New ALA Policies, Practices & Business Rules for Internal & Outsourced IT &/or Related Services & Products

Context

The following list of IT-related policies, practices and business rules reflects the needs of a complex organization with a wide range of business needs seeking to provide the best possible service to members, customers, staff and the public with limited resources.

 

A Summary of Policies, Practices & Business Rules

1. Accessibility

The American Library Association places a high value on equity of access, including access to ALA services, products and information by users with disabilities. For that reason, all products and services must meet the WCAG 2.1 AA standard of the W3C WAI (Web Accessibility Initiative): https://www.w3.org/WAI/guid-tech.html  

Additional explanation and resource links are available on the ALA Support site: http://www.ala.org/support/style/accessibility

A statement of compliance at WCAG 2.1 AA of WAI is required.

Options to validate your URL:

2. Security

IT security, including protection of personally identifiable information (PII), encryption and payment card industry (PCI) compliance, is critical to ALA and to its members. ALA contracts with a security service for regular audits and reviews; a comparable level of attention to security is expected when outsourcing services. ALA ITTS and ALA Finance will work together to maintain a high level of security.

  1. Personally Identifiable Information
  • PII, which includes but is not limited to the combination of name and address information, must be properly protected not only within current security protocols at ALA but also through proper access controls and agreements limiting vendor access to PII. Please refer to PII as defined in IL statute.
  2. Encryption
  • HTTPS is a protocol for secure communication over a network, consisting of a connection encrypted by Transport Layer Security or its predecessor (Secure Sockets Layer). HTTPS authenticates the visited website and protects the privacy and integrity of the exchanged data. ALA requires encryption of all web services.
  3. Payment Card Industry (PCI) Compliance
  • The Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards designed to ensure that companies that accept, process, or transmit credit card information maintain a secure environment. PCI DSS compliance is required.
  4. Security is also affected by payment gateways used to process ALA-related online payments and transactions (e.g., registrations, product purchases, donations). Fewer payment gateways lead to better internal controls; an increased number of gateways has a concomitant higher risk of fraud. In addition to security risk, external gateways also require account reconciliation; ALA Finance must be able, within reason, to audit any payment gateway’s transactions, done in the name of ALA or an ALA unit, for security and PCI compliance. Requests to use external gateways must be reviewed and approved by ALA Finance and IT.

 

3. Single Sign-On (SSO)

In most cases, ALA requires Single Sign-On for automatic authentication to web-based resources, including IP-based subscriptions, within ALA’s federated site (e.g., ALA/Division websites, various registration sites, ALA Connect). SSO enables users to log in once and then move from one portion of the federated website to another, without having to log in again. Applications that require login must utilize the SSO protocol in current use by the ALA. ALA currently uses Shibboleth to allow for a single user name and password to be used by members and customers on various platforms. End-user ease of use is a key value here.

4. iMIS Integration

  1. iMIS as a Data Source
  • iMIS, ALA’s association management platform, includes information on the identity and activity of each ALA member and customer. SSO (see 3, above) allows iMIS data to be securely passed into other systems so ALA members and customers do not have to reenter information (e.g., address information).
  2. iMIS Activity Integration
  • To provide effective personalized services to members and customers in the 21st century environment, ALA aspires to record all member/customer activity and all sales activity. Writing activity back to the iMIS database requires the configuration of web services with an outsourced vendor to allow for data collection in real time. The alternative – importing data from csv files or manual data entry – often leads to duplicate and/or erroneous data creation. Any external system must write relevant and timely data back to iMIS.
  3. Data Integrity
  • Manual data re-entry is a potential source of error and must be avoided.

 

5. Member and Customer Service

a. Discoverability

All ALA eLearning must be discoverable through the ALA eLearning site, regardless of unit of origin or registration process.

b. Providing customer service

ALA’s Member and Customer Service unit (MACS) must have information on ALA products and services in order to provide the level of customer service expected by ALA members and other customers. Any external service provider must provide a comparable level of support and must provide MACS with secondary customer service information (e.g., direct contact information for customer service).

6. Contract Review

IT contracts are reviewed by ITTS, and legal counsel where necessary based on contract complexity or issues, prior to going to the Senior Associate Executive Director of ALA (or Executive Director, ALA).

7. Attention to Association Resources

A reasonable discovery process – aimed at finding out what other ALA units are doing in similar situations or to address similar needs – will reduce unnecessary multiplication of contractual relationships. ITTS and Finance must review and approve outsource contracts.

8. IT Outsourcing Checklist with sample language

In a complex and rapidly changing IT environment, outsourcing – a formal contractual relationship through which ALA receives IT services from an external provider – may offer flexibility, cost-savings and/or opportunity to explore alternative approaches without long-term commitment. At the same time, outsourcing potentially raises issues related to the Association’s risk management, internal control, business reputation and data integrity. Outsourcing does not alter the responsibility of the ALA for effective oversight. ALA Management remains responsible for evaluating potential risk and ensuring prudent business practices. Due diligence processes will vary depending on the nature of the proposed project, the risks involved, and the impact on ALA of any breach or service failure. Reasonable risk mitigation strategies should be in place, proportionate to the specific project.

Checklist for Negotiation & Review of Outsource Arrangements


The following checklist is designed to assist ALA units, including ALA Divisions, in their negotiation and review of outsource arrangements. [See Appendix A for sample contract.]

Due Diligence and Contract Management 

[ ] Does the proposed outsource company have the financial and/or organizational stability, experience and competence to implement and support the service over the proposed life of the contract?

[ ] Will the contractor be employing sub-contractors to complete the project or provide the contracted service?

[ ] Are there provisions in place for disaster recovery or continuity in the event of business failure?

[ ] What are the procedures that will be used to monitor the outsource project?

[ ] Is there a provision and a procedure for resolution of disputes?

[ ] Is there a provision for termination of the agreement by ALA?

[ ] Is there a service level agreement to guarantee performance?

Confidentiality and Security

[ ] Is compliance with current regulations related to personally identifiable information and PCI DSS clearly agreed to and documented?

[ ] Does the contract cover actions in case of a security breach – e.g., notification, liability?

[ ] Does the web site use HTTPS security on all pages?

Accessibility

[ ] Does the contract clearly require the contractor to meet Level 2 W3C WAI requirements?

ALA ITTS requests that Requests for Proposal for resources to be accessed on or through ala.org include the following language: ALA web resources must comply with Web Content Accessibility Guidelines (WCAG 2.0) at the AA level. If you are not familiar with this standard, please read “Understanding the Guidelines: A Quick Reference Guide” and information on recommended techniques from the W3C Working Group at https://www.w3.org/WAI/guid-tech.html. If your service does not meet this standard and you are not willing to work immediately toward compliance, you should not respond to this RFP.

[ ] Is satisfactory completion of accessibility testing required? If there is only partial satisfaction, what is the process for continued improvement? Are accessibility improvements clearly at the vendor’s expense?

Single Sign-On

[ ] Has the vendor implemented ALA’s current single sign-on solution (as of 07/14/2017: Shibboleth)? If not, is there a clear commitment to do so at the vendor’s expense?

iMIS Integration

[ ] Does the vendor have prior experience with iMIS integration?

[ ] Will activity be written back to iMIS live – or is a subsequent upload required?

Financial Controls

[ ] If the contractor collects revenues, how and where will those revenues be collected?

[ ] How and when will the revenues be received by ALA?

[ ] What documentation will be provided to assist ALA Finance in reconciliation?

[ ] Does the proposed outsource company have sufficient financial means/insurance to reimburse ALA should ALA endure financial hardship due to the outsource company’s actions or inactions?

Administration

[ ] Has the draft contract been reviewed by ALA ITTS?

[ ] If ALA members and customers may seek answers to questions (e.g., about a conference or webinar), has the unit proposing to contract the service provided ALA Member and Customer Service with the necessary information, including a contact in the unit?

ALA Communication Preferences

a. ALA asks members to select their communication preferences upon joining. Current text (as of 7/14/2017):

• From ALA and outside organizations

• Just ALA

• Official communications only

b. All units of ALA are required to adhere to member decisions on communications, and must use them in marketing communications with members. Communication preferences are stored in iMIS, and any use of an email marketing system must be able to export and implement these preferences. ALA currently uses Informz, which allows for communication preferences to be honored when pulling mailing lists from iMIS, and allows more granular choices to be made about marketing communications to members. Any outside marketing email system must be able to integrate with iMIS and member communication preferences.

Shibboleth SSO “Skeleton” or Standard Profile for Consuming iMIS Data

[iMIS_AddressCity] => Chicago

[iMIS_AddressLine1] => 50 E Huron St

[iMIS_AddressStateProvince] => IL

[iMIS_AddressZip] => 60611-2788

[iMIS_CommunicationPrefLevel] => 100000

[iMIS_CompanyName] => American Library Association

[iMIS_Email] => rberquist@ala.org

[iMIS_FamilySuffix] => III

[iMIS_FirstName] => Robert

[iMIS_FullName] => Robert E. Berquist, III

[iMIS_ID] => 1279227

[iMIS_InformalName] => Robert

[iMIS_IsCompany] => false

[iMIS_IsMember] => false

[iMIS_LastName] => Berquist

[iMIS_Login] => RBERQUIST

[iMIS_MemberType] => STAFF

[iMIS_MemberTypeDescription] => Staff Personnel

[iMIS_MiddleName] => E.

[iMIS_Participations] => ^CURRENT COMMITTEE|ALA|ALA-ZWINDOWS7|ALA Windows 7 Upgrade Community||||${SUB_GROUP}|Committee^CURRENT WEBACCESS||A_ALA|ALA Home\; should provide access to all other zones.|ALA Home\; should provide access to all other zones.|AGA|ALA Global Admin||^CURRENT WEBACCESS||A_M|Membership|Membership|SA|Site Admin||

[iMIS_ProviderUserKey] => 1279227

[iMIS_SummaryParticipations] => ^CURRENT COMMITTEE|ALA|ALA-ZWINDOWS7|ALA Windows 7 Upgrade Community||||${SUB_GROUP}|Committee^CURRENT WEBACCESS||A_ALA|ALA Home\; should provide access to all other zones.|ALA Home\; should provide access to all other zones.|AGA|ALA Global Admin||^CURRENT WEBACCESS||A_M|Membership|Membership|SA|Site Admin||

[iMIS_Title] => Internet Administrator

[iMIS_WorkPhone] => (312) 280-5833

Policy Enforcement

These policies and guidelines will be enforced by the Department Heads. Violations may result in disciplinary action, which may include suspension or more severe penalties up to and including termination of employment.

Appendix A - ALA Contract Example


ALA Contract Example

(I) Customer / Provider Details:

Customer:
Organization Name: American Library Association
Organization Address: 50 E. Huron Street, Chicago, IL 60611-2795
Organization URL: www.ala.org
Agreement Contact:
Contact Title:
Contact Email:
Contact Phone:

Provider:
Organization Name:
Organization Address:
Organization URL:
Agreement Contact:
Contact Title:
Contact Email:
Contact Phone:

(II) Web Site

Services listed below will be provided for the following web site: HTTPS://example.ala.org, (“Web Site”)

(III) Agreement Term

Unless terminated earlier as provided below, the term of this Agreement is N

(IV) Services Provided

(1) Description of Service:

(a) Service Details:

 

(b) Fees:

(i) Implementation Fee: $$$$

 

(ii) Single-Sign-On Integration: Single-Sign-On (SSO) Integration with Customer’s Association Management System, iMIS 20.1.13 via Shibboleth 2.4.3, for Project accounts will be provided at Customer’s request for free or a fee of $$$$. Future SSO updates needed by Customer will be considered custom development work.

 

(iii) iMIS Activity Integration: Any activity records must be recorded in the Customer’s Association Management System, iMIS currently, 20.1.13 (vendor must verify current ALA version) via web service calls.

 

(iv) Accessibility Requirements: Sites that go live with unmitigated accessibility issues will be charged a fine of $500.00 dollars per day.

 

(v) Credit Card/Invoicing Fees: Customer agrees to pay a fee of N% of gross sale amount for all purchases. This fee shall cover all credit card fees, billing fees, collections, postage, materials and handling costs.

 

(vi) Flat Monthly Fee: $$$$

 

(vii) Design/Development Fees: $$$$$

 

(c) Requirements:

(i) Exclusive Content:

 

(ii) Encryption: HTTPS is a protocol for secure communication over a network, consisting of a connection encrypted by Transport Layer Security (TLS 1.2). HTTPS authenticates the visited website and protects the privacy and integrity of the exchanged data. ALA requires encryption of all web services.

 

(iii) Payment Card Industry (PCI) Compliance: The Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards designed to ensure that companies that accept, process, or transmit credit card information maintain a secure environment. PCI DSS compliance is required.

 

(iv) Accessibility Requirements: ALA’s web resources must comply with Web Content Accessibility Guidelines (WCAG) 2.0 at level AA; understanding the guidelines, a quick reference guide, and information on recommended techniques are available from the W3C Working Group. Websites must be submitted to ALA for accessibility testing no less than four weeks preceding launch dates so that there will be time for remediation, if required.

 

(v) Project Launch: Customer shall provide Company everything it needs to build the Project within thirty days of execution of this Agreement. Customer shall launch, as described in section (i) of this clause, the Project within NN calendar days

 

(vi) Pre-Launch Testing: Prior to launching the Project, Customer will be provided with a link to the Website on a staging server environment, and will be provided a list of use cases for testing specific activities on the site. Only after addressing any outstanding issues with standard functionality, and receiving official approval, will the site go live into production. During this period Customer may also test for accessibility and compatibility.

 

(vii) RFP Response: This document is included as Exhibit C to this agreement and details the services the project will provide.

 

(viii) Monthly Financial Reports: Company will provide customer with detailed financial reports, samples of which are included as Exhibit B, no later than the 15th day of the month, recapping activities for the month prior.

 

(ix) Single Sign-On (SSO): In most cases, ALA requires Single Sign-On for automatic authentication to web-based resources, including IP-based subscriptions, within ALA’s federated site (e.g., ALA/Division websites, various registration sites, ALA Connect). SSO enables users to log in once and then move from one portion of the federated website to another, without having to log in again. Applications that require login must utilize the SSO protocol in current use by the ALA. ALA currently uses Shibboleth to allow for a single user name and password to be used by members and customers on various platforms. End-user ease of use is a key value here.

 

(x) iMIS as a Data Source

iMIS, ALA’s association management platform, includes information on the identity and activity of each ALA member and customer. SSO allows iMIS data to be securely passed into other systems so ALA members and customers do not have to reenter information (e.g., address information).

 

(xi) iMIS Activity Integration

To provide effective personalized services to members and customers in the 21st century environment, ALA aspires to record all member/customer activity and all sales activity. Writing activity back to the iMIS database requires the configuration of web services with an outsourced vendor to allow for data collection in real time. The alternative – importing data from csv files or manual data entry – often leads to duplicate and/or erroneous data creation. Any external system must write relevant and timely data back to iMIS.

 

(xii) Service Level Agreement (SLA)/Business Continuity/Disaster Recovery Plan

Vendor must provide appropriate SLA/Business Continuity/Disaster Recovery plan for application. See Appendix B for examples.

 

(xiii) Security Breach Response, Remediation, and Notification Plan

a) Personally Identifiable Information (PII)

PII must be protected as stated in ALA’s Privacy Policy. PII is subject to the appropriate governing law. Vendor must have a PII security breach response plan. (Governing law example: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702 Illinois PII Act).

b) Payment Card Industry (PCI) Breach

Vendor must have a PCI incident response plan.

c) Malware

Vendor must have a malware incident response plan.

 

(xiv) Server Maintenance

a) Vendor will employ industry best practices to protect application from compromise. (e.g. user maintenance, network controls, firewall)

b) Vendor will apply current releases of the operating system (OS) and keep current on appropriate OS patches.

c) Vendor will apply appropriate platform patches.

(V) General Terms & Signature:

This Agreement contains the entire agreement and understanding by and between the parties with respect to the subject matter hereof, and no representations, promises, agreements or understandings, written or oral, not herein contained shall be of any force or effect. No change, modification or amendment shall be valid or binding unless in writing and signed by both parties. The provisions of this Agreement shall be deemed severable, and the invalidity or unenforceability of any one or more of the provisions hereof shall not affect the validity and enforceability of the other provisions hereof.

The General Terms & Conditions attached hereto are incorporated by reference as if set forth herein.

IN WITNESS WHEREOF, the parties set their hands and seals as follows

 

CUSTOMER Name

 

_______________________________

 

Signature:

 

_______________________________

 

Title:

_______________________________

 

Date:

 

_______________________________

 

Vendor Name

 

_______________________________

 

Signature:

 

_______________________________

 

Title:

_______________________________

 

Date:

 

_________________________________

 

General Terms & Conditions

1. Termination.

(a) The parties agree that this Agreement may be terminated, upon any one of the following conditions:

i) by either party upon the material breach of any of the terms of this Agreement by the other party which material breach is not cured within thirty (30) days after delivery of written notice thereof specifying the breach to the breaching party;

ii) by either party immediately upon giving notice, if (A) the other party ceases doing business for a period of thirty (30) days or more (for purposes of this paragraph, the reorganization of party and/or the acquisition and/or merger of the party with another entity is not “ceasing to do business”), (B) the other party makes a general assignment of a substantial portion of its assets for the benefit of its creditors, or (C) a bona fide bankruptcy, liquidation, receivership, or similar proceeding is instituted by or against the other party and such proceeding is not dismissed within one-hundred-twenty (120) days after the institution thereof; or

iii) at the end of any term.

 

(b) Upon termination, the non-breaching party shall be entitled to all remedies at law and equity.

 

(c) Upon termination, Customer shall be provided a copy of the client data collected during the term of this Agreement.

2. Software/Technology Ownership.

The parties agree that this Agreement is not a transfer or license of software rights. At all times covered by this Agreement and after its termination, ALA maintains all ownership and rights over its software, and the associated upgrades, customizations, and other materials and technologies associated with the software. ALA retains the right to all content, code, data and other materials created as a result of this Agreement and/or usage of its software.

3. Compliance.

Customer agrees to comply with the terms of the user agreements, privacy statements and any other existing agreements currently in use by VENDOR to collect and manage the content provided to the VENDOR by the ALA users.

4. Client Content.

VENDOR and Client mutually acknowledge that neither party has direct control over content uploaded by ALA Members/Customers. Should either party become aware of content uploaded that may be libelous, defamatory, obscene, pornographic, abusive, or otherwise in violation of any state or federal law then the parties will work together to remove such content in a timely manner along with other actions deemed necessary.

5. Data ownership.

Customer shall retain ownership of all data created by usage of and that is entered into the system by users.

6. Indemnifications.

The parties agree to indemnify and hold the other harmless from all claims, judgments, settlements, damages, liabilities, actions, demands, costs, expenses, or losses, including reasonable attorney’s fees, arising out of any third-party claim that the other party’s content or services i) are libelous; ii) are infringements upon the copyright, trademark, trade secret or other proprietary rights of others, or (iii) result in any tort, injury, damage or harm of any kind to any third person.

7. No Warranties.

Neither party makes any warranty in connection with the subject matter of this Agreement, and hereby disclaims any implied warranties or merchantability and fitness for a particular purpose regarding such subject matter.

8. Limitation of Liability.

The parties agree that neither party shall be liable to the other for any special, incidental, or consequential damages, whether related to breach of contract, tort, negligence, technology failure, or any other cause of action. The maximum liability of the VENDOR relating to any transactions that are the subject matter of this Agreement shall be the amounts set forth in Section 4 in the Agreement.

9. General Provisions.

a) Assignment. Neither party may assign this Agreement in whole or in part without the other party’s written consent, except in the case that the majority of the equity or substantially all of the assets of one of the parties is transferred to a third party through merger or acquisition.

 

b) Dispute Resolution. The validity, interpretation, and enforcement of this Agreement shall be governed by the internal laws of the State of Massachusetts. The parties each hereby agree to the exclusive jurisdiction of the courts of the State of Massachusetts and the Federal Courts therein, and agree that a judgment of such courts will be enforceable in any court of competent jurisdiction over either party. The parties agree that service or process by certified mail, return receipt requested, shall be adequate services of process, and each party agrees that if service of process cannot be made on such party at the address provided to the other party or any subsequent address, such party hereby appoints the Secretary of State of the State of Massachusetts as its agent for service of process. Customer shall reimburse the VENDOR for all costs incurred by the VENDOR in enforcing its rights under this Agreement, including without limitation reasonable attorneys’ fees.

 

c) No Agency. The parties herein agree that they are independent contractors and will have no power or authority to assume or create any obligation or responsibility on behalf of each other. This Agreement will not be construed to create or imply any partnership, agency or joint venture.

 

d) Force Majeure. Any delay in or failure of performance by either party under this Agreement will not be considered a breach of this Agreement and will be excused to the extent caused by any occurrence beyond the reasonable control of such party including, but not limited to, acts of God, power outages, technological problems and governmental restrictions.

 

e) Non-disclosure. The parties agree that the terms of this Agreement may not be discussed with any third party not a party to this agreement.

 

f) Notice. Any notice or written communication required pursuant to the terms of this Agreement shall be deemed sufficient if delivered in person, mailed postage prepaid by certified or registered mail, to the address set forth in this of this Agreement.

Appendix B - Service Level Hosting Agreement (SLA)

Service level hosting agreement (SLA) Introduction

This service level agreement (SLA) describes the levels of service that the American Library Association (‘the client’) will receive from XXXXXXX (‘the supplier’).

Purpose

The client depends on IT equipment, software and services (together: ‘the IT system’) that are provided, maintained and supported by the supplier. Some of these items are of critical importance to the business.

 

This service level agreement sets out what levels of availability and support the client is guaranteed to receive for specific parts of the IT system. It also explains what penalties will be applied to the supplier should it fail to meet these levels.

 

This SLA forms an important part of the contract between the client and the supplier. It aims to enable the two parties to work together effectively.

Guaranteed uptime

Uptime levels

In order to enable the client to do business effectively, the supplier guarantees that certain items will be available for a certain percentage of time.

 

These uptime levels apply to items in the equipment, software and services covered in this agreement.

 

The level of guaranteed uptime depends on the priority level of each item:

 

Priority level  Guaranteed uptime
1 99.99%

 

Measurement and penalties

Uptime is measured using the supplier’s automated systems, over each calendar month. It is calculated to the nearest minute, based on the number of minutes in the given month (for instance, a 31-day month contains 44,640 minutes).

 

If uptime for any item drops below the relevant threshold, a penalty will be applied in the form of a credit for the client.

 

This means the following month’s fee payable by the client will be reduced if billed monthly. If billed yearly, a refund will be sent to the client.

 

The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA:

 

Penalty per hour (pro-rated to nearest minute)

5% of total monthly fee or .417% of yearly fee

 

Important notes:

• Uptime penalties in any month are capped at 50% of the total monthly fee or 4.2% of yearly fee.

• Uptime measurements exclude periods of routine maintenance. These must be agreed between the supplier and client in advance.

Guaranteed response times

When the client raises a support issue with the supplier, the supplier promises to respond in a timely fashion.

Response times

The response time measures how long it takes the supplier to respond to a support request raised via the supplier’s online support system.

 

The supplier is deemed to have responded when it has replied to the client’s initial request. This may be in the form of an email, text, or telephone call, to either provide a solution or request further information.

 

Guaranteed response times depend on the priority of the item(s) affected and the severity of the issue. They are shown in this table:

 

Issue severity (see Severity levels section, below) and guaranteed response time:

  • Fatal: 15 minutes
  • Severe: 30 minutes
  • Medium: 60 minutes
  • Minor: 90 minutes

 

Response times are measured from the moment the client submits a support request via the supplier’s online support system.

 

Response times apply 24/7/365, unless the contract between the client and supplier specifically includes provisions for out of hours support.

 

Severity levels

The severity levels shown in the tables above are defined as follows:

  • Fatal: Complete degradation — all users and critical functions affected. Item or service completely unavailable.
  • Severe: Significant degradation — large number of users or critical functions affected.
  • Medium: Limited degradation — limited number of users or functions affected. Business processes can continue.
  • Minor: Small degradation — few users or one user affected. Business processes can continue.

Measurement and penalties

Response time is measured by the supplier’s automated systems, over each calendar month.

 

If response time exceeds the guaranteed response times listed above for any given support request in a month, a penalty will be applied in the form of a credit for each request in each month that response time exceeds the above guarantee.

 

This means if billed less than monthly, the following month’s fee payable by the client will be reduced by any credit amount. If billed yearly, a refund will be sent to the client.

 

The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA:

 

Penalty per incident

5% of total monthly fee or .417% of yearly fee

 

Important notes:

  • Response penalties in any month are capped at 50% of the total monthly fee or 4.2% of yearly fee.

Backup Intervals

Backup should be done at the following intervals:

  • 6 Daily Backups
  • 5 weekly backups performed on Saturdays
  • Quarterly Backups on week 5

Appendix C

Insert RFP Response for the Project