STACKIT
Service Description STACKIT Cloud
1. General
1.1 Introduction
STACKIT GmbH & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm, Registry court Stuttgart, HRA 741347 (“STACKIT”) as a national provider of professional infrastructure & platform-as-a-service provides services under the brand STACKIT (“STACKIT Cloud Services”) based on OpenStack, which is made available exclusively as Public Cloud version to entrepreneurs (“Customers”). STACKIT is the Cloud-Service provider for the Schwarz Group.
The STACKIT Cloud Services follow the international ISO/IEC 27001:2013 norm and an ITIL based operating model and are provided by specialized experts.
1.2 Data center location
The STACKIT Cloud Services are provided and operated in the STACKIT data center in Germany and in the future also in other member states of the European Union. All data centers are operated in compliance with ISO27001, ISO20000 and TÜV Level 3. As a European Cloud Service Provider, STACKIT is subject to the European General Data Protection Regulation (GDPR).
1.3 Scope
This general service description (“service description”) forms an essential element of the contract regarding the subscription of STACKIT Cloud Services in addition to the separately regulated terms of use and the service certificate(s) selected by the customer.
In the case of inconsistencies between the terms of use, the service description and the valid service certificate, the service certificate takes priority over the service description and the terms of use; the service description takes priority over the terms of use.
1.4 Change to the service description
STACKIT has the right to adapt the service description. This also applies to a current contractual relationship on the purchase of STACKIT Cloud Services with effect in the future; we refer to number 6 of the terms of use which applies here.
2. Service Level Agreement
2.1 Service transfer point
The service responsibility for STACKIT Cloud Services to be provided by STACKIT ends at the point of Internet transfer between the respective data center operated by STACKIT and the Internet Service Provider from the respective region.
2.2 Operating Times
The operating times of STACKIT Cloud Services are Monday through Sunday, “24/7”, 365 days a year (with the exception of planned maintenance work).
2.3 Availability
The general availability of STACKIT Cloud Services is – after deducting the excluded events according to number 2.4 – 99.9% (99,5% for non-redundant STACKIT Cloud Services) in the calendar month average, provided nothing else is regulated in the respective service certificate underlying STACKIT Cloud Services (“availability”). Availability information is only valid for contractually agreed STACKIT Cloud Services and their components; the availability consent does not cover the availability of the customer’s own components or components from a third party (both software and hardware).
The availability target per calendar month is calculated as follows:
- The availability also refers to a calendar month, is recorded on a calendar month basis and is accounted for as a percentage.
- “Total service minutes” means the total number of calendar month minutes (calculation: 60 minutes x 24 hours x number if calendar days in the month).
- “Total downtime minutes” means the number of minutes per month in which the contractually agreed STACKIT Cloud Services were not provided. The numbers of minutes per month that are not included in the calculation of availability as they are excluded events within the meaning of clause 2.4 shall be deducted from this value of the total downtime minutes.
The general availability of the STACKIT Portal and the STACKIT Application Programming Interface (API) are not subject to the STACKIT availability consent. STACKIT aims however to attain availability for the STACKIT Portal and the STACKIT Application Programming Interface (API) of 99.9% respectively on a monthly average. Downtime, malfunctions or other inaccessibility in the STACKIT Portal or the STACKIT Application Programming Interface (API) do not influence the calculation of the availability of a STACKIT Cloud Service.
2.4 Excluded events
Excluded events denote in particular those periods of time in which contractually agreed availability of STACKIT Cloud Services could not be provided (“excluded events“) due to the following downtime and malfunctions. Excluded events do not count as downtime. Excluded events include in particular:
- Downtime and malfunctions that have not been caused by STACKIT, in particular DNS, routing problems or unauthorized effects from a third party such as virtual attacks to the network or mail infrastructure (DoS/Viruses/Spam).
- Downtime and malfunctions that have taken place due to the performance of countermeasures against unauthorized effects or due to security incidents.
- Failures and disruptions of third party services beyond STACKIT’s control or which are not attributable to the service provided by STACKIT or the network structure beyond STACKIT’s control.
- Downtime and malfunctions that are due to incorrect use of programs or devices by the customer. This includes:
- Incorrect entries or non-adherence to instructions.
- Acts or omissions by the customer which exceed the stipulated and/or subscribed contingents.
- Acts or omissions by the customer to perform required configurations and/or to adhere to these.
- Downtime and malfunctions caused by the customer.
- Downtime and malfunctions that are the result of force majeure. Force majeure is an event that was unforeseeable for both parties even when practicing the greatest diligence that is reasonably to be expected; force majeure can include the following events in particular in this sense: Fire, explosions, power cuts, earthquakes, floods, severe storms, strikes, embargos, labor disputes, action taken by civil or military authorities, war, terrorism (including cyber terrorism), epidemics and pandemics, acts and omissions by Internet providers, acts and omissions by supervisory boards or administrative bodies (including passing laws or regulations or other acts of government that restrict the provision of STACKIT Cloud Services).
- Downtime and malfunctions which occurred due to maintenance work according to clause 2.8.
STACKIT Cloud Services that are made available to the customer free of charge or are explicitly designated and distributed as a test version, beta or in a similar manner are not subject to an availability promise. Failures or malfunctions that occur due to the use of such services by the customer are considered as excluded events.
2.5 Supported software versions
STACKIT Cloud Services can be provided under a specific software version at the time of contract conclusion (“main versions“). To keep STACKIT Cloud Services and the service provision to the customer secure and up-to-date, STACKIT retains the right to replace main versions of the software used with follow-up versions (“follow-up versions“) – also for subscriptions already concluded.
In this case the following applies in particular:
- STACKIT informs the affected customer of the pending change and the end of the support period for main versions as part of the release notes under https://docs.stackit.cloud/display/STACKIT/Release+Notes (“release notes”).
- The main version affected by the change is supported by STACKIT as part of the Release Notes for at least a further 180 calendar days, calculated from the notification of the change, and shortly after is successively migrated to the follow-up version (“transition period“).
- The customer can disagree with a pending change until the end of the transition period. If the customer disagrees with the replacement of a main version with a follow-up version by the end of the transition period, STACKIT has the right to terminate the subscription to the STACKIT Cloud Services affected by the change by the end of the transition period.
- Within this transition period, it will continue to be possible to conclude contracts based on the main version, but these will also have to be converted to the follow-up version at the end of the transition period. Customers are therefore advised to inform themselves about any announced changes to the main versions in the release notes before taking out a subscription to a STACKIT Cloud Service; for customers who subscribe to or extend the STACKIT Cloud Service affected by a change within the transition period, the STACKIT Cloud Service affected will only be available in the subscribed main version until the end of the transition period, which may correspond to significantly less than 180 calendar days, depending on when a subscription was taken out.
- If offered, technically possible and at the request of the customer, the customer also has the option to migrate from the main version to the follow-up version even before the end of the transition period or –depending on the STACKIT Cloud Services – have it migrated by STACKIT. The customer does not, however, have entitlement to early migration.
- After the transition period has elapsed, STACKIT converts any main versions not yet migrated by the customer successively to the follow-up version.
- In several cases during migration from the main version to the follow-up version it can occur that STACKIT cannot perform a proper automatic migration (in particular with customer data) without the cooperation of the customer. In these cases, STACKIT will inform the affected customer of any necessary cooperation as part of the release notes. The customer has time up to the end of the transition period – calculated from the publication of the required cooperation within the release notes – to perform the necessary cooperation.
- After the transition period has elapsed, the main version will no longer be supported by STACKIT and can as such also no longer be used by the customer; STACKIT has the right, if technically possible for STACKIT, to conduct an automatic migration of the main version to the follow-up version, even if the customer did not previously perform the necessary cooperation; this can, in particular, cause data loss and functional loss or restriction of the affected STACKIT Cloud Services, as well as in connection with this used customer hardware and software or hardware and software from a third party. STACKIT does not assume liability, with the exception of the cases in number 15.1 of the terms of use for damage which arises for the customer due to non-performance of migration or automatic migration.
- After conversion of a software from its main version to the follow-up version, the follow-up version shall then be understood as the (new) main version within the meaning of this clause.
2.6 Backup
Data backup by STACKIT is not performed as standard, unless something else is regulated in the individual service certificate.
If there is a data backup for an individual STACKIT Cloud Services according to the contractual underlying service certificate, the data backup complies with the corresponding STACKIT Cloud Services in line with the following standards, provided there is no other regulation in the individual service certificate or nothing else has been configured by customers:
| Backup Parameter | Characteristic |
|---|---|
| Recovery Point Objective (RPO) | 4 h |
| Recovery Time Objective (RTO) | 4 h |
| Retention Period (RP) | 14 days, day-by-day retention after the first 4 h |
- “Recovery Point Objective” (RPO): The Recovery Point Objective (RPO), or the maximum permissible data loss, consists of the specification of how old the version of the last current, consistent data backup can be. If data is lost and can be restored to the backup version with a required data backup.
- “Recovery Time Objective” (RTO): The Recovery Time Objective (RTO), or the maximum recovery time, describes the time period in which a data restoration to a functionally available system, including operating system data and required (application) data, can be consistently restored based on the backup.
- “Retention Period” (RP): The RP describes the maximum period of retention of safeguards.
2.7 Support
STACKIT provides their customers with qualified staff as well as supporting resources for trouble-shooting according to the parameters below.
Incoming support cases are assessed according to their critical status, which results in different response times.
- Incidents: STACKIT Cloud Services are not available or their use is restricted.
- Service or support requests: All remaining support cases, e.g. problems in user registration or system support.
STACKIT retains the right to downgrade in the critical level if the STACKIT Cloud Service is available and the reason for the malfunction is in the customer’s area of responsibility.
STACKIT points out that as part of the processing of a support case it may be necessary – depending on the customer matter – for STACKIT to access the customer’s STACKIT Cloud Services to be able to process the support case adequately.
| Support level | Standard |
|---|---|
| Channels | Status Website (status.stackit.cloud) Knowledge Database (docs.stackit.cloud) Help Center (support.stackit.cloud) |
| Availability of the malfunction indicator | 24/7 |
| Response times* | Incidents: < 4 h Service Requests: Best Effort |
| Solution time** | Best Effort |
| Price | Free |
- *“Response time“: Is the time period within the service time from the receipt of the customer notification at STACKIT until the start of processing the notification by qualified staff (Visual inspection).
- **“Solution time“: Is the time period within the service time from the receipt of the customer notification at STACKIT until the time elapses in which STACKIT must have restored the contractually owed availability of the STACKIT Cloud Services.
2.8 Maintenance
STACKIT conducts regular maintenance (for example in the form of updates, patches, bug fixes or hardware exchange and hardware extensions) to provide the function, quality and security of the STACKIT Cloud Services.
STACKIT usually informs the customer of maintenance work, which is likely to restrict the level of use of the STACKIT Cloud Services for the customer, two weeks before it is conducted, using the STACKIT Cloud Status website. In the case of urgent maintenance work, the notification may be made within a significantly shorter time period or may be omitted entirely, depending on the individual case. STACKIT recommends to the customer that they regularly check for any pending maintenance work on the STACKIT Cloud Status website.
During the performance of maintenance work, access to STACKIT Cloud Services may be temporarily suspended or restricted, in particular if this is mandatory due to the nature of the maintenance work to be performed.
Downtimes that occur due to maintenance work carried out shall be treated as excluded events within the meaning of clause 2.4.
2.9 Service Payback
If the agreed availability for STACKIT Cloud Services is not adhered to as described, the customer receives a credit within the following transaction in the form of credit onto their customer account (“service payback“):
- In order to claim a service payback, the Customer must assert in text form within two (2) weeks after receipt of the invoice of the STACKIT Cloud Service concerned, stating the customer number, invoice number and the STACKIT Cloud Service concerned, that the agreed availability of the STACKIT Cloud Service subscribed has not been complied with. A claim not received within two (2) weeks cannot be considered.
- If the claim is justified, the customer will receive a service payback credit for the following billing period onto their customer account.
- The amount of the service payback always refers to the pro rata invoice amount of the STACKIT Cloud Service whose availability was not met.
- In the event of rejection of a service payback claimed by the customer, it is the customer’s responsibility to demonstrate the breach of the agreed availability of a STACKIT Cloud Service.
- Credited service payback shall be offset against remuneration claims for the provision of STACKIT Cloud Services in the subsequent billing period, so that the remuneration payable by the customer shall be reduced accordingly.
- Payment or other compensation for credited service paybacks is excluded.
- The following service paybacks apply provided that no other regulation has been made in the STACKIT Cloud Services service certificate:
| Availability (month) | Service Payback |
|---|---|
| < 99,9% (99,5% for non-redundant STACKIT Cloud Services) | 10% |
| < 99,0% | 20% |
| < 98,5% | 50% |
| < 95,0% | 100% |
3. Incidents & Security Incidents
3.1 Information
STACKIT regularly provides customers with information about disruptions (“incidents“) via the STACKIT Cloud Status website (status.stackit.cloud).
In case of security incidents (“security incidents”), customers will be informed directly.
STACKIT recommends that customers continuously check the status of incidents & security Incidents on the STACKIT Cloud Status website.
3.2 Analysis option from STACKIT
For STACKIT Cloud Services provided by STACKIT and subscribed by the customer, STACKIT may take measures at its own discretion to detect vulnerabilities in the area of responsibility of STACKIT as well as in the area of responsibility of the customer at an early stage. In particular, all hardware, applications and software of third parties which are not provided by STACKIT (“customer’s area of responsibility“) are within Customer’s Area of Responsibility.
If security incidents in the customer’s area of responsibility are detected by STACKIT or external service providers of STACKIT, the customer will be informed about them. Depending on the severity of the security incident, customer is obliged to take appropriate measures for its area of responsibility in a timely manner to avoid the security incident (e.g. by patching an affected application). If, for example, the customer’s area of responsibility is not secured with the latest patches or workarounds, if the area of responsibility harbors security risks for STACKIT or the customer itself, or if the quality of the STACKIT Cloud Services is negatively affected or jeopardized by a security incident in the customer’s area of responsibility, STACKIT reserves the right to take appropriate countermeasures pursuant to clause 3.4.
3.3 Data collection for analysis options by STACKIT
To detect potential security incidents in the customer’s area of responsibility, log data of customer systems or perimeter data (e.g. firewalls, switches, routers and others) can undergo a rules-based evaluation for anomalies and potential security incidents. Appropriate vulnerability scans (proactive and reactive) can also be performed for systems available on the Internet.
3.4 Possible countermeasures in the case of security incidents
To protect the customer and STACKIT Cloud Services, STACKIT reserves the right to take appropriate measures without prior consultation with the customer (“countermeasures”) in the event of suspected cases or proven security incidents and corresponding severity. Of course a separate notification will be sent to the customer on this subject at the latest in the follow-up. Countermeasures may include:
- Disconnecting affected systems and STACKIT Cloud Services from the network, shutting them down or halting them to avoid damage to the systems and STACKIT Cloud Services.
- Forensic analysis of possible affected systems and STACKIT Cloud Services (in particular to gain knowledge for law enforcement, criticality or damage assessment).
- Other activities to avoid or reduce restrictions to other customer systems of the STACKIT Cloud Services or external systems.
Version: 1.3, valid from 28.10.2024