Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners


Page 1: Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners

© 2014 IBM Corporation

Cloud & Smarter Infrastructure – Legal, Security & Data Privacy for SaaS offerings for Partners

Page 2

Agenda

Legal Contracts Key terms Compliance Overview Service Level Agreement

Data Privacy Overview EU Safe Harbor Hosting locations

Security C&SI SaaS Security Practices IBM Standard ITCS104 & Industry Standards Certifications

Page 3

Legal - C&SI SaaS Contract Options

IBM International Passport Advantage Agreement (IPAA) – includes SaaS terms regarding ownership, customer’s right to use, subscription to SaaS, SaaS technical support, content and termination of SaaS

Option 1 (Passport Advantage customers using direct or e-Commerce to purchase)
• Terms of Use (TOU) B – standard terms of use for IBM SaaS offerings. This is in addition to the IBM IPAA or IBM IPAA Express Agreement
• TOU A – terms of use specific to a SaaS offering (e.g. charge metrics, renewal)
• Service Level Agreement (SLA) – specific to a SaaS offering

Option 2 (Non-Passport Advantage customers using direct to purchase)
• Cloud Service Agreement (CSA) – simplified agreement for SaaS that benefits legacy customers from acquisitions, new customers and eCommerce (future).
• Services Description – similar to TOU A, specific T’s & Cs for each SaaS offering
• SLA – specific to a SaaS offering

Applies to IBM Software Value Plus

Kimi - verify that these only apply to IBM Software Value Plus because SSP has its own set of contracts unless SSP contracts are addendums.

Page 4

Legal - Key Terms

Automatic renewal – contract is automatically renewed unless customer cancels.
• Example: Customer purchases a 12 month term with monthly billing and on month 15 decides they no longer need the service. They DO NOT have the option to terminate and will be responsible for the remaining 9 months of coverage (the full 12 month term).

Indemnity - Customer agrees to hold IBM harmless against any third party claim arising out of or relating to: 1) violation of the IBM Acceptable Use Policy by Customer or any of Customer’s IBM SaaS Users; or 2) Content made available to the IBM SaaS.

Non-disclosure of Customer Content – TOU B states that IBM will not use client data for any reason other than to operate the SaaS, and that the data will be kept confidential

Applies to IBM Software Value Plus

Kimi - verify that these only apply to IBM Software Value Plus because SSP has its own set of contracts unless SSP contracts are addendums.

Page 5

Legal - Compliance Overview

Compliance = Softlayer Compliance + C&SI SaaS Compliance

Unless both are compliant we can’t claim compliance.

Payment Card Industry Data Security Standard (PCI DSS) - Compliant
• Set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
• C&SI processes credit card information through IBM Payment Systems, which is PCI compliant

Federal Risk and Authorization Management Program (FedRAMP) - Not Compliant (in progress)

Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

One of the key requirements is the Federal Information Security Management Act of 2002 (FISMA)

EU Safe Harbor (See EU Safe Harbor section) – Certification in process

Page 6

Legal - Service Level Agreements: one per C&SI SaaS offering (no charge)

“Availability” percentage is calculated as: (a) the total number of minutes in a Contracted Month, minus (b) the total number of minutes of Downtime in a Contracted Month, divided by (c) the total number of minutes in a Contracted Month, with the resulting fraction expressed as a percentage.

Availability during a Contracted Month    Availability Credit (% of Monthly Subscription Fee for the Contracted Month which is the subject of a Claim)
Less than 99.8%                           2%
Less than 98.8%                           5%
Less than 95.0%                           10%

Example: 432 minutes total Downtime during a Contracted Month

  43,200 total minutes in a 30 day Contracted Month
-    432 minutes Downtime
= 42,768 minutes
_________________________________________
  43,200 total minutes in a 30 day Contracted Month

= 99.0% availability during the Contracted Month, which earns a 2% Availability Credit

Terms found in TOU A or Cloud Services Agreement Services Description
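The availability formula and credit table above are easy to misapply: the three "less than" thresholds overlap (a month at 94% availability is below all three), the credit only triggers strictly below a threshold, and a 31-day month has more minutes than a 30-day one. The following Python is an added worked example, not IBM's code or a tool from the deck; the tier values are taken from the slide, the fee and the 31-day month are constructed inputs, and the function names are my own.

```python
from typing import Dict, List, Tuple

# Credit tiers from the SLA table, ordered from highest credit down so the
# first matching "less than" threshold wins: 94% availability is below
# 95.0%, 98.8% and 99.8%, and earns the 10% credit, not the 2% one.
CREDIT_TIERS: List[Tuple[float, int]] = [
    (95.0, 10),
    (98.8, 5),
    (99.8, 2),
]


def minutes_in_contracted_month(days_in_month: int) -> int:
    """(a) and (c) in the formula: total minutes in the Contracted Month."""
    if days_in_month <= 0:
        raise ValueError("a Contracted Month must have at least one day")
    return days_in_month * 24 * 60


def availability_percent(minutes_in_month: int, downtime_minutes: int) -> float:
    """((a) total minutes - (b) downtime) / (c) total minutes, as a percentage."""
    if minutes_in_month <= 0:
        raise ValueError("Contracted Month must contain at least one minute")
    if not 0 <= downtime_minutes <= minutes_in_month:
        raise ValueError("downtime must lie between 0 and the minutes in the month")
    return (minutes_in_month - downtime_minutes) / minutes_in_month * 100.0


def credit_percent(availability: float) -> int:
    """Map availability to the credit tier; exactly 99.8% is not 'less than' 99.8%."""
    for threshold, credit in CREDIT_TIERS:
        if availability < threshold:
            return credit
    return 0


def downtime_budget_minutes(days_in_month: int, threshold: float) -> float:
    """Minutes of downtime that can be absorbed before a tier threshold is crossed."""
    return minutes_in_contracted_month(days_in_month) * (100.0 - threshold) / 100.0


def sla_claim(days_in_month: int, downtime_minutes: int, monthly_fee: float) -> Dict[str, float]:
    """Work a claim end to end: minutes, availability, credit tier and credit amount."""
    minutes = minutes_in_contracted_month(days_in_month)
    avail = availability_percent(minutes, downtime_minutes)
    credit = credit_percent(avail)
    return {
        "minutes_in_month": minutes,
        "availability_percent": round(avail, 3),
        "credit_percent": credit,
        "credit_amount": round(monthly_fee * credit / 100.0, 2),
    }


if __name__ == "__main__":
    # The slide's own example: 432 minutes of downtime in a 30-day month.
    # The monthly fee of 1000.00 is a constructed figure, not from the deck.
    print(sla_claim(30, 432, 1000.00))
    # Constructed comparison: the same outage in a 31-day month.
    print(sla_claim(31, 432, 1000.00))
    # Downtime budget before each tier triggers, 30-day month.
    for threshold, credit in CREDIT_TIERS:
        print(f"below {threshold}% ({credit}% credit) after "
              f"{downtime_budget_minutes(30, threshold):.1f} minutes of downtime")
```

Note that the budget for the first tier in a 30-day month is only 86.4 minutes, so the monitoring that feeds a claim needs minute-level resolution on outage start and end; rounding downtime to the nearest hour would move a month across a tier boundary.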

Page 7

Data Privacy - What you need to know

Personal data generally includes information relating to an individual – think business card (e.g. names, email addresses, home address). In some countries, it also includes information about identified partnerships, associations, or corporations. IBM is a data processor, an entity that processes personal data on behalf of the data controller, who would be the client responsible for entering the data.

In most cases, Passport Advantage agreement covers data privacy for personal data.

EU and Switzerland have additional data privacy regulations but have established a framework with the U.S. for accessing personal data.

C&SI SaaS is in the process of obtaining EU Safe Harbor certification. This requires a risk assessment after we Go Live. In the meantime, we have security measures in place to restrict access to EU client data and to restrict IBM non-U.S. employee access to the Amsterdam hosting center in order to comply.

IBM has an Online Privacy Statement which is another EU Safe Harbor requirement

Page 8

Data Privacy - EU Safe Harbor Certification

EU and Switzerland have specific data privacy regulations and have established a framework with the U.S. for accessing personal data, called EU Safe Harbor, to prevent accidental information disclosure or loss.

C&SI SaaS is in the process of obtaining EU Safe Harbor certification

Benefits:

• Ability to assert Safe Harbor to clients and prospects.
• Facilitates selling in the EU and Switzerland.
• Makes us competitive in selling situations.

Page 9

Data Privacy - Where are the C&SI SaaS solutions hosted?

Active Data Centers - SoftLayer

Singapore

Dallas

Amsterdam

Working with local partners to expand into additional regions

Page 10

Security - C&SI SaaS Security Practices

Data Security – each offering has a Security Practices document
• Security Policy – states that IBM has published privacy and security policies and that employees are trained in security
• Access Control
  • Only authorized employees can access client data
  • Support staff for the Cloud Offering use multi-factor authentication and encrypted channels when accessing client data
  • Data transfers are logged
• Service Integrity & Availability
  • Change Management process governs changes to O/S, application s/w and firewall
  • Data center resources are monitored 24x7
  • Internal and external vulnerability scanning and malware detection
  • Information delivery protocols for transmission of data over public networks (e.g. HTTPS, VPN)
• Physical Security
  • Designed to restrict unauthorized physical access to data center resources
  • Entry and removal of equipment is logged
• Compliance
  • Assessments and audits are conducted regularly by IBM’s team to confirm compliance with its information security policies
  • Conduct workforce security education and awareness training

Note: The Security Practices are also included in the Cloud Service Agreement Service Description for each offering.

Page 11

Security – ITCS104 & Industry Standards Certifications

C&SI SaaS offerings adhere to the rigorous standards of ITCS104 security

There are many industry standards that require certification. C&SI is evaluating the priority order based on client demand.

Health Insurance Portability and Accountability Act (HIPAA) – Not Certified. Requires certification through the HIPAA Program Office (HPO)

Data Centers do not get certified in HIPAA – see the SoftLayer internal HIPAA whitepaper

SSAE 16 - Not Certified
SOC2 Type II Compliance - Not Certified
Cloud Security Alliance STAR Self Assessment - Not Certified
EU Safe Harbor (See EU Safe Harbor section) – Certification in process