Habitat3 Service Level Statement

This Service Level Statement sets out Habitat3's obligations in delivering a service expected by a Habitat3 Client.

Habitat3's obligations. We will:

a) General 

  1. Provide clients with a unique, virtualised private server and charge fees for the use of that server which include software licensing and all hard drive space required by the server to function and to store client data.

  2. Ensure clients’ Virtual Private Servers (VPS) are available 24 hours a day, 7 days a week at 99.9% availability across a 12 month period (this does not include advertised maintenance windows which will be completed outside of business hours whenever possible).

  3. Host clients’ VPS on a server hardware cluster located in an Australian data-centre facility.

  4. Ensure a minimum of 14 days history of VPS backups is available for restores.

  5. Provide support between 8am and 6pm (Sydney time) Monday to Friday excluding national public holidays.

  6. Provide support for a server which is not accessible due to a Habitat3 fault 24 hours a day, 7 days a week (after hours).

  7. Arrange with clients to complete VPS specific technical work that clients require to be done after hours for an agreed service fee (over and above the monthly subscription fees).

  8. Respond to client requests within 4 business hours of logging the request via the Habitat3 website.

  9. At its own discretion charge additional support fees to provide support for clients’ local computers and networks to allow connectivity between the local network and the hosted server.

  10. Provide comprehensive training on how clients are to request support.

  11. Set up clients’ VPS including;

    1. Windows Server 2016 operating system - installation and configuration

    2. MS Office installation

    3. SQL Server installation

    4. Partner Software Applications and associated tools

    5. Printer drivers

    6. FTP folders to allow for scanning

    7. Virtual Private Networks if required

    8. All AntiVirus and other security tools

  12. Migrate client data from the local network to the VPS on a scheduled weekday at (or prior to) 2pm at no charge. If a date and time outside of these hours is selected by the client, additional fees will apply.

  13. Charge a rescheduling fee if the data migration date is changed by the client.

  14. Charge additional fees if more than one set of data is required to be migrated. 

  15. Provide sufficient RAM and CPU for the VPS to function at a sufficient performance level in an ongoing way at all times.

  16. Ensure a minimum of 5% of Hard Drive space is available to the VPS at all times.

  17. Reserve the right to

    1. restrict access to unlawful or unreasonable online information (websites) and other file sharing or internet based services from the VPS. However, internet access from onsite PCs will not be restricted in any way.

    2. disconnect access to your VPS if any activities are found to be initiated on that VPS that negatively impact the overall service including denial of service or other activities including uploading or downloading large data sets.

    3. restrict access to your Habitat3 VPS to any entity that would be considered a competitor of ours or our HSVPs.

    4. temporarily deactivate a server in the event that its storage is full and you are unwilling to delete data or increase your storage.

  18. Complete technical support only when a web-based support ticket has been submitted

  19. Complete training with you to ensure that you are sufficiently briefed in how to use the Habitat3 support service.

  20. Attempt to enable access to your Habitat3 VPS from Apple OS X and iOS but we may be unsuccessful. In addition, we cannot ensure all Windows based printing functionality will function as expected from a Mac OS as printer drivers on the server and on Windows PCs are needed to provide full printing functionality.

  21. Install supported software into your VPS as user accounts do not have server administrative rights and therefore users will not be able to install some software. In some cases a fee may be charged for this service.
  22. Complete a maximum of 10 full VPS or file restores on request per month. Additional fees will be charged per additional restore requested within that same month.

  23. Export your data from your VPS to an FTP location to allow for download or to an external hard drive and post it to you on request. A fee will be charged to complete this export process. To receive data clients must send us an appropriate sized USB3 hard drive and a self-addressed express post envelope/satchel.

  24. Charge a fee per GB of data that is sent out of the client's VPS over 5GB per active user in a single calendar month charged on the 1st of the month for the prior month's usage at a rate of $0.55 per GB (inc GST) over the 5GB per active user level. Example: If you have 5 users you have a 5 x 5GB allocation = 25GB of outgoing data. More than 25GB will be charged at $0.55 per GB.

  25. Provide a report to clients on request to show outgoing client VPS data traffic volumes. 
  26. Hold the appropriate levels of Cyber Insurance

  27. Email clients via a subscriber email list to provide information about the service including price increases and service notifications. If a client unsubscribes from the list they will no longer receive these important updates. 

b) Software Support within the VPS

  1. Software hosted by clients within their VPS is only supported by the Habitat3 HelpDesk if the software is supported by the associated software vendor under the operating system used by Habitat3 (eg. Windows Server 2016 using Windows Remote Desktop).

  2. Habitat3 does not accept any responsibility for application or data related problems associated with any software you choose to host within your Habitat3 VPS.

  3. We reserve the right to refuse to support and may uninstall any software you have installed or requested to be installed on the Habitat3 VPS other than provided by a Habitat3 HSPV.

  4. Habitat3 may charge additional fees to host a non-HSPV provided software. Examples include CCH, MYOB and Reckon.

  5. MYOB Specific Support - Habitat3 provides support for MYOB when hosted within a client VPS for a monthly fee based on the application year version (2016, 2017) and the application edition (eg AccountRight and Essentials).  

  6. If you use the OzBiz/Optomate/MYOB link solution OzBiz are responsible for ensuring your MYOB is functioning correctly and can import the data from Optomate (via OzBiz). If you use sync software to receive your Optomate export data to be imported into MYOB via OzBiz a monthly fee will apply.

  7. Habitat3 supports the VPS to ensure your software performs as expected. In some cases if you require Habitat3 to complete software maintenance activities that are not related to the server's functionality or a standard upgrade process we will charge an hourly rate to complete the work.

  8. We expect you to have a basic working understanding of Windows PC operating systems and the basic functions required to access the Habitat3 service.

  9. Video or voice conferencing and/or remote access software are not supported on your VPS. These types of programs can negatively impact your internet quota, can reduce bandwidth and performance, can introduce a range of trojans and malware/viruses and ultimately can allow your data to be sent to external servers outside of Australia, which we specifically do not allow as part of our commitment to ensure all data stored on our system does not leave Australian borders.

  10. If you do not use Microsoft's MS Exchange online email service we may not be able to restore emails due to your email service provider's functionality. We strongly recommend the use of MS Exchange online.

  11. Although in some cases we complete software upgrades for our clients, there are occasions where our clients do need to complete parts of an upgrade process specific to their needs (eg. Roll-Over of clients in HandiSoft).

  12. We reserve the right to charge additional fees if you wish to host two or more instances and associated databases of your primary software (eg. HandiSoft, Optomate, FittingWizard, MedicalDirector, FilePro etc).

  13. We reserve the right to introduce additional support fees to maintain software hosted on your VPS which is in addition to your primary software.

  14. We reserve the right to introduce additional support fees to host and maintain SQL databases.

  15. Connecting your Noah software on your PC to your Noah Database on your Habitat3 server is not officially tested or supported by Noah and therefore is not recommended by Habitat3 and Habitat3 does not accept any responsibility for any security or data loss related issues associated with the Noah database. However, Habitat3 will implement the solution as securely as possible at all times. Therefore Habitat3 requires all clients to use a Habitat3 provided VPN connection to link the Noah software on their PCs to the Noah database on the Habitat3 server. Habitat3 also expects you to use a unique password to protect your Noah database (functionality provided by Noah) when hosted on your Habitat3 server and setup a Noah specific backup (also functionality provided by Noah).

  16. Software associated with VOIP and Video Conferencing (eg. SKYPE) is not supported on the Habitat3 virtual servers. This software is designed to be used only on a PC operating system and will also generate large amounts of data download and negatively impact server access and performance.

  17. All HandiSoft software updates released/published via the HandiSoft website can be completed by you, our client.

  18. MedicalDirector/PracSoft/Bluechip updates are completed on your behalf at no additional charge.

  19. FilePro updates are completed by FilePro.

  20. FittingWizard updates are completed by Biotronic.

  21. Optomate has an auto-update feature which automatically upgrades the software to the latest version.

  22. If you require us to complete any software upgrades for you a fee may apply.

  23. We do not support file syncing applications including Dropbox, Google Drive and OneDrive. These applications will be blocked unless approved by Habitat3 and the Account Holder.

  24. Third party cloud backup services can be used if authorised by Habitat3 but clients must complete all file selections, scheduling and monitoring of backup success. Habitat3 is in no way responsible for ensuring the correct files are backed up and that the backup facility is functioning as expected. 

  25. We do support the use of all i360 Cloud Services within the Habitat3 remote desktop environment.

c) Habitat3 Security - Secure support web-portal website

  1. Account Holders are provided with access to a secure, support web-portal to make requests relating to security (eg. updating a password) and billing (eg. adding a user account)

  2. Account Holders can nominate an Authorised Representative (AR) to act on their behalf. This is done via the support web-portal or on the initial service activation web-form. An Authorised Representative can only be nominated on the service activation form if the Account Holder is completing the form. Authorised Representatives can be nominated by the Account Holder at a later date.

  3. Authorised Representatives can access the support web-portal and therefore can make all billing and security requests.

  4. Exceptions are that Authorised Representatives cannot; 

    1. cancel a subscription/service

    2. nominate another Authorised Representative

    3. remove an Account Holder

    4. request a full copy of data via FTP or Hard Drive

    5. change the password of the Account Holder on the VPS

  5. The requests above must be made by the Account Holder not an Authorised Representative.

  6. Authorised Representatives must have an email address that uses the same domain name as the Account Holder and the Account Holder must provide the first and last name and the mobile phone number of the nominated Authorised Representative.  

  7. Habitat3 does not record the password set by Account Holders for the support web-portal.

  8. The support web-portal and all associated support ticket information (including Habitat3 client personal details) are hosted by FreshWorks - privacy policy located at: https://www.freshworks.com/security/

  9. It is the client's responsibility to advise Habitat3 that an Authorised Representative has left the client's employment and should be disabled. This is done via a ticket in the Habitat3 web portal.

  10. If Habitat3 determines an Authorised Representative has left the client's employment we will automatically revoke that Authorised Representative's web portal account and they will no longer be able to make requests.

d) Habitat3 Server & Data Security

Habitat3 is committed to keeping your VPS and the data stored within the VPS environment secure and we take all reasonable precautions to protect it from unauthorised access, modification or disclosure.

DataCentre and Geolocation

  1. Habitat3 uses DataCentres located in Australia only to store VPS data. At no time does Habitat3 send VPS data outside of Australia.

  2. VPS and all associated data and primary backups are stored by Habitat3’s infrastructure partner – Rackspace in specialist HVAC operator Digital Realty’s Sydney DataCentre which maintains both ISMS ISO 27001:2013 and EMS ISO 14001:2015 accreditation. 

  3. Rackspace holds IRAP Certification - https://acsc.gov.au/infosec/irap/certified_clouds.htm 

 

Data Ownership and Control

  1. Account Holders warrant that the data they upload (or ask Habitat3 to upload) to their Habitat3 VPS is lawfully theirs to access and control.

  2. Habitat3 clients store, modify and delete their business data as required and are able to request Habitat3 provide a full copy of their complete data set at any time. Fees do apply to complete these requests.

  3. Habitat3 provides clients with the ability to nominate an Authorised Representative to control their account as per Section D part A.

  4. Habitat3 may grant Habitat3 HPSV entities permanent admin level access to clients’ VPS when formally requested to do so by clients.

  5. Under all and any circumstances client data stored on Habitat3 servers remains the property of the organisation (identified by the ABN) recorded in the Hosted Virtual Private Server signup form.

  6. The account is controlled by the Account Holder nominated on the Hosted Virtual Private Server signup form.


Habitat3 access

  1. Habitat3 staff have access to the Hypervisor and VPS layers to provide support and therefore do have access to information stored on the VPS unless password protected by clients. Hypervisor access is via a VPN protected Gateway VPS with two factor authentication enabled.

  2. Habitat3 completes rigorous background checks on all Habitat3 staff including an Australian National Police Check.

 

Passwords

  1. Habitat3 recommends all clients password protect all their applications and data for additional security.

  2. It is the client's responsibility to select strong passwords for all Habitat3 related services (eg; servers and secure web-portal), to change them regularly and to safeguard them appropriately.

 

Third Party Access

  1. Habitat3 grants third party entities (eg. software vendors) temporary access to clients’ VPS when requested to do so by Account Holders and Authorised Representatives.

  2. If the third party entities require administrative rights Habitat3 will require the third party to make an appointment with Habitat3 and the remote session will be supervised by Habitat3 throughout the access period to ensure no damage is done to the Habitat3 server environment.

  3. In some cases, although difficult, it may be possible for third parties to copy data from the server even under supervision. Only trusted persons should be granted access - even under supervision.

  4. Habitat3 may make an exception for Habitat3 HPSV entities and other trusted third parties.


Data Backups

  1. Each VPS is backed up once every 24 hours allowing for full server and granular file restores.

  2. Full VPS backups provide for a 14 day history of data restores.

  3. Email stored within an Outlook OST file (Office365) is not restorable but a separate backup service is offered and recommended.

  4. Full VPS backups are encrypted and duplicated to a second Sydney DataCentre which holds EMS ISO 14001:2015 accreditation.

  5. Each client's main database (eg. HandiSoft or Optomate) is also backed up internally within the VPS.

  6. That backed up database is also sent to a secure data storage location with Microsoft Azure's Australian Datacentre to create a secondary database backup separate to the full VPS backup. Clients may opt out of this additional database backup service if required.

 

Data Provision

  1. Habitat3 will provide data to Account Holders on request. A small administration fee may be charged.

  2. If a full set of data is requested on service cancellation this will be provided by us sending you a link to a secure FTP download. Data will be made available for 30 days from the date the link is provided. The data will be deleted after 30 days.

Data Synchronization 

  1. Habitat3 may facilitate the connection of applications hosted on the Habitat3 server with external cloud based applications on request from the Account Holder.

  2. In some cases users may be able to create data synchronizations without the assistance or knowledge of Habitat3.

  3. In all cases any application (including API based) synchronizations are controlled and managed by the Client and it is the responsibility of the Client to ensure the cloud based applications are appropriate and secure. 

 

Server Security

  1. Each VPS is a fully complete installation of Windows Server (2012R2 or 2016) using Microsoft’s Remote Desktop Services.

  2. Each VPS is made accessible via Windows Remote Desktop using a unique (non-standard) RDP port number.

  3. If VPS passwords are entered incorrectly 3 times the user account will be “locked” to prevent brute force access.

  4. Each VPS server’s access can be limited to Virtual Private Network access if requested.

  5. Each VPS access can be limited to source IP address if requested.

  6. Habitat3 segregates and separates client VMs using Access Control Lists (ACLs) based on each individual VPS network adapter.

  7. Each VPS is protected by a secure firewall as well as mandatory web filtering, anti-virus and anti-spyware.

  8. Cryptolocking trojans (often called Ransomware) are activated by user actions (eg. malicious website or email attachment) and cannot always be detected by Habitat3's security protocols. If clients identify any encrypted files or know they have activated this type of attack on their VPS, they must advise Habitat3 as soon as possible, as restoring encrypted files from backup is the only solution (each nightly backup is retained for a maximum of 14 days).

  9. Each VPS has a unique set of user passwords for user access which can be changed by you on demand by accessing the Habitat3 support portal.

  10. Habitat3 conducts penetration testing which is completed on a regular basis to identify any potential security risks.

  11. Each VPS logs when users on that specific VPS log in and log out

  12. Each VPS is accessible using two-factor authentication and it is our recommendation that two factor authentication is used at all times. You may choose not to use this security feature against our recommendation. If you do choose to not use two factor authentication Habitat3 does not accept any liability for any damages incurred due to not using this feature.

 

Data Breach

  1. Habitat3 will always notify you via email as soon as possible if a data security breach affecting your data is identified.

  2. The Office of the Australian Information Commissioner’s Guide to securing personal information: ‘Reasonable steps’ to protect personal information discusses security considerations that may be relevant under APP 11 when outsourcing your server hosting requirements.

  3. If any illegal activities (eg. copyright infringement) are conducted by any Habitat3 clients within any Habitat3 hosting services then Habitat3 holds the Habitat3 client responsible and liable to all relevant authorities.

PC Security

  1. Habitat3 requires that all PCs that connect to the Habitat3 Virtual Private Server are protected by business grade, paid for AntiVirus software. In the pre go live Audit, PC security will be tested. If no AntiVirus is detected Habitat3 can quote on and arrange for the appropriate software to be installed.

 

e) Data Protection Laws

  1. Habitat3 is an Australian company with Australian shareholders focused on providing Australian based companies only with Australian-based technology services.

  2. Habitat3 does not consider itself an APP Entity based on the criteria set by the Office of the Australian Information Commissioner.

  3. Habitat3 does not warrant compliance with Data Protection Laws designed to protect those located in jurisdictions outside Australia including Europe.

  4. Habitat3 does not have a Data Processing Addendum in place with the providers of its Australian (Sydney) located infrastructure – Rackspace International GmbH.

  5. Habitat3 clients as personal information controllers must not store the personal information of individuals located in the EU on Habitat3’s Hosted Virtual Private Servers (personal information processor) as Habitat3 does not warrant compliance with the GDPR.

f) Microsoft SQL Licensing

  1. Some software may require the use of Microsoft SQL 

  2. Habitat3 is able to install, support and license SQL

  3. Habitat3 supports SQL WebEdition, Standard Edition and Express 

  4. Where software vendors recommend the use of SQL Standard Edition Habitat3 will always install and charge for SQL Standard to ensure the performance, reliability and security of software databases. 

  5. Clients are able to apply to Habitat3 for an exemption but any exemptions can be revoked at any time.

  6. We reserve the right to introduce additional hosting fees if an additional server is required to host SQL Databases.

 

g) Microsoft Webservers and MS Exchange Online

  1. Webservers will have as standard a non-default RDP port open to allow administrative access.

  2. Webservers will have port 80 open to allow http traffic.

  3. A static IP on the administrator’s internet connection will be required to ensure RDP access is locked down to source IP.

  4. If 3 unsuccessful attempts are made to access the administrative RDP account the account will be temporarily locked for 30 minutes and can be unlocked by our helpdesk on request.

  5. All encryption of data stored is either your responsibility or the responsibility of the web server manager/administrator. This can be done via a number of methods and our support team can assist you to implement the method of your choice. See http://support.microsoft.com/kb/316898 for how to enable SSL encryption for an instance of SQL Server.

  6. Web site functionality built on a Habitat3 virtual web server is your responsibility as a web server manager/administrator but our support staff will provide assistance to restore the SQL server, server operating system and network environment functionality as it was when first deployed to you.

  7. We will not be liable if a web server is compromised via Port 80 due to insufficient security measures put in place by you or the manager of your web server. This includes accessing encrypted or unencrypted data stored within your web server and/or database/s.

  1. Habitat3 provides a service to set up new MS Exchange accounts on behalf of our clients.

  2. All MS Exchange subscription fees are paid by Habitat3 clients directly to Microsoft.

  3. If MS Exchange Online accounts are set up on behalf of our clients, our clients consent to allow Habitat3 access to their MS Exchange accounts for the purposes of setup and ongoing support and maintenance.

  4. All setup fees are outlined on the Habitat3 website and by completing the Migrate to MS Exchange Online form clients agree to make payment via Direct Debit.

  5. All email is hosted by Microsoft.

h) Virtual Private Networks

  1. We will assist you in creating an IPSEC VPN link between your office and your Habitat3 VPS via ADSL2+ connections.

  2. We are able to do so via hardware (modem) or software (installed on your PC)

  3. You will be charged a monthly fee for VPN connections which will be quoted prior to proceeding with the setup.

  4. You will be responsible for purchasing your own VPN modem/router and we will provide details of a recommended router.

  5. Using the recommended router is important as we will not provide additional assistance in connecting a non-recommended router to your VPS.

  6. You must ensure a static IP is provided for your internet connection by your internet service provider (ISP).

  7. We will provide the required VPN configuration details to allow you (or your onsite technical representative) to complete the router VPN setup.

  8. If you are using the modem/router we have recommended and cannot establish a functional VPN connection for the first time we will work with you to complete a successful connection.

  9. If you are not using a recommended router and we are unable to successfully create a VPN connection then we can provide your onsite technical representative with the appropriate details to attempt to make the connection via the non-recommended router.

  10. If you are not using the recommended router and we are unable to successfully create a VPN connection to the VPS then we will require you to obtain the recommended router before further assistance can be provided.

  11. Using an Internet connection to access your VPS that is also used for VOIP services is not recommended due to the negative impact each service will have on the other.

  12. Accessing your Habitat3 VPS via a VPN will incur monthly fees.

i) Miscellaneous 

  1. Habitat3 can provide specific information to assist end users (and their local IT support provider) in completing the Printer Vendor’s Installation forms however Habitat3 does not complete the Printer Vendor’s Installation form on their behalf.

  2. Scanning can be completed direct to the hosted virtual server via FTP.

  3. Internet service must not be a shared service with a 3rd party

  4. Internet service must not be shared with a VOIP service

  5. Recommended VPN modem/router if VPN connections are requested

  6. Although access to your VPS is available from Apple OS X 10.11 and above we are unable to ensure optimal performance from these devices. In addition, Habitat3 cannot ensure all Windows based printing functionality will function as expected from a Mac OS as printer drivers on the server and on Windows PCs are needed to provide full printing functionality.

  7. Any data drives sent to Habitat3 by a Habitat3 Client for data uploading into the data centre must be clearly labelled with your business name. If this is not done we cannot guarantee the return of your drive (eg. flash or USB external hard drive). To allow for return of your drive please enclose an Express Post envelope fully addressed to the location you wish to have it sent.

  8. If the Habitat3 service is cancelled by either party Habitat3 will not deploy any additional services (eg. new user accounts) within the last 30 days of the service being provided.