Annex 2

1. GENERAL

1.1. This service level agreement (“SLA”) is an inseparable part of the DreamApply and Services Agreement concluded between the Provider and the Institution (“Agreement”).

1.2. Capitalised words and phrases used in the SLA shall have the same meanings as in the Agreement, unless new terms or definitions are introduced in the text of the SLA.

1.3. The SLA will enter into force on the same date as the Agreement became effective. The SLA will be valid for the term of the Agreement.

2. OBJECT OF THE SLA

2.1. The SLA governs the service levels for the operation of DreamApply and for the provision of Support to the Institution in the following areas: (a) maintenance, preventive measures, upgrades and backups of DreamApply; (b) questions and consultation concerning the daily operation of the DreamApply; (c) handling of any bugs or other issues which result in a disruption of the normal functioning and operational use of DreamApply (jointly “Errors”).

2.2. The Provider shall operate the DreamApply and provide Support according to the service levels agreed in the SLA.

3. USE OF DREAMAPPLY

3.1. Access to the DreamApply is provided through an online solution specially configured for the Institution’s needs and requirements (“Instance”). The configuration shall be made by the Institution or upon ordering additional Support by the Provider.

3.2. The Institution shall appoint a high-level administrator to oversee and manage the use of DreamApply and Services on behalf of the Institution (“Supervisor”).

3.3. The Institution and the Supervisor are responsible for ensuring that its Members use the DreamApply and Services in accordance with the Agreement. The Supervisor’s responsibility is (a) to act as a single point of contact towards the Provider regarding the daily operation of DreamApply and provision of Services; (b) provide basic technical assistance and consultation to the Members of the Institution regarding the use of DreamApply; (c) administer the Member Accounts (delete, add new, configure access rights and settings etc). The Supervisor has the right to order Services from the Provider, make binding decisions on behalf of the Institution and perform other duties in his/her area of responsibility.

3.4. The provision of Services and delivery of items that fall outside the scope of the Price Offer shall be subject to separate negotiations between the Parties. The agreement reached as a result of such negotiations shall be formed in a format which can be reproduced in writing (e.g. e-mail, Skype etc) and shall form an inseparable part of the Agreement, unless expressly agreed otherwise between the Parties.

4. SERVICE LEVEL STANDARDS

4.1. Operation of DreamApply

4.1.1. Responsiveness: the DreamApply shall respond to all requests within no more than 1 (one) second (without accounting for network latency) unless this cannot be reasonably expected (processing of large uploads, extended searches, export operations etc).

4.1.2. Preventive measures: the DreamApply is monitored to detect any anomalies or interruptions in the performance of the DreamApply and provide information for possible maintenance work. Provider (or its selected third party partners) regularly performs the following maintenance operations:
(a) maintenance of the server hardware and network equipment;
(b) software version and security updates;
(c) log management;
(d) configuration maintenance, versioning and backup;
(e) change management and documentation.

4.1.3. Upgrades: the Provider shall in the event of necessity update DreamApply to improve the usability, management, efficiency, security and capability of the DreamApply.

4.1.4. Back-ups: the Provider will take any reasonable measures to safeguard the User Content, the DreamApply and the DreamApply’s configuration against being lost or corrupted, including, but not limited to:
(a) hourly off-site backups of the User Content with a retention period of no less than 3 (three) days;
(b) nightly off-site backups of the User Content with a retention period of no less than 30 (thirty) days.

4.1.5. Planned maintenance work: normally the installation of updates affects the operation of the DreamApply for up to 15 minutes and takes place on average once per month. Users are notified at least 3 (three) working days in advance of any planned maintenance work which will affect the availability of the DreamApply for more than 1 hour. The total allowed duration of planned maintenance that affects the availability of the DreamApply must not exceed 48 (forty eight) hours per year or 8 (eight) hours in any single month; any single planned maintenance session that affects the availability of the DreamApply may not exceed 4 (four) hours; any planned maintenance is usually performed between 00:00 and 07:00 CET unless a valid reason is present.

4.1.6. Unplanned service disruptions: the total allowed duration of unplanned disruptions that affect the availability of the DreamApply must not exceed 48 (forty eight) hours per year; the maximum time for restoring the DreamApply’s functionality after a service disruption must not exceed 24 (twenty four) hours.

4.2. Support

4.2.1. The Provider shall offer Support remotely by email or telephone during 9:00 – 17:00 CET on working days. Outside of these hours, the DreamApply will be operated “as is”. Prior to submitting a Support request, the Institution shall visit the Provider’s help portal http://help.dreamapply.com for first-hand assistance and information.

4.2.2. Support is provided in English. The reaction time to any Support requests and the volumes of Support are set out in Annex 1. The contact details for submitting Support requests are as follows:

(a) e-mail: [email protected];
(b) Skype: dreamapply;
(c) telephone: +3726314625.

4.3. Error management

4.3.1. The Institution shall inform the Provider of any Errors that may come to its attention. The Institution shall make available to the Provider all relevant information that is reasonably necessary in order to describe, detail or replicate the Error.

4.3.2. If the Institution wishes to change or make additions to the existing content, features or functionality of the DreamApply, to integrate the DreamApply with third party systems or technologies, or to customise the DreamApply for the Institution’s needs and requirements, then this is not considered an Error and can be purchased from the Provider as Development service in accordance with the Agreement.

4.3.3. Error severity levels: Any Errors will be handled depending on the level of severity as defined below:

(a) High – major functionality is impacted or significant performance degradation is experienced. The Error is persistent and affects many users and/or major functionality. The DreamApply cannot perform its main intended purpose. No reasonable workaround is available.

(b) Medium – the Error is affecting some but not all users. The DreamApply can still perform its main intended purpose, but requires additional effort on part of the users. A short-term workaround is available, but not scalable.

(c) Trivial – a defect that affects a small proportion of users. The DreamApply’s ability to perform its main intended purpose is not affected.

4.3.4. Reaction times: Provider will acknowledge Errors by (a) receipt of a report of an Error from the Institution, demonstrating its occurrence, or (b) discovery of an Error by other means, such as preventive measures taken by the Provider (“Acknowledgement”). The Provider shall start resolving the Error as of the moment of Acknowledgement, depending on the level of severity:

(a) High – at the first possibility but no later than within 1 (one) working day as of Acknowledgement and must resolve the Error within no more than 3 (three) days;

(b) Medium – within 3 (three) working days as of Acknowledgement, must provide a workaround within 2 (two) working days and resolve the Error within no more than 5 (five) working days;

(c) Trivial – within 1 (one) month as of Acknowledgement and must resolve the Error within no more than 6 (six) months.

5. LIMITATIONS

5.1. Should the planned maintenance work or unplanned service disruptions exceed the allowed duration limits, the Parties shall negotiate regarding the compensation. However, if the planned maintenance work or unplanned service disruptions exceed the allowed duration limits by up to 50%, provided it occurs between 00:00 and 07:00 CET, it will not be considered a breach of the Agreement.

5.2. Errors that do not affect the availability of the DreamApply’s primary functionalities or affect said functionalities in a non-significant way, will not count towards the allowed duration limits and will not be considered a breach of the Agreement.

5.3. The Provider’s obligations under the SLA shall cease if an Error was caused by any factor outside the control of the Provider, including, but not limited to, any problem with:

5.3.1. the functioning or use of external systems or supplies, which are not part of the DreamApply, including the Institution’s infrastructure, operating system software and any updates and fixes thereto;

5.3.2. parts, accessories or products not delivered by the Provider;

5.3.3. unexpected serious accidents and/or health issues with the employees of the Provider;

5.3.4. configurations and specifications of the devices and infrastructure used by the Institution or other users of DreamApply (mobile phones, servers etc);

5.3.5. utility supplies (electricity, availability of internet and telecommunications networks etc);

5.3.6. other services not provided by the Provider (e.g. data communication services etc).

5.4. The work spent for resolving issues which do not fall under the scope of the SLA may be subject to additional fees. The Provider shall inform the Institution of the possibility that the SLA does not cover the reported issue as soon as possible and may provide a cost estimate for resolving it.

6. OBLIGATIONS OF THE PROVIDER

6.1. In the event of a suspected or actual personal data breach, loss of confidential information or successful cyber-attack, the Provider shall notify the Institution immediately, but no later than 5 working days after the incident was first discovered. The Provider shall take all measures reasonably necessary to prevent or limit (further) unauthorised examination, change, and provision or otherwise unlawful processing and to stop and prevent any future breach of security measures, breach of the confidentiality obligation or further loss of confidential Data.

6.2. The Provider is also obliged to notify the Institution in case of breach of the Institution’s instructions.

6.3. The Provider agrees and warrants:

6.3.1. that it has implemented the technical and organisational security measures specified in the Agreement and its Annexes and the Provider’s data protection internal documentation (available upon request) before processing the personal data transferred;

6.3.2. that it will promptly notify the Institution about:

6.3.2.1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

6.3.2.2. any unauthorised access, and

6.3.2.3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

6.3.3. to deal promptly and properly with all inquiries from the Institution relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

6.3.4. at the request of the Institution to submit its data processing facilities for audit of the processing activities covered by the Agreement which shall be carried out by the Institution or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority.

6.3.4.1. The Institution will cover the expenses directly caused by the audit, including the working hours of the Provider’s employees (based on the hourly amount set out in https://dreamapply.com/pricing/ of the Agreement).

6.3.4.2. The Provider may refuse to be audited if the Provider’s data processing facilities have been audited by another client or an inspection body within twelve (12) months when the Provider shares the results of that audit with the Institution.

6.3.4.3. The Provider may refuse to be audited when the Institution requests it more than once per twelve (12) months.

6.3.4.4. The Institution has an obligation to inform the Provider of its wish to conduct an audit 21 days prior to the audit.

6.4. The Provider is obligated to immediately inform the Institution regarding any future changes in the performance of the Agreement, so that the Institution can monitor compliance with arrangements made with the Provider. This also includes the engagement of new Auxiliary Suppliers who have access to the data inserted for the Institution. If new Auxiliary Suppliers (who have access to the data inserted for the Institution) are engaged, or changes are made, the Provider must inform the Institution in advance and set a term for making an objection.

6.5. The Provider:

6.5.1. processes the personal data only on documented instructions from the Institution, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Provider is subject; in such a case, the Provider shall inform the Institution of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

6.5.2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

6.5.3. takes all measures required pursuant to Article 32 of the Regulation (EU) 2016/679 of the European Parliament and of the Council;

6.5.4. respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council for engaging another processor;

6.5.5. taking into account the nature of the processing, assists the Institution by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Institution’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the Regulation (EU) 2016/679 of the European Parliament and of the Council;

6.5.6. assists the Institution in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the Regulation (EU) 2016/679 of the European Parliament and of the Council taking into account the nature of processing and the information available to the Provider;

6.5.7. at the choice of the Institution, deletes or returns all the personal data to the Institution after the end of the provision of Services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

6.5.8. makes available to the Institution all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council.

7. LIABILITY

7.1. The Provider’s total liability arising out of or in connection with the performance of its rights and obligations under the Agreement (whether in contract, tort, negligence, product liability or otherwise) is limited to the Service fee paid by the Institution for the use of the DreamApply pursuant to the Agreement during the 12 (twelve) months prior to the event that gave rise to liability.

7.2. In case of a failure to perform its contractual obligation under the Agreement, the Provider may cure the non-performance at its own expense within a reasonable period of time after notifying the Institution of the intention to cure and of the proposed manner and timing of the cure (e.g. free technical support or discount from the Service fee).

7.3. Neither party should be regarded as liable to the other party for circumstances beyond the party’s control and which the party, when signing the Agreement, could not have foreseen or could not have avoided or overcome, including strikes (force majeure). Circumstances of a subcontractor will only be regarded as force majeure if the subcontractor is faced with an obstacle falling within the first sentence of this provision and which the Supplier ought not to have avoided or overcome. The party who wishes to invoke force majeure must inform the other party thereof in writing not later than ten Working Days after the force majeure event was discovered and provide information about the expected scope and duration.

7.4. Cyber-attacks are considered to be force majeure. The Provider has an obligation to meet the necessary industry average security requirements in order to avoid breach of its obligations (including breach of data protection rules).

8. DATA OVERVIEW AND DATA SECRECY

8.1. The Provider shall ensure that any personnel entrusted with processing the data inserted by the data subjects have undertaken to comply with the principle of data secrecy and have been duly instructed on the protective regulations. The undertaking to secrecy shall continue after the termination of the Agreement.