SERVICE DESCRIPTION AND SECURITY

Effective Date: 1/15/2019
Version 1.6

1. Introduction

1.1 Purpose of the Document

Commvault is now offering features delivered as a service where customers can subscribe to software, infrastructure, storage, maintenance, and management services together on a term basis. This document describes, at a high level, the available services and their features. All such services are provided in accordance with Commvault’s standard managed services master terms and conditions and related policies and are qualified in their entirety by the detailed services descriptions contained or referenced therein.

2. Available Services

2.1 Common Services

All Commvault SaaS services include the following features:

  • Authentication via Commvault service-specific usernames and passwords or through the customer’s Active Directory
  • Encryption for data in transmission as well as at rest
  • The ability to select the encryption algorithm used for customer data
  • The option to leverage Gemalto SafeNet KeySecure or other supported key management software to manage encryption keys outside of the service
  • Two-factor authentication as an option
  • Access to a customer-specific web portal for device management and restoring data

2.3 Edge Drive (Enterprise File Sync & Share)

The Edge Drive service includes the following services in the base cost of the service:

  • Up to 1TB of storage per licensed end user
  • A web console that allows for accessing data stored in the service from anywhere
  • Optional local synchronization of data
  • Locally synchronized data may be encrypted to prevent unauthorized access
  • Support for devices running Windows and macOS
  • Access to apps for iOS, Android, and Windows Modern apps to access and manage data
  • Ability to share files and/or folders with users inside and/or outside of the customer
  • All versions are retained for 60 days
  • Retention of all versions for 60 days and deleted items for 1 year
  • Data will remain available for restoration for 120 days after the end of the subscription term. The customer will be responsible for preserving and protecting the data at the end of such period.

2.4 Search And Discovery – Endpoint Data Protection And Edge Drive

Optionally and for an additional charge, search and discovery service is available to complement the Endpoint Data Protection and Edge Drive services.

2.4.1 End User Search

End users can search their own data by content. Access is governed by an Active Directory policy that is set by customer administrators.

  • HTML previews are available to ensure that the desired file has been found before starting restores
  • End user searches can span Edge backups as well as Edge Drive files in a single search
  • Searches may be refined using facets
  • Metadata, such as name, file location, size, and modified time, may be searched in addition to content

2.4.2 Compliance Search

  • Designated customer compliance users can search all data owned by that customer
  • Searches may be refined using facets
  • Metadata, such as name, file location, size, and modified time, may be searched in addition to content
  • Complex search queries, custodian facets, and range queries are supported
  • Identified documents can be added to a review set and legal hold capabilities are available

2.5 Office 365 Data Protection

The Office 365 Data Protection service includes the following features in the base package:

  • Support for Office 365 Exchange Online data protection with unlimited backup capacity per user
  • Support for Office 365 with SharePoint with unlimited backup capacity per user
  • Support for OneDrive for Business with unlimited backup capacity per user
  • A minimum of 1 backup per day and a maximum of 6 backups per day
  • Retention of backups for 1 year

2.6 Commvault Complete As A Service

Commvault Complete as a Service is fully managed data protection for heterogeneous applications and operating systems running in any physical topology. The service includes:

  • All Commvault software product features and support which are included in the Commvault Complete bundle
  • All Commvault Professional Services required to design, implement, and maintain the Commvault software environment
  • All servers/virtual machines and storage required to run Commvault software server components. The brand, type, and specifications of the servers and storage are at Commvault’s sole discretion and may change at any time and will be owned by Commvault
  • Maintenance, patching, and upgrade of the Commvault software and any Commvault servers and storage required
  • Public cloud capacity for secondary and/or primary storage for data protected by Commvault. The choice of public cloud provider is at the sole discretion of Commvault. Data sovereignty requirements can be fulfilled if public cloud datacenters are located in appropriate countries.
  • Commvault Remote Managed Services for day to day management of Commvault software and hardware
  • Two copies of backup data. This may take the form of one copy on-premises and one cloud copy or two copies in the cloud. The mechanism for creating the copies is at Commvault’s discretion. The fee for the service will be based on the size of the larger of the two copies.
  • Data is retained in active storage for 30 days. After that period, data may be moved to cold storage at Commvault’s discretion and will be retained for 1 year from date of backup.

2.7 Incident Response And Support

Commvault response to incidents will be based on the assigned severity level.

Severity | Impact Example | Targeted Initial Response Time
1 | Customer’s system is inoperable, or is at a severely reduced level of functionality resulting in an adverse impact on normal business operations and no immediate workaround or resolution is available. Customer agrees the incident will be worked continuously until resolved. | 1 Hour
2 | Customer is experiencing intermittent failure or performance degradation which has limited Customer’s normal business operations. These incidents are time sensitive and critical to productivity, but do not cause an immediate work stoppage. No workaround is available and operations can continue in a limited capacity. | 4 Hours
3 | Conditions are defined as a minor Incident that can be worked around without major impact to Customer’s normal business operations. | 1 Business Day

3. Service Level Agreements

3.1 Service Availability

Commvault undertakes that the services will be accessible at least 99.9% of the time*. In order to submit a claim for service credit for a failure to meet the accessibility guarantee, you must submit the claim to Commvault Customer Support with all information necessary for Commvault to validate the claim, including but not limited to: (i) a detailed description of the incident; (ii) information regarding the time and duration of the downtime; and (iii) descriptions of the attempts to resolve the incident at the time of occurrence.

Commvault must receive the claim within 60 days of the end of the billing month in which the incident that is the subject of the claim occurred. Commvault will evaluate all information reasonably available and will make a final, good faith determination of whether a Service Credit is owed.

* This service level agreement (“SLA”) does not apply to any performance or availability issues due in whole or in part to:

  1. routine or planned maintenance, repair and upgrade;
  2. issues or failures with customer’s environment, hardware, software, communications and internet providers or security settings;
  3. issues or failures of third-party services or applications, software, hardware or other components not supplied by Commvault;
  4. third-party attacks, intrusions, distributed denial of service attacks or other third party actions;
  5. issues related to third party domain name systems (DNS) errors or failures;
  6. customer’s acts or omissions; or
  7. Force majeure events, including at the customer site or between the customer site and Commvault/Azure datacenters.

3.2 Credits For Breach Of Service Availability SLA

If monthly accessibility percentage is less than 99.9% and a claim is timely and properly filed and determined by Commvault to be valid, then a 10% service credit for that month applies and will be awarded as an extension of the subscription term.

If the monthly accessibility percentage is less than 99% and a claim is timely and properly filed and determined by Commvault to be valid, then a 25% service credit for that month applies and will be awarded as an extension of the subscription term.

These credits are customers’ sole and exclusive remedy for a breach of any SLA.

4. Security Considerations

Security for the SaaS environment can be categorized into two main areas – (1) the datacenter resources used for hosting the services and (2) the administrative/user access to those resources and the data stored by the services.

4.1 Data Center Resources

The Commvault services are hosted in Microsoft Azure data centers and leverage Azure virtual machines, networking, storage and security. Azure security and privacy policies as well as datacenter compliance standards can be found at https://azure.microsoft.com/en-us/support/trust-center/. Commvault is not responsible for any failure by the Azure datacenters, virtual machines or other platforms to adhere to Azure’s security or privacy policies or protocols or applicable laws and regulations.

  • By default, data for U.S. customers is managed and stored in US Azure data centers.
  • For customers with data located in other countries, the location of the stored data may be tailored by the customer according to Azure datacenter availability. The customer remains responsible for compliance with all applicable laws and policies, including Commvault’s acceptable use policy.

4.2 Administrative/End User Access

  • All data is encrypted in transmission and at rest using Commvault technology, in addition to any encryption that is offered by Azure itself. By default, Blowfish 128 is leveraged. The encryption keys are kept in the Commvault service in Azure. The full list of available encryption methods can be found at http://documentation.commvault.com/commvault/v11/article?p=features/data_encryption/r_data_encryption_algorithms.htm
  • Customers may choose to leverage SafeNet KeySecure or other supported key management software to preserve encryption keys outside of the Commvault service. This gives the customer complete control over whether data stored in Commvault may be accessed by any means.
  • Commvault administrators cannot access or view customer data in any way – only customer end users and customer administrators can perform restores and/or searches, or access or view the data; the customer remains solely responsible for all data, access, legal and compliance requirements.
  • Integration with customer Active Directory deployments allows customers to control data visibility on their own. Active Directory rights can be set for individual users and/or groups – end users will only see data if they have been granted the permissions to do so.
  • No inbound network connections to customer networks and/or clients are required. All communication is outbound on port 443 only.
  • Active Directory information is not stored by Commvault in any location. All lookups are against the customer’s Active Directory only.
  • Access to the Commvault services environment is only granted to a dedicated team at Commvault.
  • All access to Commvault services infrastructure is controlled via two-factor authentication.
  • All communication to Commvault services infrastructure is encrypted and recorded.

5. Privacy

5.2 Data Ownership

Customers own all data that is stored in the services. Commvault will not acquire any interest in any data stored in the services.

Commvault will use customer data only to provide the services agreed upon and for purposes required for providing those services, such as troubleshooting and performance monitoring.

Access to data will only be provided to government entities at customer’s direction or if Commvault is served with a court order for content or a subpoena for account information. If compelled to disclose customer data, Commvault will promptly notify the affected customer(s) unless prohibited from doing so by court order or applicable law.

5.3 Data And Services Locations

Commvault will provide information to customers about the location of the datacenters from which the services are provided and where customer data is stored. For disaster recovery purposes, data is replicated between datacenters and may cross country borders. Customers who are required to comply with data protection laws and regulations governing the international transfer of data may specify the country of the datacenters where they need to store data. Commvault will comply to the best of its ability depending on the availability of datacenters in those countries with the customers’ understanding that the SLA may be impacted. Customer waives any claims to service credits resulting from any SLA failure due to a customer request regarding the location of stored data. Where possible, Commvault will advise the customer in those situations of the SLA impact.

The current data center replication pairings can be found at the following link: https://azure.microsoft.com/en-us/documentation/articles/best-practices-availability-paired-regions/