APU CLOUD HOSTING, MONITOR NEXUS CLOUD & 360 ENTERPRISE-WIDE PERFORMANCE AND WORKFLOW OPTIMIZATION SUITE SUBSCRIPTION AGREEMENT
By subscribing to the Monitor Nexus Cloud and Nexus 360 Enterprise-wide Performance and Workflow Optimization Suite (the "Services") provided by APU Commercial Information Systems ("APU") or an authorized distributor of the APU products and/or services, hosted on Monitor Nexus Cloud platforms (the "Cloud Platform") or on-premises ("Self-Hosting"), you (the "Customer") are agreeing to be bound by the following terms and conditions (the "Agreement").
1. Term of the Agreement
The duration of this Agreement (the “Term”) shall be specified in writing on conclusion of this Agreement, beginning on the date of conclusion. It is automatically renewed for an equal Term, unless either party provides a written notice of termination minimum 30 days before the end of the Term to the other party.
This Agreement shall come into effect when both parties have signed a commercial proposal subject to this Agreement (the "Effective Date").
Unless terminated sooner as provided herein, this Agreement shall remain valid and in force for a period of at least one (1) year, commencing on the Effective Date.
After the initial period, the Agreement shall be automatically renewed for additional one (1) year periods unless terminated by either party with sixty (60) days' written notice prior to the expiration of the initial term or, thereafter, of the respective renewal period.
2. Definitions
User: Any active user account with access to the Software in creation and/or edit mode.
App: An "App" is a group of features available for installation.
Bug: Any failure of the Software that results in a complete stop, error traceback or security breach, and is not directly caused by a defective installation or configuration. Non-compliance with specifications or requirements will be considered a Bug at the discretion of APU (typically, when the Software does not produce the results or performance it was designed to produce, or when a country-specific feature no longer meets legal accounting requirements).
Covered Versions: Unless specified otherwise, the Services provided under this Agreement apply only to the Covered Versions of the Software. To be covered by this Agreement, the Customer has to run the most recent Covered Version at the time of conclusion of this Agreement. When this is not the case, additional costs apply, as described in section 5 Charges and Fees.
3.1 Access to the Software
The Customer can use the Software hosted on the Cloud Platform, or choose the Self-Hosting option. The Cloud Platform is hosted and fully managed by APU, and accessed remotely by the Customer. With the Self-Hosting option, the Customer instead hosts the Software on computer systems of their choice, that are not under the control of APU.
For the duration of this Agreement, APU gives the Customer a non-exclusive, non-transferable license to use (execute, modify, execute after modification) the Nexus 360 Enterprise-wide Performance and Workflow Optimization Suite, under the terms set forth.
The Customer agrees to take all necessary measures to guarantee the unmodified execution of the part of the Software that verifies the validity of the Nexus 360 Enterprise-wide Performance and Workflow Optimization Suite usage and collects statistics for that purpose, including but not limited to the running of an instance, the number of Users and installed Apps.
APU commits to apply the security remedies for any security Bug discovered in a version of the Software hosted on the Cloud Platform, on all systems under its control, as soon as the remedy is available, without requiring any manual action of the Customer.
Upon expiration or termination of this Agreement, this license is revoked immediately and the Customer agrees to stop using the Nexus 360 Enterprise-wide Performance and Workflow Optimization Suite and the Cloud Platform.
Should the Customer breach the terms of this section, the Customer agrees to pay APU an extra fee equal to 250% of the applicable list price for the actual number of Users and installed Apps.
3.2 Third-Party Software
APU may furnish the Customer with software and related materials that are licensed by third parties ("Third-Party Software"). Such Third-Party Software is licensed under the terms and conditions of this Agreement. The Customer may use the Third-Party Software only in conjunction with the Software.
APU warrants to the Customer that it has obtained the Third-Party Software from suppliers purporting to have sufficient rights to grant such third-party licenses to permit the Customer to use the Third-Party Software in accordance with this Agreement, and agrees to pass through and assign to the Customer any third-party warranties APU receives in connection with the Third-Party Software ("Third-Party Software Warranty").
No title to or ownership of the Software is transferred to customer. APU and/or its third party licensors retain all right, title in and to all Intellectual Property Rights in the Software. Title and ownership rights in and to the content accessed through the Software are the property of the applicable content owner.
4.1 Bug Fixing Service
For the duration of this Agreement, APU commits to making all reasonable efforts to remedy any Bug of the Software submitted by the Customer through the appropriate channel (typically, APU's service desk email address or website form), and to start handling such Customer submissions within 2 business days.
The Customer understands that Bugs caused by a modification or extension that is not part of the official Software will not be covered by this service.
When a Bug is fixed in any Covered Version, APU commits to fixing the Bug in all more recent Covered Versions of the Software.
The Customer understands that the Bug and the information in the Security Advisory must be treated as Confidential Information as described in 6.4 Confidentiality during the embargo period prior to the public disclosure.
Both parties acknowledge that as specified in the license of the Software and in the 7.3 Limitation of Liability section of this Agreement, APU cannot be held liable for Bugs in the Software.
4.2 Upgrade Services
Upgrade Service for the Software
For the duration of this Agreement, the Upgrade Service is limited to the technical conversion and adaptation of the Customer's database to make it compatible with the Target Version, and the correction of any Bug directly caused by the upgrade operation and not normally occurring in the Target Version.
It is the sole responsibility of the Customer to verify and validate the upgraded database in order to detect Bugs, to analyze the impact of changes and new features implemented in the Target Version, and to convert and adapt for the Target Version any third-party extensions of the Software that were installed in the database before the upgrade (except where applicable as foreseen in section Upgrade Service for third-party extensions).
Upgrade Service for third-party extensions
For the duration of this Agreement, the Customer may request optional upgrade services for third-party extension modules of the Software, in addition to the regular Upgrade Services. This optional service is subject to additional fees (as described in 5 Charges and Fees) and includes the technical adaptation of third-party modules installed in the Customer's database and their corresponding data in order to be compatible with the Target Version. The Customer will receive an upgraded version of all installed third-party modules along with the upgraded database.
4.3 Cloud Hosting Services
For the duration of this Agreement, when the Customer chooses to use the Cloud Platform, APU commits to providing at least the following services:
- Choice of multiple hosting regions
- Hosting in Tier-III data centers or equivalent, with 99.9% network uptime
- Grade A SSL (HTTPS) Encryption of communication
- Fully automated, verified backups, replicated in multiple regions
- Disaster Recovery Plan, tested regularly
The details of the Cloud Hosting Services are described on the Appendix 1: APU Cloud Hosting - Service Level Agreement.
4.4 Support Services
Scope: For the duration of this Agreement, the Customer may open an unlimited number of support tickets submitted online free of charge, exclusively for questions regarding Bugs or guidance with respect to the use of the standard features of the Software and Services (functionalities, intended use, configuration, troubleshooting).
Other assistance requests, such as questions related to development, customizations, installation for Self-Hosting, or services requiring to access the Customer's database, may be covered through the purchase of a separate Implementation & Workflows Optimization Launch Pack. In case it’s not clear if a request is covered by this Agreement or a Service Pack, the decision is at the discretion of APU.
5. Charges and Fees
5.1 Standard charges
The standard charges for the Nexus 360 Enterprise-wide Performance and Workflow Optimization Suite subscription and the Services are based on the number of Users and installed Apps, and for the Monitor Nexus Cloud on the number of Users.
When during the Term, the Customer has more Users or more installed Apps than specified at the time of conclusion of this Agreement, the Customer agrees to pay an extra fee equivalent to the applicable list price (at the beginning of the Term) for the additional Users or Apps, for the remainder of the Term.
If at the time of the conclusion of this Agreement, the Customer uses a Covered Version that is not the most recent one, the standard charges may be increased by 50% for the duration of the first Term, at the sole discretion of APU, to cover the extra maintenance costs.
5.2 Renewal charges
Upon renewal as covered in section 1 Term of the Agreement, if the charges applied during the previous Term are lower than the most current applicable list price, these charges will increase by up to 10%.
5.3 Charges for Upgrade Services of third-party modules
APU reserves the right to reject an upgrade request for third-party modules under the above conditions if the quality of the source code of those modules is too low, or if these modules constitute an interface with third-party software or systems.
All fees and charges are exclusive of all applicable federal, provincial, state, local or other governmental taxes, fees or charges (collectively, "Taxes"). The Customer is responsible for paying all Taxes associated with purchases made by the Customer under this Agreement, except when APU is legally obliged to pay or collect Taxes for which the Customer is responsible.
6. Conditions of Services
6.1 Customer Obligations
The Customer agrees and undertakes to use the Website and the Service only to post and upload messages and material that are proper. By way of example, and not as a limitation, the Customer agrees and undertakes that when using a Service, it will not:
1. defame, abuse, harass, stalk, threaten or otherwise violate the legal rights of others;
2. publish, post, upload, distribute or disseminate any inappropriate, profane, defamatory, infringing, obscene, indecent or unlawful topic, name, material or information;
3. upload files that contain software or other material protected by intellectual property laws unless the Customer owns or controls the rights thereto or has received all necessary consents;
4. upload or distribute files that contain viruses, corrupted files, or any other similar software or programs that may damage the operation of the Website or another's computer;
5. conduct or forward surveys, contests, pyramid schemes or chain letters;
6. download any file posted by another user of a Service that the Customer knows, or reasonably should know, cannot be legally distributed in such manner;
7. falsify or delete any author attributions, legal or other proper notices or proprietary designations or labels of the origin or source of software or other material contained in a file that is uploaded;
8. violate any code of conduct or other guidelines which may be applicable to any particular Service;
9. violate any applicable laws or regulations for the time being in force in or outside India;
10. violate any of the terms and conditions of this Agreement or any other terms and conditions for the use of the Website contained elsewhere herein;
11. exploit any of the Services. Moreover, APU may refuse any of its services, terminate accounts, and/or cancel orders at its discretion, including but not limited to cases where it believes that the Customer's conduct violates applicable law or is harmful to its interests;
12. make any derogatory, defamatory, abusive, inappropriate, profane or indecent statements and/or comments about APU, its associates and partners on any property owned by APU.
As per these Terms, users are solely responsible for every material or content uploaded on to the Website. APU does not review the contents in any way before they appear on the Website. APU does not verify, endorse or otherwise vouch for the contents of any user or any content generally posted or uploaded on to the Website. Users can be held legally liable for their contents and may be held legally accountable if their contents or material include, for example, defamatory comments or material protected by copyright, trademark, etc.
The customer further agrees to:
- pay APU any applicable charges for the Services of the present Agreement, in accordance with the payment conditions specified in the corresponding invoice;
- immediately notify APU when their actual number of Users or their installed Apps exceed the numbers specified at the conclusion of the Agreement, and in this event, pay the applicable additional fee as described in section 5.1 Standard charges;
- take all measures necessary to guarantee the unmodified execution of the part of the Software that verifies the validity of the Nexus 360 Enterprise-wide Performance and Workflow Optimization Suite usage, as described in 3 Access to the Software;
- appoint 1 dedicated customer contact person for the entire duration of the Agreement;
When the customer chooses to use the Cloud Platform, the customer further agrees to:
- take all reasonable measures to keep their user accounts secure, including by choosing a strong password and not sharing it with anyone else;
- make a reasonable use of the Hosting Services, to the exclusion of any illegal or abusive activities, and strictly observe the rules outlined in the Acceptable Use Policy published below: Appendix 3: Monitor Nexus Cloud | Acceptable Use Policy
When the customer chooses the Self-Hosting option, the customer further agrees to:
- take all reasonable measures to protect customer’s files and databases and to ensure customer’s data is safe and secure, acknowledging that APU cannot be held liable for any data loss;
- grant APU the necessary access to verify the validity of the Nexus 360 Enterprise-wide Performance and Workflow Optimization Suite usage upon request (e.g. if the automatic validation is found to be inoperative for the Customer);
6.2 No Soliciting or Hiring
Except where the other party gives its consent in writing, each party, its affiliates and representatives agree not to solicit or offer employment to any employee of the other party who is involved in performing or using the Services under this Agreement, for the duration of the Agreement and for a period of 12 months from the date of termination or expiration of this Agreement. In case of any breach of the conditions of this section that leads to the termination of said employee toward that end, the breaching party agrees to pay to the other party an amount of AED 200,000.00 (two hundred thousand UAE dirhams).
Except where notified otherwise in writing, each party grants the other a non-transferable, non-exclusive, royalty free, worldwide license to reproduce and display the other party’s name, logos and trademarks, solely for the purpose of referring to the other party as a customer or supplier, on websites, press releases and other marketing materials.
6.4 Confidentiality
Definition of "Confidential Information": All information disclosed by a party (the "Disclosing Party") to the other party (the "Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. In particular, any information related to the business, affairs, products, developments, trade secrets, know-how, personnel, customers and suppliers of either party should be regarded as confidential.
Each party acknowledges that, during the Term of this Agreement, it will receive information from the other party that the other party regards as confidential and proprietary (“Confidential Information”).
Neither party shall disclose, provide or otherwise make available to any third party (including a prospective customer) any Confidential Information of the other party and shall utilise such Confidential Information only on any internal organization need-to-know basis and only to the extent necessary to effect the provisions of this Agreement as contemplated herein. For all Confidential Information received during the Term of this Agreement, the Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own similar Confidential Information, but not less than reasonable care. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure, to the extent permitted by law.
6.5 Data Protection
Definitions: "Personal Data", "Controller", "Processing" take the same meanings as in the Regulation (EU) 2016/679 and the Directive 2002/58/EC, and any regulation or legislation that amends or replaces them (hereafter referred to as “Data Protection Legislation”)
Processing of Personal Data
The parties acknowledge that the Customer's database may contain Personal Data, for which the Customer is the Controller. This data will be processed by APU when the Customer instructs so, by using any of the Services that require a database (e.g. the Cloud Hosting Services or the Database Upgrade Service), or if the Customer transfers their database or a part of their database to APU for any reason pertaining to this Agreement.
This processing will be performed in conformance with Data Protection Legislation. In particular, APU commits to:
- (a) only process the Personal Data when and as instructed by the Customer, and for the purpose of performing one of the Services under this Agreement, unless required by law to do so, in which case APU will provide prior notice to the Customer, unless the law forbids it;
- (b) ensure that all persons within APU authorised to process the Personal Data have committed themselves to confidentiality;
- (c) implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure;
- (d) forward promptly to the Customer any Data Protection request that was submitted to APU with regard to the Customer's database;
- (e) notify the Customer promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
- (f) notify the Customer if the processing instructions infringe applicable Data Protection Legislation, in the opinion of APU;
- (g) make available to the Customer all information necessary to demonstrate compliance with the Data Protection Legislation, allow for and contribute reasonably to audits, including inspections, conducted or mandated by the Customer;
With regard to points (d) to (f), the Customer agrees to provide APU with accurate contact information at all times, as necessary to notify the Customer's data protection contact.
APU has the right to verify customer’s compliance with this Agreement. Customer agrees to:
a) keep records sufficient to certify its compliance with this Agreement and, upon request of APU, no more than once a year, provide and certify metrics and/or reports based upon such records and account for the number of Users as they may reasonably relate to the Customer's Subscription Package; and
b) allow an APU representative or an independent auditor (the "Auditor"), upon ten (10) days' written notice to the Customer, to inspect and audit the Customer's (including any subsidiaries, affiliates or contractors with access) computers and records, during the Customer's normal business hours, for compliance with the licensing terms of the Subscription. Upon the Auditor's presentation of a signed written confidentiality statement to safeguard the Customer's confidential information, the Customer shall fully cooperate with such audit and provide any necessary assistance and access to records and computers. If an audit reveals that the Customer has, or at any time has had, unlicensed use of or access to the Subscription, the Customer will, within 30 days, purchase sufficient Subscriptions to cover any shortfall, without benefit of any otherwise applicable discount and subject to fees reflecting the duration of the shortfall. If a shortfall of 5% or more is found, the Customer must reimburse APU for the costs incurred in the audit.
In the event that either Party fails to fulfill any of its obligations arising herein, and if such breach has not been remedied within 30 calendar days from the written notice of such breach, this Agreement may be terminated immediately by the non-breaching Party.
Further, APU may terminate the Agreement immediately in the event the Customer fails to pay the applicable fees for the Services within the due date specified on the corresponding invoice.
After the initial period, either party may terminate this Agreement by written notice to the other party, if:
a) the other party materially defaults in the performance of its obligations contained in this Agreement which defaults continues for a period of thirty (30) days after written notice is given by the non-defaulting party to the other party; or
b) the other party shall file a voluntary petition in bankruptcy or other insolvency proceedings, or shall file any petition or answer seeking reorganization, composition, readjustment, liquidation or similar relief for itself under any present or future statute, law or regulation, or shall seek or consent to or acquiesce in the appointment of any trustee, or shall admit in writing its inability to pay its debts generally as they become due; or
c) a petition is filed against the other party seeking any reorganization, composition, readjustment, liquidation or similar relief under any present or future statute, law or regulation, and the same remains undismissed or unstayed for an aggregate of sixty (60) days (whether or not consecutive), or if any trustee, receiver or liquidator of either party is appointed, which appointment shall remain unvacated or unstayed for an aggregate of ninety (90) days (whether or not consecutive).
d) the other party becomes subject to a change in its ownership that is not reasonably acceptable to the terminating party.
The sections "6.4 Confidentiality”, “7.1 Warranties”, “7.2 Disclaimers”, “7.3 Limitation of Liability”, and “8 General Provisions” will survive any termination or expiration of this Agreement.
7. Warranties, Disclaimers, Liability
7.1 Warranties
For the duration of this Agreement, APU commits to using commercially reasonable efforts to execute the Services in accordance with generally accepted industry standards, provided that:
- the Customer’s computing systems are in good operational order and, for Self-Hosting, that the Software is installed in a suitable operating environment;
- the Customer provides adequate troubleshooting information and, for Self-Hosting, any access that APU may need to identify, reproduce and address problems;
- all amounts due to APU have been paid.
The Customer's sole and exclusive remedy and APU's only obligation for any breach of this warranty is for APU to resume the execution of the Services at no additional charge.
7.2 Disclaimers
Except as expressly provided herein, neither party makes any warranty of any kind, whether express, implied, statutory or otherwise, and each party specifically disclaims all implied warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, to the maximum extent permitted by applicable law.
APU does not warrant that the Software complies with any local or international law or regulations.
7.3 Limitation of Liability
To the maximum extent permitted by law, the aggregate liability of each party together with its affiliates arising out of or related to this Agreement will not exceed 50% of the total amount paid by the Customer under this Agreement during the 12 months immediately preceding the date of the event giving rise to such claim. Multiple claims shall not enlarge this limitation.
In no event will either party or its affiliates be liable for any indirect, special, exemplary, incidental or consequential damages of any kind, including but not limited to loss of revenue, profits or savings, loss of business or other financial loss, costs of standstill or delay, or lost or corrupted data, arising out of or in connection with this Agreement, regardless of the form of action, whether in contract, tort (including negligence) or any other legal or equitable theory, even if a party or its affiliates have been advised of the possibility of such damages, or if a party's or its affiliates' remedy otherwise fails of its essential purpose.
7.4 Force Majeure
Neither party shall be liable to the other party for the delay in any performance or failure to render any performance under this Agreement when such failure or delay is caused by governmental regulations, fire, strike, war, flood, accident, epidemic, embargo, appropriation of plant or product in whole or in part by any government or public authority, or any other cause or causes, whether of like or different nature, beyond the reasonable control of such party as long as such cause or causes exist.
8. General Provisions
8.1 Governing Law
Both parties agree that the laws of Belgium will apply, should any dispute arise out of or in connection with this Agreement, without regard to choice or conflict of law principles. To the extent that any lawsuit or court proceeding is permitted hereinabove, both parties agree to submit to the sole jurisdiction of the Nivelles (Belgium) court for the purpose of litigating all disputes.
In case any one or more of the provisions of this Agreement or any application thereof shall be invalid, illegal or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions of this Agreement and any application thereof shall be in no way thereby affected or impaired. Both parties undertake to replace any invalid, illegal or unenforceable provision of this Agreement by a valid provision having the same effects and objectives.
Appendix 1: APU Cloud Hosting (Monitor Nexus Cloud) - Service Level Agreement
- We work with different hosting providers worldwide that always deliver at least a 99.9% uptime guarantee.
- We can therefore guarantee a minimum of 99.9% uptime (three nines, excluding planned maintenance)*
- This corresponds to a maximum unplanned downtime of 1.44 min per 24h, or about 8.76h per year.
- We usually deliver much better uptime than this (100% most months), as our providers also deliver much better uptime than their SLA.
* these metrics refer to the availability of the platform itself for all customers. Individual databases may be temporarily unavailable for specific reasons, typically related to the customer's actions or customizations.
- Our data centers are Tier-III certified or equivalent, with N+1 redundancy for power, network and cooling
- Each customer database is replicated in real-time on redundant storage located in the same data center, so a failover can happen quickly in case of hardware failure, with no data loss.
The safety of your data is very important to us, and we design our systems and procedures to guarantee it.
You can learn more about it on Appendix 2: Monitor Nexus Cloud | System & Software Security
Here are some highlights:
- TLS - All web connections to client instances are protected with TLS (HTTPS) using 256-bit symmetric cipher suites and certificates with 2048-bit RSA keys, served by Grade A TLS stacks. All our certificate chains already use SHA-2 signatures.
- Reliable Platform - Servers with full hardware guarantee, redundant data storage, network and electrical supplies
- Passwords - Customer passwords are protected with industry-standard PBKDF2-SHA512 password hashing (salted and stretched over thousands of iterations); this is a one-way key derivation, not encryption, so the original password cannot be recovered from what is stored
- Safe System - Our servers run a recent Linux distribution with up-to-date security patches, with firewall and intrusion counter-measures (not disclosed for obvious reasons)
- Isolation - Client data is stored in dedicated databases - no sharing of data between clients, no access possible from one database to another
Backups & Disaster Recovery
- We keep full backups of each customer database for up to 3 months: 1/day for 7 days, 1/week for 4 weeks, 1/month for 3 months
- Backups replicated on different machines in different data centers on different continents
- You can also download manual backups of your live data at any time using the control panel
- You can contact our Helpdesk to restore any of those backups
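The retention schedule above (7 daily, 4 weekly, 3 monthly) is a grandfather-father-son rotation. The following is an added example, not APU's code, of how such a schedule is applied to a list of backup dates to decide which ones to keep and which are candidates for deletion. The page only states the counts; cutting "weeks" as ISO weeks and "months" as calendar months, and keeping the newest backup in each bucket, are this example's own assumptions. The sample backup dates are constructed.

```python
"""Grandfather-father-son backup retention as stated in the SLA.

Added example, not APU's code. The page gives the counts (7 daily, 4 weekly,
3 monthly); bucketing by ISO week / calendar month and keeping the newest
backup per bucket are this example's assumptions.
"""
from datetime import date, timedelta

DAILY_DAYS = 7      # one backup per day for the last 7 days
WEEKLY_WEEKS = 4    # one per ISO week for the last 4 weeks
MONTHLY_MONTHS = 3  # one per calendar month for the last 3 months


def _week_key(d: date):
    iso_year, iso_week, _ = d.isocalendar()
    return (iso_year, iso_week)


def _month_key(d: date):
    return (d.year, d.month)


def _recent_month_keys(today: date, n: int):
    """(year, month) keys for this month and the n-1 months before it."""
    keys, y, m = set(), today.year, today.month
    for _ in range(n):
        keys.add((y, m))
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
    return keys


def _newest_per_bucket(backups, key_fn, wanted_keys):
    """Newest backup date for each bucket key that is in wanted_keys."""
    newest = {}
    for d in backups:
        k = key_fn(d)
        if k in wanted_keys and (k not in newest or d > newest[k]):
            newest[k] = d
    return set(newest.values())


def backups_to_keep(backup_dates, today: date):
    """Return the set of backup dates the schedule retains as of `today`.

    Future-dated entries (clock skew, bad metadata) are ignored rather than
    treated as the newest backup, since they would otherwise shadow real ones.
    """
    backups = {d for d in backup_dates if d <= today}
    keep = {d for d in backups if (today - d).days < DAILY_DAYS}
    week_keys = {_week_key(today - timedelta(weeks=i)) for i in range(WEEKLY_WEEKS)}
    keep |= _newest_per_bucket(backups, _week_key, week_keys)
    keep |= _newest_per_bucket(backups, _month_key,
                               _recent_month_keys(today, MONTHLY_MONTHS))
    return keep


def backups_to_delete(backup_dates, today: date):
    """Past backups not retained by the schedule (future-dated ones are left alone)."""
    keep = backups_to_keep(backup_dates, today)
    return {d for d in backup_dates if d <= today and d not in keep}


# Constructed sample: one backup per day for 120 consecutive days ending on a Sunday.
SAMPLE_TODAY = date(2024, 3, 31)
SAMPLE_BACKUPS = [SAMPLE_TODAY - timedelta(days=i) for i in range(120)]

if __name__ == "__main__":
    kept = sorted(backups_to_keep(SAMPLE_BACKUPS, SAMPLE_TODAY))
    print(f"keeping {len(kept)} of {len(SAMPLE_BACKUPS)} backups:")
    for d in kept:
        print(" ", d.isoformat())
```

On the sample the function keeps 12 of the 120 backups: the last seven days, the Sundays closing the four most recent ISO weeks, and the last backup of each of the three most recent months. Two points a practitioner should check before wiring this into a prune job: a retention rule says nothing about whether a backup is restorable (the "verified" in the SLA is a separate test, and a corrupt newest backup should not cause an older good one to be pruned), and the same logic should run against the off-site replicas so that the copies "on different continents" follow the same schedule.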
Hardware failover: for services hosted on bare metal, where hardware failure is possible, we implement local hot standby replication, with monitoring and a manual failover procedure that takes less than 5 minutes
Disaster recovery: in case of complete disaster, with a data center entirely down for an extended period, preventing the failover to our local hot-standby (never happened so far, this is the worst-case plan), we have the following objectives:
For a permanent disaster impacting one server only, our Disaster Recovery Plan has the following metrics:
- RPO (Recovery Point Objective) = 5 minutes, i.e. can lose maximum 5 minutes of work
- RTO (Recovery Time Objective) = 30 minutes, i.e. the service will be back online after a maximum of 30 minutes (standby promotion time and DNS propagation time included)
For data center disasters (one entire data center is completely and permanently down), Disaster Recovery Plan has these metrics:
- RPO (Recovery Point Objective) = 24h. This means you can lose max 24h of work if the data cannot be recovered and we need to restore your latest daily backup
- RTO (Recovery Time Objective) = 24h for paid subscriptions. This is the time to restore the service in a different data center if a disaster occurs and a datacenter is completely down.
- How is this accomplished: we actively monitor our daily backups, and they are replicated in multiples locations on different continents. We have automated provisioning to deploy our services in a new hosting location. Restoring the data based on our backups of the previous day can then be done in a few hours (for the largest clusters), with priority on the paid subscriptions.
We routinely use both the daily backups and provisioning scripts for daily operations, so both parts of the disaster recovery procedure are tested all the time.
Appendix 2: Monitor Nexus Cloud | System & Software Security
- Customer data is stored in a dedicated database - no sharing of data between clients
- Data access control rules implement complete isolation between customer databases running on the same cluster, no access is possible from one database to another
- Customer passwords are protected with industry-standard PBKDF2+SHA512 hashing (salted and stretched for thousands of rounds); the password itself is never stored
- APU staff does not have access to your password, and cannot retrieve it for you, the only option if you lose it is to reset it
- Login credentials are always transmitted securely over HTTPS
- Other password policies, such as required character classes, are not supported by default because they have been shown to be counter-productive (see [Shay et al. 2016])
- APU helpdesk staff may sign into your account to access settings related to your support issue. For this they use their own special staff credentials, not your password (which they have no way to know)
- This special staff access improves efficiency and security: they can immediately reproduce the problem you are seeing, you never need to share your password, and we can audit and control staff actions separately
- Our Helpdesk staff strives to respect your privacy as much as possible, and only access files and settings needed to diagnose and resolve your issue
- All APU Cloud servers are running with up-to-date security patches
- Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities (no PHP/MySQL stack for example)
- Only a few trusted APU engineers have clearance to remotely manage the servers - and access is only possible using an encrypted personal SSH keypair, from a computer with full-disk encryption.
APU Cloud servers are hosted in trusted data centers in various geographic regions, and they must all meet or exceed our physical security criteria:
- Restricted perimeter, physically accessed by authorized data center employees only
- Physical access control with security badges or biometric authentication
- Security cameras monitoring the data center locations 24/7
- Security personnel on site 24/7
- All web connections to client instances are protected with TLS (commonly still called SSL), using cipher suites with 256-bit symmetric keys
- Our servers are kept under a strict security watch, and always patched against the latest TLS vulnerabilities
- All our TLS certificates use 2048-bit RSA keys, with full certificate chains signed using SHA-2
- All data center providers used by APU Cloud have very large network capacities, and have designed their infrastructure to withstand the largest Distributed Denial of Service (DDoS) attacks. Their automatic and manual mitigation systems can detect and divert attack traffic at the edge of their multi-continental networks, before it gets the chance to disrupt service availability.
- Firewalls and intrusion prevention systems on APU Cloud servers help detect and block threats such as brute-force password attacks.
- Database administrators have the option to configure the rate limiting and cooldown duration for repeated login attempts.
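The rate limiting and cooldown for repeated login attempts mentioned above can be implemented in a few dozen lines. The following is an added example written for this page, not APU's own code: it keys the counter on the (account, source IP) pair, so a single attacker cannot lock a legitimate user out from a different address, and a single IP cannot spray many accounts freely. The limit, window and cooldown values are assumptions chosen for illustration, and the `ManualClock` class exists only so the behaviour can be exercised without waiting.

```python
"""Login throttle with a failure limit, a counting window and a cooldown.

Added example for this page, not APU's code. State is kept in memory;
a real deployment would keep it in the database or a shared cache so
that every application server sees the same counters.
"""
import time
from typing import Callable, Dict, List, Tuple


class LoginThrottle:
    def __init__(self, max_attempts: int = 5, window: float = 60.0,
                 cooldown: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts   # failures tolerated per window (assumed value)
        self.window = window               # seconds over which failures are counted
        self.cooldown = cooldown           # lock-out duration in seconds (assumed value)
        self.clock = clock
        self._failures: Dict[Tuple[str, str], List[float]] = {}
        self._locked_until: Dict[Tuple[str, str], float] = {}

    @staticmethod
    def _key(username: str, source_ip: str) -> Tuple[str, str]:
        # Normalise the account name so "Alice " and "alice" share a counter.
        return (username.strip().lower(), source_ip)

    def seconds_locked(self, username: str, source_ip: str) -> float:
        """0.0 when the pair may attempt a login, else the remaining cooldown."""
        until = self._locked_until.get(self._key(username, source_ip), 0.0)
        return max(0.0, until - self.clock())

    def attempt(self, username: str, source_ip: str,
                verify_password: Callable[[], bool]) -> str:
        """Return 'locked', 'ok' or 'failed'.

        The password check is a callback so that a locked pair never reaches
        the (deliberately slow) password hash: locked attempts cost nothing
        and cannot be used to probe whether the account exists.
        """
        key = self._key(username, source_ip)
        now = self.clock()
        if now < self._locked_until.get(key, 0.0):
            return "locked"
        if verify_password():
            # A successful login clears the failure history for the pair.
            self._failures.pop(key, None)
            self._locked_until.pop(key, None)
            return "ok"
        # Drop failures that fell out of the window, then count this one.
        recent = [t for t in self._failures.get(key, []) if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.cooldown
            self._failures.pop(key, None)
            return "locked"
        self._failures[key] = recent
        return "failed"


class ManualClock:
    """Test scaffolding only: a clock that advances when told to."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    throttle = LoginThrottle(max_attempts=3, window=60, cooldown=300, clock=clock)
    for _ in range(3):
        print(throttle.attempt("alice", "10.0.0.1", lambda: False))  # failed, failed, locked
    print(throttle.seconds_locked("alice", "10.0.0.1"))               # 300.0
    clock.t += 300
    print(throttle.attempt("alice", "10.0.0.1", lambda: True))        # ok
```

Two design points worth keeping when adapting this: the lock applies to the pair, not to the account alone, so an attacker who knows a username cannot turn the throttle into a denial of service against that user; and a correct password submitted during the cooldown is still rejected, otherwise the cooldown would tell the attacker exactly when a guess was right.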
APU Software Security
The APU R&D processes have code review steps that include security aspects, for new and contributed pieces of code.
APU is designed in a way that prevents introducing most common security vulnerabilities:
- SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries
- XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data
- The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities
Open Web Application Security Project (OWASP) Top Vulnerabilities
How APU handles the top web application vulnerabilities listed by the Open Web Application Security Project (OWASP):
- Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications - emerging when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
APU relies on an object-relational-mapping (ORM) framework that abstracts query building and prevents SQL injections by default. Developers do not normally craft SQL queries manually, they are generated by the ORM, and parameters are always properly escaped.
- Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
APU does not expose functions to perform remote file inclusion. However it allows privileged users to customize features by adding custom expressions that will be evaluated by the system. These expressions are always evaluated by a sandboxed and sanitized environment that only allows access to permitted functions.
- Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
The APU framework escapes all expressions rendered into views and pages by default, preventing XSS. Developers have to specially mark expressions as "safe" for raw inclusion into rendered pages.
- Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
The APU website engine includes a built-in CSRF protection mechanism. It prevents any HTTP controller from receiving a POST request without the corresponding security token. This is the recommended technique for CSRF prevention. The token is only known and present when the user has accessed the relevant website form, and an attacker cannot forge a request without it.
- Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
APU access control is not implemented at the user interface level, so there is no risk in exposing references to internal objects in URLs. Attackers cannot circumvent the access control layer by manipulating those references, because every request still has to go through the data access validation layer.
- Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
APU uses industry-standard secure hashing for user passwords (by default PBKDF2 + SHA-512, with salting and key stretching) to protect stored passwords. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords locally at all.
- Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
APU Cloud runs on HTTPS by default. For on-premise installations, it is recommended to run APU behind a web server that terminates TLS and proxies requests to APU, for example Apache, Lighttpd or nginx.
- Failure to Restrict URL Access: Frequently an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
Attackers cannot circumvent the access control layer by reusing or manipulating any URL, because every request still has to go through the data access validation layer. In the rare cases where a URL provides unauthenticated access to sensitive data, such as the special URLs customers use to confirm an order, these URLs are digitally signed with unique tokens and only sent by email to the intended recipient.
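The PBKDF2+SHA512 password storage described in the System & Software Security list above and again under Insecure Cryptographic Storage is easy to get subtly wrong (unsalted, too few rounds, non-constant-time comparison). The following is an added example for this page, not APU's code, showing the three properties the text names: a random per-user salt, key stretching, and the fact that the stored value cannot be turned back into the password, which is why staff can only reset it. The storage string format, the round count and the helper names are assumptions.

```python
"""PBKDF2-HMAC-SHA512 password storage: salted, stretched, verified in
constant time. Added example for this page, not APU's code; the stored
format and the round count are assumptions."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 210_000     # assumed default; tune so one hash takes ~100 ms on your hardware
SALT_BYTES = 16
SCHEME = "pbkdf2-sha512"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, rounds: int = ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return '$pbkdf2-sha512$<rounds>$<salt>$<derived key>'.

    A fresh random salt per password means two users with the same
    password get different stored values, and precomputed tables are useless.
    The salt parameter exists only so tests can be deterministic.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "$%s$%d$%s$%s" % (SCHEME, rounds, _b64(salt), _b64(derived))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and rounds and compare
    in constant time; nothing here ever recovers the original password."""
    try:
        _, scheme, rounds, salt_b64, derived_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = _unb64(salt_b64)
        expected = _unb64(derived_b64)
        rounds = int(rounds)
    except ValueError:          # malformed string, bad base64, bad integer
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, rounds: int = ROUNDS) -> bool:
    """True when the stored hash uses an older scheme or fewer rounds than
    the current policy; call after a successful login to upgrade in place."""
    try:
        _, scheme, stored_rounds, _, _ = stored.split("$")
        return scheme != SCHEME or int(stored_rounds) < rounds
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("correct horse battery stable", record))   # False
```

`needs_rehash` is the piece most implementations forget: the round count that was adequate when a password was set is not adequate years later, and the only moment the plaintext is available to re-hash it is a successful login.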
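Two of the mechanisms above rely on the same primitive: the CSRF token that every POST controller requires, and the signed order-confirmation URLs that carry their own authorization because the recipient is not logged in. Both are an unforgeable token computed from a server-side secret over the thing it is bound to (the session, or the order) plus an expiry. The following is an added example for this page, not APU's code: the token format, the purpose strings, the URL layout and the server secret are all assumptions, and a real deployment would keep the secret in configuration and rotate it.

```python
"""HMAC tokens for (a) CSRF protection of POST controllers and
(b) signed, single-purpose URLs such as order-confirmation links.
Added example for this page, not APU's code; the token format and the
URL layout are assumptions."""
import hashlib
import hmac
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse


def make_token(secret: bytes, purpose: str, subject: str, expires_at: int) -> str:
    """Return '<expires_at>.<hex mac>' binding purpose, subject and expiry.

    Including the purpose means a CSRF token cannot be replayed as an
    order-confirmation token and vice versa, even under the same secret.
    """
    message = f"{purpose}\x00{subject}\x00{expires_at}".encode("utf-8")
    mac = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{expires_at}.{mac}"


def check_token(secret: bytes, purpose: str, subject: str, token: str, now: int) -> bool:
    try:
        expires_text, _ = token.split(".", 1)
        expires_at = int(expires_text)
    except (ValueError, AttributeError):
        return False
    if now > expires_at:
        return False
    expected = make_token(secret, purpose, subject, expires_at)
    # Constant-time comparison so an attacker cannot guess the MAC byte by byte.
    return hmac.compare_digest(expected, token)


# --- (a) CSRF: token bound to the logged-in session -------------------------

def csrf_token_for_session(secret: bytes, session_id: str, now: int,
                           lifetime: int = 3600) -> str:
    """Embedded in the form when it is rendered; unknown to any other origin."""
    return make_token(secret, "csrf", session_id, now + lifetime)


def controller_accepts(secret: bytes, method: str, session_id: str,
                       form: Dict[str, str], now: int) -> bool:
    """A POST without a token valid for *this* session is rejected before
    any controller code runs. A token from another session is useless."""
    if method.upper() != "POST":
        return True
    return check_token(secret, "csrf", session_id, form.get("csrf_token", ""), now)


# --- (b) signed URL for an unauthenticated order confirmation ---------------

def sign_confirmation_url(secret: bytes, base: str, order_id: int, now: int,
                          lifetime: int = 86400) -> str:
    token = make_token(secret, "order-confirm", str(order_id), now + lifetime)
    return f"{base}/order/{order_id}/confirm?" + urlencode({"token": token})


def verify_confirmation_url(secret: bytes, url: str, now: int) -> bool:
    """The token is bound to the order id in the path, so editing the id
    to reach another customer's order invalidates the signature."""
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "order" or parts[2] != "confirm":
        return False
    token = parse_qs(parsed.query).get("token", [""])[0]
    return check_token(secret, "order-confirm", parts[1], token, now)


if __name__ == "__main__":
    secret = b"replace-with-a-random-32-byte-secret-from-config"   # assumption
    now = 1_700_000_000
    link = sign_confirmation_url(secret, "https://shop.example", 42, now)
    print(link)
    print(verify_confirmation_url(secret, link, now))                         # True
    print(verify_confirmation_url(secret, link.replace("/42/", "/43/"), now)) # False
```

The CSRF token here is derived rather than stored, so it costs no server state; the price is that it must be regenerated whenever the session id changes (in particular at login, where the session id should be rotated anyway), and that rotating the secret invalidates every outstanding form and confirmation link at once.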
Appendix 3: Monitor Nexus Cloud | Acceptable Use Policy
Usage of APU Cloud Services is subject to this Acceptable Use Policy (AUP). This Acceptable Use Policy is incorporated by reference into, and governed by the APU Cloud Hosting, Monitor Nexus Cloud & 360 Enterprise-wide Performance and Workflow Optimization Suite Subscription Agreement between you (Customer) and APU. Customers who are found to be violating these rules may see their subscriptions suspended without prior notice. The subscription fees will not be refunded.
You may not use APU Cloud services for storing, displaying, distributing or otherwise processing illegal or harmful content. This includes:
- Illegal Activities: promoting gambling-related sites or services, or child pornography.
- Harmful or Fraudulent Activities: Activities harmful to others, promoting fraudulent goods, services, schemes, or promotions (e.g., make-money-fast schemes, ponzi and pyramid schemes, phishing), or engaging in other deceptive practices.
- Infringing Content: Content that infringes the intellectual property of others.
- Offensive Content: Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
- Harmful Content: Malicious and malware content, such as viruses, trojan horses, worms, etc.
- Spam Content: Content that is published for "black hat SEO" purposes, using tricks such as link building / link spam or keyword spam, in order to exploit the reputation of APU services for promoting third-party content, goods or services.
You may not use APU Cloud services for spamming. This includes:
- Unsolicited messages: sending or facilitating the distribution of unsolicited bulk emails and messages, either directly via APU Cloud or indirectly via third-party email services. This includes the use of bulk emails lists. Any mass-mailing activity is subject to the applicable legal restrictions, and you must be able to show evidence of consent/opt-in for your bulk email distribution lists.
- Spoofing: sending emails or messages with forged or obfuscated headers, or assuming an identity without the sender's permission
You may not attempt to compromise APU Cloud services, to access or modify content that does not belong to you, or to otherwise engage in malicious actions:
- Unauthorized access: accessing or using any APU Cloud system or service without permission
- Security research: conducting any security research or audit on APU Cloud systems without written permission to do so, including via scanners and automated tools.
- Eavesdropping: listening to or recording data that does not belong to you without permission
- Other attacks: non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system
You may not abuse the resources and systems of APU Cloud. In particular the following activities are prohibited:
- Network abuse: causing Denial of Service (DoS) by flooding systems with network traffic that slows down the system, makes it unreachable, or significantly impacts the quality of service
- Unthrottled RPC/API calls: sending large numbers of RPC or remote API calls to our systems without appropriate throttling, with the risk of impacting the quality of service for other users.
Note: APU provides batch APIs for imports, so there should be no need for this. Throttled calls are typically acceptable at a rate of 1 call/second, with no parallel calls.
- Overloading: voluntarily impacting the performance or availability of systems with abnormal content such as very large data quantities, or very large numbers of elements to process, such as email bombs.
- Crawling: automatically crawling resources in a way that impacts the availability and performance of the systems
- Attacking: using the APU Cloud services to attack, crawl or otherwise impact the availability or security of third-party systems
- Abusive registrations: using automated tools to repeatedly register or subscribe to APU Cloud services, or registering or subscribing with fake credentials, or under the name of someone else without their permission.