ANNEX B - SAAS TECHNICAL DOCUMENTATION
Introduction
This document provides standards and features applicable to the Compri SaaS (“Compri”) provided to Customer under the Commercial Agreement.
Table of Contents.
1. BILLING DETAILS.
2. DATA STORAGE.
3. PROVISION OF THE SERVICE.
4. SECURITY REQUIREMENTS AND AUDITS.
5. PERFORMANCE AND AVAILABILITY.
6. SERVICE LEVEL AVAILABILITY (SLA).
7. ALS MEASUREMENT METHOD.
8. BACKUP AND DATA STORAGE.
9. DISASTER RECOVERY (“DR”)
1. Billing details.
Compri's SaaS solution can be purchased by signing a valid Commercial Agreement with Compri.
The offer, in addition to the necessary implementation of services, may include various packages/modules.
Each package/module has a defined license fee, depending on its complexity. The prices for individual packages/modules, as well as the implementation fee, are specified in the Commercial Offer, which is drawn up based on the number of packages/modules the customer is interested in and the size of their organization.
The implementation fee is a one-time payment and must be paid in accordance with the terms set out in the Commercial Offer.
The license fee covering the packages/modules selected by the Customer must be paid annually in the manner set out in the Commercial Offer and will have a duration equal to the duration of the Commercial Agreement between Compri and the Customer.
2. Data storage.
All Compri data and infrastructure will be deployed in the AWS eu-west-1 Region (Dublin, Ireland), ensuring compliance with EU data residency requirements.
To minimize the risk of data loss from local failures and simplify disaster recovery procedures, all backups will be distributed to a different AWS Region within the European Union (EU).
Compri reserves the right to change the location of data within the countries indicated and will notify customers of any changes with at least 30 days' notice.
3. Provision of the service.
Versions : Compri will distribute to the customer the latest generally available version of the service.
Environments : Compri will provide all customers with a production environment; Compri will also use a sandbox production environment to validate and test interactions with customer systems (ERP and other services). Only sections 3 and 4 of this document apply to the sandbox environment.
SLA : The SLA section applies to the production environment only.
Security measures or access methods : To ensure secure authentication of administrators/users and proper access control, we use a passwordless approach. Single sign-on (SSO) with the customer's identity provider is recommended for authentication. Alternatively, we use email authentication via magic links. Each administrator/user must have a valid email address for this purpose. This is in line with the Data Minimization principle. Customer users will provide their first and last name upon first login.
4. Security requirements and audits.
To ensure the verifiable confidentiality, integrity, and availability (RID) of the service, Compri logs connections and actions associated with user IDs. This data is used only for further analysis and support case resolution and is retained for no longer than 90 days.
Vulnerability assessments are self-managed by the Compri team according to the following indicative schedule:
External Dynamic Scans: Quarterly
Internal Vulnerability Scans: Quarterly
Internal Static Scans: Quarterly
New infrastructure components inserted
5. Performance and availability.
To maintain system availability and performance for all customers, Compri reserves the right to restrict access to the API to preserve application uptime.
To provide customers with adequate advance notice of scheduled maintenance activities that result in system downtime, Compri will provide 1 week (7 calendar days) advance notice of all upcoming activities. If an emergency maintenance window is required, Compri will make a reasonable effort to provide 48 hours' advance notice.
6. Service Level Availability (SLA).
The Availability Service Level is guaranteed as indicated in the table below for Purchases during the term of the contract. In the event that the Availability Service Level falls below the threshold for the default service level indicated below in a given quarter, the Customer may be entitled to take the actions described in this document.
Components / Features
Uptime Guarantee (Availability time during business hours, 9:00 AM - 6:00 PM, Monday to Friday, excluding holidays in the customer's region)
Total Availability (time outside of business hours)
compri
99.9%
99%
7. SLA measurement method.
Service level objectives are measured as described below:
Compri runs test scripts using application monitoring tools on the production system to verify that the software is available. Test scripts run approximately every five (5) minutes, twenty-four (24) hours a day, seven days a week, for the entire contractual term of the software.
Scheduled downtime is defined as the time the solution is not available for periodic and necessary maintenance events in which Compaq provides notice to the Customer.
Type of service
Definition
Credit
compri
1 month of commissions
8. Data backup and archiving.
The following data backup and replication is guaranteed during the subscription period:
Data Backup: All Compri customers will have their data backed up daily. Backups are securely replicated to an alternate location (see data location), limiting data loss to no more than 24 hours in the event of a disaster at the primary data location.
Daily backups are kept for 21 days
Removable media is not used for data storage or backups
All customer data is encrypted at rest with AES-256
9. Disaster Recovery ( DR ).
Compri is configured with a DR site and a plan to switch to the DR site in the event the primary site is inoperable. The DR site is a replica of the primary site to provide consistent performance and availability. Compri periodically switches between sites to verify the functionality of the DR site as outlined in the DR plan.
Below are the key measures of the DR plan:
What is covered
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)
compri
24 hours
Recovery Time Objective or RTO is defined as the time within which a service must be restored after a major outage or incident.
Recovery Point Objective or RPO is defined as the maximum period during which data could be lost from a service due to a major outage or incident.