Service description STACKIT Cloud

1 General information

1.1 Introduction

Under the STACKIT brand, Schwarz Digits Cloud GmbH & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm, Register Court Stuttgart, HRA 741347 ("STACKIT") provides professional Infrastructure- & Platform-as-a-Service services ("STACKIT Cloud Services") based on OpenStack as a national provider, which are provided as a public cloud variant exclusively to companies ("Customers"). STACKIT is the cloud service provider of the Schwarz Group.

STACKIT Cloud Services are based on the international standard ISO/IEC 27001:2013 and an ITIL-supported operating model and are provided by specialized experts.

1.2 Location of the data centers

STACKIT Cloud Services are provided and operated in STACKIT data centers in Germany and, in future, in other member states of the European Union. All data centers are operated in compliance with ISO27001, ISO20000 and TÜV Level 3. As a European cloud service provider, STACKIT is subject to the European General Data Protection Regulation (EU GDPR).

1.3 Scope of application

This generally applicable service description ("Service Description") forms an integral part of the contract for the purchase of a STACKIT Cloud Service in addition to the separately regulated Terms of Use and the service certificate(s) selected by the Customer.

In the event of contradictions between the Terms of Use, the Service Description and the applicable Service Certificate, the Service Certificate shall take precedence over the Service Description and the Terms of Use in this respect and to this extent; the Service Description shall take precedence over the Terms of Use in this respect and to this extent.

1.4 Amendment of the Service Description

STACKIT shall also be entitled to amend the Service Description for an ongoing contractual relationship regarding the purchase of a STACKIT Cloud Service with effect for the future; reference is made to Section 6 of the Terms of Use, which applies accordingly here.

2 Service Level Agreement

2.1 Service delivery point

The service responsibility for STACKIT Cloud Services to be provided by STACKIT ends at the Internet transfer point between the respective data center operated by STACKIT and the Internet service provider of the respective region.

2.2 Operating times

The operating hours of STACKIT Cloud Services are Monday to Sunday, "24/7", 365 days a year (excluding scheduled maintenance work).

2.3 Availability

The general availability of a STACKIT Cloud Service is 99.9% (99.5% for non-redundant STACKIT Cloud Services) on a monthly calendar average - after deduction of the Excluded Events in accordance with Section 2.4 - unless otherwise specified in the respective service certificate on which the STACKIT Cloud Service is based ("Availability"). Availability information applies exclusively to contractually agreed STACKIT Cloud Services and their components; no availability commitment is made for the availability of customer-owned components or third-party components (software and hardware).

The availability achieved per calendar month is calculated as follows:

Availability always refers to a calendar month, is charged on a calendar-monthly basis and is shown as a percentage.
"Total service minutes" is to be understood as the total number of calendar month minutes (calculation: 60 minutes x 24 hours x number of calendar days in the month)
"Total downtime minutes" is to be understood as the number of minutes per month in which the contractually owed STACKIT Cloud Service was not provided. The number of minutes per month that are not included in the calculation of availability as Excluded Events within the meaning of Section 2.4 shall be deducted from the value of the total downtime minutes.

The general availability of the STACKIT Portal and the STACKIT Application Programming Interface (API) is not subject to any availability commitment by STACKIT. However, STACKIT strives for a monthly average availability of 99.5% for the STACKIT Portal and the STACKIT Application Programming Interface (API). Outages, malfunctions or other unavailability of the STACKIT Portal or the STACKIT Application Programming Interface (API) do not affect the calculation of the availability of a STACKIT Cloud Service.

2.4 Excluded events

Excluded events refer in particular to periods in which the contractual provision of STACKIT Cloud Services cannot be guaranteed due to the following outages and disruptions ("Excluded Events"). Excluded events do not count as downtime. Excluded events include in particular

Failures and disruptions for which STACKIT is not responsible, in particular DNS, routing problems or unauthorized interference from third parties, such as virtual attacks on the network or mail infrastructure (,e.g. DoS, viruses or spam).
Outages and disruptions resulting from the implementation of countermeasures against unauthorized interference or due to security incidents.
Failures and malfunctions of third-party services outside the control of STACKIT or which are not attributable to the service provided by STACKIT or the network structure outside the sphere of influence of STACKIT.
Failures and malfunctions that are due to improper use of programs or devices by the customer. This includes, for example
- Incorrect entries or non-compliance with instructions.
- Actions or omissions by the customer which exceed the prescribed and/or booked quotas.
- Actions or omissions by the customer to make and/or comply with required configurations.
Failures and malfunctions caused by the customer.
Failures and disruptions caused by force majeure. Force majeure is an event that could not have been foreseen by either party using the utmost care that could reasonably be expected; in this sense, force majeure may include the following events in particular: Fires, explosions, power failures, earthquakes, floods, severe storms, strikes, embargoes, labor disputes, acts of civil or military authorities, war, terrorism (including cyber-terrorism), epidemics and pandemics, acts or omissions of internet providers, acts or omissions of regulatory or administrative bodies (including the enactment of laws or regulations or other governmental actions affecting the provision of STACKIT Cloud Services).
Outages and disruptions that occur due to maintenance work in accordance with section 2.8.

STACKIT Cloud Services that are made available to the Customer free of charge or explicitly designated and distributed as a test version, beta or in a similar manner are not subject to any availability guarantee. Failures or malfunctions that occur through the use of such services by the Customer shall be deemed to be excluded events.

2.5 Supported software versions

STACKIT Cloud Services may have specific software versions ("major versions") at the time of conclusion of a contractual relationship. In order to keep STACKIT Cloud Services and the provision of services to the Customer secure and up-to-date, STACKIT reserves the right to replace the main versions of the software used with successor versions ("successor versions") - also for contractual relationships already concluded.

In such a case, the following shall apply in particular:

STACKIT shall inform the affected customers about the upcoming change and the end of the support period of main versions in the release notes at https://docs.stackit.cloud/display/STACKIT/Release+Notes ("Release Notes").
The main version affected by the change will be supported for at least another 180 calendar days, calculated from the announcement of the change by STACKIT in the release notes, and then migrated successively to the successor version in a timely manner ("transition period").
The Customer may object to an upcoming change until the end of the transition period. If the Customer objects to the replacement of a main version by the successor version by the end of the transition period, STACKIT may terminate the subscription to a STACKIT Cloud Service affected by the change with due notice at the end of the transition period.
During this transition period, it will still be possible to conclude contracts based on the main version, but these must also be converted to the successor version at the end of the transition period. Customers are therefore required to inform themselves about any announced changes to the main versions in the release notes before taking out a subscription to a STACKIT Cloud Service; for customers who subscribe to or renew the STACKIT Cloud Service affected by a change within the transition period, the affected STACKIT Cloud Service will only be available in the subscribed main version until the end of the transition period, which may be significantly less than 180 calendar days depending on the time of subscription.
If offered, technically possible and requested by the Customer, the Customer also has the option to migrate main versions affected by a change to the successor versions before the end of the transition period or - depending on the STACKIT Cloud Service - to have them migrated by STACKIT. However, the Customer shall not be entitled to premature migration.
After the end of the transition period, STACKIT will successively migrate main versions not yet migrated by the Customer to the successor versions in a timely manner.
In some cases of migration of the main version to the successor version, STACKIT may not be able to migrate automatically and properly (in particular the customer data) without the cooperation of the customer. In such cases, STACKIT will inform the affected customers of any required cooperation in the release notes. The customer has until the end of the transition period - calculated from the publication of the required cooperative actions within the release notes - to carry out the required cooperative actions.
After expiry of the transition period, the main version is no longer supported by STACKIT and may no longer be used by the Customer; STACKIT is entitled, if and insofar as technically possible for STACKIT, to carry out an automatic migration of the main version to the successor version, even if the Customer has not previously carried out the necessary cooperative actions; this may result in particular in data loss and loss or restriction of functions of the affected STACKIT Cloud Service and the Customer's own hardware and software or hardware and software of third parties used in connection with this. STACKIT assumes no liability for damages incurred by the Customer due to a migration not carried out or an automatic migration, except in the cases of Section 15.1 of the Terms of Use.
After conversion of a software from its main version to the successor version, the successor version shall then be understood as the (new) main version within the meaning of this clause.

2.6 Backup

STACKIT does not back up data by default, unless otherwise specified in the individual service level agreements.

If a data backup takes place for individual STACKIT Cloud Services according to the contractually underlying service certificate, the data backup of the corresponding STACKIT Cloud Service is based on the following standards, unless otherwise specified in the individual service certificate or configured by the customer:

Backup parameters	Characteristic
Recovery point objective (RPO)	4 h
Recovery Time Objective (RTO)	4 h
Retention Period (RP)	14 days, daily storage after the first 4 h

"Recovery Point Objective" (RPO): The RPO, or the maximum permissible data loss, includes the specification of how old the status of the last current, consistent data backup may be. In the event of data loss and a necessary data restore, this backup status can be used.
"Recovery Time Objective" (RTO): The RTO, or maximum recovery time, describes the period of time in which a data restore to a functionally available system, including operating system data and required (application) data, can be consistently restored using the restore.
"Retention Period" (RP): The RP describes the maximum duration of the retention of backups.

2.7 Support

STACKIT provides its customers with qualified personnel and supporting resources for troubleshooting in accordance with the parameters below.

Incoming support cases are evaluated by STACKIT according to their criticality, which results in different response times.

Malfunctions ("incidents"): STACKIT Cloud Services are not available or their use is restricted.
Service or support requests ("Service Requests"): All other support cases, e.g. problems with user registration or system support.

STACKIT reserves the right to downgrade the criticality if the STACKIT Cloud Service is available and the cause of the disruption is the responsibility of the customer.

STACKIT points out that in the course of processing a support case - depending on the customer's request - it may be necessary for STACKIT to access the customer's STACKIT Cloud Services in order to be able to adequately process the support case.

Support level	Standard level
Channels	Status website (status.stackit.cloud) Knowledge Database (docs.stackit.cloud) Help Center (support.stackit.cloud)
Availability of the fault display	24/7
Response times*	Incidents: < 4 h Service Requests: Best Effort
Resolution time**	Best Effort
Price	Free of charge

*"Response time": Is the period of time within the service time from receipt of the customer's report by STACKIT until the start of processing of the report by qualified personnel (visual inspection).
**"Resolution time": Is the period of time within the service time from receipt of the customer's report by STACKIT, by the end of which STACKIT must have restored the contractually owed availability of the STACKIT Cloud Service.

STACKIT points out that it may be necessary for STACKIT to access the customer's STACKIT Cloud Services, including the data stored there, as part of the provision of support services and to maintain the STACKIT Cloud Services. This is done exclusively for the purpose of rectifying faults, ensuring service performance, processing incidents or investigating security incidents. The Customer agrees that such access may take place without prior separate consent if this is necessary to fulfill the aforementioned purposes. STACKIT shall always take appropriate measures to ensure the confidentiality and integrity of the Customer Data and to limit access to the necessary minimum.

2.8 Maintenance work

STACKIT regularly carries out maintenance work (for example in the form of updates, patches, bug fixes or hardware replacements and hardware extensions) to ensure the function, quality and security of the STACKIT Cloud Services.

STACKIT usually announces maintenance work that is likely to impair the usability of the STACKIT Cloud Services for the Customer two weeks before it is carried out via the STACKIT Cloud Status website. For urgent maintenance work, the announcement can also be made at much shorter notice or, depending on the individual case, not at all. STACKIT recommends that customers regularly inform themselves about maintenance work on the STACKIT Cloud Status website.

During the performance of maintenance work, access to STACKIT Cloud Services may be temporarily suspended or restricted, in particular if this is absolutely necessary due to the type of maintenance work to be performed.

Downtimes resulting from maintenance work carried out shall be treated as Excluded Events within the meaning of Section 2.4.

2.9 Service payback

If the agreed availability for STACKIT Cloud Services is not met as described, the Customer shall receive a credit in the form of a credit to its customer account ("Service Payback") as part of the subsequent processing:

In order to claim a Service Payback, the Customer must assert in text form within two (2) weeks of receipt of the invoice for the STACKIT Cloud Service concerned, stating the customer number, invoice number and the STACKIT Cloud Service concerned, that the agreed availability of the booked STACKIT Cloud Service has not been met. A claim not received within two (2) weeks cannot be considered.
If the claim is justified, the customer shall receive a Service Payback credit to their customer account for the following billing period.
The amount of the Service Payback always refers to the pro rata invoice amount of the STACKIT Cloud Service whose promised availability was not met.
If a Service Payback claimed by the customer is rejected, it is the customer's responsibility to demonstrate the breach of the agreed availability of a STACKIT Cloud Service.
Credited Service Payback shall be offset against remuneration claims for the provision of STACKIT Cloud Services in the subsequent billing period, so that the fee to be paid by the customer is reduced accordingly.
Payment or other reimbursement of the credited Service Payback is excluded.
The following service paybacks apply, unless otherwise specified in the STACKIT Cloud Service service certificate:

Availability (month)	Service payback
< 99.9% (99.5% for non-redundant STACKIT Cloud Services)	10%
< 99,0%	20%
< 98,5%	50%
< 95,0%	100%

3. incidents & security incidents

3.1 Information

STACKIT regularly provides customers with information aboutincidentsvia the STACKIT Cloud status website (status.stackit.cloud).

In the event ofsecurity incidents, Customers shall be informed directly.

STACKIT recommends that customers continuously check the status of incidents and security incidents on the STACKIT Cloud Status website.

For further analysis by the Customer, STACKIT does not provide any data that could allow conclusions to be drawn about the security architecture, infrastructure or other customers of STACKIT Cloud Services.

3.2 Possibility of analysis by STACKIT

For STACKIT Cloud Services provided by STACKIT and used by the Customer purchasing the STACKIT Cloud Services, STACKIT may take measures at its own discretion to detect vulnerabilities at an early stage both in STACKIT's area of responsibility and in the Customer's area of responsibility. The Customer's area of responsibility includes in particular all hardware, applications and software of third parties that are not provided by STACKIT ("Customer's area of responsibility").

If security incidents in the Customer's area of responsibility are detected by STACKIT or external service providers of STACKIT, the Customer shall be informed of these. Depending on the severity of the Security Incident, the Customer is obliged to take appropriate measures to prevent the Security Incident for its area of responsibility in a timely manner (e.g. by patching an affected application). If, for example, the Customer's area of responsibility is not secured with the latest patches or workarounds, if the area of responsibility harbors security risks for STACKIT or the Customer itself, or if the quality of the STACKIT Cloud Services is negatively influenced or endangered by a Security Incident in the Customer's area of responsibility, STACKIT reserves the right to take appropriate countermeasures in accordance with Section 3.4.

3.3 Data collection for analysis options by STACKIT

To detect possible security incidents in the Customer's area of responsibility, log data of the Customer systems or perimeters (e.g. firewalls, switches, routers and others) can be analyzed for anomalies and potential security incidents based on rules. Appropriate vulnerability scans (proactive and reactive) can also be carried out for systems available on the Internet.

3.4 Possible countermeasures for security incidents

In order to protect the Customer and the STACKIT Cloud Services, STACKIT reserves the right to take appropriate measures without prior notice or consultation with the Customer in the event of suspected or proven security incidents and corresponding severity ("countermeasures"). Of course, the Customer will be informed separately at the latest afterwards. The countermeasures include in particular

Disconnecting affected systems and STACKIT Cloud Services from the network, shutting them down or pausing them in order to avoid damage to systems and STACKIT Cloud Services.
Forensic analysis of possible affected systems and STACKIT Cloud Services (in particular to gain insights for law enforcement, criticality or damage assessment).
Other activities to prevent or reduce the impact on other customer systems of STACKIT Cloud Services or external systems.

3.5 Technical changes to resolve security incidents

The Customer shall be informed promptly of any technical changes that were necessary and implemented to resolve security incidents from STACKIT's perspective. If the customer does not object to these technical changes within a period of 14 calendar days from receipt of the information by the customer, these technical changes shall be deemed to have been accepted by the customer.

The Customer shall only have a right of objection if the scope of performance of the STACKIT Cloud Service has not only deteriorated insignificantly following the technical change made or if the use of the STACKIT Cloud Service or the Customer's ability to access the STACKIT Cloud Service is no longer possible as agreed due to the technical change made.

In the event of an effective objection, the Customer shall grant STACKIT the opportunity to rectify the defect. As part of the rectification, STACKIT shall take commercially reasonable measures to achieve a more customer-friendly solution with regard to the rectification of the security incident. If STACKIT justifiably refuses to rectify the security incident (e.g. due to technical impracticability, persistence of the security incident or economic inappropriateness) or if the Customer's reason for objection persists after rectification, STACKIT shall continue to provide the affected STACKIT Cloud Service with the technical changes made and the Customer shall be entitled to extraordinary termination of the affected subscribed STACKIT Cloud Service with immediate effect.

Version: 1.3, valid from 28.10.2024