PERFORMANCE STANDARDS
1. Service Level Standards. Toolio will at all times during the term of this Agreement exercise reasonable efforts to maintain the following service levels for the Products (collectively, the “Service Levels”):
1.1. System Availability Service Level. Toolio will exercise reasonable efforts to provide 99.5% System Availability over one-month periods, excluding any Maintenance or Force Majeure Events (as defined below) that result in the Products not being available to any User, as measured and monitored from Toolio’s facilities. “System Availability” will be calculated on a monthly basis using the following formula: [(Actual Availability divided by Total Availability) multiplied by 100%]. The following definitions will apply with respect to the calculation of System Availability:
1.1.1. “Actual Availability” means Total Availability minus Downtime, in minutes.
1.1.2. “Downtime” means the time (in minutes) that users of the Products are not able to (a) access the Products, (b) perform ordinary functions to use or receive Products in accordance with specifications, or (c) utilize the Products for normal business operations due to failure, malfunction, or delay. Downtime does not include any unavailability of the Products due to Maintenance that complies with Section 1.1.4 or a failure or delay arising out of a Force Majeure Event.
1.1.3. “Force Majeure Event” means any failure or delay caused by or the result of causes beyond the reasonable control of a Party and which could not have been avoided or corrected through the exercise of reasonable diligence, including, but not limited to, acts of God, fire, flood, hurricane or other natural catastrophe, terrorist actions, pandemics, epidemics, laws, orders, regulations, directions or actions of governmental authorities having jurisdiction over the subject matter hereof, or any civil or military authority, national emergency, insurrection, riot or war, or other similar occurrence.
1.1.4. “Maintenance” means time (in minutes) that the Products are not available to Customer due to maintenance of the Products, including for maintenance and upgrading of the software and hardware used by Toolio to provide the Products. Maintenance includes scheduled maintenance and unscheduled, emergency maintenance. Toolio will provide Customer with at least ten business days’ prior written notice of any scheduled maintenance or sixty minutes’ advance written notice for unscheduled, emergency maintenance. Toolio will provide such notices to Customer by email to an address provided by Customer. Maintenance will not exceed ten minutes in any given month, and will only be performed on Friday or Saturday between the hours of 1:00 a.m. and 3:00 a.m. (EST). Any time during which the Products are unavailable to Customer due to emergency maintenance or other activity by Toolio for which Toolio fails to give notice, which exceeds the permitted time allotment, or which occurs outside of the foregoing permitted hours will be included in the calculation of Downtime.
1.1.5. “System Availability” or “available” means the percentage of total time during which the Products are available to Customer and data transmission is fully operational and able to receive, process, store and transmit Customer Data accurately.
1.1.6. “Total Availability” means 7 days per week, 24 hours per day in minutes.
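The following is an added worked example of the System Availability calculation in Sections 1.1 through 1.1.6; it is not part of the Agreement and is not Toolio’s code. It applies the formula [(Actual Availability / Total Availability) × 100%] to a constructed month of unavailability events and shows how the Maintenance carve-out is reduced to Downtime when notice was not given, when the work falls outside the Friday/Saturday 1:00 a.m. to 3:00 a.m. (EST) window, or when the ten-minute monthly allotment is exceeded. It assumes “EST” means a fixed UTC−5 offset, that each event lies wholly within the month being measured, and that a Force Majeure Event simply does not count as Downtime (Total Availability is unchanged). All dates, event names and helper functions are constructed for illustration.

```python
"""Worked System Availability calculation (added example, not Toolio's code)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from enum import Enum

# Assumption: "EST" in the Agreement is read as a fixed UTC-5 offset.
EST = timezone(timedelta(hours=-5), "EST")
MAINTENANCE_ALLOWANCE_MIN = 10                     # Section 1.1.4: ten minutes per month
WINDOW_START, WINDOW_END = time(1, 0), time(3, 0)  # 1:00 a.m. to 3:00 a.m. EST
WINDOW_WEEKDAYS = {4, 5}                           # Friday, Saturday
AVAILABILITY_TARGET = 99.5                         # Section 1.1


class Cause(Enum):
    OUTAGE = "outage"
    SCHEDULED_MAINTENANCE = "scheduled maintenance"
    EMERGENCY_MAINTENANCE = "emergency maintenance"
    FORCE_MAJEURE = "force majeure"


@dataclass(frozen=True)
class Event:
    start: datetime            # timezone-aware
    end: datetime
    cause: Cause
    notice_given: bool = True  # ten business days (scheduled) / sixty minutes (emergency)

    @property
    def minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)


def in_maintenance_window(ev: Event) -> bool:
    """True only if the whole event lies inside Fri/Sat 1:00-3:00 a.m. EST."""
    s, e = ev.start.astimezone(EST), ev.end.astimezone(EST)
    return (s.date() == e.date()
            and s.weekday() in WINDOW_WEEKDAYS
            and WINDOW_START <= s.time()
            and e.time() <= WINDOW_END)


def classify(events) -> dict:
    """Split unavailability minutes into Downtime, excluded Maintenance and Force Majeure."""
    downtime = excluded_maintenance = force_majeure = 0
    allowance = MAINTENANCE_ALLOWANCE_MIN
    for ev in sorted(events, key=lambda e: e.start):   # allowance is consumed in time order
        if ev.cause is Cause.FORCE_MAJEURE:
            force_majeure += ev.minutes
        elif ev.cause in (Cause.SCHEDULED_MAINTENANCE, Cause.EMERGENCY_MAINTENANCE):
            if ev.notice_given and in_maintenance_window(ev):
                excused = min(ev.minutes, allowance)
                allowance -= excused
                excluded_maintenance += excused
                downtime += ev.minutes - excused       # minutes over the allotment are Downtime
            else:
                downtime += ev.minutes                 # no notice or outside the window
        else:
            downtime += ev.minutes
    return {"downtime": downtime, "maintenance": excluded_maintenance,
            "force_majeure": force_majeure}


def system_availability(events, year: int, month: int) -> float:
    total = calendar.monthrange(year, month)[1] * 24 * 60  # Total Availability (Section 1.1.6)
    actual = total - classify(events)["downtime"]          # Actual Availability (Section 1.1.1)
    return round(actual / total * 100, 3)


def meets_service_level(availability: float) -> bool:
    return availability >= AVAILABILITY_TARGET


def _est(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=EST)


# Constructed sample month. 1 and 29 March 2024 are Fridays, 9 March 2024 is a Saturday.
SAMPLE_MARCH_2024 = [
    Event(_est(2024, 3, 1, 1, 30), _est(2024, 3, 1, 1, 38), Cause.SCHEDULED_MAINTENANCE),   # 8 min excused
    Event(_est(2024, 3, 9, 2, 0), _est(2024, 3, 9, 2, 5), Cause.EMERGENCY_MAINTENANCE),     # 2 excused, 3 over
    Event(_est(2024, 3, 13, 14, 0), _est(2024, 3, 13, 14, 20), Cause.EMERGENCY_MAINTENANCE),  # outside window
    Event(_est(2024, 3, 20, 10, 0), _est(2024, 3, 20, 11, 30), Cause.OUTAGE),                # 90 min Downtime
    Event(_est(2024, 3, 25, 0, 0), _est(2024, 3, 25, 6, 0), Cause.FORCE_MAJEURE),            # not Downtime
    Event(_est(2024, 3, 29, 1, 0), _est(2024, 3, 29, 1, 5), Cause.SCHEDULED_MAINTENANCE,
          notice_given=False),                                                               # no notice
]

if __name__ == "__main__":
    summary = classify(SAMPLE_MARCH_2024)
    availability = system_availability(SAMPLE_MARCH_2024, 2024, 3)
    print(summary, availability, "meets target" if meets_service_level(availability) else "MISSED")
```

In the sample month only 118 of the 483 minutes of unavailability count as Downtime (10 minutes are excused Maintenance and 360 are Force Majeure), giving 99.736% System Availability against the 99.5% target. A Customer verifying a monthly report should ask for the underlying event list with notice timestamps, since the same outage minutes move between the Maintenance and Downtime columns depending only on whether notice was given and when the work was performed.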
2. Backups. Toolio will back up to Toolio’s backup location, on a daily basis, all Customer Data entered into the Products since the last backup. Toolio will create a full backup (complete copy) at least once a day at such backup location. Toolio will maintain all backup files for at least 30 days. Upon Customer’s request, Toolio will restore Customer Data from backup files within 24 hours of Customer’s written request.
SECURITY MEASURES
Toolio, at a minimum, shall maintain the following information security controls:
Vulnerability Management
1. At least quarterly, scan information assets with industry-standard security vulnerability scanning software to detect security vulnerabilities. The scan must cover all information assets utilized to provide services to Customer.
2. At least quarterly, scan system source code with industry-standard vulnerability scanning software to detect source code vulnerabilities. The scan must cover all source code used to provide services to Customer.
3. At least annually, Toolio must engage a qualified third-party to perform an external penetration test. The scope of the penetration test must include information assets utilized to provide services to Customer.
4. Maintain and adhere to a documented process to remediate at least all critical, high, and medium risk vulnerabilities identified.
Identification and Authentication
1. Toolio will require multi-factor authentication for all personnel authenticating to information assets utilized to provide services to Customer.
2. Password and general account settings must at least meet the following requirements:
a. Be a minimum of eight (8) characters in length
b. Include characters from at least two (2) of the following categories: alpha, numeric, and special characters.
c. Password expiration must occur at least every one hundred eighty (180) days.
d. Password history requirements will not allow the same password to be used for the last five (5) passwords.
e. Limit failed login attempts to no more than ten (10) consecutive failed login attempts. The account must then be locked for at least thirty (30) minutes or permanently locked until unlocked by a system administrator.
f. Interactive sessions on a user’s workstation will be locked (i.e., activating a secure locking screensaver) after a period of inactivity not to exceed fifteen (15) minutes.
3. Toolio will assign unique user IDs to authorized individual users and assign ownership to each system or service account.
4. Administrative accounts must be separate from general use accounts.
Encryption
1. Toolio will ensure all Customer Data in transit (i.e., Customer Data communicated over the Internet) is encrypted via TLS 1.2.
2. For any Customer Data at rest, Toolio will ensure strong encryption is used to protect Customer Data.
Endpoint Protection
1. Toolio will run current antivirus software on all employee endpoints and upon detection, will promptly remove or quarantine viruses or malware.
2. Toolio will ensure employee endpoints are restricted from installing unauthorized software, or, if unauthorized software is installed, that Toolio can disable it immediately.
3. All employee endpoints will utilize full disk encryption.
Disaster Recovery
1. Toolio shall maintain a business continuity and/or disaster recovery plan that is reviewed, updated (as needed), and approved at least annually.
2. Toolio must ensure the business continuity and/or disaster recovery plans are tested at least annually. Tests must include relevant contingency teams, and any corrective action plans that result from the test must be incorporated into the plan.
Monitoring and Logging
1. Critical information system activity for all information assets must be logged.
2. Logs must be monitored and reviewed daily. Such reviews may initially be performed by automated processes that promptly issue alerts when such processes detect significant anomalies. Toolio personnel must promptly respond to and investigate these alerts.
3. Access to security logs must be restricted to authorized individuals, and security logs must be protected from unauthorized modification.
Incident Response
1. Toolio shall maintain an incident response plan that is reviewed, updated (as needed), and approved at least annually. The plan shall include procedures for investigation, resolution, and external communication requirements.
Supplier Management
1. Toolio must maintain a supplier management program, which includes the following requirements:
a. Annual review of key suppliers to ensure compliance with key security controls and/or certifications; and
b. Formal process for the evaluation of information security controls for potential / new suppliers.