mopdf.com

SAP NS2 Cloud Order Form Addendum1.1.1.USE OF THE CLOUD SERVICESAP Analytics Cloud (SAC)(a)SAP Analytics Cloud is available in the following editions: SAP Analytics Cloud forplanning, professional edition; SAP Analytics Cloud for planning, standard edition; andSAP Analytics Cloud for Business Intelligence (BI). The offering can also include SAPDigital Boardroom and SAP Analytics Hub. The functions included in each of theseeditions are described in the feature scope description found in the Documentation.SAP NS2 will control what functionality is made available in the cloud service to thecustomer. Each edition must be ordered separately on an Order Form. For purposesof this Supplement, the Cloud Service shall mean those editions specified in an OrderForm.(b)Customerisresponsiblefor connecting fromSAC to anycustomerowned systems and associated interconnection documentation (e.g. NIST SP 800-47ISA). SAP NS2 is not responsible for any Customer owned systems interfacing withSAC. This includes any information that is being used in the SAC application from theCustomer landscape.(c)SAP NS2 will provision the necessary amount of HANA database memory that does notexceed the SAP limits identified in the Supplemental Terms and Conditions. Adjustmentsmay be required because of hyperscaler limitations.(d)SAP NS2 will provide virtual and/or physical servers and other computing equipmentin AWS GovCloud (US). SAP NS2 reserves the right to change or substitute servermodels of equivalent or better performance ratings dependent upon changes in scopeand availability of hardware.(e)Customer is responsible for the connection to the SAP NS2 Cloudapplication, including the internet connection. The Cloud Services are accessiblethrough secure encrypted communication.(f)The Cloud Services are supported by employees who are U.S. persons on U.S. soil.(g)Subject to the provisions of the Agreement, SAP NS2 will implement reasonable andappropriate measures for the Cloud Services (as determined by SAP NS2) referencedin NIST Special Publication 800-53 rev4. SAP NS2 will maintain physical and logicalaccess controls to limit access by SAP NS2 or Subprocessor personnel to U.S. persons,as defined by 22 CFR part 120.15 (“U.S. Persons”).(h)Customer specific controls/policies are not incorporated into this Agreement. SAPNS2’s Software as a Service (SaaS) Cloud Service Offerings (CSO) will be implementedand operated in adherence to the FedRAMP Moderate security control baseline. SAPNS2 considers the FedRAMP Moderate security control baseline to be the overarchingpolicy and process providing governance to SAP NS2’s CSO rather than a specificFederal Agency’s policy or procedures. It is incumbent upon the Customer to identifyany gaps between Customer’s controls/policies and the SAP NS2 System SecurityPolicy (SSP) and related FedRAMP documentation. SAP NS2 will make commerciallyreasonable efforts through the Authority to Operate (ATO) process to address anycontrol/policy gaps identified by Customer.(i)SAP is committed to delivering software solutions that are accessible to individualswith disabilities. This includes addressing Section 508 standards and W3C WAI WCAG2.0 (Level A and AA) guidelines, both of which are incorporated into the SAPaccessibility standard, which is used for developing SAP products. While the solutionsproposed implement a number of accessibility features, they are currently not fullyoptimized for accessibility. Supported accessibility features are provided by SAPsolutions in combination with third-party assistive technologies such as the screenreader JAWS. JAWS and most other assistive technologies may require SAP and orcustomer furnished client-side software. A detailed VPAT addressing Section 508 ofthe Workforce Rehabilitation Act requirements for the requested SAP application isavailable upon request.SAP NS2 ConfidentialSAP NS2 Addendum for SAP NS2 SAP Cloud Services v.7.1.2021Page 1

1.2.S/4HANA Private Cloud (PCE) – Single Tenant(a)SAP NS2 reserves the right to change or substitute server models of equivalent orbetter performance ratings dependent upon changes in scope and availability ofhardware.(b)SAP NS2 will provide virtual and/or physical servers and other computing equipmentin AWS GovCloud (US). SAP NS2 reserves the right to change or substitute servermodels of equivalent or better performance ratings dependent upon changes in scopeand availability of hardware.(c)SAP NS2 will support Site to Site VPN and/or a DirectConnect connection to the AWSGovCloud site to support the S4 Single Tenant application. This will represent theAWS Endpoint for accessing the Computing Environment. Customer is responsible forconnection from its on premise network to the DirectConnect Point of Presence. TheCloud Services assume a 1 TB per month for inbound and outbound traffic that willleverage Direct Connect from the Customer’s data center. The Cloud Services assumean outbound data transfer of 1 TB for Inter Region Data Transfer Out and 1 TB forData Transfer Out. The Customer will incur additional charges by their serviceproviders to enable connectivity to the DirectConnect. Any additional changes fromthe requirements above will require a Change Order. The NS2 Cloud will setup andconfigure the cloud virtual private clouds (VPCs). The Customer is responsible forproviding the VLAN designation, IP addresses, and identifying the transit routes acrossthe VPCs and any additional sub-netting.(d)The NS2 Cloud will host the applications in AWS GovCloud (US). AWS GovCloud (US)is an isolated region that allows customers to host sensitive Controlled UnclassifiedInformation (CUI) and all types of regulated workloads.(e)The Cloud Services are supported by employees who are U.S. persons on U.S. soil.(f)The Customer is not authorized to install any additional software outside of what iscontracted in the S/4HANA Private Cloud solution landscape. Customizations to theoperating system are not permitted in this offering. The Customer does not haveaccess to the file system or operating system for any purpose.(g)SAP NS2 will have access to the Customer provided IP addresses within a 5 daywindow after contract award to establish an IPSEC connection between customer datacenter and the NS2 Cloud. If this information is not provided within the 5 day window,the provisioning schedule will be delayed.(h)Configuration of SAP online help (local installation) is not included in scope for thisagreement.(i)All DNS and Windows Active Directory management is the responsibility of theCustomer. The Customer is responsible for all user / role / access management andcreation of new users. The Customer must provide the SAP NS2 cloud team withCustomer user IDs with the appropriate access to stand up and support the cloudlandscape within 5 days after contract award.(j)SAP NS2 will provide, apply, and enforce operating systems security configurationsbased off SAP NS2 defined security hardening guidelines. SAP NS2 will leverageautomated mechanisms to enforce the use of Defense Information Systems Agency(DISA) Security Technical Implementation Guidelines (STIGs) only. The Customerdoes not have access to the SAP NS2 STIGs nor are the specific STIGs applied subjectto customer specific requirements.(k)SAP NS2 has defined patch and upgrade cycles for the operating systems which areroutinely updated to ensure compliance with security requirements. Operating systemrelease locked images are not permitted beyond a six month vendor supported graceperiod. Customer landscapes are rebooted on a predefined schedule to ensure thatsecurity patches are applied. The Customer is not permitted to halt the upgrade of theunderlying operating system or applications beyond two maintenance windows.(l)All encryption and other crytographic keys are managed maintain by SAP NS2 andSAP NS2 ConfidentialSAP NS2 Addendum for SAP NS2 SAP Cloud Services v.7.1.2021Page 2

(m)(n)(o)(p)(q)(r)(s)(t)(u)(v)(w)Customer will not be provided any key access and Customers can not bring their owncrytographic keys.Insecure protocols and technologies are not available e.g., CIFS. SAP NS2 reservesthe right to adjust the approved protocols and ports at will. The Customer isresponsible for configuration and enforcement of secure protocols e.g., HTTPS withinthe S/4 HANA PCE solution 15 days prior to go-live. Continued use of insecureprotocols (e.g., unencrypted SAP GUI or Fiori over HTTP) will place the Customer inviolation of security requirements and are subject to risk acceptance.All Managed Cloud Delivery (MCD) are provided remotely by SAP NS2. No softwaredevelopments will be made by the SAP NS2 cloud team.Any data cleansing or data cleanup is wholly the responsibility of the Customer. Dataloading into the NS2 Cloud is not included in the scope of this Agreement.SAP NS2 is responsible for provisioning and installing of the application listed in theS/4HANA Private Cloud Packages listed in the Order Form for SAP NS2 CloudServices. The service levels and upgrades are specifically designed to accommodatethe installation that is setup and maintained by SAP NS2. The underlying technologiesselected by SAP NS2 are not subject to modification.The Customer is responsible for purchasing and configuring single-sign-on with theirown identity provider. Continued use of local application accounts for day-to-day usepost go-live is not permitted.The Customer is not permitted to dictate the use of a specific domain for the backendservers and services.The Application System Availability Service Level will not apply when Customer’s failureto meet Customer’s responsibilities (including remaining current on maintenance forthe Licensed Software, using a version or release of the Licensed Software and/orSubscription Software on current maintenance) as set forth in the Agreement.Downtime caused from Customer activity shall be omitted from the service levelcalculation and no penalties are required to be credited by SAP NS2 to Customer.All references to RISE with SAP S/4HANA PCE in the RISE with SAP S/4HANA, privatecloud edition Supplement will only be relevant to the S/4HANA applicationdeployments. The SAP NS2 S/4HANA PCE cloud offering does not include the Aribaand SCP Cloud Platform Enterprise Agreement (CPEA) credits.During the term of this Agreement for Cloud Services, SAP NS2 shall supply, at itsown expense an audit report by a nationally recognized outside audit firm conformingwith the American Institute of Certified Public Accountants’ Service OrganizationControl (SOC) Reports, or its equivalent, and shall provide or make available toCustomer, at Customer’s request, a copy of applicable SOC reports, which shall beupdated at least annually. After a period of six (6) months after go-live, if a SOCreport is not available, upon Customer’s 120 day prior written request to confirm SAPNS2’s compliance with this Agreement, as well as any applicable laws and regulations,SAP NS2 grants Customer or, upon written agreement by the Customer and SAP NS2,a third party on Customer’s behalf, permission to perform an assessment, audit,examination or review of the controls in SAP NS2’s physical and/or technicalenvironment in relation to Customer Data being handled and/or services beingprovided to Customer pursuant to this Agreement. To the extent allowed by applicableregulations, SAP NS2 shall fully cooperate with such assessment by providing accessto knowledgeable personnel, the SAP NS2 physical premises, documentation,infrastructure and application software that processes, stores or transports CustomerData for Customer pursuant to this Agreement.SAP NS2 shall provide S/4HANA Private Cloud Services, to include an underlyingFedRAMP High with DoD Impact Level 4 authorized IaaS (Infrastructure as a Service),under this Agreement exclusively from the SAP NS2 FedRAMP IaaS certifiedenvironment. SAP NS2 shall inherit the security controls to meet the in-scope FederalRisk and Authorization Management Program (“FedRAMP”) High and IL4 controls.SAP NS2 will maintain logical access controls to limit access by SAP NS2 or subprocessor personnel to U.S. persons, as defined by 22 CFR part 120.15, located withinthe United States. Physical access to the physical data center is governed by the termsSAP NS2 ConfidentialSAP NS2 Addendum for SAP NS2 SAP Cloud Services v.7.1.2021Page 3

of access allowed by the Subprocessors’ policies and their FedRAMP authorizationpackage. Should the SAP NS2 FedRAMP certified IaaS Subprocessor issue a notice ofdiscontinuance of its commercially available Service, SAP NS2 may discontinue theCloud Services as described herein and shall negotiate a mutually agreeablealternative.The customer is responsible for licensing and managing their own security tooling.This includes antivirus, malware, scanning and security information and eventmanagement. SAP NS2 will install the agents in the systems for these tools. If thesecurity tooling impacts system performance, the downtime that resulted from thesetools will be removed from the service level calculation and no penalties are requiredto be credited by SAP NS2 to CustomerThe OpenText cloud solutions are not included in the NS2 cloud services.(x)(y)2.ADDITIONS TO SUPPORT POLICY FOR SAP CLOUD SERVICECustomers subscribing to SAP NS2 SaaS solutions will be provided support in accordance withthe SAP Support Policy which is attached to the Order Form.Additions to the Support Policy for SAP Cloud Services are as follows:(a)Customer Responsibilities. It is the Customer’s responsibility to grant access totheir tenants and Support Systems, as needed, for the performance and delivery ofthe Support Services.(b)SAP Enterprise Support, cloud editions. In addition to SAP Enterprise Support,cloud editions, the following secure support services, provided by SAP NS2 in English, apply:i.Some support services may be delivered by SAP personnel or available via theSAP Launchpad.ii.Note: SAP Chat feature provided by SAP Global Support Organization, andtherefore is not a secure feature.iii.Secure support services performed by U.S. Persons on U.S. Soiliv.Access to named point of contactv.Secure Back Officevi.Secure Remote Connection. A US person-staffed secure backoffice located in aUS facility shall be provided during the standard hours of 9:00AM to 6:00PMUnited States Eastern time, Monday through Friday, excluding holidaysobserved by SAP NS2 (“Standard Hours”) for the Customer site(s).vii.Secure Cloud Support Setup. Customer and SAP NS2 agree to jointly conductan initial Secure Support Setup as part of Secure Support. The SecureSupport Setup includes: (i) securing remote connectivity between Customerand SAP NS2; (ii) reviewing best practices for collaboration with SAP NS2 andSAP Digital Business Services; (iii) reviewing Customer solution landscape;and (iv) review of Customer project roadmap.viii.Contacting Support. Beginning on the effective date of a customer’s agreementfor SAP NS2 SaaS Cloud Solutions, that customer may contact SAP NS2’ssupport organization as primary point of contact for support services. Theavailable contact channels are: Support Backoffice email distribution – details provided during supportkick-offSupport Phone Number: 1-(844)-NS2-SUPP or 1-(844)-672-7877Support Backoffice (After hours) phone number: 1-(610)-492-3040SAP NS2 ConfidentialSAP NS2 Addendum for SAP NS2 SAP Cloud Services v.7.1.2021Page 4

3.ix.SAP NS2 Contact Details. SAP NS2 Customer shall update the CustomerContacts for the SAP NS2 Cloud.x.SAP NS2 may, from time to time, confirm with Customer the correctness ofinformation Customer provides as required herein.ADDITIONS TO THE SERVICE LEVEL AGREEMENT FOR SAP CLOUD SERVICEThe Application System Availability (“ASA SLA”) Service Level for Cloud Service sets forth theSystem Availability applicable to the Computing Environment. The SLA shall be effective 3months after system handover to Customer. The SLA will be calculated solely upon the uptimeof the application and will not pertain to any applications running cloud infrastructure. The SLAwill be immediately not applicable if a Customer installs any other applications on the cloudinfrastructure supporting SAP Cloud services.ExcludedDowntimeTotal Minutes in the Month attributable to:(i) Excluded Downtime as defined in Schedule C of the Order Form(ii) Scheduled Downtime as set forth below(iii) Agreed Downtime(iv) Emergency Downtime(v) Downtime caused by factors outside of SAP NS2’s reasonable control such asunpredictable and unforeseeable events that could not have been avoided evenif reasonable care had been exercised (see examples below this table)ScheduledDowntimeScheduled at a mutually agreed time, not to exceed twelve (12) hours per month persystem, excluding functional updates.In addition to the conditions listed in Excluded Downtime in the preceding table, the followingexamples include, but are not limited to, what is beyond SAP NS2’s reasonable control for theASA SLA:(a)(b)(c)(d)(e)(f)(g)Customer’s failure to meet Customer’s responsibilities (including remaining current onmaintenance for the Licensed Software, using a version or release of the LicensedSoftware and/or Subscription Software on current maintenance) as set forth in theAgreementDowntime caused by Customer and/or the customer source systemsInterruptions as a result of requirements stipulated by a third party manufacturerof the Licensed SoftwareInterruptions or shutdowns of the Computing Environment, or portions thereof (orServers for Server Provisioning) resulting from the quality of the Licensed Softwareprovided by the Customer and/or Customer’s customizations or modifications ofthe Licensed Software, Subscription Software or Computing Environment (orServers for Server Provisioning), unless the customizations or modifications arethe responsibility of SAP NS2 as stated in this Agreement.Restore times of user data (recovery of database data from a media backup)where SAP NS2 was not the root cause for the required restoration.Emergency downtime includes downtime due to the Customer requesting animmediate change in their landscape. It also includes any downtime that is due toSAP NS2 requiring an immediate change to the Customer landscape in order tosafeguard the landscape.Downtime due to a database connection in the customer landscapeSAP NS2 ConfidentialSAP NS2 Addendum for SAP NS2 SAP Cloud Services v.7.1.2021Page 5

(h)(i)(j)If it was discovered from the Root Cause Analysis (RCA) that an outage occurredfrom custom code and/or large automated jobs that was designed and written bythe customer, the downtime from the system will be omitted from the applicationlevel SLA calculation.Any downtime that results from hardware failure from the Hyperscaler will beomitted from the application level SLA. Any potential timeframe required for asystem restart will also be omitted if it was due to hardware failure.Any downtime that occurs from any acts of omissions from the Customer such astime waiting on instructions from Customer in order to prevent an outage.4.CUSTOMER DATA ACCESSSAP NS2 will not disclose Customer Data to any government or third party or access or useCustomer Data; except in each case as necessary to maintain the Cloud Services or to providethe Cloud Services to Customer in accordance with this Agreement, or as necessary to complywith the law or a valid and binding order of a governmental or regulatory body (such as asubpoena or court order). Unless it would be in violation of a court order or other legalrequirement, SAP NS2 will give Customer reasonable notice of any such legal requirement ororder, to allow Customer to seek a protective order or other appropriate remedy.5.EXPORT CONTROLSCustomer may disclose to SAP NS2 as part of any authorized remote access data which may besubject to export controls under 22 United States Code 2751 – 2796 (Arms Export Control Act)and 22 Code of Federal Regulations 120-130 (International Traffic in Arms Regulations) or 50United States Code 2401 - 2420 (Export Administration Act) and 15 Code of Federal Regulations768 - 799 (Export Administration Regulations) and their successor and supplemental laws andregulations (collectively hereinafter referred to as the "Export Laws and Regulations"). ProvidedCustomer identifies the data as being subject to such controls, SAP NS2 shall comply with anyand all Export Laws and Regulations and any license(s) issued thereunder in handling any suchdata. Customer remains responsible for its own handling of export-controlled data. SAP NS2will maintain physical and logical access controls to limit access by SAP NS2 or Subprocessorpersonnel to U.S. persons, as defined by 22 CFR part 120.15 (“U.S. Persons”) on U.S. soil.6.ADDITIONAL TERMS(a) In addition to the provisions provided in the General Terms and Conditions, SAP NS2 mayimmediately upon notice to Customer suspend Customer’s right to access or use anyportion of the Cloud Services if SAP NS2 reasonably concludes that Customer’s continueduse of the Cloud Service (i) poses a security risk to the Cloud Service or any third party,(ii) risks adversely impacting the SAP NS2 or its Subprocessor’s systems or the systemsor data of any other customer of SAP NS2 or its Subprocessors, (iii) risks subjecting SAPNS2 or its Subprocessors or their Affiliates to liability, or (iv) is not in compliance with theAcceptable Use Policy. If SAP NS2 temporarily suspends Customer’s right to access or usethe any portion of the Cloud Services in accordance with the terms of this Agreement,Customer remains responsible for all fees and charges Customer incurs during the periodof suspension and Customer will not be entitled to any service credits under the ServiceLevel Agreements for any period of suspension. SAP NS2 will use commercially reasonableefforts to restore Customer’s rights to use and access those portions of the Cloud Servicesor accounts that gave rise to the suspension promptly after the problem giving rise to thesuspension has been resolved.(b) SAP NS2 may discontinue the Clou

SAP NS2 Confidential Order Form for SAP NS2 SAP Cloud Services_Indirect (v.5-2021) Page 1 of 4 Order Form for SAP NS2 Cloud Services (SAP NS2 Internal Reference # ) Between SAP National Security Services 3809 West Chester Pike Suite 200 Newtown Square, PA 19073 (“SAP