SERVICE LEVELS AND PERFORMANCE. The Authority will measure the quality of the Supplier’s delivery by:

KPI/SLA 1
Service Area: Downtime
KPI/SLA description: In the event of any downtime, Supplier to notify Authority, to provide an explanation of cause and any immediate or projected impact on Authority’s work.
Target: Notify within 1 hour of recognition of issue.
In the event of an ongoing issue, Authority to be updated on progress and projections to resolve twice daily until resolution. Following resolution, details on cause, lessons learned and mitigation to be shared with Authority.

KPI/SLA 2
Service Area: Response to requests
KPI/SLA description: Emails from the authority must be responded to within 30 minutes (9am - 6pm, Mon - Fri, excl. bank holidays).
Target: 99% achieved within 30 minutes.

KPI/SLA 3
Service Area: Data recovery
KPI/SLA description: Supplier to keep Authority informed as each stage of data recovery process progresses, including projections for the time until recovery is complete.
Target: As progressed.

Any difficulties in achieving these targets to be discussed between the Authority and Supplier, in advance where possible. Where poor Supplier performance requires early termination of the Contract, standard G-Cloud termination conditions will apply.

SECURITY AND CONFIDENTIALITY REQUIREMENTS
All members of Supplier’s staff administering the Authority’s system to have Counter Terrorism Check as a minimum level of National Security Vetting. Staff of supplier or supplier’s subcontractors/processors having any amount of involvement with Authority’s data to sign, return, and adhere to Authority’s confidentiality undertaking.

PAYMENT AND INVOICING
Invoices should be sent monthly. Payment can only be made following satisfactory delivery of pre-agreed certified products and deliverables. Before payment can be considered, each invoice must include a detailed elemental breakdown of work completed and the associated costs.
Invoices should be submitted to: REDACTED TEXT under FOIA Section 40, Personal Information
Supplier to provide itemised billing narrative alongside invoices.

CONTRACT MANAGEMENT
Inability to attend contract management meetings to be communicated in advance of any meeting where possible. Attendance at Contract Review meetings shall be at the Supplier’s own expense.

LOCATION
The location of the Services and the contract review meetings will be carried out at either the Authority or the Supplier’s premises on agreement between Authority and Supplier, or remotely where in-person meetings are not possible.
Appears in 1 contract
Sources: Call Off Contract
SERVICE LEVELS AND PERFORMANCE. The Authority will measure the quality of the Supplier’s delivery by:

KPI/SLA 1
Service Area: Downtime
KPI/SLA description: In the event of any downtime, Supplier to notify Authority, to provide an explanation of cause and any immediate or projected impact on Authority’s work.
Target: Notify within 1 hour of recognition of issue.
In the event of an ongoing issue, Authority to be updated on progress and projections to resolve twice daily until resolution. Following resolution, details on cause, lessons learned and mitigation to be shared with Authority.

KPI/SLA 2
Service Area: Response to requests
KPI/SLA description: Emails from the authority must be responded to within 30 minutes (9am - 6pm, Mon - Fri, excl. bank holidays).
Target: 99% achieved within 30 minutes.

KPI/SLA 3
Service Area: Data recovery
KPI/SLA description: Supplier to keep Authority informed as each stage of data recovery process progresses, including projections for the time until recovery is complete.
Target: As progressed.

Any difficulties in achieving these targets to be discussed between the Authority and Supplier, in advance where possible. Where poor Supplier performance requires early termination of the Contract, standard G-Cloud termination conditions will apply.

REDACTED TEXT under FOIA Section 43 Commercial Interests

SECURITY AND CONFIDENTIALITY REQUIREMENTS
The Supplier shall ensure that all staff supporting the authority hold UK National Security Vetting to “Security Check” (SC) level.
The Supplier shall maintain compliance with ISO 27001:2013 and ISO 27018:2014 or equivalent, and shall also ensure that any third parties used by it in the course of the service provision and deemed critical to the service, shall adopt a systematic approach to managing information so that it remains secure.

PAYMENT AND INVOICING
The payment profile for this Call-Off Contract is monthly in arrears. A PO will be raised once the Contract has been signed. The PO is a vehicle for payment and not a firm commitment of spend. There is no guarantee to the Supplier of the volume of services required and the Buyer may increase or decrease the volume of Services to meet its flexible requirements. Payment can only be made following satisfactory delivery of pre-agreed certified products and deliverables. Before payment can be considered, each invoice must include a detailed elemental breakdown of work completed and the associated costs.
Invoices should be submitted to: REDACTED TEXT under FOIA Section 40, Personal Information
All Invoices must include the WP number and PO number. Each invoice must be accompanied by a breakdown of the deliverables and services, quantity thereof, applicable unit charges and total charge for the invoice period, in sufficient detail to enable the Customer to validate the invoice.

CONTRACT MANAGEMENT
The Supplier will facilitate monthly (or as otherwise agreed) status review meetings between CDIO Cyber Security, the Supplier, and Splunk. Attendance at status review meetings shall be at the Supplier’s own expense.
In months where the Supplier has provided professional services, the Supplier shall provide a written monthly status update to a nominated representative of CDIO Cyber Security. The monthly status update must be provided no later than the end of the first full working week of the next month. The monthly status update shall detail the number of professional services days charged during the month, the cost of those days, the number of contracted professional services days remaining, the tasks delivered during that month, and (if applicable) the tasks planned for delivery during the next month.

LOCATION
REDACTED TEXT under FOIA Section 40, Personal Information
The Supplier is not required to be on site.

Schedule 2: Call-Off Contract charges
For each individual Service, the applicable Call-Off Contract Charges (in accordance with the Supplier’s Digital Marketplace pricing document) can’t be amended during the term of the Call-Off Contract. The detailed Charges breakdown for the provision of Services during the Term will include:
As detailed within the pricing breakdown below, the following table describes the part codes, product titles, associated detail (ingestion charges etc) for the Splunk Cloud License renewal costing.
REDACTED TEXT under FOIA Section 43 Commercial Interests
This relates to the supplier’s pricing document found on the G-Cloud 12 Service Page.
Appears in 1 contract
Sources: G Cloud 12 Call Off Contract
SERVICE LEVELS AND PERFORMANCE. 15.1 The Authority will measure the quality of the Supplier’s delivery by the monthly measure of the following Service Level KPIs:

KPI/SLA 1
Service Area: Customer Service
KPI/SLA description: Supplier to respond to service / help desk queries
Target: Within one (1) working day

KPI/SLA 2
Service Area: Customer Service
KPI/SLA description: Client to acknowledge contact to report issues such as bugs
Target: Within one (1) working day

KPI/SLA 3
Service Area: Customer Service
KPI/SLA description: Supplier to share information on potential bugs that may impact on the integrity / availability of GC3 Data
Target: At earliest opportunity

KPI/SLA 4
Service Area: Delivery
KPI/SLA description: Minor bugs and technical issues to be identified and a resolution put in place
Target: Within one (1) calendar month

KPI/SLA 5
Service Area: Delivery
KPI/SLA description: Major bugs and technical issues to be identified and resolution put in place
Target: Acknowledged within one (1) working day with a resolution in place as agreed with the client

KPI/SLA 6
Service Area: Technical
KPI/SLA description: Availability and uptime of the site to be kept to a minimum
Target: 98% uptime
15.2 The Supplier provides a monthly Performance Report to the Buyer 3 calendar days in advance of the monthly Account Management Meeting. The Performance Report includes:
15.2.1 Details of all Milestones and Deliverables met within the reporting month;
15.2.2 A report of performance against the Service Level KPIs and supporting MI to substantiate the reported performance.
15.3 Where any of the Milestones and/or Deliverables are not achieved in accordance with their Timeframes or Delivery Dates, and/or where the Service Level KPIs are not met in full in the reporting month, the Supplier investigates the reasons for this. The Supplier includes in its monthly Performance Report a summary of its investigation, and reports remedial actions to be undertaken. The Buyer deducts a 10% retention amount from the invoice for the respective reporting month.
15.4 If in the subsequent reporting month, the Supplier can demonstrate it has:
● Achieved:
   o all Milestones and/or Deliverables falling due within the reporting month in accordance with their Timeframes or Delivery Dates; and
   o any outstanding Milestone and/or Deliverables that were late in preceding reporting months; and
● met the Service KPIs in full
the Buyer will release accrued retention amounts in the invoice for that reporting month. Where the Supplier does not fulfil the requirements of this paragraph 15.4, the Buyer deducts a 10% retention amount from the invoice for the reporting month, and continues to hold the retentions accrued from the previous reporting months.
15.5 If either:
● the Supplier does not achieve Milestones and/or Deliverables that have fallen due in previous reporting months within its respective Default Trigger Durations; or
● the Supplier does not meet a Service KPI for a consecutive period equal to its respective Default Trigger Duration
the Buyer may, at its sole discretion, terminate the Contract for reasons of default of the Supplier.
15.6 In the event of termination of the Contract for reasons of default of the Supplier:
● the Buyer pays the Supplier the amounts due for the reporting month in which the Supplier default occurred, subject to a 10% retention deduction amount from the invoice for the respective reporting month;
● the Buyer retains all accrued retention amounts;
● the Service ceases and no further payments are due to the Supplier.
15.7 Regular review meetings (at least quarterly) will take place, poor performance and quality will be documented with an action plan drawn up during the review meeting to improve quality.
Appears in 1 contract
Sources: Call Off Contract
SERVICE LEVELS AND PERFORMANCE. 14.1 The Buyer will measure the quality of the Supplier’s delivery by: KPI:
14.1.1 The KPIs referred to in section 6 ‘The requirements’ will be measured alongside the following SLAs

KPI/SLA 1
Service Area: Delivery timescales
KPI/SLA description: Outputs to be delivered +/- 5 working days from the agreed target date
Target: 90%

KPI/SLA 2
Service Area: Reporting frequency (workstream level)
KPI/SLA description: Progress reports to be submitted 24 hrs before scheduled meeting
Target: 98%

KPI/SLA 3
Service Area: Reporting frequency (Exec Sponsors)
KPI/SLA description: Progress reports to be submitted 48hrs before scheduled meeting
Target: 98%

KPI/SLA 4
Service Area: Project oversight
KPI/SLA description: Project plan to be updated in real time
Target: 98%

KPI/SLA 5
Service Area: Requirement KPIs
KPI/SLA description: Each KPI to be met within +/- 5 working days of the agreed milestone
Target: 90%

KPI/SLA 6
Service Area: Security Breach (14.9)
KPI/SLA description: A security breach to be reported immediately and no less than 24 hours.
Target: 100%

14.2 Where the Buyer identifies poor performance (3 consecutive agreed failures in any rolling 2-month period against agreed service delivery and SLAs), Supplier shall be required to attend a performance review meeting to understand the issues and how to rectify them. The performance review meeting shall be at an agreed time no later than 5 working days from the date of notification. This may take place virtually or at The Buyers premises.
14.3 The Supplier shall be required to provide a full incident report which describes the issues and identifies the causes. The Supplier will also be required to prepare a full and robust ‘Service Improvement Action Plan’ which sets out its proposals to remedy the service failure. The Service Improvement Plan will be subject to amendment following a performance review meeting and will be agreed by both parties prior to implementation.
14.4 The Buyer will work with the Supplier to resolve any service failures; however, it will remain the Supplier’s responsibility to resolve any/all service failure issues to ensure the service is delivered against the agreed milestones.
14.5 A Non-Disclosure Agreement will need to be signed as part of the Services Contract Award.
14.6 Security clearance (BPSS) is required for the Supplier staff to receive access and work on Official Sensitive project information. The Supplier shall provide evidence that this is in place within the first 4 weeks of the contract.
14.7 Physical security checks will also be required to work or visit any of the buyer offices located in Liverpool, Newport, Bristol, Birmingham, Norwich and London. A buyer office-building pass will be granted, if required.
14.8 No Personal data shall be processed or stored on the Service Provider, or sub-contractor infrastructure without the explicit approval of the Buyer’s Data Protection Manager. If approval is given to process personal data, the Supplier shall provide a Data Privacy Impact Assessment (DPIA) defining the privacy-related risk and controls to be put in place to ensure it is appropriately protected.
14.9 All information released to the Supplier shall be treated as OFFICIAL and only stored and/or processed in a manner throughout the contracted period where the security risk exposure is within the risk tolerance of the Buyer and the Service Provider has obtained ISO27001 and Cyber Essentials certification.
14.10 The Supplier shall provide a Security Management Plan detailing how the Supplier and its Sub contractors shall comply with the requirements set out in this Section [14] (Security and Confidentiality Requirements) in order to ensure the security of the Buyer Data and the Supplier Information Management System.
14.11 All buyer OFFICIAL data provided in support of this agreement shall not be used for any other purpose than meeting the Buyer’s requirements under this Statement of Requirement. At the end of this contract, the Supplier shall provide evidence, to the satisfaction of the Buyer, that it has securely deleted all OFFICIAL data in accordance with HMG guidance.
14.12 The Supplier shall make provision to provide IT equipment for each of their Team under this agreement. Where the Supplier is provisioned with the Buyer’s IT in support of this agreement, the Supplier shall ensure any individual who is provided with such equipment shall accept all the acceptable use policy. Any failure to comply shall be reported to the Buyer and appropriate action taken to hold the individual accountable.
14.13 If either party becomes aware of a Breach of Security it shall notify the other as soon as reasonably practicable after becoming aware of the breach, and in any event within 24 hours. The Supplier must, upon becoming aware of a Breach of Security or attempted Breach of Security immediately take those steps identified in the Supplier’s Security Management Plan (if applicable).
Appears in 1 contract
Sources: Call Off Contract