1. CONTEXT
This Service Description provides information on cloud services for CoreMedia Content Cloud - Service provided by CoreMedia pursuant to the Agreement between CoreMedia and the Subscriber.
2. ONBOARDING
2.1. Introduction
The CoreMedia onboarding team will initiate the onboarding following the signature of the Agreement.
Onboarding will start with a kick-off session to identify:
· Scope
· Subscriber's key stakeholders of the project phase
After the kick-off, the CoreMedia onboarding team will provide an onboarding plan detailing the tasks and prerequisites.
2.2. Scope
Onboarding includes the following services:
· Project management: The CoreMedia onboarding team will coordinate activities with the CoreMedia Content Cloud - Service technical team.
· Setup of environments: All environments defined in the Agreement will be provisioned, set up and configured.
Professional Services, such as training, implementation, and/or expert consultation services, will be provided if stated in the relevant Order Form.
2.3. Documentation
The CoreMedia onboarding team will provide the following documentation as part of the onboarding:
· Onboarding plan - Covered topics include:
  · Tasks
  · Prerequisites
  · Team roles and responsibilities
· System overview:
  · System URLs
  · Configured 3rd party systems
3. CORE PRODUCT
The CoreMedia Content Cloud - Service includes the use of the Product Software and may include any Add On as described in the Master Service Agreement, taking into account the operational model set out and defined in this Exhibit 2. The Master Service Agreement describes the general scope of functions of the Product Software and the Add Ons. The concrete scope, capabilities, and Usage Limits of the Product Software and any Add On within the CoreMedia Content Cloud - Services rendered to the Subscriber are set out in the Order Form.
The Subscriber agrees that orders in an Order Form do not depend on future functionality if not stated explicitly in the Order Form.
The following is the list of components of CoreMedia Content Cloud – Service available to the Subscriber as part of the Product Software:
· CoreMedia Content Management Server
· CoreMedia Master Live Server
· CoreMedia Replication Live Server
· CoreMedia Workflow Server
· CoreMedia Studio
· CoreMedia Content Application Engine
· CoreMedia Content as a Service
· CoreMedia Search Engine
· CoreMedia Asset Management
The following optional Add-Ons may be used with CoreMedia Content Cloud – Service if ordered in the Order Form:
· CoreMedia Commerce Hub
· CoreMedia Marketing Automation Hub
· CoreMedia Content Hub
· CoreMedia Experience Feedback Hub
· CoreMedia Connector for HCL Commerce
· CoreMedia Connector for SAP Commerce Cloud
· CoreMedia Connector for Salesforce Commerce Cloud B2C
· CoreMedia Connector for commercetools
· CoreMedia Connector for Salesforce Marketing Cloud
· Personalization Hub
· CoreMedia Campaigns
· CoreMedia EventHub
CoreMedia Content Cloud - Service is available for the latest versions of the Product Software and Add-Ons at the time of the signature of this Agreement.
4. COREMEDIA CONTENT CLOUD – SERVICE INFRASTRUCTURE
4.1. Environments
A CoreMedia Content Cloud - Service Instance comprises at least one Production Environment and one Development Sandbox. The Production Environment is designed to run mission-critical loads, whereas a Development Sandbox has limited processing capacity, is not subject to backup/restore procedures, and does not offer high availability in either the management or the delivery tiers.
Additional Pre-Production Environments are provided if ordered in the relevant Order Form. Those environments are designed to resemble the Production Environment in terms of configuration, network topology and general architecture, and therefore are suitable for penetration, connectivity, or security testing by the Subscriber. Such environments are, however, not subject to backup/restore procedures. Content snapshots can be transferred between Production and Pre-Production Environments and Development Sandboxes upon Subscriber request via the support team.
Additional Development Sandboxes can also be subscribed at additional fees.
All environments (Production Environment, Pre-Production Environment, or Development Sandbox) are equivalent in terms of supported functionality of the underlying Services. The capabilities are described in the current version of the Product Specification (Exhibit 1). Reference is made to the Master Service Agreement.
4.2. Data Centers
CoreMedia deploys CoreMedia Content Cloud - Service to data centers operated by public cloud vendors (such as Amazon Web Services). These data centers are operated in alignment with the Tier III+ guidelines (as per the Uptime Institute classification).
Upon subscription, the Subscriber has to choose a Geographic Region that the CoreMedia Content Cloud - Service will be deployed to. Information on the regions that CoreMedia supports will be provided upon the Subscriber's request.
4.3. Backup & Restore
The CoreMedia service stores:
· all user-managed non-binary content and content workflow state in a relational database
· user-managed binary content (e.g., images, videos etc.) either in a relational database or in cloud storage
· some collaborative content metadata in a NoSQL database
· the indexes for website search and editorial search on block storage devices, equivalent to physical “disk” storage
· application logs in a dedicated log storage service
The backup and restore policies and procedures for this data are described in the subsequent sections.
4.3.1. Scope Of Backups
In general, unless otherwise agreed, only data from the Production Environment is subject to backup.
Backups are done for all stored data as defined above.
4.3.2. Backup Retention
Backups of relational databases, NoSQL databases, block storage, and cloud storage are maintained for at least 1 day by default in a healthy environment. In the case of system failures, longer retention periods are activated automatically to ensure safe restoration once the environment becomes healthy again.
Standard retention periods of up to 15 days can be set up at the request of the Subscriber, and at extra cost.
4.3.3. Backup Frequency
The following backup frequencies apply for the respective storage types:
· Relational databases: Hourly incremental snapshots, one full backup every 24 hours
· NoSQL databases: Full snapshots every six hours
· Block storage devices: Daily snapshot every 24 hours
· Cloud storage: Continuously as new data arrives
4.3.4. Restore Time Objective (RTO) and Restore Point Objective (RPO)
Restore can take up to one business day (RTO). Restore point objective (RPO) for user-managed content is one hour.
4.4. Storage
By default, virtual machines (virtual environments) used to host the components of the Product Software, as previously listed, are provisioned with at least 20 GB of total disk space to be used for code deployments and configuration. Depending on the system architecture defined during the onboarding, several components might share a virtual machine, and this provisioned space. More provisioned block storage space is available at Subscriber request, and at extra cost.
The total technical storage limit per Subscriber for all relational database instances combined is 100 TB per Geographic Region.
There is no technical limit on the total size of binary assets stored in one cloud storage instance; however, a single asset’s size may not exceed 2 GB.
Aside from the technical limitations, Usage Limits for storage depend on the Usage Limits stated in the relevant Order Form.
All the Subscriber Content (text, binary assets, technical content like settings, templates managed in the main repository), metadata stored alongside the content, and the search index generated from this content count towards Usage Limits for storage. Subscriber Content will be duplicated to allow for resilient delivery and storage. The number of copies is dependent on the number of Pre-Production and Production Environments, and on the number of Delivery Units ordered. Duplicated content also counts towards the storage allowance.
When exceeding the respective Usage Limits for storage, the Service will continue to work normally, provided that the technical limits described above are not violated. However, additional charges will apply, according to the price list.
4.5. Access
Access to CoreMedia Content Cloud - Service is facilitated via secure HTTPS connections.
For Development Sandboxes, access is provided by an SSH tunneling solution. To facilitate such access, ssh-rsa public keys must be made available. One SSH key provides access to all Development Sandboxes.
On provisioning of an account, a secure, token-based access link is generated and sent to the Subscriber's specified Designated Contacts (either via e-Mail or via another channel, as per agreement between the Subscriber and CoreMedia). The attached root account can invite more backend users via the self-service functionality in CoreMedia cloud manager and assign pre-defined roles for access to CoreMedia Content Cloud - Service's various subservices.
These invited users will be sent an auto-generated, one-time, token-based access link either via e-Mail or SMS/Text message. Users are required to change their password on first login to the cloud manager, the web interface/dashboard for the Subscribers to CoreMedia Content Cloud - Service.
Developers can create an API key based on their password and use the key for programmatic access to the CoreMedia Content Cloud - Service APIs.
4.6. Connectivity
4.6.1. Internet
A CoreMedia Content Cloud - Service Instance is connected to the internet via the public cloud provider’s global internet backbone.
4.6.2. Connection from the Subscriber’s data center to CoreMedia Content Cloud – Service
For eCommerce integration scenarios, the CoreMedia Content Cloud - Service Instance must be able to communicate with the Subscriber’s eCommerce system. This might require any combination of the following measures that the Subscriber must implement in their data center:
· Setup of DNS entries
· Allow inbound connections from the CoreMedia Content Cloud - Service Instance to the Subscriber’s eCommerce system on several ports
· Allow outbound connections from the Subscriber’s data center and office network to the CoreMedia Content Cloud - Service instance
· Setup and operation of reverse proxy servers (e.g., Apache HTTP Server), or technically equivalent servers
· Modification of the Subscriber’s Load Balancer configurations
The exact requirements for the Subscriber vary depending on the Subscriber’s infrastructure and security policies and are to be jointly agreed upon during the onboarding process.
4.7. Support for Custom Domains
To support delivery of content by CoreMedia Content Cloud - Service Instances on behalf of the Subscriber under a domain (DNS zone) controlled by the Subscriber, the Subscriber might have to adjust the following:
· Setup of DNS entries.
· Setup of web redirects when delivery of content from the Subscriber’s apex domain (root domain) is required. This restriction is imposed by internet DNS specifications.
Subscribers must also make their SSL/TLS certificates available to CoreMedia. Self-service certificate upload is provided in the Cloud Manager. The requirements for these certificates are described in detail in the CoreMedia Content Cloud - Service Documentation, also available via the cloud manager.
4.8. De-commissioning
CoreMedia will sanitize all Subscriber-managed content and backups, within 1 business day after the effective date of contract termination.
5. SUPPORT SERVICES
For Product Software, any Add Ons and Cloud Tools, Support Services are rendered as set out in Exhibit 3.
As part of Support Services, but not subject to Response Times or Service Levels, CoreMedia provides monitoring services as stated below in section “Monitoring and Response”. Within this monitoring service, CoreMedia continuously monitors the Services. Monitoring services are rendered to facilitate CoreMedia’s operation of the CoreMedia Content Cloud – Services, to detect and address threats to the functionality, security, integrity, and availability of the CoreMedia Content Cloud – Services as well as any content, data, or applications in the CoreMedia Content Cloud – Services, and to detect and address illegal acts or violations.
CoreMedia does not monitor, and does not address issues with, non-CoreMedia software provided by the Subscriber or any of the Subscriber's Users that is stored in, or run on or through, the PaaS.
Information collected by CoreMedia's monitoring tools (excluding the Subscriber Content) may also be used to assist in managing CoreMedia’s software and service portfolio, to help CoreMedia address deficiencies in its software and service offerings, and for license management purposes.
As part of Support Services but also not subject to Response Times or Service Levels, CoreMedia provides deployment services for adequate operations of the PaaS if manual intervention from CoreMedia is needed, and no equivalent subscriber self-service functionality exists in the context of the PaaS. Deployment services are provided upon request of the Subscriber. Reference is made to section “Deployment Services”.
5.1. Request Management
Requests can be reported by the Subscriber through phone, email or web interface.
To manage Requests, the CoreMedia support team will use a Trouble Ticketing System (“TTS”), which supports all activities concerning request management and problem management processes (“Request Management”). It is also used as a repository for information regarding all Incidents and problems of the Services delivered by the CoreMedia support team.
The Request Management model adopted by CoreMedia is based on ITIL V3.
5.2. Database Services
CoreMedia Content Cloud - Service Instances use managed database services for data stored in relational and NoSQL databases. CoreMedia proactively monitors the health of these Instances (CPU, memory, and disk usage).
Backup / restore procedures on databases need to be authorized, in writing, by the Subscriber before they can be performed.
5.3. Network Services
CoreMedia uses monitoring software for key network usage metrics. Total bandwidth usage is reported to the Subscriber monthly.
Network services also include secure configuration of firewalls to prevent unauthorized access to CoreMedia Content Cloud - Service Instances.
5.4. Scaling
CoreMedia Content Cloud - Service’s content delivery automatically scales based on dynamic load, but never beyond the capacity limits ordered by the Subscriber. For planned spikes in dynamic load, the Subscriber may order “Burstable” Delivery Units that will add capacity for the arranged times.
5.5. Content Delivery Network
CoreMedia Content Cloud – Service utilizes a Content Delivery Network (CDN) for content delivery in production. Content in cache can be delivered independently of the dynamic delivery capacity provided via Delivery Units.
6. MONITORING AND RESPONSE
6.1. Monitoring
The CoreMedia support team monitors Product Software, any Add Ons and Cloud Tools 24/7 and reacts to the alerts triggered by the various system checks.
6.1.1. Basic Monitoring
The CoreMedia monitoring checks the availability of all hosts and ports, and the status of the system infrastructure (CPU, memory, disk, network).
6.1.2. Advanced Monitoring
For Pre-Production and Production environments, CoreMedia monitors all Services provided.
CoreMedia monitoring includes host and service availability checks, system component status and specific application health checks for the services listed above.
CoreMedia also monitors Subscriber defined data points and health checks implemented by the Subscriber, provided that:
· Information on application-specific behavior, custom health checks, or custom data points has been made available by the Subscriber to CoreMedia prior to transitioning to production.
· These customizations have been approved by CoreMedia.
6.2. Tools
Additional tools are available to help provide deeper error tracing and troubleshooting and detailed insight into system usage.
6.2.1. Performance/Monitoring Dashboards
CoreMedia provides role-based access to performance dashboards with detailed information about
· CPU,
· memory,
· disk,
· network,
· and other various metrics.
6.2.2. Log Aggregation
CoreMedia provides access to a log aggregation tool to help Subscribers review logs and correlate events across the landscape, including application logs and related infrastructure logs.
6.3. Reports
A Subscriber report is generated monthly to provide the Subscriber with data which measures the Subscriber's website performance for the previous month. This includes the following:
6.3.1. Website Availability And Dynamic Load
The uptime percentage and dynamic load (average / max) for the content delivery.
6.3.2. Infrastructure Incidents
Detailed reports on Incidents concerning Subscriber related infrastructure.
6.3.3. Traffic And Storage
Traffic (CDN) bandwidth and Storage used on a monthly basis.
7. DEPLOYMENT SERVICES
7.1. Definition
As part of Support Services, CoreMedia provides deployment services to one or more Production Environments of the provided infrastructure (“Deployment Services”).
The CoreMedia Content Cloud - Service includes the following Deployment Services:
7.1.1. Development Sandboxes
CoreMedia performs an initial deployment of the current product version detailed in the Agreement.
After the initial deployment, the Subscriber can perform deployments through the respective self-service offered in the Development Sandboxes and/or cloud manager and is responsible for performing such deployments.
7.1.2. Pre-Production Environments
Deployments to Pre-Production Environments can be performed through the respective self-service offered in the cloud manager.
7.1.3. Production Environment
CoreMedia performs all deployments to the Production Environment.
Prior to a deployment to the Production Environment the application must pass quality gates that include:
· Automated tests that are part of the deployment services
· Tests performed by the Subscriber in the staging environment including at least:
  · Functional tests
  · Performance tests
· Subscriber sign-off of the application in a Pre-Production Environment. The Subscriber must confirm that the application was tested and is correct with regards to functional and non-functional requirements
Up to 2 deployments per month are included in the service.
7.2. Infrastructure
7.2.1. Source Code Management
The Subscriber is responsible for source code management and provides read access to the source code repository to CoreMedia. The supported source management software is Git.
7.2.2. Development Infrastructure
CoreMedia provides development infrastructure for:
1. Building of deployment packages for deployment to the environments
2. Performing automated tests
3. Deployment of packages to the Development Sandboxes
7.3. Service Requests
Handling service requests imposed by the Subscriber, and exceeding standard volumes provided with the Service, may be charged for as “Ops-Points”, according to the current price list. The following standard service requests will be charged at the following number of Ops-Points:
Service request | Ops-Points |
Content transfer from Production to Pre-Production | 10 |
Content transfer from Pre-Production or Production to Development Sandbox | 5 |
Content transfer from Development Sandbox to Pre-Production or Production | 5 |
Deployment to Production Environment | 5 |
Deployment to Pre-Production Environment | 5¹ |
Custom workflow upload | 2 |
Custom user role reconfiguration | 5 |
Custom CDN cache reconfiguration | 3 |
Custom domain support initial setup | 10 |
Custom domain support reconfiguration | 5 |
Commerce Adapter reconfiguration | 5 |
Other requests | Depending on effort |
¹ Self-service interface available
7.4. Limitations
Not all configurations and customizations that are technically feasible with the CoreMedia platform can be used with CoreMedia Content Cloud - Service.
7.5. Process Definitions
7.5.1. Deployment To CoreMedia Content Cloud - Service environments
Deployment services to Production Environment are performed by CoreMedia. All deployments are performed during Business Hours (“Deployment Windows”). Staging environments might be unavailable during deployment windows. In Production Environment, backend processes and editorial work may be interrupted. CoreMedia will apply reasonable effort to avoid delivery component downtimes, but temporary performance degradations might occur during deployment.
1. Subscriber requests a deployment with Deployment Window and additional deployment instructions.
2. Subscriber provides a pointer to the location where the custom application code is hosted and available for CoreMedia (for example, by means of a signed Git tag or similar) for software release and confirms software fulfills requirements for the environment.
3. CoreMedia evaluates requests and confirms request or requests changes from the Subscriber.
4. Within Deployment Window, CoreMedia performs deployment.
5. CoreMedia notifies the Subscriber of the completed deployment.
7.5.2. CoreMedia Platform Version Upgrades
CoreMedia provides to the Subscriber a workspace as source code that can be configured and customized to the Subscriber needs, as well as secure access to binary software artifacts as required. The Subscriber manages the source code for its configured and customized workspace in its own source code management system.
When CoreMedia releases a new Product Software version, it makes a new version of the workspace available to its Subscribers. Code-level dependencies on versioned platform artifacts are included in the workspace releases.
The Subscriber is responsible for upgrading their configured and customized workspace to the new release. The custom applications resulting from building the upgraded workspace can then be deployed to the provided environments.
8. MAINTENANCE SERVICES
For Product Software and Add Ons, CoreMedia provides Maintenance Services as set out in the Master Service Agreement, in section Product Maintenance. Maintenance services make available versioned upgrades. The Subscriber may choose the versioned upgrades to be utilized as outlined in the section “CoreMedia Platform Version Upgrades”.
CoreMedia may also perform regular scheduled infrastructure maintenance activities to ensure functionality of the Cloud Tools, to reflect changes in technology, industry practices and secure operations (the “Infrastructure Maintenance”).
Whenever CoreMedia expects required Infrastructure Maintenance activity, CoreMedia will use reasonable efforts to provide advance notice to the Subscriber. CoreMedia Content Cloud – Service downtimes occurring due to such scheduled Infrastructure Maintenance shall not be deemed to be a Service Downtime as set out in Exhibit 3, Service Level.
The maintenance activities are scheduled to be done during Business Hours (according to Hamburg Time). The regular maintenance window is approximately an hour. This is a downtime for the editorial backend only, the data delivery continues.
8.1.1. Impacting Maintenance
Whenever service impact is expected during any maintenance activity scheduled by CoreMedia, CoreMedia will use commercially reasonable efforts to provide at least 3 business days' notice to the Subscriber.
8.1.2. Emergency Maintenance
In the event of a critical security patch which endangers CoreMedia Content Cloud’s service delivery, CoreMedia reserves the right to execute the patch work, informing the Subscriber at least 48 hours before the necessary downtime. This downtime is not counted towards the system availability as per the Service Level Objectives for CoreMedia Content Cloud - Service.
9. SECURITY
9.1. Access to CoreMedia Content Cloud - Service Instances
Only permanent and specially trained members of the CoreMedia Content Cloud Services operations team and CoreMedia support are given access to a Subscriber’s cloud resources (virtual machines, load balancers, networking and CDN configuration, etc.). Access to the environments is always secured by Two-Factor-Authentication.
9.2. Network Infrastructure Security
Network-related security measures include network firewalls and a Web application firewall to detect and mitigate DDoS attacks.
In general, network components are configured prohibitively, meaning that only those network routes and ports are configured that are required for the components to communicate properly and for the service to function correctly.
Each environment is deployed into separate virtual private clouds to ensure isolation of the components of the CoreMedia Content Cloud – Service. The components may rely on Shared Services outside the virtual private clouds. Data transfer to these services is secured by transport encryption methods and authentication. If required, secure peering is used to facilitate communications between virtual private cloud instances.
CoreMedia employs industry best practices to mitigate typical attack scenarios, which include:
· Cross-site scripting attacks
· Distributed Denial-of-Service attacks (DDoS)
· Volumetric Attacks
· SQL injection
Default rules are in place in the application firewalls to mitigate those attacks. At the request of the Subscriber, additional specific rules (for example, URL pattern matching, IP-range or geo-based constraints, size constraints) can be put in place.
9.3. Application Security
CoreMedia employs industry best practices to detect typical vulnerabilities in both core and Subscriber-supplied code, which include automated static code analysis and regular scans for dependencies on third-party software with known vulnerabilities as per the common vulnerabilities and exposures (“CVE”) database.
In the case of detected vulnerabilities, CoreMedia will inform the Subscriber and jointly decide on mitigation strategies.
9.4. Penetration Testing
Internet-facing systems of the CoreMedia Content Cloud - Service are subject to penetration testing. A third party performs these penetration tests regularly on a CoreMedia Content Cloud - Service reference environment.
Subscribers may perform their own penetration tests or vulnerability assessments, provided that they inform CoreMedia, via a ticket or in writing, no less than 10 business days before the scheduled start of the test procedures.
10. Roles and Responsibilities
The following roles and responsibilities shall apply for the Services provided by CoreMedia to the Subscriber. Only Services where CoreMedia is marked with “R” (for responsible) are part of CoreMedia’s Content Cloud Services obligations to the Subscriber. All other responsibilities are the Subscriber’s obligation.
· R – Responsible
· A – Accountable
· C – Consulted
· I – Informed
Topic | Subscriber | CoreMedia |
Provisioning | | |
System sizing | R/A | C |
Cloud instance provisioning: dev, staging, prod | I | R/A |
Network configuration | I | R/A |
Security configuration | C | R/A |
Security | | |
Network infrastructure security | I | R/A |
Operating system security | I | R/A |
Application access security | R | R/A |
Security of customizations | R/A | C |
Incident Management | | |
Capturing of Incidents (phone/email/ticket) | I | R/A |
Categorization of Incidents | I | R/A |
Incident Management infrastructure | I | R/A |
Development and QA | | |
Customization development | R/A | C |
Customization functional testing | R/A | I |
Customization load testing | R/A | I |
Customization penetration testing (security) | R/A | C |
CI for test and production environments | C | R/A |
Application handover, staging and go-live | | |
Code deployment to Dev | R/A | C |
Code deployment to Staging | R/A | C |
Code transition to production | C | R/A |
User acceptance test spec and implementation | R/A | C |
Production and staging operations | | |
Platform-level monitoring (CPU, Memory, Network, Disk) | I | R/A |
Application-level monitoring | C | R/A |
Ensuring platform uptime (CMS Servers, Search, CAE, Studio) | I | R/A |
Ensuring function of customizations | R/A | I |
Infrastructure and OS-level maintenance | I | R/A |
Customization maintenance and upgrades | R/A | I |
Prod instance scaling | C | R/A |
Prod backups/restore, disaster recovery | I | R/A |
Annex 1 – The CoreMedia Content Cloud - Service
The CoreMedia Content Cloud – Service is a Platform as a Service (“PaaS”) and is depicted in the diagram below.
Annex 2 – Acceptable Use Policy
Subscriber agrees not to, and not to allow third parties to, use the Services:
· to violate, or encourage the violation of, the legal rights of others (for example, this may include allowing Subscriber's Users and End Users to infringe or misappropriate the intellectual property rights of others in violation of the Digital Millennium Copyright Act);
· to engage in, promote or encourage illegal activity;
· for any unlawful, invasive, infringing, defamatory or fraudulent purpose (for example, this may include phishing, creating a pyramid scheme or mirroring a website);
· to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature;
· to interfere with the use of the Services, or the equipment used to provide the Services, by customers, authorized resellers, or other authorized users;
· to disable, interfere with or circumvent any aspect of the Services;
· to generate, distribute, publish or facilitate unsolicited mass email, promotions, advertising or other solicitations (“spam”).