Plan, analyze, and define database installation and configuration based on logon groups, Database Server groups and operation modes. R

Job Scheduling
2 Manage application job scheduling. R

Operational Administration
3 Define and implement operational procedures for in-scope Configuration Item administration. R
4 Perform user and group account administration of privileged users on operating system and database level. R
5 Manage application End Users and/or database authorization profiles (roles and concepts). R

6 Manage third-party services contracted through the Customer. R
7 Perform operating system and database startup/shutdown and kernel parameter changes to meet contractual obligations. R
8 Perform operating system and database profile, parameter, and file system maintenance required for Managed Database Availability or DBMS SL Tier fulfillment. R
9 Apply database patches (kernel patches, hotfixes, and support packages) that are required for Managed Database Availability or DBMS SL Tier fulfillment. R
10 Any application specific tasks. R
11 Apply or run scripts that change Customer Data. C R

Legend: ”R” = Responsible, “C” = Consult with Customer

S8.4. Service Onboarding

S8.4.1. Provisioning

The timeframes for Managed Database Services provisioning vary depending on the SL Tier selected by the Customer.

S8.4.2. Managed Database Architecture

DXC will deliver Managed Database Services using physical and virtual elements as determined by DXC in its discretion.

S8.4.3. Managed Mongo Databases may be configured as follows:

a. Virtual Database Servers used for stand-alone Mongo Database Instances; or

b. Physical Database Servers used for stand-alone Mongo Database Instances.

S8.4.4. Managed MySQL Databases may be configured as follows:

a. Virtual Database Servers used for stand-alone MySQL Database Instances.

S8.4.5. Managed Oracle Databases may be configured as follows:

a. A Customer Dedicated Virtual Host Cluster for stand-alone Oracle Database Instances;

b. Physical Database Servers used for stand-alone and clustered Oracle Database Instances;

c. Up to ten Oracle Database Instances on each Database Server or cluster;

d. Oracle transparent data encryption; or

e. High Availability using:

i. Oracle Serviceguard cluster with two nodes in a single or Dual Data Center; or

ii. Oracle Real Application Clusters using up to six nodes in a Single Data Center.

S8.4.6. Managed Microsoft SQL Server Database Instances may be configured as follows:

a. Virtual Database Servers (SL Tier 2 or SL Tier 3) or Physical Database Servers used for stand-alone Microsoft SQL Server Database Instances;

b. Up to ten Microsoft SQL Server Database Instances on each Database Server or SQL server cluster;

c. Microsoft SQL Server Oracle transparent data encryption; and

d. High Availability using:

i. Microsoft SQL Server Always on Availability Groups Instance using up to five nodes in single and Dual Data Center (Physical Database Server only); or

ii. Microsoft SQL clusters using up to four nodes in single or Dual Data Center (Physical Database Server only).

S8.4.7. Managed SQL Server reporting services may be configured as follows:

a. Virtual or Physical Database Servers used for the SQL server reporting services.

b. The SQL Server reporting services will be installed, configured, and made available to the Customer who is then solely responsible for the report design, access controls, definition, content, scheduling, and generation.

S8.5. Operational Services

S8.5.1. Incident Management

Incident Management provided by DXC for Managed Database Services consists of:

a. Recovery of the agreed Managed Database Services within the SL Tier selected by Customer in an Order; and

b. Written notification to Customer in the event of an Incident.

S8.5.2. Problem Management

Problem Management provided by DXC for Managed Database Services consists of:

a. Root cause analysis in case of a priority 1 Incident (as defined in this Solution Pack); and

b. Coordination between DXC and the Customer related to the Problem resolution.

S8.5.3. Event Detection and Notification

DXC will monitor the Managed Database Services’ environment to meet the Service Levels for Managed Database Services according to the SL Tier selected by the Customer. Monitoring will apply to the following areas:

a. Specific agreed to DB Instance and database processes;

b. Alert messages from the Database Server; and

c. System stall, slow processing, and other negative situations or Events of the Database Server or the DB Instance.

S8.5.4. DXC Responsibilities:

a. Monitor Database Instance Events based on DXC’s best practice standard established thresholds.

b. Raise and log Events where the threshold is exceeded.

c. Provide timely notification of detected Events to Incident Management.

d. Assess incoming Event Alerts and take action to Restore the DB Instance as determined to be appropriate in DXC’s discretion.

S8.5.5. Change Management

DXC is responsible for coordination and management of moves, additions, and changes to the DXC Managed Database environment for all in-scope CIs. The Customer can request additions, moves, and/or changes under the terms of the Governing Agreement and these Change Management terms.

S8.5.6. Change Management activities include:

a. Make Physical/logical database configuration changes; and

b. Provide Database patch management.

The following table sets out DXC’s Change Management obligations for each SL Tier.

Activity | SL Tier 2, SL Tier 3 and SL Tier 4

Response to Request for Change | In accordance with the DXC Change Management Processes

Routine and Normal Changes | • Will be performed as agreed during Customer Maintenance Windows • Up to eight continuous hours per month of Excused Managed Database Downtime

Project Changes | Available on a Project basis

Customer requested patches and other changes | Available on a Project basis

The following table shows DXC’s lead time obligations for qualification of change activities listed below based on SL Tier. For purposes of this table, qualification means to review, understand, and estimate effort and to agree on the time required to deliver the change.

Activity | SL Tier 2, SL Tier 3 and SL Tier 4

Lead time between RFC initiation and Routine Change qualification | 2 business days

Lead time between RFC initiation and Normal Change qualification | 6 business days

Lead time between RFC initiation and Project Change qualification | 10 business days

Manage backup and Restore - Time to start the database Restore/recovery | Media mount time + 8 hours

S8.5.7. Configuration Management

DXC will provide documentation of all CIs for the applicable systems and software that are necessary to perform the Managed Database Services as agreed to in an Order.

S8.5.8. Security Management

DXC obligations for Security Services are as described in Schedule 2.

S8.5.9. Capacity Management

DXC provides monitoring of capacities of the Managed VPC infrastructure, such as CPU usage and storage, taking into account the Managed Database Services requirements.

S8.5.10. Maintenance Impact

DXC will make Routine Changes to the Managed Database Services’ environment as described in Section S8.5.5 according to the following guidelines:

a. Schedule planned database maintenance within the appropriate Customer Maintenance Windows;

b. Schedule planned changes to Managed Database Services that have been agreed to under the Change Management Process within the Customer Maintenance Windows;

c. Provide advance written notice to the Customer of Customer Maintenance Windows; and

d. Provide the Customer suggested alternatives to minimize any disruption in use of DB Instances resulting from Customer Maintenance Windows.

S8.5.11. Managed Database Services Call Handling

In the case of an Incident or Problem with the Managed Database Services, the Customer’s Authorized Representatives may contact the DXC Operations Center by telephone subject to the limitations in the table below. The Authorized Representatives will also log service requests with the DXC Operations Center. The service requests will be handled and addressed by the appropriate DXC support personnel. After the Incident or Problem has been addressed, DXC will notify the Customer.

A dedicated DXC phone number will be provided to the Customer upon commencement of the Managed Database Services.

Limitation Description | Limitation Values (SL Tier 2, SL Tier 3 and SL Tier 4)

Number of Authorized Representatives per Customer | Five

Service delivery language | English

Incoming channel through which Incidents will be received. | Monitoring and telephone

Participate in Customer led isolation of application performance issues. | Available on a Project basis