Document Owner: vFairs Head of IT Effective Date: 01-Jan-2020 Last Reviewed: 15-June-2024 Introduction As part of the vFairs platform, the Provider (“vFairs”) provides: A Hosting Service with related components. vFairs solution is hosted on Amazon AWS. We have datacenter locations in US, Canada and Europe (Germany). We allow tenants to specify their preferred data center location for hosting of their data and any restrictions they would like to apply. vFairs Data Center locations currently include: AWS US East Region Northern Virginia. AWS Canada (Central) Region Montreal AWS Germany (Frankfurt) Region Germany A Maintenance service for the Application and Platform including both corrective maintenance and enhancements. A Customer Support Service for the Application and Platform This document outlines the terms under which these services are offered and the associated service levels. Definitions Availability and uptime: This is the amount of time that services are running and accessible to the customer. Uptime is generally tracked and reported every calendar month. Downtime: This is the total accumulated time the service is unavailable. Service Commitment: vFairs will use commercially reasonable efforts to make service available with an uptime percentage of at least 99.95%. 1. Hosting Services 1.1 Customer Environment Definition Customer Resources As part of the Hosting Service and platform, each customer will have the following resources: Resources Availability Application Dedicated Application Server Instance Yes Application Database management (monitoring, tuning, configuration, backup/recovery) Yes Customer data Dedicated logically segregated database structure Yes Dedicated database access pools Yes Dedicated access logs Yes Network resources Delivery of contents using specialized CDN service provider for the hosted site images and client side scripts Yes Security behind redundant Firewalls Yes Availability using redundant load balancers Optional Hosting Infrastructure Secured Facility (24X7) surveillance, secured access, motion detectors Yes Redundant power (grid power supply, UPS, Power breakers, Parallel Battery, Diesel power generators) Yes Redundant first Tier carriers Yes 1.2 Service Availability vFairs will take all appropriate measures in terms of redundancy, monitoring and platform management so as to guarantee the following service availability outside of planned maintenance windows as described in this document: Service Availability* 0:00-0:00(GMT), Monday to Friday 99.95 % 0:00-0:00(GMT), 7 days a week 99% *As measured over a contract subscription period and does not include scheduled maintenance time. The Service is deemed unavailable when access to the login page is not possible from all public networks and confirmed by vFairs technical staff. 2. Data Privacy vFairs will constantly ensure the use of the latest state-of-the-art technology and procedures at its disposal to guarantee the security of the data hosted. 2.1 Security Infrastructure The following section provides details of current security infrastructure at vFairs’s hosting facilities which includes: • Intrusion detection services • Security monitoring • Security enforcement • Back up services • Restricted Physical Access • Restricted Network Access • Secured Data Access Infrastructure • Load balanced firewalls • Redundant HTTP Load Balancers • Isolated public/private LANs • Content Delivery network. • Standby Database/Application 2.2 SECURITY MONITORING DESCRIPTION Firewall Real-time detection with IDS Identifies threats from unauthorized users, back-door attackers and hackers Data collected through firewalls, detection sensors and VPN devices instantly terminate any unauthorized sessions. No Emails relaying No long-timeout URL System logs System logs on web services up to one week old. Continuous error log parsing for immediate issue resolution. System 24/7 monitoring Firewall Services LAN Traffic Load Balancer Services Site Availability Services Security enforcement description User Login User Session Establishment Use of 40, 56 or 1024 bits certificates (Optional) Use of Authorized Trusted Mode Connection Gateway Session Timeout for Inactive Users 2.3 System Back Up Backup Data Complete Customer data Document Attachments (If applicable) User Profiles (If applicable) System Logs Search Agents Backup Execution Backups are performed in a hot backup mode (i.e. no interruption of Service), on a daily basis. The degradation of performances related to the backup process is negligible. Backups are incremental. Restoration is provided in case of a major damage on the production platform. Backup Tapes Retention Duration All backups are run on a daily basis, including weekends. vFairs also performs a full backup of the system on a weekly basis. 2.4 Recovery on Major Failures vFairs will ensure that all the main components of the platform are redundant with active fail over capacity. In the event of a major failure, the following recovery time are applied: Severity Work begins within Resolution Time Critical Within 30 Minutes 3 hours Major Within 1 Hour 8 hours Minor As per priority of the client As per mutually agreed release schedule 2.5 Exceptions in maintenance policy on Application In the event of a major technical issue or breakdown by the provider of 3rd party software or services being used in the production platform of a given release, vFairs has the right not to provide fixes on “Critical” severity incident, provided another release that includes the fix can be made available to the customer. 2.6 Maintenance Patches Maintenance patches provide bug fixes, performance and SLA improvement through patches. Additional features and change requests might also be added, based on market needs. Such features and change requests do not impact the current configuration of the customer, nor require additional training. Release notes that describe the new features and changes requests, as well as bugs being fixed are communicated to the system administrator after the patch is deployed. 2.7 Patch Category There are 2 categories of patches: Normal patches include fixes on critical/major/minor severity bugs, as well as a combination of change requests and small features. These maintenance patches are deployed weekly during the maintenance window. Emergency patches include fixes on issues that are qualified as urgent by vFairs, or related to high-severity bugs, security threats, performance, or availability. Emergency patches are deployed as required. 2.8 Release Process Maintenance patches are deployed as required for all customers of a given release. Deployment occurs preferably in low system traffic time. The deployment is most of the time automatic. All existing setup and data will be kept as it. No user or administrator intervention. This does not require any manual intervention of customer administrator. 3. Data Ownership and Access 3.1 Data Ownership All user data generated by the customer pursuant to the provision of services in the contract shall be owned exclusively by the customer. 3.2 Data Retention User data will be held only as long as is necessary to implement, administer and manage the customer’s use of the vFairs platform. Once the contract between the two companies expires, all user and reporting data will be deleted from vFairs servers and backups. The customer can also submit a written request to delete this data at any time. Once the data is deleted, vFairs can provide an official data destruction certificate upon request. 3.3 Data Access The customer will always have full access to user and reporting data. Access for vFairs team members will be granted as needed on the principle of least privilege. 4. Customer Support 4.1 Support Description Customer Support Services are delivered in English or languages may be available, based on the language skills of the support team. Incidents may be reported to the vFairs Support Center using several possible methods like, email, Phone, Internet form. 4.2 Support Infrastructure The support is multi-tier and offered through a dedicated Project Manager, live chat support on event live days, and backend support through a team of developers and designers. In addition, we also provide 24×7 chat support to assist with event backend configurations. vFairs Customer Support Center operates on email-based trouble ticketing where all support tickets are logged and dispatched. All reported incidents are classified for the severity with 3 levels of incidents severity (minor, major, critical) triggering different internal resolution procedures and escalation routes. vFairs support organization will come back to the customer within an agreed time frame, based on the severity of the Incident. This contact will indicate the ticket #, the severity of the incident, as well as the expected time frame for providing a temporary fix/workaround, as well as a permanent resolution to the incident. There is an automatic notification of “high” severity incidents to vFairs Customer Administrator, System Administrator. 4.3 Phone Hours vFairs offers several Hot-line availability options: Standard Support Phone/Email Days Monday-Friday Time 9:00 –18:00 (GMT +4) 24 x 7 Support Email/Chat Days Monday-Sunday Time 0:00-0:00 (GMT +4) 5. Incident Resolution 5.1 Service Incident A Service Incident is defined as a malfunction of the vFairs BCCS which can be reproduced and whose root cause is found in the hosting service solution such as: the hosting service internal network, hosting service hardware or hosting service software components. 5.2 Incident Notification The vFairs System Administrator is responsible for notifying all identified users/customers via vFairs Incident Status Page (https://status.vfairs.com/) of all incidents including Planned Downtime, as well as any Unplanned Interruptions to system availability as they occur. All users/customers are responsible for checking and subscribing to the vFairs Incident Status Page for downtime and system status notifications. 5.3 Problem Severity Classification Severity Description Critical A Service Incident is classified as high if the service is not available (refer to service availability) Major A problem is classified as major if a key feature or service is unavailable vFairs technical staff has the right to demote or promote the severity of any incident based on the nature of that incident. 5.4 Incident Resolution Follow Up Each incident resolution is communicated to the user who reported it as well as the Customer Administrator. 6. Operating Procedures 6.1 Deployment of new services The following section details the terms under which vFairs will open Maintenance Windows to deploy patches, releases and platform upgrades. Normal patch release Deployment window 2 hours Deployment schedule Usually on weekends Interruption of service Usually none Maximum interruption of service 2 hours Upfront Notice Period Usually 2 days Emergency patch release Deployment window 2 hours Deployment schedule As required Interruption of service Usually none Maximum interruption of service 8 hours Upfront Notice Period As required Feature releases Deployment window 8 to 48 hours Deployment schedule Weekends Interruption of service Usually Yes Maximum interruption of service 24 hours Upfront Notice Period Usually 5 days Platform Upgrades Deployment window 8 to 48 hours Deployment schedule Weekends – Maximum twice a year Interruption of service Yes Maximum interruption of service 36 hours Upfront Notice Period Usually 2 weeks For all service interventions, planned downtime within the maintenance window is excluded from the overall Uptime calculation.