Service Level Agreement
This is the service level agreement for Web Gateway, UTM and Iceni customers with contracts starting on or after 16th June 2020. For contracts starting before this date, please see the previous SLAs.
Definitions
- Customer – The party identified as the customer in the Opendium Online Safety Agreement.
- Opendium – Opendium Limited is a company registered in England and Wales with company number 5465437.
- Opendium System – An Opendium Web Gateway, Opendium UTM or Opendium Iceni system.
- Service Start Date – The date that Opendium begins supplying services under this agreement. For new customers, this is defined as the earliest agreed installation date, irrespective of whether installation is eventually rearranged for a later date. For existing customers, this is the start date of the most recently renewed agreement. For example, if a customer arranges installation to be carried out on September 5th but then postpones installation to October 12th, the Service Start Date will be September 5th.
- We – Any use of the pronoun "we" refers to Opendium.
- You – Any use of the pronoun "you" refers to the Customer.
Packages and Extras
You can choose between our standard and advanced support packages when you purchase an Opendium System. Additionally, the following extras are available for purchase:
- Extended support hours – If you purchase our extended support package, you can contact an on-call engineer 7 days a week in an emergency.
- Additional telephone support – If you require more telephone support time than your support package includes, this will be charged by the hour (or part thereof) and invoiced in arrears at the end of your billing year.
- ICT administration staff training – When we install an Opendium System, we usually also have time to provide some basic training. However, if your ICT administrators require extra training sessions, they can be booked at any time.
- Networking consultancy – We are able to provide consultancy services for general network design, restructuring and problem solving.
- Bespoke enhancements – Whilst we endeavour to continually improve our products, we are also aware that our customers occasionally want a bespoke feature, whether this be additional software functionality, or some unique provisions in the service level agreement.
- Accelerated development – We routinely accept feature requests from our customers, but we must consider the broader ecosystem in order to prioritise which enhancements will be developed first. Where an enhancement does not justify a high priority through our routine product enhancement programme, a customer can ask for it to be handled as a bespoke enhancement in order to accelerate its development.
Our Commitments
Except where otherwise stated, "support" refers to support given for issues directly associated with the Opendium System.
Installation
One of our engineers will spend one day at your premises to install your Opendium System onto your network and configure your systems appropriately. Usually we expect to spend about half a day on the installation itself and the remaining half day is used to provide basic training in the operation of the Opendium System, although this can vary depending on the complexity of the installation. If you expect to need more time for installation or training, or require additional networking consultancy, please discuss this with us.
Standard Support
The standard support service is invoiced in advance and begins on your Service Start Date.
For the first month of the school term immediately after installation, we will provide unlimited support during our normal support hours (09:00 – 17:00, Monday to Friday, excluding public holidays). Thereafter, within reason, we will provide unlimited support by email and up to 1 hour per month of telephone support. Additional telephone support time can be purchased on a pay-as-you-go basis at an additional cost which will be invoiced in arrears at the end of your billing year.
We will provide guidance and instruction to your ICT administration staff regarding any reconfiguration of the Opendium System that is required in the day to day running of your network.
We will provide software updates, which may include enhancements, new features and security updates, and they will usually be installed automatically. Any administration of your servers that we perform will be done remotely where practicable.
We will perform daily off-site backups of your Opendium System configuration, to be used in a disaster recovery situation. This does not include user data, such as emails, etc.
Advanced Support
The advanced support service is invoiced in advance and begins on your Service Start Date. In addition to our standard support commitments, described above:
Within reason, we will provide unlimited support by both email and telephone during our normal support hours.
In response to plain-English requests from your ICT staff, we will perform reconfigurations of the Opendium System as required for the day to day running of your network.
We will monitor your Opendium System remotely and act to resolve any problems that the monitoring alerts us to.
We will assist with advice on matters not directly related to your Opendium System on a case by case basis.
We will liaise with third party suppliers on technical matters relating to your Opendium System and any investigations arising from your support queries.
We aim to respond to non-urgent support requests within 1 working day and urgent service-impacting support requests within 4 working hours. We will make all reasonable efforts to resolve urgent problems within 8 working hours. Urgent support requests must be raised by telephone. In the event that we are unable to answer the call, please leave a voice mail message when prompted, including a contact number, and we will endeavour to return your call or resolve the problem as soon as possible.
Extended Support Hours
The extended support hours service is invoiced in advance and begins on your Service Start Date. In addition to our standard support commitments, described above:
Normal support hours are extended to 08:00 - 18:00 Monday to Friday, excluding public holidays.
An on-call engineer can be contacted at any time in the event of urgent service-impacting issues. Out of hours calls for non-service-impacting issues may incur a charge.
We will make all reasonable efforts to respond within 4 hours and resolve the problem within 8 hours. Out of hours support requests must be raised by telephone. In the event that we are unable to answer the call, please leave a voice mail message when prompted, including a contact number, and we will endeavour to return your call or resolve the problem as soon as possible.
Security Vulnerabilities and PCI DSS Compliance Scans
We take security very seriously. Our systems utilise operating systems based upon Red Hat Enterprise Linux, a number of third party software packages and our own software. Security problems should be reported to security@opendium.com, and will be triaged by our development team. We ensure that all security updates for all components are applied automatically in a timely manner.
Banks mandate that networks handling payment data must comply with the Payment Card Industry Data Security Standard (PCI DSS), and that internet-facing systems are regularly scanned for vulnerabilities. Our systems are engineered to meet the PCI DSS standards, but unfortunately, the scans are extremely blunt tools and produce numerous false positives which the Approved Scanning Vendor (ASV) must manually query and exclude.
In response to a "failed" PCI DSS scan, we will provide:
- the version number of your Opendium System's operating system;
- a link to the operating system vendor's CVE database, which confirms the status of any items that the PCI scan has flagged; and
- an itemised list of any vulnerabilities which affect other components, confirming their status.
As our products are based upon standard operating systems, the ASV should maintain their own database of false positives that they know their scanner produces for each operating system, be able to easily exclude them using this information, and provide a compliance certificate.
Unfortunately, some ASVs do not appear to keep such a database and require each of their customers to provide evidence against each flagged item separately, every time they are scanned. If required, we can review the ASV's report on your behalf and provide such evidence. However, as this is frequently a huge amount of work, we will make a charge for each false positive that could have been excluded using the information that was already provided.
Regular scanning is just one aspect of PCI DSS compliance, and can only highlight potential security problems at the edge of the network. We are usually well placed to understand a customer's internal systems and can provide consultancy to ensure that the more important aspects of security are addressed, which cannot be detected by a simple network scan. These include network design, data handling practices and the security of internal systems.
Your Commitments
Installation
Prior to installation, we require you to fill in the pre-installation questionnaire. This provides us with important information regarding the configuration of your network, allowing us to foresee problems that we may have to accommodate and for the installation to be completed quickly and smoothly.
Ongoing
Where practicable, you will inform us of any major changes to your network, and provide any requested technical documentation, at least 14 days before they are to be implemented. This is so that we are able to evaluate any reconfiguration of your Opendium System that will be required and, if necessary, book time with our engineers to implement and support the reconfiguration. This includes upgrades to the Opendium System. With respect to any resulting support requests, if such network changes are implemented for which we have not received appropriate notice or documentation, we reserve the right to: (a) exceed the stated response times, and (b) make an additional charge which will be invoiced in arrears at the end of your billing year.
You will allow Opendium staff to access your Opendium System remotely through your Internet connection (TCP port 22). If this is not possible due to the limitations of your Internet connection or your data protection policies, please discuss this with us as we may still be able to accommodate your requirements.
You will be provided with a customer number. Please keep this to hand and quote it whenever you contact us so that we can process your request as quickly as possible.
You will fulfil your responsibilities under the Data Processing section of the Opendium Online Safety Agreement.
Feedback
We are dedicated to continually improving our products and always welcome feedback. Please tell us what works well and what needs improvement.