This GLN Services Delivery Policy (the “Policy”) shall apply to any GLN Services agreement (each, an “Agreement”) between The Descartes Systems Group Inc. or one of its’ subsidiaries or affiliates (“Descartes”) and Customer (as such term is defined in an Agreement) that references the Policy and incorporates it by reference. By entering into an Agreement with Descartes that incorporates the Policy, Customer acknowledges that this Policy shall apply to the delivery of GLN Services under the Agreement. In the event of any inconsistency between the Policy and the terms and conditions of the Agreement, the terms and conditions of the Agreement shall govern to the extent of that inconsistency. The Policy is subject to change at Descartes’ discretion; however, changes to the Policy will not lead to a material reduction in performance, security or availability of the GLN Services provided to Customer during the term of the Agreement. Capitalized terms that are not otherwise defined in the Policy shall have the meaning ascribed to such terms in the Agreement or Master Terms, as applicable.
1. GLN Services
1.1 The Policy shall consist of the services described herein, related to the hosting, operation, delivery support and related management of the GLN Services.
1.2 In connection with the provision of the GLN Services, Descartes shall collect and store such information relating to the use of the GLN Services by Customer and its Permitted Users (“Usage Data”) as may be necessary or, as may be mutually agreed upon to: (i) support and track the use of the GLN Services by Customer and its Permitted Users; (ii) measure the direct and indirect costs reasonably attributable to provision of the GLN Services; (iii) capture and allocate usage and costs relating to the provision of the GLN Services; or (iv) calculate the GLN Service fees. Nothing contained herein shall prevent Descartes from including aggregated and anonymized, Usage Data as part of its overall, undifferentiated data related to its services for statistical purposes, which it may share with other customers or potential customers.
1.3 Customer acknowledges that the GLN Services provided to Customer hereunder are delivered over a shared infrastructure environment and that, except in the case where Customer has contracted for a GLN Service from Descartes under an Agreement that expressly includes a dedicated hosting environment nothing contained herein, shall not require Descartes to dedicate separate servers or other hardware to the provision of services solely for Customer; however, Descartes shall at all times during the provision of the GLN Services to Customer use commercially reasonable efforts to ensure that any data stored or processed by the Descartes GLN in respect of the Customer is appropriately logically or physically segregated and protected from any unauthorized access by any party other than those authorized by the Customer.
1.4 Certain of the GLN Services may require Descartes to transmit electronic messages and electronic documents to and from Customer and its various trading partners as relevant to the specific GLN Service being provided. Descartes does not provide any representations, warranties or assurances, or accept any responsibility or liability for the contents or accuracy of any electronic messages, notifications, filing, status or other documents transmitted to or from the GLN Services.
2. Descartes GLN Operations
2.1 (i) Descartes shall use commercially reasonable efforts to provide the GLN Services Availability of 99.7% (excluding time necessary for scheduled preventative maintenance, upgrades and emergency maintenance as contemplated below), calculated on a monthly basis. Preventative maintenance that may cause the GLN Services to be unavailable will not exceed twelve occurrences of unavailability in a rolling twelve month period. “Available” or “Availability” shall mean GLN Services are able to be accessed by Customer. For greater clarity GLN Services shall be considered Available unless a Priority Level 1 issue results in a complete loss of access to the GLN Service by Customer.
(ii) For the purposes of this Availability measure, unplanned downtime means any time during which the GLN Services are not Available, but does not include any time during which the GLN Services or any component of the GLN Services are not Available due to:
- a failure or reduction in performance or malfunction resulting from Customer’s or its Permitted Users actions, conduct, equipment, negligence or breach of contractual obligations that has caused a failure, reduction in performance or malfunction in the GLN Services;
- preventative system and hardware maintenance initiated by Descartes or at Customer’s request;
- unavailability that is limited to management or administration services, including administration tools, utilities, reporting services, utilities, third party software, third party equipment, Customer’s equipment, or other services supporting the continued operation that are not within the sole control of Descartes;
- denial of service attacks, natural disasters or force majeure events outside of Descartes’ control;
- an interruption or shutdown of the GLN Services for circumstances reasonably believed by Descartes to constitute a significant threat to the operation of the GLN Services, the Descartes GLN or the facility where the GLN Services or Descartes GLN is provided;
- Customer’s failure to timely respond to incidents that require Customer’s participation for resolution.
(iii) Descartes periodically updates its systems and hardware to improve the reliability, performance, and security of its infrastructure. The purpose of these updates ranges from patching software components to upgrading networking components or hardware. Updates rarely affect the availability of the GLN Services. When updates do have an effect or when there is an increased risk that an update will have an effect, Descartes will perform these updates on a Sunday between 07:00 am EST and 11:00 am EST. During the service window, certain GLN Services may not be available in part or in whole. Descartes shall use commercially reasonable efforts to advise Customer ninety-six (96) hours prior to any scheduled maintenance period in the event that the GLN Services will not be available during such service window. Although Descartes’ operates and designs the Descartes GLN to avoid emergency disruption of service, in unusual circumstances emergency maintenance may be required where less notice may be provided and the maintenance needs to be performed at a time other than a reserved maintenance window. In these unusual circumstances, Descartes will use commercially reasonable efforts to provide as much advance notice of the outage as practicable. Emergency maintenance includes maintenance required to ensure the security, performance, availability or stability of the GLN Services for Customer, including, for example, the application of a security patch to remedy a newly discovered critical security patch or immediate intervention to remedy failing of critical hardware components.
(iv) Descartes may migrate the delivery of the GLN Services from various data centres utilized by Descartes from time to time provided that the operational and security commitments set out in the Policy remain unaffected. For data centre migrations other than for the purposes of disaster recovery, Descartes will provide a minimum of thirty (30) days notice to Customer. In the event the GLN Services involve the processing of any personal information, any migration of data centres shall be subject to the terms of any personal information processing agreement in place between Customer and Descartes.
2.2 The overall performance of the Descartes GLN utilized to deliver the GLN Services to Customer is largely dependent upon the performance of non-Descartes information technology and communication networks, including Customer’s own systems, the general internet, dedicated networks, associated networks, business document exchange networks and the connections between these networks, as well as the infrastructure supporting the operation of such networks (collectively, “Third Party Networks”). Descartes assumes no responsibility for downtime or performance latency associated with or caused by Third Party Networks.
2.3 Descartes uses a variety of software tools and applications to monitor the performance and availability of the GLN Services, including the operation of the supporting GLN Services infrastructure and network components; however, Descartes does not monitor or address issues experienced by non-Descartes managed equipment or software used by the Customer or its Permitted Users in conjunction with the GLN Services.
2.4 Descartes may update any software that is being operated by Descartes in the delivery of the GLN Services from time to time and Descartes’ obligations under the Policy are dependent on Descartes retaining the discretion to operate the latest versions of any applicable software in the delivery of the GLN Services. Unless otherwise expressly agreed by Descartes in an Agreement that Descartes will support an earlier version of any software utilized in the GLN Services, Descartes will not have any responsibility for any performance, functionality, availability, security issues experienced with the delivery of the GLN Services if the Customer requests that Descartes continue to operate an earlier version of software in connection with the delivery of the GLN Services to Customer.
2.5 Descartes may, at its election, subcontract all or a portion of the delivery of the GLN Services to a third party, including an affiliate of Descartes or a third party electronic messaging service provider; provided that, Descartes shall at all times remain principally liable to Customer under this Agreement for the acts and omissions of such third parties pursuant to the terms of this Agreement as if they were acts or omissions of Descartes.
3. GLN Services Continuity
3.1 Descartes periodically makes backups of the data stored and flowing through Descartes GLN for Descartes’ sole use to help minimize data loss in the event of an incident. A backup is generally stored for at least fourteen (14) days and no longer than thirty-one (31) days after the date the backup is made. Descartes does not update, insert, delete or restore backup data on the Customer’s behalf unless otherwise specified in an Agreement. However, Descartes may assist Customer in restoring Customer’s backup data, which the Customer may have lost as a result of its own actions at Descartes’ then current rates.
4. Security and Access
4.1 Security Approach – Descartes uses a combination of security techniques and measures designed to protect the confidentiality, integrity and availability of data stored or flowing through the GLN Services.
4.2 Security Practices – Descartes information security practices establish and govern areas of security applicable to the GLN Services and to Customer’s use of such GLN Services. Descartes personnel (including employees, contractors and temporary employees) are subject to Descartes information security practices and any additional policies that govern their employment or the services they provide to Descartes.
4.3 Physical Security – Descartes uses state-of-the-art data center facilities for customer computer operations. All data center facilities include primary and backup controls for fire and climate control, including but not limited to Very Early Smoke Detection Systems (VESDA), advanced fire suppression systems, HVAC systems for air handling and moisture control. Access to the data center facilities is controlled, recorded and logged and uses multi-factor authentication.
4.4 Network Security – Descartes maintains connections to several major backbone networks and internet service providers. The boundary between external networks and the infrastructure used by Descartes to operate the GLN Services is protected by a security perimeter. Network traffic passing through this perimeter undergoes a dual level of inspection and conformance check: screening border routers and stateful inspection firewalls and is subject to a necessary-services-and-protocols principle. For administrative purposes, Descartes uses out-of-band access mechanisms, a separate network access path than used for regular user access, to gain administrative access to systems and network devices.
4.5 System Security – All systems and applications are administered by personnel of Descartes and/or its affiliates. All systems are hardened using industry standard procedures and multi-factor authentication is mandatory for administrative access.
4.6 Security Monitoring - Descartes maintains a central and on-line security monitor that correlates the log data derived from network devices, systems, firewalls, intrusion detection systems and monitors for suspicious or inappropriate activities.
4.7 Standards for IT Service Management and Information Security – Descartes follows the guidelines of the ISO 20000 framework for IT Service Management and the ISO 27000 framework for Information Security.
4.8 Maintenance & Support – All software, systems and network devices used for security purposes are maintained at appropriate revision and patch levels.
4.9 Passcodes – Permitted Users may access the GLN Services via “application-level” Passcodes (as opposed to “system- level” Passcodes). Each Passcode will have an attached security profile which will determine both the GLN Services available to that particular Permitted User as well as the data to which that Permitted User has authorized access. Customer’s Administrative User(s) shall be responsible for determining the authorization levels of Customer’s Permitted Users and for either advising Descartes in writing of any change in authorization levels or administering such changes using the delegated user management functions available.
4.10 Administrative User – User Access credentials to the GLN Services are issued to Permitted Users only by the Administrative User. It is the Customer’s responsibility to either notify Descartes in writing when a Permitted User is no longer authorized or disable the Permitted User’s access using the delegated user management functions.
4.11 Supported Encryption - To secure communication over public data networks (i.e. Internet) Descartes GLN utilizes session encryption per TLS specification and/or content encryption using S/MIME or PGP.
4.12 Development Standards – Descartes maintains a formal Product Lifecycle process including guidelines on requirements definition, functional specifications, technical specifications, QA and test procedures and policies, use of industry standard and vendor specific best practices (OWASP Top 10 in Descartes’ case) for secure application development, secure application code reviews, segregation of duties and defensive programming.
5. Support Services
5.1 Support Fees. The Fees paid by Customer for the GLN Services under the Agreement include the Business Hours Support services described below. Additional fees are applicable for additional Descartes support services, including 24x7 Support described below, requested by Customer beyond those set out herein.
5.2 Support Period. The GLN Services support becomes available upon the date that the GLN Services are made available to Customer and ends upon the expiration or termination of the Agreement (the “Support Period”). Descartes is not obligated to provide the support described in this Policy beyond the conclusion of the Support Period.
5.3 Customer contacts. The Customer’s technical contacts are the liaison between the Customer and Descartes support for the GLN Services. As such, the Customer’s technical contacts must have reasonable knowledge about the GLN Services in order to help resolve issues and to assist Descartes in analyzing and resolving issues. When submitting a support request, the Customer’s technical contact must have a baseline understanding of the issues in relation to the incident and the ability to reproduce the incident in order to assist Descartes in its diagnosis and potential resolution.
5.4 Support Hours and Levels. Descartes shall make available to Customer support services in accordance with the support region corresponding to the Customer’s office address noted in the Agreement via the Support Portal (https://servicedesk.descartes.com), by email (email@example.com) or, for critical incidents, by telephone (within North America +1-877-786-9339 and outside North America +800-786-3990) ("First Level Support") for the GLN Services. First Level Support shall be the initial point of contact and response for addressing Customer incidents and will be offered in accordance with one of two options.
(i) Business Hours Support
Excluding local statutory or civic holidays, First Level Support will be offered from Monday to Friday between the hours of 8:00 AM and 6:00 PM for the specified support regions in accordance with the specified time zones: (i) North America – Eastern Standard Time; (ii) EMEA – Central European Time; and (iii) APAC – Hong Kong Time.
(ii) 24x7 Support
If expressly contracted for under an Agreement, and subject to the applicable fees, Customers may receive 24x7 First Level Support, 24 hours a day, 7 days a week, inclusive of local statutory or civic holidays for Priority Level 1 incidents only.
5.5 First And Second Level Support. The First Level Support response may be a notification that the incident has been closed or information indicating the status of the incident determination and resolution process. In the event that the incident cannot be closed, First Level Support will provide a status update to the Customer and log the report within Descartes’ Problem Tracking system. First Level Support will stay ‘incident-owner’ until the incident has been resolved and closed.
Higher levels of support for incidents that must be resolved through physical configuration changes and data setup changes shall be considered “Second Level Support” and shall fall within the scope of Descartes’ service execution team. Descartes’ service execution team will provide Second Level Support resolution based on more updated information about the application, its components and functions, and its behavior under certain circumstances.
Escalation to Second Level Support will depend on the nature of the incident. In cases where an incident is identified within the scope of the GLN Services design, Second Level Support will be provided through an emergency fix. In these cases, the fix is tested and installed into production - in accordance with the quality assurance procedures adopted by Descartes from time to time. In some cases, incident circumvention may be appropriate resolution at Second Level Support. Circumvention may include restarting applications or restarting the entire server or application to resolve incidents as expediently as possible. In cases where an incident is identified but the GLN Service continues to function as designed, a determination is made as to whether the design is consistent or appropriate for use in the business environment. If the design is considered acceptable to the Customer, the incident report is closed. When the design allows opportunity for improvement or is considered unacceptable to Customer, the incident is documented, taken out of the incident resolution flow, and submitted as a Product Enhancement Request (“PER”) for review by Descartes Product Development.
5.6 Response and Resolution Times. All communications to report an incident in the operation of the GLN Services will be made to First Level Support and will be addressed through a return email or call within thirty (30) minutes of the original communication received from Customer subject to the support options contracted for by Customer in the Agreement and the support region corresponding to the Customer’s office address noted in the Agreement. In the event that Descartes is not able to respond to Customer within thirty (30) minutes due to the closure of the support window for Business Hours Support on a given business day in the Customer’s support region or the issue is not a Priority 1 Level issue where Customer has contracted for 24x7 Support, Descartes will respond to Customer’s original communication within thirty (30) minutes as of the commencement of the next business day. Descartes will gather such information from Customer as may be necessary to assess or replicate the reported incident and to determine whether the reported incident is a Priority Level 1, 2, 3 or 4. Descartes’ targeted resolution times for any reported incidents arising in connection within the operation of the GLN Services are set out below. The commitment for incident management responses is determined from the time of the initial notification to Descartes during the business hours set forth in Section 5.4 above, which can be accomplished through systems alerts, portal, e-mail, telephone or entry of a call into the Descartes’ Incident Tracking System. For the purposes of these response times, incident priority levels are defined as follows:
- "Priority Level 1 - Urgent/Critical" is an incident in the operation of the GLN Services, which causes the destruction or corruption of Customer data or otherwise results in the GLN Services being totally unavailable for use or access by a Permitted User in connection with mission-critical business processes with no immediately available workaround.
- "Priority Level 2 - High" is an incident in the operation of the GLN Services, which causes performance issues which adversely affect the normal business operations of Permitted Users but for which there may be a temporary workaround.
- "Priority Level 3 - Medium" is an incident in the operation of the GLN Services, which does not have an immediate adverse impact on the business operations of Permitted Users.
- “Priority Level 4 – Low” is a question(s) or request(s) for information in relation the GLN Services.
5.7 Problem Resolution Service Times
(i)Target Resolution Time – Descartes will target to Resolve a reported incident within the following time frames, where “Resolve” means that the reported incident has been rectified or that the cause of the incident has been identified, a workaround has been put in place and/or a change request has been escalated to Second Level Support to fix the incident:
- Priority Level 1 - 12 hours
- Priority Level 2 - 48 hours
- Priority Level 3 - 5 days
- Priority Level 4 - Addressed in upgrade to future release
(ii) Reporting – On request, Descartes will provide a report within five (5) business days setting out the number of incidents reported by Customer and the elapsed time from confirmation by Descartes of sufficient information to identify that there is an incident to the time the incident is Resolved.
6. Effect of GLN Termination
6.1 Unless Customer has purchased an archiving service under an Agreement, Descartes will delete Customer’s data residing in the GLN within thirty one (31) days following the termination or expiration of the GLN Services under the Customer’s Agreement.