Support, Maintenance, and Availability Agreement


February 20, 2020.

Table of contents

Definitions
Schedules
Scope of Support, Maintenance and Availability
Support Services
Maintenance
Availability

This Support, Maintenance and Availability Agreement shall govern the support and maintenance provided to customers in relation to the COVR Products as well as the availability of the Services. This document forms an integral part of the Agreement between the Parties.

Definitions

Terms not defined herein shall be given the meaning as otherwise is set out in the Agreement.

Agreed Time of Service” means the minutes when the agreed service level is measured. The Agreed Time of Service is 24/7 365 days a year.
Availability” means that the Services are made available at the Connection Point. Availability is calculated using the following formula:

Availability (%)=  ((AS-TB-AB) / (AS-TB)) * 100

AS = Agreed Time of Service 
TB = Permitted downtime
AB = Downtime (this does not include downtime for which the Service Provider is not responsible, in accordance with Section 6.2).

Business Days” means Monday through Friday, save for (i) Swedish public holidays and (ii) Trettondagsafton, Skärtorsdag, Pingstafton, Midsommarafton, Allhelgonadagen, Julafton and Nyårsafton.
Business Hours” means 9-17 CET on Business Days.
Connection Point” the point or points where the Service Provider connects the Services to a general electronic communications network; API, the COVR mobile app, SDK.
COVR Product Specification” means the product and function specification for the COVR Products as available at https://www.covrsecurity.com/covr-app-requirements/. The COVR Product Specification may be updated from time to time as changes are made to the COVR Products, including Updates and Upgrades.
COVR Products” shall mean the COVR App, COVR SDK, COVR Software and the Services.
Service Provider Support Services” means the support services set out in Section 4.2
Critical Update” shall have the meaning set out in section 4.8.
Customer Support Services” means the COVR Products support services set out in Section 4.1.
COVR Products” means the Services, the COVR Software and the COVR App.
Delivery Date” means the date on which the Services are made available to the Customer in accordance with what has been agreed between the Parties.
Downtime” means the period of downtime within the Agreed Time of Service that Availability has not been met with a deduction for the time of Permitted Downtime. Down­ time is calculated from the moment in time the failure in Availability is reported in accordance with Section 6.3 until the Services become Available. When determining Availability in accordance with the formula in the definition of “Availability” above, Downtime shall not include downtime that is not the responsibility of the Service Provider in accordance with Section 6.2.
Helpdesk Service” shall be given the meaning set out in Section 4.4.
Incident Resolution Assistance” shall be given the meaning set out in Section 4.6.
Incident” means a material non-conformance between a COVR Product and the COVR Product Specification.
Incident Report” shall have the meaning assigned to it in Section 4.5.2.
Incident Report Number” shall have the meaning assigned to it in Section 4.5.4.
Permitted Downtime” a) planned service and maintenance about which the Customer has been informed in advance where commercially reasonable, or b) other downtime at the request of the Customer or with the Customer’s approval. The number of occasions of Permitted Downtime as referred to in a) above shall not exceed two per month, except where otherwise agreed. The Service Provider may notify the Customer of planned Service and Maintenance through e-mail. Such notification shall be deemed received when sent by Service Provider. 
SMA Agreement” shall mean this Support, Maintenance, and Availability Agreement and its Schedules.
Service Request” shall mean requests that not are related to Incidents but to usage of the COVR Products, any audit-related requests to prove that the COVR Products are compliant with rules and regulatory requirements as specified in the submitted Service Request and ad hoc queries from Users.
Service Request Number” shall be given the meaning set out in Section 4.7.
Support Manager” means Service Provider’s overall responsible person for support issues in relation to Customer, as provided in Section 4.9.1.
Support Website” shall be given the meaning set out in Section 4.3.
Technical Contacts” means Customer’s contact persons to whom Service Provider’s Support Services will be provided, as further defined in Section 4.9.1.
Updates” shall mean the Service Provider’s published corrections of the Covr Products, which will be provided to the Customer in accordance with the Service Specification. 
Upgrades” shall mean the Service Provider’s published versions of the Covr Products including new or better functionality, which will be provided to the Customer in accordance with the Service Description.

3. Scope of Support, Maintenance and Availability

3.1 Service Provider agrees to use commercially reasonable efforts to provide COVR Support Services to Customer in respect of the COVR Products. the Service Provider may engage subcontractors to execute the COVR Support Services. The Service Provider’s maintenance undertaking is described in Section 5. 

3.2 The Customer shall provide the Customer Support Services in relation to the COVR Products. For the avoidance of doubt, the Customer is also responsible for the Customer systems, software, equipment and network access necessary for the COVR Products to function in accordance with the Agreement. 

3.3 This SMA Agreement also regulates the service level for the Services.

4. Support Services

4.1 Customer Support Services
The Customer shall provide and maintain an internal organisation that to a reasonable extent can manage, basic requests for assistance from Users related to the COVR Products and other queries related to the Customer’s use of the COVR Products, including but not limited to user access management, issues with Customer Data and bugs in the COVR Products. In case the Customer is unable to solve or provide an adequate answer to the request, the Customer may escalate the issue to the Service Provider in accordance with the Agreement. 

4.2 COVR Support Services

As from the Delivery Date, Service Provider will make available to Customer the following support services in respect of the COVR Products:

  1. Support Website;
  2. Helpdesk Service; and
  3. Incident Resolution Assistance.

4.3 Support Website

4.3.1 Service Provider will give Customer access to a website that will contain a knowledge database, product information and release information.

4.3.2 The website will also offer a frequently asked questions service enabling Customer to review answers to questions put forward by other customers.

4.4 Helpdesk Service

4.4.1 Service Provider will provide consultation and advice to Customer’s Technical Contact directly over the telephone and/or by e-mail for technical questions regarding issues related to the COVR Products and the use thereof.

4.4.2 Helpdesk Service will be provided 24/7 365 days per year.

4.5 Incident Reporting and Classification

4.5.1 shall be reported by Customer’s Technical Contacts by using the COVR support tool available at https://support.covrsecurity.com/hc/en-us/requests/new (“Incident Report“). The Incident Report shall contain a detailed description of the nature of the Incident, the conditions under which it occurs and other relevant data sufficient to enable Service Provider to reproduce the reported Incident, to verify its existence and diagnose its cause. The Incident Report shall also contain Reseller recommended priority (1-4) of the Incident and contact information to the Reseller and the Customer (e-mail and telephone number);

4.5.2 Any Incident for which Customer requests such services as mentioned in Section 4.5.1 shall be reported by Customer’s Technical Contacts in the format and to the addressee set out in Schedule 2 – Incident Report and Service Request (“Incident Report“). The Incident Report shall contain a detailed description of the nature of the Incident, the conditions under which it occurs and other relevant data sufficient to enable Service Provider to reproduce the reported Incident, to verify its existence and diagnose its cause. 

4.5.3 All COVR Support Services will be provided in English and Swedish. Therefore, any Incident Reports shall be drafted in English or Swedish.

4.5.4 Customer shall propose that the Incident shall be assigned to one of the below four Incident classes. Service Provider shall then decide, in its reasonable opinion, to which class the Incident shall be assigned. Furthermore, Service Provider shall assign an incident report number to the Incident Report (“Incident Report Number“). Service Provider may re-classify an Incident.

4.5.5 Any Incident shall be assigned to one of the following Incident classes.

a) Critical Incident (P1)
An Incident that renders a COVR Product inoperable or causes a COVR Product to substantially fail for all or majority of the Users.
b) Serious Incident (P2)
An Incident that renders a COVR Product inoperable or causes the COVR Product to substantially fail for 5-50 % of the Users.
c) Moderate Incident (P3)
An Incident reported by one or a few of the Users but that causes major limitations in the use of a COVR Product. 
d) Minor Incident (P4)
An Incident that does not qualify as a Critical, Serious or Moderate Incident.

4.6 Application Incident Resolution Assistance

Service Provider will acknowledge receipt of Customer’s Incident Report and will use commercially reasonable efforts (i) to classify and assign an Incident Report Number to the Incident Report, (ii) provide Customer with progress updates, and (iii) provide appropriate assistance to correct or alleviate the Incident reported, e.g. by implementing or furnishing an avoidance procedure, bypass, work-around or patch in accordance with below objectives:

Incident Class Initial e-mail or telephone response, incl.
Classification and numbering
Progress Update ActionWork around , Patch or similar COVR Product updates
Critical (P1)30 minutesEvery Business Day or as mutually agreed Work continuously during business hoursAs requiredNext
Serious (P2)30 minutesEvery Business Day or as mutually agreed Work continuously during business hours As requiredNext
Moderate (P3) 8 hours Every Business Day or as mutually agreed Starts immediately after initial telephone response and will be worked on during Business Hours As requiredNext
Minor (P4)8 hoursMonthly or as mutually agreed As reasonably required No As reasonably required

4.6.2 For the avoidance of doubt, the timelines set out in the table of this Section 4.6 are estimates only, and Customer shall not be entitled to any compensation in case such timelines cannot be met. Furthermore, Service Provider shall have no obligation to provide Application Incident Resolution Assistance where the Customer has not implemented any Critical Update released by the Service Provider.

4.7 Service Requests

4.7.1 Helpdesk Service will also be provided upon the Customer’s Technical Contact submitting a Service Request, in the format and to the addressee set out in the COVR support tool available at https://support.covrsecurity.com/hc/en-us/requests/new. Such requests shall be in English or Swedish. Service Requests will be assigned a number by the Service Provider (“Service Request Number”).

4.7.2 Service Provider will acknowledge receipt of Customer’s Service Request and will use commercially reasonable efforts to provide an appropriate initial answer to the Service Request within 8 Business Hours. For the avoidance of doubt, the timeline set out in this Section 4.7.2 is an estimate only, and Customer shall not be entitled to any compensation in case such timeline cannot be met.

4.8 Updates and Upgrades

Service Provider may continuously make Updates and Upgrades to the COVR Products. Changes that would have a material impact on the Availability of the Services during Business Hours shall be subject to reasonable prior notification. Updates and Upgrades of the COVR Product shall be made available to the Customer in an agreed manner and form. Updates and Upgrades that are issued to address critical issues  (“Critical Updates”) may be provided and shall be installed at such times as determined by the Service Provider in its discretion.

4.9 Customer’s Single Point of Contact for Support

4.9.1 Customer shall designate one primary and one delegate individual (“Technical Contacts“) to serve as liaisons with Service Provider. Customer’s designated Technical Contacts shall be the sole liaison between the Customer and Service Provider for COVR Support Services. To avoid interruption of the COVR Support Services, Customer shall notify Service Provider whenever a Technical Contact is replaced by another individual.

4.9.2 Service Provider will assign one individual to be overall responsible for all operational support issues in relation to Customer (“Support Manager“)

4.10 Customer’s Obligations

4.10.1 Customer agrees and undertakes to:

  1. provide the Customer Support Services to Users;
  2. ensure that only Customer’s Technical Contacts contact Service Provider with respect to COVR Support Services;
  3. ensure that Customer’s Technical Contacts are aware of Service Provider’s support number, e-mail and web site address, the information required when reporting an event, and the contracted hours of operation of Service Provider Support Services;
  4. maintain up-to-date lists of software, installation history, hardware equipment, and other relevant information which may reasonably be required to enable the Service Provider to fulfil its obligations;
  5. on Service Provider’s request, promptly provide reasonable information and assistance necessary for Service Provider’s performance of the COVR Support Services;
  6. always refer to the applicable Incident Report Number or Service Request Number in contacts with Service Provider;
  7. ensure that relevant and reasonable processes and procedures related to the COVR Products recommended by Service Provider are implemented and adhered to by Customer;
  8. provide Service Provider’s Support Manager with copies of Customer’s processes and procedures relevant for the COVR Products and provide reasonable information necessary for the understanding of such processes and procedures; 
  9. integrate and install the Updates and Upgrades for the COVR Products as made available to Customer by the Service Provider in accordance with the Service Provider’s instructions and, where any Critical Update is concerned, within such time as notified by the Service Provider; and   
  10. attend all service review meetings provided for in Section 4.15.

4.11 System Access

4.11.1 To enable Service Provider to efficiently provide COVR Support Services, Customer shall grant Service Provider and if applicable, a subcontractor of the Service Provider, if Service Provider so deems appropriate, access to Customer’s systems relevant for the COVR Products on a case-by-case basis. Service Provider shall use such system access only for the purposes of carrying out its obligations under this Agreement. In such use, Service Provider shall comply with Customer’s reasonable internal security instructions and procedures.

4.11.2 Provided that Service Provider complies with such reasonable instructions and procedures, Service Provider shall not be liable to Customer for any damage that may arise out of Service Provider’s use of and access to Customer’s systems, unless such damages are caused by Service Provider’s gross negligence or wilful misconduct.

4.12 Remuneration

The remuneration for the COVR Support Services is included in the Service Fee.

4.13 Support Services Not Related to the COVR Products

4.13.1 Prior to sending Service Provider an Incident Report, Customer shall ensure that the reported Incident is attributable to one or more of COVR Products.

4.13.2 Notwithstanding what is set out in the main agreement document and Section 4.12 of this Agreement, Service Provider shall be entitled to reasonable compensation for any work carried out or time spent by Service Provider as a consequence of reported Incidents that are not attributable to the COVR Products or which fall under Section 4.14.2.

4.14 Scope of Support

4.14.1 COVR Support Services will be provided to Customer only. Service Provider shall be under no obligation to provide COVR Support Services Customer’s customers or sub-contractors, if any.

4.14.2 Service Provider’s obligation to provide COVR Support Services shall not apply to the COVR Products if they have been used in a manner that fails to conform to Service Provider’s written instructions or to the provisions of the Agreement.

4.14.3 The Service Provider’s obligation to provide COVR Support Services shall only apply to the most updated version of the COVR Products. Except for in case of Critical Updates, the Customer shall be given a period of three (3) months from when an Update or Upgrade was made available during which the Update or Upgrade, as applicable, shall be integrated and/or installed prior to the relevant COVR Products ceasing to be seen as the most updated version. Where a Critical Update has been released, the Customer shall integrate and/or install such Critical Update within the time frame notified by the Service Provider.

4.15 Support Service Review Meetings

On either Party’s request, and no more frequent than twice per calendar year, the Parties will review the Service Provider Support Services rendered, and the performance under this Agreement of either Party in relation to the support services, since the previous review. Such service review will be carried out by Customer’s Technical Contacts and Service Provider’s Support Manager in a telephone conference, unless Customer’s Technical Contact and Service Provider’s Support Manager agree to meet in person, on each Party’s own expense.

4.16 Limited Warranty for Service Provider Support

4.16.1 Service Provider warrants that COVR Support Services will be provided in a professional and workmanlike manner, in accordance with well-established software support business standards. Service Provider makes no other warranties to Customer with respect to the COVR Support Services furnished hereunder, and no other warranties of any kind, whether written, oral, implied or statutory, including warranties of merchantability or fitness for a particular purpose, non-infringement or arising from course of dealing or usage in trade, shall apply.

4.16.2 In the event of breach of the warranty set out in Section 4.16.1 Customer is entitled to re-performance of the COVR Support Services, or if Service Provider reasonably cannot perform the COVR Support Services as warranted, Customer is entitled to terminate this Agreement and recover the part of the Service Fee for the COVR Support Services paid during a period of three calendar months prior to the termination of the Agreement. Such remedies shall be Customer’s exclusive remedy and shall constitute fulfilment of all obligations and liabilities of Service Provider with respect to the warranty under Section 4.16.1.

5. Maintenance

The Service Provider strives to keep the COVR Products up to date and functioning in accordance with relevant technology. Therefore, the Service Provider may continuously perform maintenance on the COVR Products. The Service Provider shall give the Customer reasonable notice of any maintenance to be performed during Business Hours that may affect the Availability of the Services. Updates and Upgrades of the COVR Products shall be made available in a mutually agreed form and manner. 

6. Availability

6.1 Agreed Availability 

6.1.1 The agreed Availability of the Services is measured per calendar month and is 99 %. For the avoidance of doubt, the service level set out in this Section 6 does not apply to Customer if the Customer’s use of the Service is a part of a preview, pre-release, beta or trial version of the Services or if the payment for access to the Services has been made using Microsoft Subscription credits or if the license has been ordered but yet not paid for by Customer.

6.1.2 The Services are hosted by a third party. More information about the third party’s hosting service and the availability of such service can be found on Microsoft Azure webpage. For the avoidance of doubt, the Service Provider does not provide any warranties, implied or expressed, in relation to the availability of the third party hosting service.

6.2 Downtime for Which the Service Provider Is Not Responsible

The Service Provider is not responsible for downtime or any other failure to satisfy the agreed service level if the Service Provider can show that it was caused by any of the following circumstances and provided that the said circumstance was not directly attributable to the Service Provider:

  1. circumstances outside the Service Provider’s area of responsibility for the Services, such as failure of communications or it is due to other products or services from Customer or third parties for which the Service Provider has not specifically taken responsibility;
  2. any other circumstances for which the Customer has responsibility for under the terms of the Agreement, including but not limited to, the obligation to implement Critical Updates, complying with reasonable instructions of the Service Provider or attempts to perform operations that exceed quotas prescribed by the Service Provider; or
  3. virus or other attack on security, despite the Service Provider having taken professional security measures, any Force Majeure Event or Service Provider restricting the Customer’s access to the Services in accordance with the main document of this Agreement.

6.3 Reporting of Downtime

Downtime is only reported after it has been registered by the Service Provider. Downtime may be registered by means of an automatic alarm, a report by the Customer in a manner agreed between the Parties or upon discovery by the Service Provider. The Customer is responsible for ensuring that if it reports the Incident, that it is reported in a manner compliant with the Agreement. 

6.4 Measurement

Except where otherwise agreed, the Service Provider has responsibility for defraying the cost of and implementing tools capable of measuring the agreed service levels. The measuring point for the Availability is the Connection Point.

6.5 Follow-Up

6.5.1 Within fifteen (15) days of the end of each calendar month or other agreed period, the Service Provider shall provide the Customer with a report on the measurements made of the agreed service level

6.5.2 The Technical Contacts are to receive the report referred to in Section 6.5.1 except where otherwise is agreed between the Parties. 

6.5.3 The Parties may agree on a specific plan describing how non-conformities and disturbances are to be reported between the two Parties.

6.6 Price Reductions in Event of Failure to Reach Agreed Level of Service

6.6.1 If the Availability is below the agreed level of Availability for the Services, the Customer is entitled to a price reduction of the percentage of the monthly Service Fee as shown in the table below:

Percentage or part thereof below the agreed level % rate price reduction
<99 %10 %
<95 %30 %
<90 %100 %

6.6.2 The maximum price reduction per month in the event of failure to meet Availability that can be credited to the Customer is 100 % of the monthly Service Fee.

6.6.3 To avoid losing the right to a price reduction, the Customer shall submit a claim for price reduction by no later than the end of the calendar month following the month in which the report is sent to Customer as a referred to in Section 6.5.1.

6.6.4 The Service Provider is responsible for failure to satisfy the agreed level of service only in accordance with the conditions of this Section 6. Over and above this the Customer has no right to damages or any other compensation on account of deviations from the service level, except in the event of wilful misconduct or gross negligence.