SERVICE LEVEL AGREEMENTS FOR

TRUSTWAVE MANAGED SECURITY SERVICES

Service Level Agreements (SLAs)
Managed
Security Standard Managed
Device Other
Managed Service Incident Policy Device
Outage Changes
Notification Change Replacement
Notification
Managed Unified Threat 3 Business 1 Business
Management (“UTM”) N/A 30 Minutes 24 Hours
Days Day1

Internal Vulnerability 3 Business 1 Business

Scanning (“IVS”) N/A 30 Minutes N/A
Days Day

Managed Cloud Log 3 Business 1 Business

N/A 30 Minutes 24 Hours
Monitoring Days Day

Managed Compliance 3 Business 1 Business

Monitoring N/A 30 Minutes 24 Hours
Days Day

3 Business 1 Business
Managed Threat Detection 30 Minutes 30 Minutes 24 Hours
Days Day

3 Business 1 Business
Managed SIEM Appliance N/A 30 Minutes 24 Hours
Days Day

Managed Network Access 3 Business 1 Business

Control (“NAC”) N/A 30 Minutes 24 Hours
Days Day

24 Hours
Managed Web Application (Limit 5 per 3 Business 1 Business
30 Minutes 30 Minutes
Firewall (“WAF”) week) Days Day

Managed Secure Email

1 Business
Gateway N/A N/A N/A N/A
Day
(“SEG”) Cloud

Managed Secure Web 24 Hours 3 Business 1 Business

30 30 Minutes (Limit 5 per
Gateway (SWG) week)
Days Day
Minutes

Managed Secure Web 24 Hours 3 Business

30 N/A (Limit 5 per N/A
Gateway (SWG) Cloud week)
Days
Minutes

Copyright © 2017 Trustwave Holdings, Inc. All rights reserved. Trustwave Confidential. Version 3 5/2/2018 8:23 PM 1
Service Level Agreements for Trustwave Managed Security Services

Managed Detection & 3 Business

30 Minutes NA 24 Hours NA
Response for Endpoints Days

Managed Application 3 Business

30 Minutes NA 24 Hours NA
Control Days

3 Business 1 Business
MSS Device Management3 30 Minutes2 30 Minutes 24 Hours
Days Day1

1. One Business day replacement is limited to the Trustwave UTM/IDS only.

2. SLA applies only for MTD option.
3. MSS Device management includes the following device categories:
a. Enterprise Firewall
b. IDPS (Including Trustwave IDS)

Descriptions and Terms for Service Level Agreements (SLAs)

Trustwave agrees to provide the SLAs set forth in the table above in accordance with the following
descriptions and terms:

1. Security Incident Notification

For services in which Trustwave is providing real-time threat analysis, Trustwave will provide a
notification to Client of a potential security compromise within 30 minutes of Trustwave’s
determination of such potential security compromise. If Client provided a notification policy to
Trustwave prior to such potential security compromise, Trustwave will provide such notification
according to that notification policy.
2. Managed Device Outage Notification
Trustwave will provide a notification to Client of an outage of a managed device within 30 minutes of
Trustwave’s determination of such outage. If Client provided a notification policy to Trustwave prior to
such potential security compromise, Trustwave will provide such notification according to that
notification policy.
3. Standard Policy Change
Trustwave will implement standard policy changes, standard signature tuning changes, standard
configuration changes, and standard end user access changes within 24 hours of receipt of a properly
authorized and authenticated policy change request.
• For SEG:

o Trustwave will implement spam tagging configuration and End-User Attachment Policy
changes within one (1) business day of receipt of a properly authorized and authenticated
request.
• For Managed SIEM Appliance Service:

o Examples of Standard Change Requests:

Copyright © 2015 Trustwave Holdings, Inc. All rights reserved. Trustwave Confidential. 2
Service Level Agreements for Trustwave Managed Security Services
▪ Addition of new users to, or removal of users from, the Trustwave Log Management
appliance

▪ Re-setting user passwords for those users that no longer remember their passwords

▪ Creation and/or modification of system-level dynamic lists

• For Managed WAF:

o Examples of Standard Change Requests:

▪ Disabling/enabling of events or change in the actions to be taken following such an

event.

▪ Configuration changes such as changes to site properties, change blocking method,

change profile etc.

Managed WAF services are for OWASP Top Ten events only. Any other event that
will be enabled with the WebDefend Policy applied on the protected site will not be
monitored, analyzed or tuned by Trustwave and will not be included in the WAF
Alerts.

4. Other Changes
Trustwave will implement other managed device and/or network configuration changes within three
(3) business days, provided that at the time of the request Trustwave has received all information
necessary to make such change. This only applies to straightforward managed device and/or
network configuration changes and does not apply to complex or time-intensive changes (such as
new architectures or new systems).

• For Managed SIEM Appliance Service:

o Examples of Other Changes

▪ Adding all new code patches (SPs) to the system that Trustwave has made generally
available

▪ Adding all new content releases, including new or updated device support (DMs /
NUs) that Trustwave has made generally available

▪ Updating of device configuration for currently deployed and supported devices

5. Managed Device Replacement
Trustwave will ship a replacement managed device within one (1) business day of Trustwave’s
determination of such managed device’s failure, provided that Trustwave’s shipping provider must be
open to accept and ship deliveries at such time. Trustwave cannot be held responsible for shipping
delays due to major shipping providers not being open (e.g., Sundays and holidays) or any delays
due to customs when shipping managed devices outside the United States.

Claims Process and Remedies for Service Level Agreements (SLAs)

The process for Client to make claims for any SLAs that are not met and the remedies in connection
therewith are set forth below. Client agrees that its sole and exclusive remedy for any SLA that is not met
is as set forth below.

Copyright © 2015 Trustwave Holdings, Inc. All rights reserved. Trustwave Confidential. 3
Service Level Agreements for Trustwave Managed Security Services
a. Claim Submission. In order to receive a credit, Client must electronically submit a claim for the
credit to mss@trustwave.com within seven (7) business days of the date on which the SLA was
not met. The claim must contain the following information:
• “SLA Credit Request” in the email subject line

• Client’s name

• Client’s contact name

• Client’s contact phone number

• Description of the SLA not met and the date of such failure
b. Claim Review and Determination. Trustwave will make all credit determinations in its reasonable
discretion and will notify the designated contact(s) in writing (which may be in the form of an
email) of its decision. If any request is rejected, the notification from Trustwave will contain the
reasons for such rejection.
c. Service Level Credits. For all accepted claim requests, Trustwave shall provide a service level
credit to Client equal to the pro-rated charges for one (1) full day of the affected services (i.e.,
1/30 of the monthly fee, assuming a thirty (30) day month) for each day during which one or more
of the SLAs was not met. Any service level credits accrued hereunder shall be credited against
the fees owed by Client to Trustwave. In the event that service level credits are still owed as of
the termination or expiration of the applicable agreement, Trustwave shall pay to Client the total
amount of outstanding service level credits.
d. Service Level Credit Exceptions. Service level credits shall not be available to Client if failure to
meet the SLAs set forth above results in any way from (i) Client’s failure to meet its obligations set
forth in its agreement or statement of work with Trustwave for the applicable service; (ii) Client’s
material impediment of Trustwave’s efforts to meet the SLAs; (iii) the negligent acts or omissions
of Client, its employees, contractors, agents or end users; (iv) the failure or malfunction of
equipment, applications or systems not owned or controlled by Trustwave; (v) circumstances or
causes beyond the control of Trustwave; or (vi) scheduled services maintenance, alteration, or
implementation. In addition, service level credits shall be granted only if Client provides
Trustwave full and free access to Client’s facilities and personnel to make necessary repairs and
perform necessary maintenance, testing, etc. to the managed device.
e. Maximum Credits. In the event that Client is entitled to multiple service level credits arising on the
same day, such service level credits shall not be cumulative, and Client shall be entitled to receive
only a service level credit equal to no more than the pro-rated service charges for that day. Under
no circumstances shall Trustwave be required to issue service level credits to Client in any one (1)
calendar month totaling more than fifteen (15) days of service fees. A service level credit earned in
a particular month may not be carried over to another month.

Copyright © 2015 Trustwave Holdings, Inc. All rights reserved. Trustwave Confidential. 4