
Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners



Presentation Transcript


  1. Cloud & Smarter Infrastructure – Legal, Security & Data Privacy for SaaS offerings for Partners

  2. Agenda
     • Legal
       • Contracts
       • Key terms
       • Compliance Overview
       • Service Level Agreement
     • Data Privacy
       • Overview
       • EU Safe Harbor
       • Hosting locations
     • Security
       • C&SI SaaS Security Practices
       • IBM Standard ITCS104 & Industry Standards Certifications

  3. Legal - C&SI SaaS Contract Options
     Speaker note: Kimi - verify that these only apply to IBM Software Value Plus because SSP has its own set of contracts unless SSP contracts are addendums.
     • IBM International Passport Advantage Agreement (IPAA) – includes SaaS terms regarding ownership, the customer’s right to use, subscription to SaaS, SaaS technical support, content and termination of SaaS
     • Option 1 (Passport Advantage customers using direct or e-Commerce to purchase)
       • Terms of Use (TOU) B – standard terms of use for IBM SaaS offerings. This is in addition to the IBM IPAA or IBM IPAA Express Agreement
       • TOU A – terms of use specific to a SaaS offering (e.g. charge metrics, renewal)
       • Service Level Agreement (SLA) – specific to a SaaS offering
     • Option 2 (Non-Passport Advantage customers using direct to purchase)
       • Cloud Service Agreement (CSA) – simplified agreement for SaaS that benefits legacy customers from acquisitions, new customers and eCommerce (future).
       • Services Description – similar to TOU A; specific T’s & Cs for each SaaS offering
       • SLA – specific to a SaaS offering
     Applies to IBM Software Value Plus

  4. Legal - Key Terms
     Speaker note: Kimi - verify that these only apply to IBM Software Value Plus because SSP has its own set of contracts unless SSP contracts are addendums.
     • Automatic renewal – the contract is automatically renewed unless the customer cancels.
       • Example: a customer purchases a 12 month term with monthly billing and on month 15 decides they no longer need the service. They DO NOT have the option to terminate and will be responsible for the remaining 9 months of coverage (the term renewed automatically for another full 12 month term at the end of month 12).
     • Indemnity – the customer agrees to hold IBM harmless against any third party claim arising out of or relating to: 1) violation of the IBM Acceptable Use Policy by the Customer or any of the Customer’s IBM SaaS Users; or 2) Content made available to the IBM SaaS.
     • Non-disclosure of Customer Content – TOU B indicates that IBM will not use client data for any reason other than to operate the SaaS, and that the data will be kept confidential.
     Applies to IBM Software Value Plus

  5. Legal - Compliance Overview
     Compliance = SoftLayer Compliance + C&SI SaaS Compliance. Unless both are compliant we can’t claim compliance.
     • Payment Card Industry Data Security Standard (PCI DSS) – Compliant
       • Set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
       • C&SI processes credit card information through IBM Payment Systems, which is PCI compliant
     • Federal Risk and Authorization Management Program (FedRAMP) – Not Compliant (in progress)
       • Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
       • One of the key requirements is the Federal Information Security Management Act of 2002 (FISMA)
     • EU Safe Harbor (see EU Safe Harbor section) – Certification in process

  6. Legal - Service Level Agreements
     One per C&SI SaaS offering (no charge). Terms are found in TOU A or in the Cloud Services Agreement Services Description.
     • “Availability” percentage is calculated as: (a) the total number of minutes in a Contracted Month, minus (b) the total number of minutes of Downtime in a Contracted Month, divided by (c) the total number of minutes in a Contracted Month, with the resulting fraction expressed as a percentage.
     • Example: 432 minutes total Downtime during a Contracted Month
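As an added worked example (not part of the slide deck), the following Python computes the Availability percentage exactly as the slide defines it, from a list of Downtime incident windows rather than a single minute count. It assumes a 30-day Contracted Month (43,200 minutes; the slide does not state a month length), clips incidents to the month boundaries and merges overlapping windows so concurrent outages are counted only once. The dates and incident windows are constructed so that they total the slide's 432 Downtime minutes.

```python
from datetime import datetime, timedelta

# Assumption: a Contracted Month is the half-open calendar month
# [MONTH_START, MONTH_END). June 2014 is used here: 30 days = 43,200 minutes.
MONTH_START = datetime(2014, 6, 1)
MONTH_END = datetime(2014, 7, 1)  # exclusive

# Constructed sample incidents (start, end): two overlapping windows that must
# not be double-counted, and one that straddles the month boundary, of which
# only the part inside the Contracted Month counts.
SAMPLE_INCIDENTS = [
    (datetime(2014, 6, 3, 2, 0), datetime(2014, 6, 3, 5, 0)),    # 180 min
    (datetime(2014, 6, 3, 4, 0), datetime(2014, 6, 3, 6, 0)),    # overlaps; merged 02:00-06:00 = 240 min
    (datetime(2014, 6, 30, 20, 48), datetime(2014, 7, 1, 1, 0)), # 192 min fall inside June
]


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) windows so concurrent outages count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(incidents, month_start, month_end):
    """(b) in the slide's formula: Downtime minutes inside the Contracted Month."""
    clipped = []
    for start, end in incidents:
        s, e = max(start, month_start), min(end, month_end)
        if s < e:  # drop incidents that lie entirely outside the month
            clipped.append((s, e))
    total = sum((e - s for s, e in merge_intervals(clipped)), timedelta())
    return total.total_seconds() / 60


def contracted_month_minutes(month_start, month_end):
    """(a) and (c) in the slide's formula: total minutes in the Contracted Month."""
    return (month_end - month_start).total_seconds() / 60


def availability_percent(incidents, month_start, month_end):
    """Availability = (month minutes - Downtime minutes) / month minutes, as a percentage."""
    month_min = contracted_month_minutes(month_start, month_end)
    down = downtime_minutes(incidents, month_start, month_end)
    # multiply before dividing so an exact result such as 99.0 stays exact
    return (month_min - down) * 100 / month_min


if __name__ == "__main__":
    print("Contracted Month minutes:", contracted_month_minutes(MONTH_START, MONTH_END))
    print("Downtime minutes:", downtime_minutes(SAMPLE_INCIDENTS, MONTH_START, MONTH_END))
    print("Availability: %.2f%%" % availability_percent(SAMPLE_INCIDENTS, MONTH_START, MONTH_END))
```

With the constructed incidents the 432 Downtime minutes against a 43,200-minute month give 99.00% Availability; a shorter or longer month changes the percentage for the same Downtime, which is why the SLA defines the denominator per Contracted Month rather than as a fixed number.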

  7. Data Privacy - What you need to know
     Personal data generally includes information relating to an individual (think business card: names, email addresses, home address). In some countries, it also includes information about identified partnerships, associations, or corporations.
     IBM is a data processor, an entity that processes personal data on behalf of the data controller, who would be the client responsible for entering the data.
     In most cases, the Passport Advantage agreement covers data privacy for personal data.
     The EU and Switzerland have additional data privacy regulations but have established the ability to create a framework with the U.S. for accessing personal data.
     C&SI SaaS is in the process of obtaining EU Safe Harbor certification. This requires a risk assessment after we go live. In the meantime, we have security measures in place that restrict access to EU client data and cover IBM non-U.S. employee access to the Amsterdam hosting center, in order to comply.
     IBM has an Online Privacy Statement, which is another EU Safe Harbor requirement.

  8. Data Privacy - EU Safe Harbor Certification
     • The EU and Switzerland have specific data privacy regulations and have established the ability to create a framework with the U.S. for accessing personal data, called EU Safe Harbor, to prevent accidental information disclosure or loss
     • C&SI SaaS is in the process of obtaining EU Safe Harbor certification
     • Benefits:
       • Ability to assert Safe Harbor to clients and prospects.
       • Facilitates selling in the EU and Switzerland.
       • Makes us competitive in selling situations.

  9. Data Privacy - Where are the C&SI SaaS solutions hosted?
     Active Data Centers (SoftLayer): Amsterdam, Dallas, Singapore
     • Working with local partners to expand into additional regions

  10. Security - C&SI SaaS Security Practices
     • Data Security – each offering has a Security Practices document
     • Security Policy – states that IBM has published privacy and security policies and that employees are trained in security
     • Access Control
       • Only authorized employees can access client data
       • Support staff for the Cloud Offering use multi-factor authentication and encrypted channels when accessing client data
       • Data transfers are logged
     • Service Integrity & Availability
       • A Change Management process governs changes to the O/S, application s/w and firewall
       • Data center resources are monitored 24x7
       • Internal and external vulnerability scanning and malware detection
       • Information delivery protocols for transmission of data over public networks (e.g. HTTPS, VPN)
     • Physical Security
       • Designed to restrict unauthorized physical access to data center resources.
       • Entry and removal of equipment is logged
     • Compliance
       • Assessments and audits are conducted regularly by IBM’s team to confirm compliance with its information security policies.
       • Workforce security education and awareness training is conducted
     Note: The Security Practices are also included in the Cloud Service Agreement Service Description for each offering.

  11. Security – ITCS104 & Industry Standards Certifications
     C&SI SaaS offerings adhere to the rigorous standards of ITCS104 security. There are many industry standards that require certification; C&SI is evaluating the priority order based on client demand.
     • Health Insurance Portability and Accountability Act (HIPAA) – Not Certified
       • Requires certification through the HIPAA Program Office (HPO)
       • Data Centers do not get certified in HIPAA – see the SoftLayer internal HIPAA whitepaper
     • SSAE 16 – Not Certified
     • SOC2 Type II Compliance – Not Certified
     • Cloud Security Alliance STAR Self Assessment – Not Certified
     • EU Safe Harbor (see EU Safe Harbor section) – Certification in process
