MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GU I DE
microstrategy.com
01
MicroStrategy
CloudEnvironment
SERVICE
GUIDE
UPDATE PUBLISHED APRIL 2023
microstrategy.com
02
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
CopyrightInformation
All
Contents
Copyright
©
2023
MicroStrategy
Incorporated.
All
Rights
Reserved.
TrademarkInformation
The
following
are
either
trademarks
or
registered
trademarks
of
MicroStrategy
Incorporated
or
its
affiliates
in
the
United
States
and
certain
other
countries:
Dossier, Enterprise Semantic Graph, Expert.Now, Hyper.Now, HyperIntelligence, HyperMobile, HyperScreen, HyperVision, HyperVoice, HyperWeb, Intelligent Enterprise,
M
icr
oStrat
egy
,
MicroStrategy
2019, MicroStrategy 2020, MicroStrategy 2021, MicroStrategyAnalyst Pass, MicroStrategy Architect, MicroStrategy Architect Pass, MicroStrategy Badge, MicroStrategy Cloud, MicroStrategy Cloud
Intelligence, MicroStrategy Command
M
anager
,
MicroStrategy Communicator, MicroStrategy Consulting, MicroStrategy Desktop, MicroStrategy Developer, MicroStrategy Distribution Services,
MicroStrategy Education, MicroStrategy Embedded Intelligence, MicroStrategy Enterprise
M
anager
,
MicroStrategy Federated Analytics, MicroStrategy Geospatial Services, MicroStrategy Identity,
MicroStrategy Identity
M
anager
,
MicroStrategy Identity Server, MicroStrategy Integrity
M
anager
,
MicroStrategy Intelligence Server, MicroStrategy Library, MicroStrategy
M
obile
,
MicroStrategy
Narrowcast
Server,
MicroStrategy
Object
M
anager
,
MicroStrategy
Office,
MicroStrategy
OLAP
Services,
MicroStrategy
Parallel
Relational
In-Memory
Engine
(MicroStrategy
PRIME),
MicroStrategy
R Integration, MicroStrategy Report Services, MicroStrategy SDK, MicroStrategy System
M
anager
,
MicroStrategy Transaction Services, MicroStrategy Usher, MicroStrategy Web, MicroStrategy
Workstation, MicroStrategy World, Usher, and Zero-Click Intelligence.
The
following
design
mark
is
a
registered
trademark
of
MicroStrategy
Incorporated
or
its
affiliates
in
the
United
States
and
certain
other
countries:
Other product and company names mentioned herein may be the trademarks of their respective owners.
Specifications subject to change without notice. MicroStrategy is not responsible for errors or omissions. MicroStrategy makes no warranties or commitments concerning the availability of future
products or versions that may be planned or under development.
microstrategy.com
03
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GU I DE
TABLE OF CONTENTS
1.
Overview...............................................................................................................................................................................04
2.
Cloud Support......................................................................................................................................................................04
3.
Cloud Architecture................................................................................................................................................................05
3.1
Cloud Infrastructure ............................................................................................................... 05
3.1.1
Enterprise
MCE
Architecture
.................................................................................................. 05
3.1.2
High-Availability
MCE
Architecture
.......................................................................................... 08
3.2
Cloud Environment Support ..................................................................................................... 08
3.2.1
Service
Availability
............................................................................................................
08
3.2.2
Root
Cause
Analysis
(RCA)
.................................................................................................... 08
3.2.3
24/7
Cloud
Hotline
............................................................................................................ 08
3.2.4
24/7
Monitoring
and
Alerting
................................................................................................ 08
3.2.5
Backups ........................................................................................................................ 09
3.2.6
Platform
Analytics ............................................................................................................. 09
3.2.7
Maintenance ................................................................................................................... 09
3.2.8
Quarterly
Service
Reviews
..................................................................................................... 09
3.2.9
Infrastructure
Availability
.....................................................................................................
09
3.2.10
Fail-Over
and
Disaster
Recovery
............................................................................................ 09
3.2.11
Disaster
Recovery ............................................................................................................ 10
3.2.12
Updates and Upgrades .............................................................................................................................. 10
3.2.13
Roles and Responsibilities .......................................................................................................................... 11
3.2.14
Non-Migrated MicroStrategy Components........................................................................................................ 11
3.2.15
MCE Migration Licensing ............................................................................................................................ 12
3.2.16
Security ................................................................................................................................................ 12
3.2.16.a
Service
Organization
Controls
(SSAE-18)
................................................................................ 12
3.2.16.b
Health
Insurance
Portability
and
Accountability
Act
(HIPAA)
......................................................... 12
3.2.16.c
Payment
Card
Industry
Data
Security
Standards
(PCI
DSS)
............................................................ 12
3.2.16.d
International
Organization
for
Standardization
(ISO
27001-2)
........................................................ 12
3.2.17
Cloud
Shared
Services
Components
........................................................................................ 13
4.
Service
Availability...............................................................................................................................................................13
4.1
Service
Definition .................................................................................................................. 13
4.2
Service
Remedies .................................................................................................................. 14
4.3
Service
Credits ..................................................................................................................... 14
4.4
Service
Credits
Procedure
......................................................................................................... 14
5.
Terms
Applicable
to
Processing
Personal
Data................................................................................................................15
5.1
Definitions .......................................................................................................................... 15
5.2
Data Processing .................................................................................................................... 16
5.3
Confidentiality ..................................................................................................................... 17
5.4
Sub-Processing ..................................................................................................................... 17
5.5
Transfers of Personal Data by Region ........................................................................................... 17
5.6
Security of Data Processing ...................................................................................................... 19
5.7
Security
Breach
Notification
....................................................................................................... 19
5.8
Audit ................................................................................................................................. 20
5.9
Independent Determination ..................................................................................................... 20
5.10
Data Subject Rights .............................................................................................................. 20
5.11
Return or Deletion of Customer Data ......................................................................................... 21
Appendix A - Cloud Support Offerings ............................................................................................. 22
Appendix B - RACI Diagram ........................................................................................................... 23
microstrategy.com
04
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
1.
Overview
The MicroStrategy Cloud Environment service (“MCE” or “MCE Service”) is a platform-as-a-service (“PaaS”) offering that MicroStrategy manages on its
customers’ behalf in an Amazon Web Services or Microsoft Azure environment that includes access to, collectively, (a) the “Cloud Platform” version of
MicroStrategy software products (an optimized version of the MicroStrategy software platform built specifically for deployment in an Amazon Web
Services or Microsoft Azure environment) licensed by the customer; (b) Cloud Support, as described below; and (c) Cloud Architecture, as described
below.
M
icr
oStrat
egy
s
PaaS delivery model is designed to allow businesses to consume the MicroStrategy Analytics and Mobility platform in a single
tenant architecture without the need to deploy and manage the underlying infrastructure.
MCE offers a distributed compute architecture using cloud-native services provided by either Microsoft Azure or Amazon Web Services. As this
technology evolves, MicroStrategy continually incorporates new services that allow for increased availability, security, or performance to ensure the
latest architecture is available to our customers. At the core of the solution are MicroStrategy Analytics and Mobility, a secure, scalable, and resilient
business intelligence enterprise application platform.
MCE also includes the elements needed to operate, access, and manage the intelligence architecture. Users are provisioned with their own dedicated
intelligence architecture based on a reference architecture. Once provisioned, users can develop, tailor, and manage the application components to
meet their respective needs.
Based on this operating model, customers administer and control the Analytics and Mobility solution while MicroStrategy maintains the supporting
cloud-based infrastructure.
2.
CloudSupport
As an MCE Service customer, you will receive “Cloud Application Support”(“Cloud Support”) in which our Cloud Support engineers will provide ongoing
support over your MCE Service term to assist in maximizing the performance and agility—and minimizing the cost— of your MicroStrategy Cloud
Platform deployment. Cloud Support includes environment configuration (setting up customer accounts in a selected region and CIDR for VPC/VNETs),
enterprise data warehouse integration (including modifying the MicroStrategy configuration for data warehouse connections and opening up any
connectivity for external data warehouses), authentication (SSO/LDAP), and application integration (creating connectivity for the new Office Plugin).
Additionally, Standard Support for the Cloud Platform version of MicroStrategy Products is provided with the licenses for such Products pursuant to
your contract with MicroStrategy and our
TechnicalSupportPoliciesand
P
r
oc
edur
es
,
except that all MCE customers are entitled to four Support
Liaisons (as defined in the Technical Support Policies and Procedures). MicroStrategy Cloud Elite Support is sold to MCE Service customers as an add-on
offering to standard Cloud Support. A subscription to Cloud Elite Support provides MCE Service customers, among other benefits, with enhanced initial
response times for P1 and P2 issues, four additional Support Liaisons (eight total), weekly case management meetings, and customizable system alerts.
Cloud Elite Support customers may also be eligible to receive up to 400 dedicated Enterprise Support resource hours per year.
M
icr
oStrat
egy
s
Cloud
Support Offerings are detailed below in Appendix A.
If a production outage issue occurs, MicroStrategy reserves the right to fix the issue on behalf of the customer without pre-authorization. If a support issue
is logged and determined through the diagnosis that the Root Cause Analysis (RCA) that the stated issue is due to a customer-specific customization
of the MicroStrategy application, the Cloud Support team will provide the customer with available options to resolve the issue. These solutions may
require the purchase of MicroStrategy Professional Services for additional assistance depending on the complexity of the issue.
microstrategy.com
05
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
3.
CloudArch itecture
The Cloud Architecture offered as part of the MCE Service is an optimized reference architecture providing enterprise-grade data design and
go
v
er
nance
,
and consists of (a) the Cloud architecture components required to run your PaaS environment, configured through either the Enterprise
MCE Architecture or High-Availability MCE Architecture constructs detailed below, and (b) Cloud Environment Support, the support services and
components needed to successfully run the infrastructure and architecture components of the MCE Service offering. Additionally, all MCE customers
will receive up to 500 GB per month of data egress at no additional charge. As part of the MCE quarterly service review, we will advise you if your
monthly data egress usage is close to or exceeds 500 GB for each MCE environment.
3.1
Cloud Infrastructure
Our MCE Service offers two types of single tenant platform architectures built based on industry best practices for security, compliance, and availability.
The building blocks of these PaaS components are (i) the Cloud Architecture Standard Offering, which includes a base infrastructure package and
optional additional nodes; and (ii) the Cloud Architecture Small Offering, which includes a base infrastructure package and is available for purchase
by certain small to medium sized customers with less complex requirements. Both Cloud Architecture Offerings include 24x7x365 system monitoring
and alerting, daily backups for streamlined disaster recovery, and annual compliance checks and security certifications. These offerings are procured on
your behalf from Microsoft Azure or Amazon Web Services to host the MicroStrategy Cloud Platform in a MicroStrategy Cloud Environment and will be
operated out of a mutually determined data center location.
A.
The
Cloud
Architecture
Standard
Offering
is
a
fully
managed
cloud
environment
with
separate
metadata
servers,
load
balancers,
firewalls,
data
egress,
and
other
services
to
ensure
ease
of
use
that
consists
of
a
base
infrastructure
package
with
the
option
to
purchase
incremental,
additional
nodes as needed.
I.
Cloud
Architecture
Standard
Offering
includes
the
following
components:
one
(1)
production
node
with
up
to
512
GB
RAM
(24x7
availability)
one
(1)
non-production
development
node
with
up
to
64
GB
RAM
(24x7
availability)
one
(1)
non-production
utility
node
with
up
to
32
GB
RAM
(24x7
availability)
II.
Additional nodes are available to purchase as an add-on to the Cloud Architecture Standard Offering. Each additional node purchased is for use
in either production or non-production environments and includes up to 512 GB RAM (24x7 availability). A customer may purchase additional nodes
to create a clustered production instance (inclusive of a high-performance file system) or for use as separate, standalone environments for quality
assurance or development.
B.
The Cloud Architecture Small Offering is one fully managed cloud environment with a metadata server, load balancers, firewalls, data egress, and
other
services
to
ensure
ease
of
use
that
consists
of
a
base
infrastructure
package
only. The
base
infrastructure
package
in
the
Small
Offering
includes
the following components:
I.
one (1) production node with up to 128 GB RAM (24x7 availability)
II.
one (1) non-production utility node with up to 16 GB RAM (24x7 availability)
3.1.1
Enterprise
MCE
Architecture
Customers who purchase the Standard Cloud offering to
M
icr
oStrat
egy
s
Enterprise MCE Architecture which consists of one Production node,
one Development node, and one Utility node from either Microsoft Azure or Amazon Web Services as demonstrated in the diagrams below.
Each node consists of a single server node for MicroStrategy Intelligence Server, Web, Library,
M
obile
,
and Collaboration. There is a distributed
database for the MicroStrategy metadata and statistics. The Enterprise MCE Architecture can scale to thousands of end users.
microstrategy.com
06
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
microstrategy.com
0
7
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
microstrategy.com
0
8
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
3.1.2
High-Availability
MCE
Architecture
M
icr
oStrat
egy
s
High-Availability MCE Architecture consists of a clustered Enterprise Cloud Architecture spanned across multiple Availability
Zones. MicroStrategy Metadata database is highly available through a multi-Availability Zone architecture offered by cloud providers.
3.2
Cloud Environment Support
As part of the Cloud Architecture offering, we will provide Cloud Environment Support to you by maintaining one or more production and/or non-
production environments for the total number of nodes purchased as part of an MCE Service subscription, by providing the following:
3.2.1
Service
Availability
The standard availability for production nodes will be 24x7 and for non-production nodes is a minimum of 12x5 in the customer’s local time
zone. These parameters may be changed based upon mutual agreement.
3.2.2
Root
Cause
Analysis
(RCA)
For
production
outages,
an
RCA
is
generated
by
the
Cloud
Support
team.
For
other
P1
cases
(outside
of
a
production
outage)
that
are
logged,
an RCA can be requested by the customer. Customers will receive the RCA report within 10 business days of the production outage or the
requested RCA. The final analysis is conducted during business hours on the Eastern Time Zone to allow for management and peer approvals
before formal communication of the stated issues.
Cloud Support will cover all support regarding diagnosis of the RCA. It will also cover product defects, security updates, operating system
updates, and changes. As noted in Section 2, if an RCA determines an issue to be created by a customer-specific customization, MicroStrategy
will provide options outside of Cloud Support, such as Professional Services engagements, to remedy the issue.
3.2.3
24/7
Cloud
Hotline
For Production Node outages where system restoration is paramount, all alerts are sent to a global team for prompt resolution. MicroStrategy
Cloud team functions around the clock to support customers and maintain service SLA’s. All MicroStrategy Cloud customers are assigned
a Cloud Technical Account Manager (CTM) to help escalate cases along with a continuous engagement to ensure customer success.
3.2.4
24/7
Monitoring
and
Alerting
Key system parameters are monitored for all production and non-production nodes. MicroStrategy has alerts on CPU utilization, RAM utilization,
disk space, application-specific performance counters, VPN Tunnel, and ODBC warehouse sources monitoring. As part of
M
icr
oStrat
egy
s
Cloud
Elite Support Offering customers are eligible to receive custom alerts. System performance is logged over time to give the customer and Cloud
Support team the ability to maintain a performant cloud platform.
microstrategy.com
09
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
3.2.5
Backups
Daily backups are performed for all customer systems, including system state, metadata, customizations, and performance characteristics.
MicroStrategy retains five consecutive days of full backups. Backups are dispersed across a region to ensure single points of failure (for example,
a
single
cloud
data
center).
Please
reach
out
to
your
Account
Executive
for
additional
cost
estimates
if
you
require
backups
longer
than
5
days
or need to receive metadata backups.
3.2.6
Platform
Analytics
MicroStrategy Platform Analytics is set up for all MicroStrategy customers on MCE and maintained to allow for instant access to system
performance metrics. MicroStrategy will monitor the MCE Service-based data repository and/or cube memory requirement of the Platform
Analytics database. In the event the space availability is less than 20% of the allocated storage, MicroStrategy will purge older data from the
MCE Service-based Platform Analytics database in 30-day increments until the disk availability is below the 80% capacity threshold upon
customer’s consent. The amount of data that the customer chooses to keep may have a corresponding cost to the customer. Contact your
Account team for a cost estimate to modify the MCE Service, including increases to the data repository and/or cube memory requirements.
3.2.7
Maintenance
Maintenance windows are scheduled monthly to allow for third-party security updates to be applied to the MCE platform. During these
scheduled interruptions, the MCE systems may be unable to transmit and receive data through the provided services. Customers should plan
to create a process that includes the pause and restart of applications, rescheduling subscriptions, and including but not limited to, related
data load routines. When it is necessary to execute emergency maintenance procedures, MicroStrategy will notify customer-specific support
liaisons via email as early as possible—identifying the nature of the emergency and the planned date and time of execution. Customers will
normally
receive
a
minimum
of
two
weeks’ advance
notification
for
planned
maintenance
windows.
However,
if
emergency
maintenance
work
is required, we will use commercially reasonable efforts to give 24 to 48 hour notice before applying a remedy.
3.2.8
Quarterly
Service
Reviews
The assigned designated Cloud Technical Account Manager (CTM) for your MCE will conduct the Quarterly Service Reviews (QSR) with the
business and technical contacts on a quarterly cadence.
3.2.9
Infrastructure
Availability
The MCE Service is architected to withstand the failure of an individual service or process to achieve availability. For clustered environments,
this is achieved by utilizing underlying application features and building on best practices. For single-node environments and clustered
environments, MicroStrategy Cloud also utilizes the advantages of AWS and Azure—allowing the splitting of a particular Region into multiple
Availability Zones (“AZ”) to withstand AZ-wide failure.
3.2.10
Fail-Over
and
Disaster
Recovery
Standard
fail-over
routines
allow
for
backups
and
system
state
data
with
storage
spanning
AZs. The
use
of
multiple
AZs
for
clustered
production
microstrategy.com
10
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
environments creates a physical separation of data between the machines storing production and backup environments. MicroStrategy
provides an RPO (Recovery Point Objective) of 24 hours with an RTO (Recovery Time Objective) of 48 hours upon an Availability Zone failure.
3.2.11
Disaster
Recovery
M
icr
oStrat
egy
s
MCE offering does not provide region failover in its standard offering. However, customers do have the option to purchase
Disaster Recovery (DR) as an add-on to the standard offering at an additional cost. MicroStrategy recommends for a DR purchase there is
a secondary data warehouse site that can be leveraged for failover. MicroStrategy provides the below options for DR:
Hot-
Cold:
Customer environment in the failover Region has been provisioned and shut down and is only started when the disaster occurs in the primary
region. This provides an estimated targeted RPO of 24 hours and an RTO of 6 hours.
Hot-
Warm:
Customer environment in the failover Region has been provisioned and has a daily Metadata refresh. The environment is shut down after the
refresh. This provides a targeted RPO of 24 hours and an RTO of 4 hours.
Hot-
Hot:
Customer environment in the failover Region is running 24/7 and has a daily Metadata refresh. This provides a targeted RPO of 24 hours and
an RTO of 2 hours.
3.2.12
Updates
and
Upgrades
For each Product license, we will deliver to you, at no charge and at your request, an Update as part of the Technical Support Services
subscription. Major version upgrades are completed in a free parallel environment for up to 30 days to allow for customer testing. Updates will
not include any new, separately marketed products. Customers requiring longer than 30 days to complete the upgrade should contact their
Account Executive.
Starting MicroStrategy 2021, all updates are done in place which may include new features and functionalities. MicroStrategy is committed
to providing the latest updates with security fixes, therefore all customers are required to take advantage of the fixes and new features every
quarter. Your CTM will work with you each quarter to schedule the updates. The updates are seamless and carry over all customizations in
your MicroStrategy environment. Customer is responsible for ensuring SDK Mobile apps are recompiled to comply with newer versions of
M
icr
oStrat
egy
.
Customers are also encouraged to perform regression testing on the updated environment along with data validation and
testing other custom workflows.
microstrategy.com
11
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
3.2.13
Roles
and
Responsibilities
The RACITable below in Appendix B highlights the roles and responsibilities of customers and
M
icr
oStrat
egy
.
Please note that some responsibility
relies
on
Cloud
service
providers
and,
therefore,
MicroStrategy
will
comply
with
cloud
providers
Service
level
Agreement
for
service
availability.
3.2.14
Non-Migrated
MicroStrategy
Components
Stated below are MicroStrategy components that will not be hosted in cloud. Customers are highly encouraged to move away from legacy
components and leverage newer and modern replacement of such tools:
1)
MicroStrategy
Narrowcast
Server
replaced
with
Distribution
services
2)
MicroStrategy
Enterprise
Manager
replaced
with
Platform
Analytics
The following items below are supported only for connectivity to MCE. MicroStrategy will not host them in cloud. These solutions may require
additional assistance from MicroStrategy Professional Services.
ApplicationUsers
SecurityandCompliance
Virtualization Layer
ClientDevices
CloudSoftware&Administration
PhysicalServer
MicroStrategyProjects,Warehouse,ETL
Environment & Operating System
Networking&Firewalls
DataCenter&Utilities
microstrategy.com
12
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
1)
IIS web server to support MDX
2)
Customizations not in plugin form
Please contact your Account Executive if you require use of the above components when migrating to MCE.
DistributionServices
All MicroStrategy Cloud customers are required to use their own SMTP server for delivery of email and history list subscriptions. File
subscriptions are pushed to AWS S3 bucket or Azure BLOB Storage provided to the customer as part of the MCE infrastructure to all
customers. Customers may pull file subscriptions from the storage locations provided during the on-boarding process with their CTMs.
3.2.15
MCE Migration Licensing
Two
additional
licenses
are
provided
for
Cloud
operations
and
maintenance.
These
accounts
are
the
‘mstr’
and
‘mstr_svc’
account.
The ‘Administrator’ and ‘Axx-administrator’ or ‘Cxx-administrator’ accounts do not consume licenses.
3.2.16
Security
Various security tools are employed to perform penetration testing and remediation, system event logging, and vulnerability management.
The MCE Service maintains a high security posture in accordance with the following security standards:
3.2.16.a
Service
Organization
Controls
(SSAE-18)
SSAE-18 is the service organization auditing standard maintained by the AICPA. It evaluates Service Organization Controls over the
security, availability, and processing integrity of a system and the confidentiality and privacy of the information processed by the
system. Our MCE Service maintains a SOC2 Type 2 report.
3.2.16.b
Health
Insurance
Portability
and
Accountability
Act
(HIPAA)
Controls
designed
to
protect
health
information.
3.2.16.c
Payment
Card
Industry
Data
Security
Standards
(PCI
DSS)
Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle
cardholder information. MCE maintains a SAQ-D for Service Providers.
3.2.16.d
International
Organization
for
Standardization
(ISO
27001-2)
International Organization for Standardization (ISO 27001-2) is a security management standard that specifies security management best
practices and comprehensive security controls following the ISO 27002 best practice guidance.
microstrategy.com
13
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
)
]
3.2.17
Cloud
Shared
Services
Components
As part of the MCE Service’s platform architecture and in support of the Cloud Environment, we incorporate other solutions to assist in the
management, deployment, and security of the infrastructure, and to complete operational tasks. These include management and detection
response solutions, cloud security posture management solutions, application/infrastructure monitoring, alerting and on call management
solutions, and workflow and continuous integration tools.
4.
Service Availability
M
CE offers a service level agreement of 99.9% for clustered production environments and 99% service level for signal node non-clustered
production environments. Availability is calculated per calendar month as follows:
TotalMinutes*#ofProductionInstances‐Unavailability

TotalMinutes*#ofProductionInstances
*
100
4.1
Service Definition
“Total
M
inut
es
:
the total number of minutes in a calendar month.
“Production
I
nstanc
e
:
an MCE Intelligence Architecture that users are running in production, in support of an operational business process.
“Una
v
ailabilit
y
:
for each Production Node, the total number of minutes in a calendar month during which (1) the Production Node(s) has no external
connectivity; (2) the Production Node(s) has external connectivity but is unable to process requests (i.e., has attached volumes that perform zero read-
write IO, with pending IO in the queue); or (3) all connection requests made by any component of the Production Node(s) fail for at least five consecutive
minutes. “Unavailability” does not include minutes when the MCE is unavailable due to issues related to applications built on the MicroStrategy software
platform, including project, report, and document issues; migration problems related to user design; ETL application problems; improper database
logical design and code issues; downtime related to scheduled maintenance; downtime experienced as a result of user activity; general internet
unavailability; and other factors out of
M
icr
oStrat
egy
s
reasonable control.
“Total
Una
v
ailabilit
y
:
the
aggregate
unavailability
across
all
Production
Instances.
For any partial calendar month during which customers subscribe to the MCE, availability will be calculated based on the entire calendar month, not
just the portion for which they subscribed.
[(
microstrategy.com
14
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
4.2
Service Remedies
If the availability standard of 99.9% (for clustered Production Nodes) and 99% (for non-clustered Production Node) is not met in any given calendar
month, customers may be eligible for a Service Credit, according to the definitions below. Each Service Credit will be calculated as a percentage of the
total
fees
paid
by
customers
for
the
MCE
Service,
managed
by
MicroStrategy
within
the
calendar
month
that
a
Service
Credit
has
been
accrued. This
is
the exclusive remedy available to customers in the event MicroStrategy fails to comply with the service level requirements set forth in the availability
designed in Section 4.
4.3
Service Credits
ClusteredProductionNode:
Availability
less
than
99.9%
but
equal
to
or
greater
than
99.84%:
1%
Service
Credit
Availability
less
than
99.84%
but
equal
to
or
greater
than
99.74%:
3%
Service
Credit
Availability
less
than
99.74%
but
equal
to
or
greater
than
95.03%:
5%
Service
Credit
Availability
less
than
95.03%:
7%
Service
Credit
NonClustered Production Node:
Availability
less
than
99%
but
equal
to
or
greater
than
98.84%:
1%
Service
Credit
Availability
less
than
98.84%
but
equal
to
or
greater
than
98.74%:
3%
Service
Credit
Availability
less
than
98.74%
but
equal
to
or
greater
than
94.03%:
5%
Service
Credit
Availability
less
than
94.03%:
7%
Service
Credit
4.4
Service Credits Procedure
To
receive
a
Service
Credit,
customers
must
submit
a
MicroStrategy
case
on
or
before
the
15th
day
of
the
calendar
month
following
the
calendar
month
in which the Service Credit allegedly accrues that includes the following information: (a)the words “SLA Credit Request” in the “Case Summary/ Error
Message” field; (b) a detailed description of the event(s) that resulted in unavailability; (c) the dates, times, and duration of the unavailability; (d) the
affected
system
or
component
ID(s)
provided
to
customers
by
MicroStrategy
during
onboarding
and
Intelligence
Architecture
delivery
activities;
and
(e)
a detailed description of the actions taken by users to resolve the unavailability. Once MicroStrategy receives this claim, MicroStrategy will evaluate the
information
provided
and
any
other
information
relevant
to
determining
the
cause
of
the
Unavailability
(including,
for
example,
information
regarding
the availability performance of the Intelligence Architecture, third-party software or services, dependencies on customer-hosted or subscribed software
or
services,
operating
system,
and
software
components
of
the
MCE). Thereafter,
MicroStrategy
will
determine
in
good
faith
whether
a
Service
Credit
has
accrued
and
will
notify
customers
of
its
decision.
If
MicroStrategy
determines
that
a
Service
Credit
has
accrued,
then
at
its
discretion,
it
will
either
(1) apply the Service Credit to the next MCE Service invoice sent or (2) extend the MCE Service Term for a period commensurate to the Service Credit
amount. Customers may not offset any fees owed to MicroStrategy with Service Credits.
microstrategy.com
15
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
5.
TermsApplicabletoProcessingPersonalData
This Section 5 will apply only to the extent there is no other executed agreement in place regarding the same subject between MicroStrategy and
the customer (“Customer”), including any order(s) and/or a master agreement between the customer and MicroStrategy (collectively, the “Governing
Agreement”), and shall be considered a Data Processing Addendum (DPA). Except as amended by this DPA, the Governing Agreement will remain
in full force and effect.
5.1
Definitions
“Applicable Data Protection Law” means all applicable laws and regulations where these apply to
M
icr
oStrat
egy
,
its group and third parties who may
be utilized in respect of the performance of the MCE Service relating to the processing of personal data and privacy, including, without limitation, the
General Data Protection Regulation (EU) 2016/679, the United Kingdom General Data Protection Regulation, and the California Consumer Protection Act
(Cal. Civ.
Code
§§
1798.100
et.
seq.)
(CCPA),
as
amended
and
expanded
by
the
California
Privacy
Rights
Act
(CPRA). The
terms “Controller,”“Commissioner,”
“Business,” “Processor,” “Data Subject,” “Supervisory Authority,” “process,” “processing,” and “personal data” shall be construed in accordance
with
their
meanings as defined under Applicable Data Protection Law.
“Customer Group” means Customer and any affiliate, subsidiary, subsidiary undertaking and holding company of Customer (acting as a Controller)
accessing or using the MCE Service on Customer’s behalf or through Customer’s systems or any other third party who is permitted to use the MCE
Service pursuant to the Governing Agreement between Customer and
M
icr
oStrat
egy
,
but who has not signed its own Order Form with
M
icr
oStrat
egy
.
“EU Standard Contractual Clauses” means Module 3 those clauses comprised within the European Commission Decision (2021/914) of
4 June 2021
on standard contractual clauses for the transfer of personal data to processors established in third countries under General Data Protection Regulation
(EU) 2016/679, as may be updated, supplemented, or replaced from time to time under Applicable Data Protection Law and which are incorporated
by reference herein forming part of this DPA and a copy of which can be accessed at www.microstrategy.com/en/legal/contract-hub, subject to the
provisions of Section 5.5
belo
w
.
“International Transfer” means a transfer of personal data from a country within the European Economic Area (EEA) or Switzerland or the United Kingdom
(both countries not in the EEA or the EU) to a country or territory not recognized by the European Commission, Switzerland or the United Kingdom as
providing
an
adequate
level
of
protection
for
personal
data
or
subject
to
any
requirement
to
take
additional
steps
to
adequately
protect
personal
data.
“MCE Service” means the MicroStrategy Cloud Environment service, a platform-as-a-service offering that we manage on the Customer’s behalf in an
Amazon Web Services or Microsoft Azure environment that includes access to, collectively: (a) the“Cloud Platform” version of our Products (an optimized
version
of
the
MicroStrategy
software
platform
built
specifically
for
deployment
in
an
Amazon
Web
Services
or
Microsoft
Azure
environment)
licensed
by
the
Customer;
(b)
Cloud
Support;
and
(c)
the
Additional
PaaS
Components
(as
defined
in
the
MicroStrategy
Cloud
Environment
Service Terms
section
of
M
icr
oStrat
egy
s
Standard Software License and Services Agreement) Customer has purchased for use with such Products.
“Sub-Processor” means
any
third
party
appointed
by
MicroStrategy
to
process
personal
data.
“UK Addendum” means the addendum to the EU Standard Contractual Clauses for the transfer of personal data to third countries compliant with
the United Kingdom General Data Protection Regulation, which has Module 3 of the EU Standard Contractual Clauses incorporated and engaged by
reference.
microstrategy.com
16
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
5.2
Data Processing
As a Processor, MicroStrategy will process the personal data that is uploaded or transferred to the MCE Service as instructed by Customer or provided
by
Customer
as
Controller
(collectively, “Customer
Data”)
in
accordance
with
Customer’s
documented
instructions.
Customer
authorizes
M
icr
oStrat
egy
,
on its own behalf and on behalf of the other members of its Customer Group, to process Customer Data during the term of this DPA as a Processor for
the purpose set out in the table below.
CustomerDatainrelationtoMCEService
Subjectmatterofprocessing
Storage
of
data,
including
without
limitation
personal
data,
provided
by
Customer
for
its
business
purpose
Durationofprocessing
MCE Service Term and 90 days following expiry of such term
Natureofprocessing
Storage, back-up, recovery, and processing of Customer Data in connection with the MCE Service.
All data is encrypted at rest.
Purposeofprocessing
Provision of the MCE Service
Typeofpersonaldata
The Customer Data uploaded or transferred for processing through the MCE Service by the Customer
Categoriesofdatasubject
Employees or agents of the Customer and Customer’s customers, prospects, business partners and vendors,
and those individuals who have been authorized to use the MCE Service by the Customer
The parties agree that this DPA is Customer’s complete and final documented instructions to MicroStrategy in relation to Customer Data. Additional
instructions outside the scope of this DPA (if any) require prior written agreement between MicroStrategy and Customer, including agreement on any
additional fees payable by Customer to MicroStrategy for carrying out such instructions. Customer shall ensure that its instructions comply with all laws,
rules, and regulations applicable in relation to Customer Data, and that the processing of Customer Data in accordance with Customer’s instructions will
not cause MicroStrategy to be in breach of Applicable Data Protection Law and/or this DPA or applicable agreements with Sub-Processors, including the
EU Standard Contractual Clauses and UK Addendum. MicroStrategy will not process Customer Data outside the scope of this DPA.
MicroStrategy
will:
1.
Process
Customer
Data
only
on
documented
instructions
from
Customer
(unless
MicroStrategy
or
the
relevant
Sub-Processor
(see
Section
5.4
below)
is
required
to
process
Customer
Data
to
comply
with
applicable
laws,
in
which
case
MicroStrategy
will
notify
Customer
of
such
legal
requirement
prior
to such processing unless such applicable laws prohibit notice to Customer on public interest grounds);
2.
Promptly
inform
the
Customer
if,
in
its
reasonable
opinion,
any
instruction
received
from
the
Customer
infringes
Applicable
Data
Protection
Law;
3.
Ensure
that
any
individual
authorized
by
MicroStrategy
to
process
Customer
Data
complies
with
Section
5.2(1)
above;
and
4.
At
the
option
of
Customer,
delete
or
return
to
Customer
all
Customer
Data
after
the
end
of
the
provision
of
the
MCE
Service,
relating
to
processing,
and delete any remaining copies. MicroStrategy will be entitled to retain any Customer Data which it has to keep
to comply with any applicable law
or which it is required to retain for insurance, accounting, taxation, or record keeping purposes. Section 5.3 will continue to apply to retained Customer
Data.
MicroStrategy will not“sell” Customer Data as that term is defined in the CCPA, nor will it retain, use, or disclose Customer Data for any purpose other than
for the specific purpose of performing the services specified in the Governing Agreement, or as otherwise permitted by the CCPA or its implementing
regulations. MicroStrategy certifies that it understands the restrictions and obligations under the CCPA, including the restrictions and obligations in the
previous sentence, and will comply with CCPA. In addition, MicroStrategy will comply with any applicable amendments to the CCPA or its regulations.
microstrategy.com
1
7
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
5.3
Confidentiality
MicroStrategy will not disclose Customer Data to any government or any other third party, except as necessary to comply with the law or a valid
and binding order of a government or law enforcement agency (such as a subpoena or court order). If a government or law enforcement agency
sends MicroStrategy a demand for Customer Data, MicroStrategy will attempt to redirect the government or law enforcement agency to request that
data directly from the Customer. As part of this effort, MicroStrategy may provide Customer’s basic contact information to the government or law
enforcement agency. If compelled to disclose Customer Data to a government or law enforcement agency, then MicroStrategy will give the Customer
reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy, unless MicroStrategy is legally prohibited
from doing so. MicroStrategy restricts its personnel from processing Customer Data without authorization by
M
icr
oStrat
egy
,
and imposes appropriate
contractual
obligations
upon
its
personnel,
including,
as
appropriate,
relevant
obligations
regarding
confidentiality,
data
protection,
and
data
security.
If the EU Standard Contractual Clauses or UK Addendum apply, nothing in this Section 5.3 varies or modifies the EU Standard Contractual Clauses or UK
Addendum, including without limitation the obligations within clause 5(a).
5.4
SubProcessing
Customer
provides
general
authorization
to
MicroStrategy
to
engage
its
own
affiliated
companies
for
the
purposes
of
providing
the
MCE
Service
and
to
use Sub-Processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. The MicroStrategy website at https://
community.microstrategy.com/s/article/GDPR-Cloud-Sub-Processors list the Sub- Processors appointed by MicroStrategy that are currently engaged to
carry out specific processing activities on behalf of Customer. Customer hereby consents to
M
icr
oStrat
egy
s
use of Sub-Processors as described in this
Section 5.4.
Before MicroStrategy engages any new Sub-Processor to carry out specific processing activities, MicroStrategy will update the applicable
website. If Customer objects to a new Sub-Processor, Customer shall inform MicroStrategy in writing within thirty (30) days following the update of
the applicable Sub-Processors list and such objection shall describe Customer’s legitimate reasons for objection. If Customer objects to the use of
a new Sub-Processor pursuant to the process provided under this Section 5.4, MicroStrategy will not engage such Sub-Processor to carry out specific
processing activities on behalf of Customer without Customer’s written consent. Further, MicroStrategy shall have the right to cure any objection by,
in its sole discretion, either choosing to a) take any corrective steps requested by Customer in its objection (which steps will be deemed to resolve
Customer’s objection) and proceed to use such Sub-Processor or b) suspend and/or terminate any product or service that would involve the use of
such Sub-Processor.
If MicroStrategy appoints a Sub-Processor, MicroStrategy will (i) restrict the Sub-Processor’s access to Customer Data only to what is necessary to provide
the MCE Service to Customer and will prohibit the Sub-Processor from accessing Customer Data for any other purpose; (ii) will enter into a written
agreement with the Sub- Processor; (iii) to the extent the Sub-Processor is performing the same data processing services that are being provided by
MicroStrategy under this DPA, impose on the Sub-Processor substantially similar terms to those imposed on MicroStrategy in this DPA; and (iv) comply
with the EU Standard Contractual Clauses and/or UK Addendum (where applicable), which separately contain obligations in respect of the terms
to be imposed in respect of an onward transfer of Personal Data to a Sub-Processor. MicroStrategy will remain responsible to the Customer for the
performance of the Sub-Processor’s obligations.
5.5
Transfers of Personal Data by Region
With respect to Customer Data containing personal data that is uploaded or transferred to the MCE Service, Customer may specify the geographic
region(s) where that Customer Data will be processed within
M
icr
oStrat
egy
s
Sub-Processor’s network (e.g., the EU-Dublin region). A Sub-Processor will
not transfer that Customer Data from Customer’s selected region except as necessary to maintain or provide the MCE Service, or as necessary to comply
with a law or binding order of a law enforcement agency.
To
provide
the
MCE
Service,
Customer
acknowledges
and
confirms
MicroStrategy
may
make
International
Transfers
of
Customer
Data
including
onward
microstrategy.com
1
8
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
transfers to its affiliated companies and/ or Sub-Processors. MicroStrategy has signed (as data exporter) with its Sub-Processors (as data importers)
(a) a copy of the EU Standard Contractual Clauses and where applicable, (b) a copy of the UK Addendum to safeguard those International Transfers
which occur. In the event that the form of the EU Standard Contractual Clauses or UK Addendum is changed or replaced by the relevant authorities
under Applicable Data Protection Law, MicroStrategy shall complete the updated form of the EU Standard Contractual Clauses and/or UK Addendum
and notify the Customer as Controller of such form. Provided that such form is accurate and applicable to MicroStrategy as Processor, such form
shall be binding on the parties (which may include the Customer and/or Sub-Processor dependent on the changed or revised document) when the
relevant
parties
have
executed
the
revised
form,
subject
to
the
expiration
of
a
grace
period,
if
any,
determined
by
the
relevant
Supervisory
Authority.
If the Customer does not enter to and execute the EU Standard Contractual Clauses or UK Addendum, where it is required to do so under Applicable
Data Protection Law (either out of a failure to provide the appropriate form or because, in
M
icr
oStrat
egy
s
sole discretion, Customer is unreasonably
withholding, delaying or conditioning execution of such form), MicroStrategy shall have the right to suspend and/or terminate any product or service
requiring International Transfer of Customer Data upon giving the Customer thirty (30) days written notice.
For International Transfers which are subject to the Applicable Data Protection Law of Switzerland, the additional clauses below shall be added as an
annex to this DPA:
1.
“The
term
EU
Member
State
in
this
DPA
shall
always
include
the
EEA
Member
Countries
and
Switzerland.”
2.
“The data transfer is subject to the provisions of the GDPR. The provisions of the Swiss Data Protection Act are additionally applicable on a secondary
basis.”
3.
“With regard to data transfers of personal data from Switzerland, the Federal Data Protection and Information Commissioner is the competent
Supervisory Authority.”
4.
“Pursuant to the current Swiss Data Protection Act and until the revised Swiss Data Protection Act enters into force, the term personal data also
includes the data of legal entities and not only natural persons.”
Notwithstanding the foregoing, the EU Standard Contractual Clauses and/or UK Addendum (or obligations the same as those under the EU Standard
Contractual Clauses or the UK Addendum) will not apply if MicroStrategy has adopted an alternative recognized compliance standard for the lawful
transfer of personal data outside the EEA, UK
or Switzerland, to protect Customer Data.
In
respect
of
other
International Transfers,
(outside
of
those
covered
by
the
EU
Standard
Contractual
Clauses
and/or
the
UK
Addendum)
MicroStrategy
will only make a transfer of Customer Data if:
1.
Adequate safeguards are in place for that transfer of Customer Data in accordance with Applicable Data Protection Law, in which case Customer will
execute any documents (including without limitation EU Standard Contractual Clauses, the UK Addendum, or other such accepted transfer mechanism)
relating to that International Transfer, which MicroStrategy or the relevant Sub-Processor reasonably requires it to execute from time to time; or
2.
MicroStrategy or the relevant Sub-Processor is required to make such an International Transfer to comply with applicable laws, in which case
MicroStrategy will notify Customer of such legal requirement prior to such International Transfer unless applicable laws prohibit notice to Customer on
public interest grounds; or
3.
Otherwise
lawfully
permitted
to
do
so
by
Applicable
Data
Protection
Law.
microstrategy.com
19
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
5.6
Security of Data Processing
MicroStrategy
has
implemented
and
will
maintain
appropriate
technical
and
organizational
measures,
including,
as
appropriate:
1.
Security
of
the
MicroStrategy
network;
2.
Physical
security
of
the
facilities;
3.
Measures
to
control
access
rights
for
MicroStrategy
employees
and
contractors
in
relation
to
the
MicroStrategy
network;
and
4.
Processes for regularly testing,
assessing,
andevaluatingtheeffectivenessofthetechnicalandorganizationalmeasuresimplementedby
M
icr
oStrat
egy
Customer may elect to implement appropriate technical and organizational measures in relation to Customer Data, directly from
M
icr
oStrat
egy
s
Sub-
Processor. Such appropriate technical and organizational measures include:
1.
Pseudonymization
and
encryption
to
ensure
an
appropriate
level
of
security;
2.
Measures
to
ensure
the
ongoing
confidentiality,
integrity,
availability,
and
resilience
of
the
processing
systems
and
services
provided
by
Customer
to
third parties;
3.
Measures to allow Customer to backup and archive appropriately to restore availability and access to Customer Data in a timely manner in the event
of a physical or technical incident; and
4.
Processes
for
regularly
testing,
assessing,
and
evaluating
the
effectiveness
of
the
technical
and
organizational
measures
implemented
by
Customer.
5.7
Security Breach Notification
MicroStrategy will, to the extent permitted by law, notify Customer without undue delay after becoming aware of any actual accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Data by MicroStrategy or
M
icr
oStrat
egy
s
Sub-Processor(s) (a “Security
Incident”). To the extent such a Security Incident is caused by a violation of the requirements of this DPA by
M
icr
oStrat
egy
,
MicroStrategy will make
reasonable efforts to identify and remediate the cause of such a breach, including steps to mitigate the effects and to minimize any damage resulting
from the Security Incident.
Customer agrees that an unsuccessful Security Incident will not be subject to this Section 5.7. An unsuccessful Security Incident is one that results in no
actual unauthorized access to Customer Data or to any of
M
icr
oStrat
egy
s
or
M
icr
oStrat
egy
s
Sub-Processor’s equipment or facilities storing Customer
Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-in attempts, denial
of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents; and
M
icr
oStrat
egy
s
obligation to report or respond to a Security Incident under this Section 5.7 is not, and will not, be construed as an acknowledgment by
MicroStrategy of any fault or liability of MicroStrategy with respect to the Security Incident.
Notification(s) of Security Incidents, if any, will be delivered to Customer by any means MicroStrategy selects, including via email. It is Customer’s
responsibility to ensure that they provide MicroStrategy with accurate contact information and secure transmission at all times.
The information made available by MicroStrategy is intended to assist Customer in complying with their obligations under Applicable Data Protection
Law in respect of data protection impact assessments and prior consultation.
microstrategy.com
20
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
5.8
Audit
MicroStrategy will allow for and contribute to audits (including those under the EU Standard Contractual Clauses/UK Addendum where these apply),
which shall include inspections, conducted by Customer or another auditor mandated by Customer, provided that the Customer gives MicroStrategy at
least 30 days’ reasonable prior written notice of such audit and that each audit is carried out at Customer’s cost, during business hours, at MicroStrategy
nominated facilities, and so as to cause the minimum disruption to
M
icr
oStrat
egy
s
business and without Customer or its auditor having any access to
any
data
belonging
to
a
person
other
than
Customer.
Any
materials
disclosed
during
such
audits
and
the
results
of
and/or
outputs
from
such
audits
will
be kept confidential by Customer. Such audit shall be performed not more than once every 12 months, and Customer shall not copy or remove any
materials from the premises where the audit is performed.
Customer acknowledges and agrees (having regard to Section 5.4(iii)) that in respect of
M
icr
oStrat
egy
s
auditing rights of its Sub-Processor providing
infrastructure services for the MCE Service, such Sub-Processor will use external auditors to verify the adequacy of security measures including the
security of the physical data centers from which the Sub-Processor provides the Services. This audit will be performed at least annually according to ISO
27001
standards
or
other
such
alternative
standards
that
are
substantially
equivalent
to
ISO
27001
by
independent
third-party
security
professionals
at
the Sub-Processor’s selection and expense, and will result in the generation of an audit report (“Report”), which will be the Sub-Processor’s confidential
information
or
otherwise
be
made
available
subject
to
a
mutually
agreed
upon
non-disclosure
agreement
covering
the
Report
(“NDA”).
MicroStrategy
will not be able to disclose such Report to Customer without permission from the Sub-Processor. At Customer’s written request during the exercise of
its audit rights under this Section 5.8, MicroStrategy will request the permission of the Sub-Processor to provide Customer with a copy of the Report so
that Customer can reasonably verify the Sub-Processor’s compliance with its security obligations. The Report will constitute confidential information
and the Sub-Processor may require Customer to enter into an NDA with them before releasing the same.
If the EU Standard Contractual Clauses or UK Addendum apply under Section 5.5, then Customer agrees to exercise its audit and inspection right by
instructing
MicroStrategy
to
conduct
an
audit
as
described
in
this
Section
5.8,
and
the
parties
agree
that
notwithstanding
the
foregoing,
nothing
varies
or modifies the EU Standard Contractual Clauses or UK Addendum nor affects any Supervisory Authority’s or Data Subject’s rights under those EU
Standard Contractual Clauses or UK Addendum.
5.9
IndependentDetermination
Customer is responsible for reviewing the information made available by MicroStrategy and its Sub- Processor relating to data security and making
an independent determination as to whether the MCE Service meets Customer’s requirements and legal obligations as well as Customer’s obligations
under this DPA.
5.10
Data Subject Rights
Taking into account the nature of the MCE Service, Customer can utilize certain controls, including security features and functionalities, to retrieve,
correct, delete, or restrict Customer Data. MicroStrategy will provide reasonable assistance to Customer (at Customer’s cost) in:
1.
Complying
with
its
obligations
under
the
Applicable
Data
Protection
Law
relating
to
the
security
of
processing
Customer
Data;
2.
Responding to requests for exercising Data Subjects’ rights under the Applicable Data Protection Law, including without limitation by appropriate
technical and organizational measures, insofar as this is possible;
3.
Documenting any Security Incidents and reporting any Security Incidents to any Supervisory Authority and/or Data Subjects;
4.
Conducting
privacy
impact
assessments
of
any
processing
operations
and
consulting
with
supervisory
authorities,
Data
Subjects,
and
their
representatives accordingly; and
5.
Making
available
to
Customer
information
necessary
to
demonstrate
compliance
with
the
obligations
set
out
in
this
DPA.
microstrategy.com
21
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
5.11
Return or Deletion of Customer Data
Due to the nature of the MCE Service,
M
icr
oStrat
egy
s
Sub-Processor provides Customer with controls that Customer may use to retrieve or delete
Customer Data. Up to the termination of the
Governing Agreement between Customer and
M
icr
oStrat
egy
,
Customer will continue to have the ability
to retrieve or delete Customer Data in accordance with this Section 5.11. For 90 days following that date, Customer may retrieve or delete any remaining
Customer Data from the MCE Service, subject to the terms and conditions set out in the Governing Agreement, unless (i) it is prohibited by law or the
order of a governmental or regulatory body, (ii) it could subject MicroStrategy or its Sub-Processors to liability, or (iii) Customer has not paid all amounts
due under the Governing Agreement. No later than the end of this 90-day period, Customer will close all MicroStrategy accounts. MicroStrategy will
delete Customer Data when requested by Customer through the MCE Service controls provided for this purpose.
microstrategy.com
22
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
Appendix A‐Cloud Support Offerings
CloudSupport
CloudEliteSupport
Issue resolution by dedicated Cloud Technical
Account
Manager
Yes
Yes
Number
of
designated
Support
Liaisons
4
8
Architect
Education
Passes
0
8
Enterprise
Support
from
an
dedicated
Enterprise
Support
(ES)
resource
None
Eligible
for
up
to
400
ES
resource
hours
annually
Initial
response
times
for
P1
and
P2
issues*
*priority definitions as provided in the
Technical Support Policy and Procedures
P1 < 2hr
P2 < 2hr
P1 < 15 minutes
P2 < 1 hour
P1 and P2 issues updates
As status changes or daily
P1
every
1
hour
P2
as
status
changes
or
twice
a
day
Case
management
meetings
No
Weekly
System
alert
notifications
No Customizable
Quarterly
service
reporting
Via
email
Via
meeting
Location based 24x7 support
No Yes
microstrategy.com
23
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
Appendix B‐RACI Diagram
DESCRIPTION
MCE
STANDAR D
CUSTOMER
CloudPlatform
Environment
Build
Automated
build,
security
boundaries,
etc.
RA CI
Infrastructure
Maintenance
Monthly/Emergency
Maintenance Windows,
OS
Updates
RA
I
Environment
Resizing
Upsizing/Downsizing
of
the VMs
RA CI
Infrastructure
Management
All cloud components such as VMs, Storage, DBMS (for MD/PA)
RA
Backups
Compute Nodes, cache/cubes
files, MD Repository, ODBC and
Config
files
RA
Restores
Compute Nodes, cache/cubes
files, MD Repository, ODBC and
Config
files
RA CI
24x7
Support
RA
Security&Compliance
ISO27001
Certifications
with
3rd
party
audit
RA
I
SOC2/Type
2
Certifications
with
3rd
party
audit
RA
I
GDPR
Certifications
with
internal
audit
RA
I
PCI
Certifications
with
internal
audit
RA
I
HIPAA
Certifications
with
3rd
party
audit
RA
I
24x7
Security
Incident
Event
Management
Security
logs
sent
to
SIEM
for
automatic
analyses
RA
I
Vulnerability
Management
Scanning,
remediation
following
the
NIST
standards
RA
I
Penetration
Testing
Quarterly
environmental
external
scanning
RA
I
Data
Encryption
at
Rest
AES
256
encryption
on
storage
volumes
and
MD
DB
RA
I
Monitoring
Cloud
Infra
Components
VMs,
Storage,
DBMS
(for
MD/PA),
Network
components
RA
I
Application
Services
MicroStrategy
Components
like
I-Server,
WebApps,
etc
RA
I
Data
Connectivity
VPN,
PrivateLink
RA CI
Intrusion
Detection SIEM RA
I
Networking
Connections
On-Prem
Connectivity
for
internal
access
RA CI
Networking
Logging
Load
balancer
logs,
etc.
RA
Data source and Databases connections
Deployment/configuration
of
VPN
Tunnels,
Private
Links,
Express
route,
etc.
RA RA
Networking
Connections
On-Prem
Connectivity
for
internal
access
RA RA
MicroStrategy Application Administration
Reference
Architecture
MicroStrategy Cloud Environment Architecture
RA
I
Upgrades
Platform
Upgrades
via
parallel
environments
R
ACI
Desc
Over
the
top
Updates
-
no
parallel
environment
required
R
ACI
Post
Upgrade
QA
(Availability
of
the
Services)
Testing
and Validation
of
Services
health/availability
RA CI
Post Upgrade Regression Testing
Customer Regression and functional tests/certifications
I
RA
ACTIVITY
microstrategy.com
24
MICROSTRATEGY CLOUD ENVIRONMENT SERVICE GUIDE
DESCRIPTION
MCE
STANDAR D
CUSTOMER
Customer
Data
Customer
Data
RA
MicroStrategy
Project
Development
Content
building
and
delivery
RA
MicroStrategy
Project
and
I-Server
Configuration
Project
and
I-Server
specific
settings
RA
Customizations
Custom
workflows,
plugins/SDK
Customizations,
MicroStrategy
Webapps
Customizations
CI RA
MicroStrategy
Application
User
Permissions
Customer controls who has access to what reports
RA
Authentication
set
up
SSO
and
LDAP
Supported
Authentication
Methods
R
ACI
Metadata
Modelling
Building
rules
RA
Platform
Analytics
Initial
configuration
only
+
Monitoring
of
availability
of
the
services
RA
SMTP
Server
for
Distribution
Services
Your MCE’s DS sent via your own SMTP server
CI RA
File
Subscriptions
Customer
configures
to
send
content
to
files
on
disk
(Blob
or
S3)
RA CI
Plugins
CI RA
PreProds/POC
Project
Management
Aligning
internal
resources
to
complete
activities.
Highlighting
areas
of
customer
responsibility
(SE
led)
RA CI
Build
Environment
(Vanilla)
Based on the platform and region of choice
RA CI
MicroStrategy
MD
Restore
Restore MD and other artifacts
RA CI
Environment
Configuration
I-Server
Settings,
URL
customization,
Authentication
setup,
Webapps
Deploy,
Custom
ODBC
Drivers
RA CI
Networking
Connections
On-Prem
Connectivity
for
internal
access
RAC ACI
Customizations
Custom
workflows,
plugins/SDK
Customizations,
MicroStrategy
Webapps
Customizations
CI RAC
Testing
Testing
to
ensure
success
criteria
is
met
(SE
led
with
customer)
CI RA
Migrations
Project
Management
Aligning
internal
resources
to
complete
activities.
Highlighting
areas
of customer responsibility
R
ACI
Application
Upgrade
Upgrade
of
MD
and
other
artifacts
to
the
latest
version
RA CI
MicroStrategy
MD
Restore/Refresh
Restore/Refresh
MD
and
other
artifacts
RA CI
Environment
Configuration
I-Server
Settings,
URL
customization,
Authentication
setup,
Webapps
Deploy,
Custom
ODBC
Drivers
RA CI
Networking
Connections
On-Prem
Connectivity
for
internal
access
RAC ACI
Customizations
Custom
workflows,
plugins/SDK
Customizations,
MicroStrategy
Webapps
Customizations
CI RAC
Post
Upgrade
QA
(Availability
of
the
Services)
Testing
and Validation
of
Services
health/availability
RA CI
Post Upgrade Regression Testing
Customer Regression and functional tests/certifications
CI RA
ACTIVITY
m
i
cro
s
t
r
a
t
e
g
y
.
c
o
m
|
1850
Towers
Crescent
Plaza
|
T
y
s
on
s
,
VA
22182
|
Copyright
©2023.
All
Rights
Reserved.
COLL-723042 1222