1. Preamble
The following describes all components of the CoreMedia Experience Platform, consisting of the CoreMedia Content Cloud and / or the CoreMedia Engagement Platform.
The concrete scope of use of the CoreMedia Experience Platform software acquired by the Subscriber is set out in the Order Form, which is hereby referred to.
2. CoreMedia Content Cloud
2.1. CONTEXT
This chapter of this Service Description provides information on cloud services for CoreMedia Content Cloud - Service provided by CoreMedia pursuant to the Agreement between CoreMedia and the Subscriber.
2.2. ONBOARDING
2.2.1. Introduction
The CoreMedia onboarding team will initiate the onboarding following the signature of the Agreement.
Onboarding will start with a kick-off session to identify:
• Scope
• Subscriber’s key stakeholders of the project phase
After the kick-off, the CoreMedia onboarding team will provide an onboarding plan detailing the tasks and prerequisites.
2.2.2. Scope
Onboarding includes the following services:
- Project management: The CoreMedia onboarding team will coordinate activities with the CoreMedia Content Cloud - Service technical team.
- Setup of environments: All environments defined in the Agreement will be provisioned, set up and configured.
- Professional Services, such as training, implementation, and / or expert consultation services will be provided if stated in the relevant Order Form.
2.2.3. Documentation
The CoreMedia onboarding team will provide the following documentation as part of the onboarding:
- Onboarding plan - Covered topics include:
  o Tasks
  o Prerequisites
  o Team roles and responsibilities
- System overview:
  o System URLs
  o Configured 3rd party systems
2.3. CORE PRODUCT
The CoreMedia Content Cloud - Service includes the use of the Product Software and may include any Add On as described in the Master Service Agreement, taking into account the operational model set out and defined in this Exhibit 2. The Master Service Agreement describes the general scope of functions of the Product Software and the Add Ons. The concrete scope, capabilities, and Usage Limits of the Product Software and any Add On within the CoreMedia Content Cloud - Services rendered to the Subscriber are set out in the Order Form.
The Subscriber agrees that orders in an Order Form do not depend on future functionality if not stated explicitly in the Order Form.
The following is the list of components of CoreMedia Content Cloud – Service available to the Subscriber as part of the Product Software:
- CoreMedia Content Management Server
- CoreMedia Master Live Server
- CoreMedia Replication Live Server
- CoreMedia Workflow Server
- CoreMedia Studio
- CoreMedia Content Application Engine
- CoreMedia Content as a Service
- CoreMedia Search Engine
- CoreMedia Asset Management
The following optional Add-Ons may be used with CoreMedia Content Cloud – Service if ordered in the Order Form:
- CoreMedia Commerce Hub
- CoreMedia Marketing Automation Hub
- CoreMedia Content Hub
- CoreMedia Experience Feedback Hub
- CoreMedia Connector for HCL Commerce
- CoreMedia Connector for SAP Commerce Cloud
- CoreMedia Connector for Salesforce Commerce Cloud B2C
- CoreMedia Connector for commercetools
- CoreMedia Connector for Salesforce Marketing Cloud
- Personalization Hub
- CoreMedia Campaigns
- CoreMedia EventHub
CoreMedia Content Cloud - Service is available for the latest versions of the Product Software and Add-Ons at the time of the signature of this Agreement.
2.4. COREMEDIA CONTENT CLOUD – SERVICE INFRASTRUCTURE
2.4.1. Environments
A CoreMedia Content Cloud - Service Instance comprises at least one Production Environment and one Development Sandbox. The Production Environment is designed to run mission-critical loads, whereas a Development Sandbox has limited processing capacity, is not subject to backup/restore procedures, and does not offer high availability in either the management or the delivery tier.
Additional Pre-Production Environments are provided if ordered in the relevant Order Form. Those environments are designed to resemble the Production Environment in terms of configuration, network topology and general architecture, and therefore are suitable for penetration, connectivity, or security testing by the Subscriber. Such environments are, however, not subject to backup/restore procedures. Content snapshots can be transferred between Production and Pre-Production Environments and Development Sandboxes upon Subscriber request via the support team.
Additional Development Sandboxes can also be subscribed at additional fees.
All environments (Production Environment, Pre-Production Environment, or Development Sandbox) are equivalent in terms of supported functionality of the underlying Services. The capabilities are described in the current version of the Product Specification (Exhibit 1). Reference is made to the Master Service Agreement.
2.4.2. Data Centers
CoreMedia deploys CoreMedia Content Cloud - Service to data centers operated by public cloud vendors (such as Amazon Web Services). These data centers are operated in alignment with the Tier III+ guidelines (as per the Uptime Institute classification).
Upon subscription, the Subscriber has to choose a Geographic Region that the CoreMedia Content Cloud - Service will be deployed to. Information on the regions that CoreMedia supports will be provided upon the Subscriber’s request.
2.4.3. Backup & Restore
The CoreMedia service stores:
- all user-managed non-binary content and content workflow state in a relational database
- user-managed binary content (e.g., images, videos etc.) either in a relational database or in cloud storage
- some collaborative content metadata in a NoSQL database
- the indexes for website search and editorial search on block storage devices, equivalent to physical “disk” storage
- application logs in a dedicated log storage service
The backup and restore policies and procedures for this data are described in the subsequent sections.
2.4.3.1. Scope of Backups
In general, unless otherwise agreed, only data from the Production Environment is subject to backup.
Backups are done for all stored data as defined above.
2.4.3.2. Backup Retention
Backups of relational databases, NoSQL databases, block storage, and cloud storage are maintained for at least 1 day by default in a healthy environment. In the case of system failures, longer retention periods are activated automatically to ensure safe restoration once the environment becomes healthy again.
Standard retention periods of up to 15 days can be set up at the request of the Subscriber, and at extra cost.
2.4.3.3. Backup Frequency
The following backup frequencies apply for the respective storage types:
- Relational databases: Hourly incremental snapshots, one full backup every 24 hours
- NoSQL databases: Full snapshots every six hours
- Block storage devices: Daily snapshot every 24 hours
- Cloud storage: Continuously as new data arrives
2.4.3.4. Restore Time Objective (RTO) and Restore Point Objective (RPO)
Restore can take up to one business day (RTO). Restore point objective (RPO) for user-managed content is one hour.
2.4.4. Storage
By default, virtual machines (virtual environments) used to host the components of the Product Software, as previously listed, are provisioned with at least 20 GB of total disk space to be used for code deployments and configuration. Depending on the system architecture defined during the onboarding, several components might share a virtual machine, and this provisioned space. More provisioned block storage space is available at Subscriber request, and at extra cost.
The total technical storage limit per Subscriber for all relational database instances combined is 100 TB per Geographic Region.
There is no technical limit on the total size of binary assets stored in one cloud storage instance, however, a single asset’s size may not exceed 2 GB.
Aside from the technical limitations, Usage Limits for storage depend on the Usage Limits stated in the relevant Order Form.
All the Subscriber Content (text, binary assets, technical content like settings, templates managed in the main repository), metadata stored alongside the content, and the search index generated from this content, count towards Usage Limits for storage. Subscriber Content will be duplicated to allow for resilient delivery and storage. The number of copies is dependent on the number of Pre-Production and Production Environments, and on the number of Delivery Units ordered. Duplicated content also counts towards the storage allowance.
When exceeding the respective Usage Limits for storage, the Service will continue to work normally, provided that the technical limits described above are not violated. However, additional charges will apply, according to the price list.
2.4.5. Access
Access to CoreMedia Content Cloud - Service is facilitated via secure HTTPS connections.
For Development Sandboxes, access is provided by an SSH tunneling solution. To facilitate such access, public keys must be made available. One SSH key provides access to all Development Sandboxes.
On provisioning of an account, a secure, token-based access link is generated and sent to the Subscriber's specified Designated Contacts (either via e-Mail or via another channel, as per agreement between the Subscriber and CoreMedia). The attached root account can invite more backend users via the self-service functionality in CoreMedia cloud manager and assign pre-defined roles for access to CoreMedia Content Cloud - Service's various subservices.
These invited users will be sent an auto-generated, one-time, token-based access link either via e-Mail or SMS/Text message. Users are required to change their password on first login to the cloud manager, the web interface/dashboard for the Subscribers to CoreMedia Content Cloud - Service.
Developers can create an API key based on their password and use the key for programmatic access to the CoreMedia Content Cloud - Service APIs.
2.4.6. Connectivity
2.4.6.1. Internet
A CoreMedia Content Cloud - Service Instance is connected to the internet via the public cloud provider’s global internet backbone.
2.4.6.2. Connection from the Subscriber’s data center to CoreMedia Content Cloud – Service
For eCommerce integration scenarios, the CoreMedia Content Cloud - Service Instance must be able to communicate with the Subscriber’s eCommerce system. This might require any combination of the following measures that the Subscriber must implement in their data center:
- Setup of DNS entries
- Allow inbound connections from the CoreMedia Content Cloud - Service Instance to the Subscriber’s eCommerce system on several ports
- Allow outbound connections from the Subscriber’s data center and office network to the CoreMedia Content Cloud - Service instance
- Setup and operation of reverse proxy servers (e.g., Apache HTTP Server), or technically equivalent servers
- Modification of the Subscriber’s Load Balancer configurations
The Subscriber’s exact requirements vary depending on the Subscriber’s infrastructure and security policies and are to be jointly agreed upon during the onboarding process.
2.4.7. Support for Custom Domains
To support delivery of content by CoreMedia Content Cloud - Service Instances on behalf of the Subscriber under a domain (DNS zone) controlled by the Subscriber, the Subscriber might have to adjust the following:
- Setup of DNS entries.
- Setup of web redirects when delivery of content from the Subscriber’s apex domain (root domain) is required. This restriction is imposed by internet DNS specifications.
Subscribers must also make their SSL/TLS certificates available to CoreMedia. Self-service certificate upload is provided in the Cloud Manager. The requirements for these certificates are described in detail in the CoreMedia Content Cloud - Service Documentation, also available via the cloud manager.
2.4.8. De-commissioning
CoreMedia will sanitize all Subscriber-managed content and backups, within 1 business day after the effective date of contract termination.
2.5. SUPPORT SERVICES
For Product Software, any Add Ons and Cloud Tools of the CoreMedia Content Cloud – Service, Support Services are rendered as set out in Exhibit 3.
As part of Support Services but not subject to Response Times or Service Levels, CoreMedia provides monitoring services as stated below in section “Monitoring and Response”. Within this monitoring service CoreMedia continuously monitors the Services. Monitoring services are rendered to facilitate CoreMedia’s operation of the CoreMedia Content Cloud – Services, to detect and address threats to the functionality, security, integrity, and availability of the CoreMedia Content Cloud – Services as well as any content, data, or applications in the CoreMedia Content Cloud – Services and to detect and address illegal acts or violations.
CoreMedia does not monitor, and does not address issues with, non-CoreMedia software provided by the Subscriber or any of the Subscriber’s Users that is stored in, or run on or through, the PaaS.
Information collected by CoreMedia’s monitoring tools (excluding the Subscriber Content) may also be used to assist in managing CoreMedia’s software and service portfolio, to help CoreMedia address deficiencies in its software and service offerings, and for license management purposes.
As part of Support Services but also not subject to Response Times or Service Levels, CoreMedia provides deployment services for adequate operations of the PaaS if manual intervention from CoreMedia is needed, and no equivalent subscriber self-service functionality exists in the context of the PaaS. Deployment services are provided upon request of the Subscriber. Reference is made to section “Deployment Services”.
2.5.1. Request Management
Requests can be reported by the Subscriber through phone, email or web interface.
To manage Requests, the CoreMedia support team will use a Trouble Ticketing System (“TTS”), which supports all activities concerning request management and problem management processes (“Request Management”). It is also used as a repository for information regarding all Incidents and problems of the Services delivered by the CoreMedia support team.
The Request Management model adopted by CoreMedia is based on ITIL V3.
2.5.2. Database Services
CoreMedia Content Cloud - Service Instances use managed database services for data stored in relational and NoSQL databases. CoreMedia proactively monitors the health of these Instances (CPU, memory, and disk usage).
Backup / restore procedures on databases need to be authorized, in writing, by the Subscriber before they can be performed.
2.5.3. Network Services
CoreMedia uses monitoring software for key network usage metrics. Total bandwidth usage is reported to the Subscriber monthly.
Network services also include secure configuration of firewalls to prevent unauthorized access to CoreMedia Content Cloud - Service Instances.
2.5.4. Scaling
CoreMedia Content Cloud - Service’s content delivery automatically scales based on dynamic load, but never beyond the capacity limits ordered by the Subscriber. For planned spikes in dynamic load, the Subscriber may order “Burstable” Delivery Units that will add capacity for the arranged times.
2.5.5. Content Delivery Network
CoreMedia Content Cloud – Service utilizes a Content Delivery Network (CDN) for content delivery in production. Content in cache can be delivered independently of the dynamic delivery capacity provided via Delivery Units.
2.6. MONITORING AND RESPONSE
2.6.1. Monitoring
The CoreMedia support team monitors Product Software, any Add Ons and Cloud Tools of the CoreMedia Content Cloud – Service 24/7 and reacts to the alerts triggered by the various system checks.
2.6.1.1. Basic Monitoring
The CoreMedia monitoring checks the availability of all hosts and ports, and the status of the system infrastructure (CPU, memory, disk, network).
2.6.1.2. Advanced Monitoring
For Pre-Production and Production environments, CoreMedia monitors all Services provided.
CoreMedia monitoring includes host and service availability checks, system component status and specific application health checks for the services listed above.
CoreMedia also monitors Subscriber defined data points and health checks implemented by the Subscriber, provided that:
- Information on application-specific behavior, custom health checks, or custom data points have been made available by the Subscriber to CoreMedia prior to transitioning to production.
- These customizations have been approved by CoreMedia.
2.6.2. Tools
Additional tools are available to help provide deeper error tracing and troubleshooting and detailed insight into system usage.
2.6.2.1. Performance/Monitoring Dashboards
CoreMedia provides role-based access to performance dashboards with detailed information about
- CPU,
- memory,
- disk,
- network,
- and other various metrics.
2.6.2.2. Log Aggregation
CoreMedia provides access to a log aggregation tool to help Subscribers review logs and correlate events across the landscape, including application logs and related infrastructure logs.
2.6.3. Reports
A Subscriber report is generated monthly to provide the Subscriber with data which measures the Subscriber's website performance for the previous month. This includes the following:
2.6.3.1. Website Availability and Dynamic Load
The uptime percentage and dynamic load (average / max) for the content delivery.
2.6.3.2. Infrastructure Incidents
Detailed reports on Incidents concerning Subscriber related infrastructure.
2.6.3.3. Traffic and Storage
Traffic (CDN) bandwidth and Storage used on a monthly basis.
2.7. DEPLOYMENT SERVICES
2.7.1. Definition
As part of Support Services of the CoreMedia Content Cloud – Service CoreMedia provides deployment services to one or more Production Environments of the provided infrastructure (“Deployment Services”).
The CoreMedia Content Cloud - Service includes the following Deployment Services:
2.7.1.1. Development Sandboxes
CoreMedia performs an initial deployment of the current product version detailed in the Agreement.
After the initial deployment, the Subscriber can perform deployments through the respective self-service offered in the Development Sandboxes and/or cloud manager and is responsible for performing such deployments.
2.7.1.2. Pre-Production Environments
Deployments to Pre-Production Environments can be performed through the respective self-service offered in the cloud manager.
2.7.1.3. Production Environment
CoreMedia performs all deployments to the Production Environment.
Prior to a deployment to the Production Environment the application must pass quality gates that include:
- Automated tests that are part of the deployment services
- Tests performed by the Subscriber in the staging environment including at least:
  o Functional tests
  o Performance tests
- Subscriber sign-off of the application in a Pre-Production Environment. The Subscriber must confirm that the application was tested and is correct with regard to functional and non-functional requirements.
Up to 2 deployments per month are included in the service.
2.7.2. Infrastructure
2.7.2.1. Source Code Management
The Subscriber is responsible for source code management and provides read access to the source code repository to CoreMedia. The supported source management software is Git.
2.7.2.2. Development Infrastructure
CoreMedia provides development infrastructure for:
- Building of deployment packages for deployment to the environments
- Performing automated tests
- Deployment of packages to the Development Sandboxes
2.7.3. Service Requests
Handling service requests imposed by the Subscriber, and exceeding standard volumes provided with the Service, may be charged for as “Ops-Points”, according to the current price list. The following standard service requests will be charged at the following number of Ops-Points:
1 Self-service interface available
2.7.4. Limitations
Not all configurations and customizations that are technically feasible with the CoreMedia platform can be used with CoreMedia Content Cloud - Service.
2.7.5. Process Definitions
2.7.5.1. Deployment To CoreMedia Content Cloud - Service environments
Deployment services to Production Environment are performed by CoreMedia. All deployments are performed during Business Hours (“Deployment Windows”). Staging environments might be unavailable during deployment windows. In Production Environment, backend processes and editorial work may be interrupted. CoreMedia will apply reasonable effort to avoid delivery component downtimes, but temporary performance degradations might occur during deployment.
- Subscriber requests a deployment with Deployment Window and additional deployment instructions.
- Subscriber provides a pointer to the location where the custom application code is hosted and available for CoreMedia (for example, by means of a signed Git tag or similar) for software release and confirms software fulfills requirements for the environment.
- CoreMedia evaluates requests and confirms request or requests changes from the Subscriber.
- Within Deployment Window, CoreMedia performs deployment.
- CoreMedia notifies the Subscriber on completed deployment.
2.7.5.2. CoreMedia Platform Version Upgrades
CoreMedia provides to the Subscriber a workspace as source code that can be configured and customized to the Subscriber needs, as well as secure access to binary software artifacts as required. The Subscriber manages the source code for its configured and customized workspace in its own source code management system. When CoreMedia releases a new Product Software version, it makes a new version of the workspace available to its Subscribers. Code-level dependencies on versioned platform artifacts are included in the workspace releases.
The Subscriber is responsible for upgrading their configured and customized workspace to the new release. The custom applications resulting from building the upgraded workspace can then be deployed to the provided environments.
2.8. MAINTENANCE SERVICES
For Product Software and Add Ons of the CoreMedia Content Cloud – Service, CoreMedia provides Maintenance Services as set out in the Master Service Agreement, in section Product Maintenance. Maintenance services make available versioned upgrades. The Subscriber may choose the versioned upgrades to be utilized as outlined in section “CoreMedia Platform Version Upgrades”.
CoreMedia may also perform regular scheduled infrastructure maintenance activities to ensure functionality of the Cloud Tools, to reflect changes in technology, industry practices and secure operations (the “Infrastructure Maintenance”).
Whenever CoreMedia expects required Infrastructure Maintenance activity, CoreMedia will use reasonable efforts to provide advance notice to the Subscriber. CoreMedia Content Cloud – Service downtimes occurring due to such scheduled Infrastructure Maintenance shall not be deemed to be a Service Downtime as set out in Exhibit 3, Service Level.
The maintenance activities are scheduled to be done during Business Hours (according to Hamburg Time). The regular maintenance window is approximately an hour. This is a downtime for the editorial backend only, the data delivery continues.
2.8.1. Impacting Maintenance
Whenever service impact is expected during any maintenance activity scheduled by CoreMedia, CoreMedia will use commercially reasonable efforts to provide at least 3 business days’ notice to the Subscriber.
2.8.2. Emergency Maintenance
In the event of a critical security patch which endangers CoreMedia Content Cloud’s service delivery, CoreMedia reserves the right to execute the patch work, informing the Subscriber at least 48 hours before the necessary downtime. This downtime is not counted towards the system availability as per the Service Level Objectives for CoreMedia Content Cloud - Service.
2.9. SECURITY
2.9.1. Access to CoreMedia Content Cloud - Service Instances
Only permanent and specially trained members of the CoreMedia Content Cloud - Services operations team and CoreMedia support are given access to a Subscriber’s cloud resources (virtual machines, load balancers, networking and CDN configuration, etc.). Access to the environments is always secured by Two-Factor-Authentication.
2.9.2. Network Infrastructure Security
Network-related security measures include network firewalls and a Web application firewall to detect and mitigate DDoS attacks.
In general, network components are configured prohibitively, meaning that only those network routes and ports are configured that are required for the components to communicate properly, and that correct function of the service is ensured.
Each environment is deployed into separate virtual private clouds to ensure isolation of the components of the CoreMedia Content Cloud – Service. The components may rely on Shared Services outside the virtual private clouds. Data transfer to these services is secured by transport encryption methods and authentication. If required, secure peering is used to facilitate communications between virtual private cloud instances.
CoreMedia employs industry best practices to mitigate typical attack scenarios, which includes:
- Cross-site scripting attacks
- Distributed Denial-of-Service attacks (DDoS)
- Volumetric Attacks
- SQL injection
Default rules are in place in the application firewalls to mitigate those attacks. At the request of the Subscriber, additional specific rules (for example, URL pattern matching, IP-range or geo-based constraints, size constraints) can be put in place.
2.9.3. Application Security
CoreMedia employs industry best practices to detect typical vulnerabilities in both core and Subscriber-supplied code, which includes automated static code analysis and regular scans for dependencies on third-party software with known vulnerabilities as per the common vulnerabilities and exposures (“CVE”) database.
In the case of detected vulnerabilities, CoreMedia will inform the Subscriber and jointly decide on mitigation strategies.
2.9.4. Penetration Testing
Internet-facing systems of the CoreMedia Content Cloud - Service are subject to penetration testing. A third party performs these penetration tests regularly on a CoreMedia Content Cloud - Service reference environment.
Subscribers may perform their own penetration tests or vulnerability assessments, provided that they inform CoreMedia, via a ticket or in writing, no less than 10 business days before scheduled start of the test procedures.
2.10. Roles and Responsibilities
The following roles and responsibilities shall apply for the CoreMedia Content Cloud - Services provided by CoreMedia to the Subscriber. Only Services where CoreMedia is marked with “R” (for responsible) are part of CoreMedia’s Content Cloud Services obligations to the Subscriber. All other responsibilities are the Subscriber’s obligation.
- R – Responsible
- A – Accountable
- C – Consulted
- I – Informed
3. CoreMedia Engagement Cloud
3.1. CONTEXT
This chapter of this Service Description provides information on cloud services for CoreMedia Engagement Cloud provided by CoreMedia pursuant to the Agreement between CoreMedia and the Subscriber.
3.2. ONBOARDING
3.2.1. Introduction
The onboarding is the initial stage of the project. It starts with an introductory meeting to share the vision and expectations. After the goals for the contracted period are defined, an activation plan will be created, with a series of proposed actions to be implemented.
The onboarding team will initiate the onboarding following the signature of the Agreement.
Onboarding will start with a kick-off session to discuss Subscriber’s challenges and to define the goals to be achieved during the contracted period. The Subscriber will get to know the team and the assigned account manager for the project. In this meeting, it is also important for the Subscriber to share how the company is structured and who will take part in the project.
3.2.2. Activation Plan
Based on the information obtained in the activation meeting, CoreMedia may create an activation plan. This document explains the strategy with the proposal of a series of initiatives to address the defined goals, each with their own KPIs and targets.
3.2.3. Onboarding Handover
The final part of the onboarding is the preparation and transition for production. Our teams will set up the account, and when ready, the Account Manager will send the onboarding guide, a document providing user access to our platform and implementation instructions. During this phase, the Account Manager will also schedule the first training sessions with the Subscriber.
3.2.4. Scope
Onboarding can include (a subset of) the following:
• Set goals and initiatives
• Start service integration
• Get familiar with the platform
• Activate touchpoints
• Optimize campaigns
• Launch new features
• Apply A/B tests
• Analyze campaign conversion rates
• Evaluate achievements
• Work on long term actions
3.3. COREMEDIA ENGAGEMENT CLOUD INFRASTRUCTURE
3.3.1. Data Centers
The CoreMedia Engagement Cloud platform is deployed in 2 data centers managed by third-party vendors using an IaaS (Infrastructure as a Service) setup. There are also some services which are deployed into data centers from public cloud vendors (such as Amazon Web Services or Google Cloud Platform). These data centers are operated in alignment with the Tier III+ guidelines (as per the Uptime Institute classification) and all vendors are ISO-27001 certified.
The CoreMedia Engagement Cloud runs 3 production zones, and the Subscriber will be assigned to 1 of the production zones according to the geographic location and time zone of the Subscriber, in order to align with the maintenance time windows.
3.3.2. Data Backup and Restore
3.3.2.1. Backup Scope
The CoreMedia Engagement Cloud’s infrastructure is designed with active data replication in high-availability (HA) architecture to provide resilience and data availability in disaster recovery scenarios, reducing the dependency on backups. This robust system is engineered to provide maximum uptime and reliability, effectively handling most potential disruptions without significant impact.
When such a setup is not possible, or keeping multiple restore points of a dataset is required, filesystem and/or dataset backups are performed. Currently, the following systems are backed up:
• Relational databases.
• Subscriber files (public and private files, service configurations, etc.).
• Application logs (using external log collection system).
These backup processes are strategically organized by zones, encompassing both production services and CoreMedia’s designated service zones. This comprehensive approach ensures that all critical data within these areas are systematically backed up, maintaining the integrity and availability of CoreMedia’s essential services.
3.3.2.2. Data Retention
Backup retention policies are specific to each data storage system. As a rule, the following retention policies are applied:
- Relational databases – 5 daily backups, 4 weekly backups, 3 monthly backups.
- Subscriber files – 5 daily backups, 4 weekly backups, 3 monthly backups.
- Application logs – CoreMedia has different retention periods depending on the source of logs (service, application) that range from a minimum of 7 days to a maximum of 6 months.
Additionally, in the event of system failures (such as disaster recovery scenarios), longer retention periods are automatically activated to ensure safe restoration once the environment returns to a healthy state.
3.3.2.3. Backup Frequency
Backup frequency is configured as follows:
• Relational databases – daily snapshots.
• Subscriber files – daily snapshots.
• Application logs – continuously stored.
3.3.2.4. Restore Point Objective (“RPO”) and Restore Time Objective (“RTO”)
In a situation where data needs to be restored from backup, the Subscriber has an RPO of 24 hours and an RTO of up to 12 hours.
3.3.3. Monitoring
The CoreMedia Engagement Cloud monitors its systems 24/7 with a wide range of internal monitoring solutions and tools, taking a proactive approach and ensuring the swift identification and resolution of potential issues.
The CoreMedia Engagement Cloud’s monitoring can be separated into two levels:
- Basic: includes any hardware/virtual machine/application checks (such as availability, CPU usage, disk health, memory utilization and network performance), as well as external system checks, licenses and certificate expiration, etc.
- Advanced: Adds business intelligence key performance indicators (KPIs), often in a Subscriber specific configuration.
3.3.3.1. Monitoring Tools
The following tools are used internally by CoreMedia Operations team:
- Zabbix – Utilized for its robust monitoring capabilities, Zabbix helps in tracking various system metrics, alerting us to any irregularities in real time.
- Atlas – CoreMedia’s custom-developed monitoring tool, Atlas, is specifically designed to provide detailed monitoring of the services CoreMedia offers to the Subscribers. It plays a crucial role in ensuring the correct functioning of all services, allowing us to maintain high service quality and reliability. With Atlas, CoreMedia can closely observe and manage the nuances of CoreMedia’s service delivery, ensuring that CoreMedia meets the Subscribers' needs effectively.
- Grafana – A powerful tool for visualizing real-time data, Grafana aids in the analysis and interpretation of complex data sets, allowing for quick identification of trends and potential issues.
Additionally, CoreMedia provides a powerful data-exploration functionality where dashboards and reports can be built to extract and monitor important business KPIs that are relevant for each Subscriber business operation. Those dashboards can be accessed by the Subscriber to follow the performance of the operation.
3.3.4. Maintenance Services
The CoreMedia Engagement Cloud platform has been architected with high-availability in mind and most of the Maintenance Services, such as deployment of new releases, hot-fixes and patches, can be done without any disruption to the Service or downtime.
In the event a Service impact or downtime is expected for a Maintenance Service, CoreMedia has defined maintenance time windows depending on the Production Zone. These maintenance windows were chosen to coincide with the times when less traffic is expected and contact center operations are not active for the majority of the Subscribers:
• WE1 (Western Europe 1) and WE2 (Western Europe 2): 00h00-06h00 (WET)
• SA1 (South America 1): 00h00-06h00 (BRT)
In case of downtime during planned Maintenance Services occurring during the maintenance window, that downtime will not count towards the SLA for System Availability (%).
3.3.4.1. Impacting Maintenance
Whenever Service impact is expected during a planned maintenance activity scheduled by CoreMedia, CoreMedia will use commercially reasonable efforts to provide at least 3 business days' notice to the Subscriber.
3.3.4.2. Emerging Maintenance
In the event of a critical security patch which endangers the CoreMedia Engagement Cloud platform, CoreMedia will execute the patch work, informing the Subscriber at least 24 hours before the emergency maintenance is carried out.
3.3.5. Security
CoreMedia’s security protocols are rigorously enforced to safeguard data and systems, limiting access to resources only to authorized CoreMedia personnel.
Key security measures applied at CoreMedia:
• Restricted Access – In alignment with the least privilege principle, CoreMedia’s security protocols mandate that access to CoreMedia’s systems is strictly limited to CoreMedia team members and only to those team members who need to access the systems to perform maintenance activities. We adhere to a clear policy of granting only the essential level of access necessary for everyone's job responsibilities. This strategy effectively minimizes potential risks by ensuring that sensitive information and critical systems are safeguarded against unauthorized access.
• Data Center Access Control – CoreMedia’s data centers (“DCs”) have stringent access control measures in place, where entry and exit are closely monitored and regulated. Access is granted exclusively to employees who require direct interaction with the DCs as part of their job roles. Every access event is meticulously recorded, and the list of authorized personnel undergoes a rigorous annual review and update. This practice not only ensures that we maintain an up-to-date and precise record of individuals with physical access to CoreMedia’s critical infrastructure but also aligns with CoreMedia’s annual review and update process.
3.3.5.1. Network Infrastructure Security
CoreMedia’s network infrastructure leverages advanced security measures like VLAN and VPN for secure, segmented environments, reducing unauthorized access risks. A key component is CoreMedia’s SIEM system, providing real-time security alert analysis and aiding in the early detection of incidents. Additionally, access to CoreMedia’s services may be restricted to pre-approved IP addresses (upon Subscriber request), enhancing security. Collectively, these measures form a robust security framework, crucial in protecting CoreMedia’s digital assets and ensuring service integrity.
3.3.5.2. Application Security
Multiple vulnerability disclosure channels, including general purpose, operating system, cloud provider, specific software/libraries, etc., are actively monitored for applicable reports. Reports are assessed to determine their impact on CoreMedia’s systems and mitigations are deployed and validated with a time objective in accordance with their severity.
3.3.5.3. Penetration Testing
CoreMedia ensures the security and resilience of CoreMedia’s internet-facing systems through regular penetration testing. These tests are conducted by a specialized certified third-party organization in a CoreMedia reference environment. This process involves a rigorous assessment where testers simulate cyberattacks to identify vulnerabilities in CoreMedia’s systems. By doing so, CoreMedia can proactively discover and address potential security weaknesses, thereby strengthening CoreMedia’s defenses against real-world cyber threats.
3.3.6. Request Management
Requests can be reported by the Subscriber through phone, email or web interface. To manage Requests, the CoreMedia support team will use a Trouble Ticketing System (“TTS”), which supports all activities concerning Request management and problem management processes (“Request Management”).
Annex 1 – The CoreMedia Content Cloud - Service
The CoreMedia Content Cloud – Service is a Platform as a Service (“PaaS”) and is depicted in the diagram below.
Annex 2 – Acceptable Use Policy
Subscriber agrees not to, and not to allow third parties to, use the Services:
- to violate, or encourage the violation of, the legal rights of others (for example, this may include allowing Subscriber’s Users and End Users to infringe or misappropriate the intellectual property rights of others in violation of the Digital Millennium Copyright Act);
- to engage in, promote or encourage illegal activity;
- for any unlawful, invasive, infringing, defamatory or fraudulent purpose (for example, this may include phishing, creating a pyramid scheme or mirroring a website);
- to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature;
- to interfere with the use of the Services, or the equipment used to provide the Services, by customers, authorized resellers, or other authorized users;
- to disable, interfere with or circumvent any aspect of the Services;
- to generate, distribute, publish or facilitate unsolicited mass email, promotions, advertising or other solicitations (“spam”).