Cloud Service Provider Disclosure

Transcription

Cloud service provider disclosure

The form is to be completed for each cloud service provided. For questions not applicable or not disclosed, indicate accordingly in the remarks.

Cloud Service Provider Contact Information

Company name: SoftLayer, Technologies Inc.
Primary address: 14001 Dallas Pkwy, Dallas TX 75240
Web address: http://www.softlayer.com
Contact name: Brandon T Beadel, 14001 Dallas Pkwy, Dallas TX 75240
Contact number: 1 (214) 442-0600
Information Security Liaison: SoftLayer Trust and Assurance, 14001 North Dallas Pkwy, Suite M100, Dallas TX 75240, trust and assurance@wwpdl.vnet.ibm.com, 1 (214) 442-0600
Abuse Requests: Abuse Department, 14001 North Dallas Pkwy, Suite M100, Dallas TX 75240, abuse@softlayer.com, 1 (214) 442-0605

Other Related Affiliates for MTCS Services:
- SoftLayer Technologies Asia Private Limited (Singapore Operations), Registration# 201118816K, 29A International Business Park, S180, Jurong East, Singapore 609934
- SoftLayer Technologies Hong Kong Limited (Hong Kong Operations), Registration# 62393483, 33 Chun Choi Street, Suites 210 and 230, Tseung Kwan O Industrial Estate, NT, HK
- SoftLayer Dutch Holdings, B.V. (SoftLayer Contracting Entity), Registration# NL 52461041, Paul van Vlissingenstraat 16, 1096BK Amsterdam, The Netherlands
- IBM Singapore Pte. Ltd, c/o Jason Teo (IBM Contracting Entity), 9 Changi Business Park Central 1, The IBM Place, Singapore 486048

Certification Body Contact Information

Company name: ISC Pte Ltd
Web address: http://isc-worldwide.com/
Contact name: Indranil Mukherjee
Contact email: indy@isc-global.net

Cloud Service Provider Background

Overview of service offering: SoftLayer provides Infrastructure as a Service (IaaS) to customers worldwide. SoftLayer offers bare metal servers that are dedicated to single customers. SoftLayer offers multi-tenant public cloud instances, single-tenant private instances, and dedicated physical servers through its bare metal offering.

Service model:
- Virtual machine instances owned by the user
- Network facilities
- Compliance with applicable standards

Deployment model:
- Private cloud
- Community cloud
- Hybrid cloud
- Public cloud

Tier:
- Level 1
- Level 2
- Level 3

No. | Criteria | Description | Remarks

Legal and Compliance

1. Right to audit

The user has the right to audit:
- Virtual machine instances owned by the user
- Network facilities
- Compliance with applicable standards
- Technical controls
- Policies and governance
- Data centre facilities
- Others
- None

Regulators recognised by Singapore law have the right to audit:
- Virtual machine instances owned by the user
- Network facilities
- Compliance with applicable standards
- Technical controls
- Policies and governance
- Data centre facilities (see SoftLayer documents)
- Others
- None

Audit / assessment reports that can be made available on request:
- Penetration test
- Threat and vulnerability risk assessment
- Vulnerability scan
- Audit reports (e.g. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organisation)

Remarks: Customers can perform their own compliance audit on their virtual infrastructure (servers, network, storage, etc.). SoftLayer makes numerous certifications and attestations available to customers to verify compliance such as SOC 2, multiple ISO standards, PCI, etc. Regulators get full access to SoftLayer. Physical access is allowed if there is a demonstrated need after review of certifications, documentation, and evidence has been performed.

2. Compliance

The following guidelines / standards / regulations are adhered to:
- Singapore Personal Data Protection Act
- ISO / IEC 27001
- ISO 9000
- ISO / IEC 20000
- CSA Open Certification Framework
- PCI-DSS
- Others: SSAE 16 SOC1 Type II

Remarks: See http://www.softlayer.com/compliance. SoftLayer also has ISO 27017 and 27018 certificates, and FedRAMP Agency Authority to Operate in the United States. The Singapore Personal Data Protection Act was assessed and the appropriate agreements were executed in early 2015. SoftLayer uses IBM’s Singapore DPO, Lorinne Yoong.

Data Control

3. Data ownership

All data on the cloud service is owned by the cloud user except for: log data related to the infrastructure stack

The cloud User retains the ownership on the derived data or attributes of cloud usage except for the following:
- Advertising or marketing
- Statistics analysis on usage
- Others

Remarks: SoftLayer customers own all right, title, and interest on their data. See http://www.softlayer.com/legal for more information.

4. Data retention

Data deleted by the user is retained as follows:
- Minimum data retention period is:
- Maximum data retention period is:
- Deleted immediately

Log data is retained for a period of:
- Minimum data retention period as follows: 1 year
- Maximum data retention period is:
- Not retained (Customer data)

User data is retained for a period of:
- Minimum data retention period is:
- Maximum data retention period is:
- Not retained

The following types of data are available for download by the cloud user:
- Log data
- Other

Remarks: Data on deprovisioned servers or failed hard disks is overwritten using US DoD 7-pass wipe algorithms before being returned into a pool of available resources. Internal IaaS log data from incidents, access controls, or change management is kept for a minimum of one year. This log data is not shared with customers, but with regulators when required. Log data for customer owned virtual servers is the responsibility of the customer. Log data related to the customer workload on the delivery network and customer portal usage logs are available for customer review and download and are the customer’s responsibility.

5. Data sovereignty

The primary data locations are:
- Singapore
- Asia Pacific Hong Kong
- Europe
- United States
- Other

The backup data locations are:
- Singapore
- Asia Pacific Hong Kong
- Europe
- United States
- Other

No. of countries in which data centres are operated: 11 (all), 2 (MTCS certified)

The user’s data stored in the cloud environment will never leave the locations specified in item 5:
- Yes
- Yes, except as required by law
- Yes, except as noted:
- No

User’s consent is required prior to transferring data to a location not specified in item 5 or a third party:
- Yes
- Yes, except as required by law
- Yes, except as noted: .
- No

Note: Cloud users are responsible for determining the impact of data protection and data sovereignty laws on the locations where data is stored. In addition, users should understand the risks associated with relevant laws that may allow for law enforcement or other government access to data in-transit or storage with Cloud Service Providers.

Remarks: Customers will be able to choose between two MTCS certified data centres (Hong Kong, Singapore) as primary and backup data locations. SoftLayer will never move data out of the selected data t) unless asked by the customer. In case of maintenance or hardware failures virtual machines may be migrated to other servers at the customer’s direction, but will always stay in the selected data centre. For a complete list of all data centres and their accreditation status see www.softlayer.com/data-centers. It is the customer’s responsibility to set up high availability and disaster recovery procedures. SoftLayer offers load balancers, storage replication services, and free-of-charge private virtual network interlinks between the data centres to enable these solutions for customers.

6. Non-disclosure

- Non-disclosure agreement template can be provided by Cloud Service Provider
- Cloud Service Provider may use customer’s NDA (pending legal review)

Provider Performance

7. Availability

The committed network uptime is:
- 100 %
- Varies according to price plan

The committed system uptime is:
- 100 % (for the cloud management portal and infrastructure, excluding the virtual machine or bare-metal server managed by a client – see right side)
- Varies according to price plan

The cloud environment has the following single points of failure:
- Physical infrastructure in each data centre is redundant (N+1 model), including the network connections from client access points to data centre (“Point of Presence”) and between data centres. The cloud management infrastructure and customer portal are active-active configured and fail over seamlessly in case of an outage. Customer servers can be ordered with redundant power supply and redundant network cards. Storage can optionally be ordered as RAID array. The Power Distribution Units and Hypervisors are potential single points of failure. However, client best practices eliminate these points of failure. Clients are encouraged to implement their own backup and recovery strategies for such situations, or to implement active-active or active-standby clustering via a second application instance at a backup/secondary data centre leveraging SoftLayer’s storage replication and load balancing features. Another potential single point of failure can be the uplink from customer’s data centre to SoftLayer’s access points. It is recommended that customer establish two direct links to primary and secondary/backup data centre to mitigate that risk.
- None

Remarks: SoftLayer provides the cloud infrastructure up to the provisioned operating system above the hypervisor for virtual servers, and up to the physical server for bare-metal servers. SoftLayer’s SLA for those parts of the cloud environment it controls (as stated on http://www.softlayer.com/legal ) is 100%. Unavailability caused by misconfiguration of the operating system or a component above caused by the client is not included as an SLA violation.

8. BCP / DR

- Disaster recovery protection
- Backup and restore service
- User selectable backup plans
- Escrow arrangements
- No BCP / DR is available
- RPO
- RTO
- Others, please specify: .

Remarks: SoftLayer offers various ways to back up customer’s data (see http://www.softlayer.com/backup), and disaster recovery plans (see also question #5). However, as SoftLayer does not own or have access to customer’s data, it is the responsibility of the customer to choose the right options for an appropriate backup and disaster recovery plan. SoftLayer does not determine or manage backups for customers.

9. Liability

The following terms are available for the users on failure of the provider to meet the service commitment:
- Network failure. Liability: http://cdn.softlayer.com/SoftLayer MSA.pdf
- Infrastructure failure. Liability: http://cdn.softlayer.com/SoftLayer MSA.pdf
- Virtual machine instance failure. Liability:
- Migrations. Liability:
- Unscheduled downtime. Liability:
- Database failure. Liability:
- Monitoring failure. Liability:

Remarks: SoftLayer guarantees the availability of its IaaS infrastructure as described in http://cdn.softlayer.com/SoftLayer MSA.pdf Handling of failures above the provided virtual or bare-metal server is the responsibility of the customer.

Service Support

10. Change management

The Cloud Service Provider has established the following for changes, migrations, downtime, and other potential interruptions to cloud services:
- Communication plan and procedures for proactive notification
- Assistance in migration to new services when legacy solutions are discontinued
- Ability to remain on old versions for a defined time period
- Ability to choose timing of al

Remarks: SoftLayer has a communication plan in place as described in the SOC2 report available to all customers. Communication between customer and SoftLayer staff is managed via the notification system accessible via the customer self-service portal. In addition, unplanned events and incidents are announced via email, twitter, forum posts, or “yellow” notifications at the portal

Provide self-service provisioning and management portal for users to manage cloud services:
- Yes
- No

If yes, describe the functions of the self-service provisioning and management portal provided:
- Allow role-based access control (RBAC)
- Manage resource pools (e.g. VMs, storage, and network) and service templates
- Track and manage the lifecycle of each service
- Track consumption of services
- Others:

Remarks: The self-service portal is available at http://www.softlayer.com/portal. Customers can add new cloud administrators/operators for their virtual infrastructure and grant each user control over certain SoftLayer services (storage, network, etc.) or restrict management capabilities to certain servers.

12. Incident and problem management

Delivery mode of support:
- Access via email
- Access via portal
- Access via phone support
- Direct access to support engineers (via live chat)

Availability of support:
- 24 x 7
- During office hours support, please specify the hours of operations:
- After office hours support, please specify the hours of operations:

Service response time: use commercially reasonable efforts to respond to new incidents within 20 minutes and provide answers back by the next business day

The following are available to users upon request:
- Permanent access to audit records of customer instances
- Incident management assistance
- Incident response time:
- Mean time to repair on detection of faults:

Remarks: See http://www.softlayer.com/support. In addition to phone and email, support team can be reached via live chat on the self-service customer portal. Expect a helpful response within 20 minutes of your ticket submission.

13. Billing

The following billing modes are available (please elaborate granularity of charges and measurement):
- Pay per usage: Hourly/Monthly (up to per min/hour/day/month for compute/storage for IaaS/PaaS, and per user per hour/day/month/year for SaaS)
- Fixed pricing (up to yearly/monthly/daily)
- Other pricing model
- Not disclosed

Available billing history: TBD Months

Remarks: SoftLayer servers can be paid on an hourly or monthly basis. Other services like public network traffic or storage are based on usage. For a complete overview of services and pricing see www.softlayer.com under “PRODUCTS & SERVICES”.

14. Data portability

Importable VM formats: ISO, VHD
Downloadable formats: VHD
Supported operating systems: CentOS, RedHat Enterprise Linux, Ubuntu, Microsoft Server
Standard Language versions of supported operating systems: not restricted
Supported database formats: not limited.

API:
- Common: Object Storage can be automated using the OpenStack Object Storage API or tools. Import/Export operations can be automated using the SoftLayer API on top of SoftLayer Object Storage.
- Customised

Upon service termination, data is available through:
- Physical media
- Standard methods as described above
- Other methods: USB, DVD, CD data can be sent to SoftLayer as part of its data transfer service -transfer-service

Remarks: For image import mport-image. For exporting hat-image-importexport-feature

15. Access

Type of access to the service is through:
- Public access
- Private access (e.g. VPN, dedicated link)
- IPv6 access is tworksupported (see).
- Other access methods

Public access speed (shared bandwidth) in Mbps: Up to 10Gbps per server. Each data centre has multiple redundant 10Gbps connections to top tier transit and peering carriers.

Remarks: SoftLayer offers a variety of VPN access . In addition customers can connect their company’s intranet via so called direct links through Point-of-Presence directly with the SoftLayer

16. User management

- Identity management (for cloud administrators on self-manage portal, additionally two factor authentication is supported as described at -two-factorauthentication)
- Role based access control (for cloud administrators on self-manage portal, see #12 for more information)
- Federated access model
- Integration with Identity management solutions (SoftLayer allows integration of other IAM solutions for cloud administrators on self-manage portal via i )
- Others

Remarks: User management for users of the provisioned servers is the responsibility of the customer, and the customer is free to use any on premise or off premise IAM solution for that.

17. Lifecycle

The cloud user may select the following for service upgrades and changes:
- Automatic provisioning
- User customisable provisioning

Remarks: SoftLayer offers an intuitive-to-use self-service portal (http://softalyer.com/portal), which gives you full control over all deployment parameters, including an auto-scale option to add additional virtual machines when needed. Cloud orchestration is supported via a powerful pi).

Security hecks

Security configuration enforcement checks are performed:
- Manually
- Using automated tools

How often are enforcement checks being performed to ensure all security configurations are applied?

Remarks: SoftLayer monitors the management network for vulnerabilities, suspicious activity, and network activity via a centralized Security Operations Center. All networks are managed by the Network Operations Center for DDoS and other network security issues. Security configuration of the customer’s infrastructure is the responsibility of the customer

19. Multi-tenancy

- Distinct physical hosts (OPTIONAL based on BBX deployment model)
- Distinct physical network infrastructure
- Virtual instance grouping
- User definable security domains
- User customisable firewall
- User definable access policies

Remarks: ’s infrastructure services reach from public virtual servers and multi-tenant environments to dedicated servers and security devices (load balancers, firewalls, etc.). Only the network is always virtualized using VLAN tagging on top of SoftLayer’s physical network. For dedicated servers, storage, and security devices please ayer.com/networkappliances.

Service Elasticity

20. Capacity elasticity

The following capacity elasticity options are available:
- Programmatic interface to scale up or down
- Mean time to start and end new virtual instances
- Alerts to be sent for unusual high usage
- Minimum performance during peak periods
- Minimum duration to scale up computing resources
- Minimum additional capacity guaranteed per account (number of cores and GB memory)

Remarks: SoftLayer comes with a powerful API which allows all operations available via the self-service customer portal to be performed also via latest programming languages, such as C#, Perl, PHP, Ruby, Python, etc. -Overview).

21. Network resiliency and elasticity

The following network resiliency and elasticity options are available:
- Redundant Internet connectivity links
- Redundant Internal connectivity
- Selectable bandwidth up to 2x20.000 Mbps
- Maximum usable IPs None
- Load balancing ports 80,443,53,110,25,21, etc.
- Load balancing HTTP, HTTPS, FTP, POP3, DNS, etc
- Anti-DDOS protection systems or services
- Defence-in-depth mechanisms, please specify: Host based IPS, Antivirus, Malware; Network based firewalls, WAF, IDS, IPS
- Network traffic isolation, please specify: VLAN tagging IEEE 802.1
- Shared or dedicated bandwidth, please specify: Shared
- QoS traffic control services
- Alerts to be sent for unusual high usage
- Minimum performance during peak periods
- Minimum period to scale up network throughput

Remarks: For network see http://www.softlayer.com/network. SoftLayer has different types of IP addresses, depending on your setup and needs (e.g. own cloud on bare metal server, public IP addresses, les /static-and-portableip-blocks for details. For load balancer r network based IDS/IPS see http://www.softlayer.com/firewalls under “Fortigate Security Appliance”. For host based security

22. Storage redundancy and elasticity

The following storage redundancy and elasticity options are available:
- Redundant storage connectivity links within each data centre
- Redundant storage connectivity links between data centres belonging to the same cloud
- Storage traffic isolation, please specify: VLAN tagging IEEE 802.1
- Shared or dedicated storage network bandwidth, please specify: No bandwidth limits
- Quality of service storage traffic control services
- Maximum storage capaci

Remarks: SoftLayer provides a variety of different storage architectures (object/SWIFT storage, NAS, SAN, etc.). Some are shared, some are also available as dedicated storage. Please see http://www.softlayer.com/cloud-storage.
