Annex 2


1.1. This service level agreement (“SLA”) is an inseparable part of the DreamApply and Services Agreement concluded between the Provider and the Institution (“Agreement”).

1.2. Capitalised words and phrases used in the SLA shall have the same meanings as in the Agreement, unless new terms or definitions are introduced in the text of the SLA.

1.3. The SLA will enter into force on the same date as the Agreement became effective. The SLA will be valid for the term of the Agreement.


2.1. The SLA governs the service levels for the operation of DreamApply and for the provision of Support to the Institution in the following areas: (a) maintenance, preventive measures, upgrades and backups of DreamApply; (b) questions and consultation concerning the daily operation of the DreamApply; (c) handling of any bugs or other issues which result in a disruption of the normal functioning and operational use of DreamApply (jointly “Errors”);

2.2. The Provider shall operate the DreamApply and provide Support according to the service levels agreed in the SLA.


3.1. Access to the DreamApply is provided through an online solution specially configured for the Institution’s needs and requirements (“Instance”). The configuration shall be made by the Institution or upon ordering additional Support by the Provider.

3.2. The Institution shall appoint a high-level administrator to oversee and manage the use of DreamApply and Services on behalf of the Institution (“Supervisor”).

3.3. The Institution and the Supervisor are responsible for ensuring that its Members use the DreamApply and Services in accordance with the Agreement. The Supervisor’s responsibility is (a) to act as a single point of contact towards the Provider regarding the daily operation of DreamApply and provision of Services; (b) provide basic technical assistance and consultation to the Members of the Institution regarding the use of DreamApply; (c) administer the Member Accounts (delete, add new, configure access rights and settings etc). The Supervisor has the right to order Services from the Provider, make binding decisions on behalf of the Institution and perform other duties in his/her area of responsibility.

3.4. The provision of Services and delivery of items that fall outside the scope of the Price Offer shall be subject to separate negotiations between the Parties. The agreement reached as a result of such negotiations shall be formed in a format which can be reproduced in writing (e.g. e-mail, Skype etc) and shall form an inseparable part of the Agreement, unless expressly agreed otherwise between the Parties


4.1. Operation of DreamApply

4.1.1. Responsiveness: the DreamApply shall respond to all requests within no more than 1 (one) second (without accounting for network latency) unless this cannot be reasonably expected (processing of large uploads, extended searches, export operations etc).

4.1.2. Preventive measures: the DreamApply is monitored to detect any anomalies or interruptions in the performance of the DreamApply and provide information for possible maintenance work. Provider (or its selected third party partners) regularly performs the following maintenance operations:
(a) maintenance of the server hardware and network equipment;
(b) software version and security updates;
(c) log management;
(d) configuration maintenance, versioning and backup;
(e) change management and documentation.

4.1.3. Upgrades: the Provider shall in the event of necessity update DreamApply to improve the usability, management, efficiency, security and capability of the DreamApply.

4.1.4. Back-ups: the Provider will take any reasonable measures to safeguard the User Content, the DreamApply and the DreamApply’s configuration against being lost or corrupted, including, but not limited to:
(a) hourly off-site backups of the User Content with a retention period of no less than 3 (three) days;
(b) nightly off-site backups of the User Content with a retention period of no less than 30 (thirty) days.

4.1.5. Planned maintenance work: normally the installation of updates affect the operation of the DreamApply for up to 15 minutes and take place in average once per month. Users are notified at least 3 (three) working days in advance of any planned maintenance work which will affect the availability of the DreamApply for more than 1 hour. The total allowed duration of planned maintenance that affects the availability of the DreamApply must not exceed 48 (forty eight) hours per year or 8 (eight) hours in any single month; any single planned maintenance session that affects the availability of the DreamApply may not exceed 4 (four) hours; any planned maintenance is usually performed between 00:00 and 07:00 CET unless a valid reason is present.

4.1.6. Unplanned service disruptions: the total allowed duration of unplanned disruptions that affect the availability of the DreamApply must not exceed 48 (forty eight) hours per year; the maximum time for restoring the DreamApply’s functionality after a service disruption must not exceed 24 (twenty four) hours.

4.2. Support

4.2.1. The Provider shall offer Support remotely by email or telephone during 9:00 – 17:00 CET on working days. Outside of these hours, the DreamApply will be operated “as is”. Prior to submitting Support request the Institution shall visit the Provider´s help portal for first hand assistance and information.

4.2.2. Support is provided in English. The react time to any Support requests and volumes of Support are brought out in Annex 1. The contact details for submitting Support requests are as follows:

(a) e-mail: [email protected];
(b) Skype: dreamapply
(c) telephone: +3726314625

4.3. Error management

4.3.1. The Institution shall inform the Provider of any Errors that may come to its attention. The Institution shall make available to the Provider all relevant information that is reasonably necessary in order to describe, detail or replicate the Error.

4.3.2. If the Institution wishes to change or make additions to the existing content, features or functionality of the DreamApply, to integrate the DreamApply with third party systems or technologies, or to customise the DreamApply for the Institution’s needs and requirements, then this is not considered an Error and can be purchased from the Provider as Development service in accordance with the Agreement.

4.3.3. Error severity levels: Any Errors will be handled depending on the level of severity as defined below:

(a) High – major functionality is impacted or significant performance degradation is experienced. The Error is persistent and affects many users and/or major functionality. The DreamApply cannot perform its main intended purpose. No reasonable workaround is available.

(b) Medium – the Error is affecting some but not all users. The DreamApply can still perform its main intended purpose, but requires additional effort on part of the users. A short-term workaround is available, but not scalable.

(c) Trivial – a defect that affects a small proportion of users. The DreamApply’s ability to perform its main intended purpose is not affected.

4.3.4. Reaction times: Provider will acknowledge Errors by (a) receipt of a report of an Error from the Institution, demonstrating its occurrence, or (b) discovery of an Error by other means, such as preventive measures taken by the Provider (“Acknowledgement”). The Provider shall start resolving the Error as of the moment of Acknowledgement, depending on the level of severity:

(a) High – at the first possibility but no later than within 1 (one) working day as of Acknowledgement and must resolve the Error within no more than 3 (three) days;

(b) Medium – within 3 (three) working days as of Acknowledgement, must provide a workaround within 2 (two) working days and resolve the Error within no more than 5 (five) working days;

(c) Trivial – within 1 (one) month as of Acknowledgement and must resolve the Error within no more than 6 (six) months.


5.1. Should the planned maintenance work or unplanned service disruptions exceed the allowed duration limits, the Parties shall negotiate regarding the compensation. However, if the planned maintenance work or unplanned service disruptions exceed the allowed duration limits by up to 50%, provided it occurs between 00:00 and 07:00 CET, it will not be considered a breach of the Agreement.

5.2. Errors that do not affect the availability of the DreamApply’s primary functionalities or affect said functionalities in a non-significant way, will not count towards the allowed duration limits and will not be considered a breach of the Agreement.

5.3. The Provider’s obligations under the SLA shall cease if an Error was caused by any factor outside the control of the Provider, including, but not limited to, any problem with:

5.3.1. the functioning or use of external systems or supplies, which are not part of the DreamApply, including the Institution’s infrastructure, operating system software and any updates and fixes thereto;

5.3.2. parts, accessories or products not delivered by the Provider;

5.3.3. unexpected serious accidents and/or health issues with the employees of the Provider;

5.3.4. configurations and specifications of the devices and infrastructure used by the Institution or other users of DreamApply (mobile phones, servers etc);

5.3.5. utility supplies (electricity, availability of internet and telecommunications networks etc);

5.3.6. other services not provided by the Provider (e.g. data communication services etc).

5.4. The work spent for resolving issues which do not fall under the scope of the SLA may be subject to additional fees. The Provider shall inform the Institution of the possibility that the SLA does not cover the reported issue as soon as possible and may provide a cost estimate for resolving it.


6.1. In the event of a suspected or actual personal data breach; loss of confidential information or successful cyber-attack the Provider shall notify the Institution immediately, but no later than 5 working days after the incident was first discovered. The Provider shall take all measures reasonably necessary to prevent or limit (further) unauthorised examination, change, and provision or otherwise unlawful processing and to stop and prevent any future breach of security measures, breach of the confidentiality obligation or further loss of confidential Data.

6.2. The Provider is also obliged to notify the Institution in case of breach of the Institution instructions.

6.3. The Provider agrees and warrants:

6.3.1. that it has implemented the technical and organisational security measures specified in in the Agreement and its Annexes and the Providers data protection internal documentation (available upon request) before processing the personal data transferred;

6.3.2. that it will promptly notify the Institution about: any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, any unauthorised access, and any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

6.3.3. to deal promptly and properly with all inquiries from the Institution relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

6.3.4. at the request of the Institution to submit its data processing facilities for audit of the processing activities covered by the Agreement which shall be carried out by the Institution or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority. The Institution will cover the expenses directly caused by the audit, including the working hours of the Providers´ employees (based on the hourly amount brought out in of the Agreement). The Provider may refuse from being audited if the Providers data processing facilities have been audited by other client or an inspection body within twelve (12) months when the Provider shares the results of that audit with the Institution. The Provider may refuse from being audited when the Institution requests it more than once per twelve (12) months. The Institution has an obligation to inform the Provider about the wish to conduct audit 21 days prior to the audit.

6.4. The Provider is obligated to immediately inform the Institution regarding any future changes in the performance of the Agreement, so that the Institution can monitor compliance with arrangements made with the Provider. This also includes the engagement of new Auxiliary Suppliers who have access to the data inserted for the Institution. If new Auxiliary Suppliers (who have access to the data inserted for the Institution) are engaged, or changes are made, the Provider must inform the Institution in advance and set a term for making an objection.

6.5. The Provider:

6.5.1. processes the personal data only on documented instructions from the Institution, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Provider is subject; in such a case, the Provider shall inform the Institution of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

6.5.2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

6.5.3. takes all measures required pursuant to Article 32 of the Regulation (EU) 2016/679 of the European Parliament and of the Council;

6.5.4. respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council for engaging another processor;

6.5.5. taking into account the nature of the processing, assists the Institution by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Institution’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the Regulation (EU) 2016/679 of the European Parliament and of the Council;

6.5.6. assists the Institution in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the Regulation (EU) 2016/679 of the European Parliament and of the Council taking into account the nature of processing and the information available to the Provider;

6.5.7. at the choice of the Institution, deletes or returns all the personal data to the Institution after the end of the provision of Services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

6.5.8. makes available to the Institution all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council.


7.1. The Provider’s total liability arising out of or in connection with the performance of its rights and obligations under the Agreement (whether in contract, tort, negligence, product liability or otherwise) is limited to the Service fee paid by the Institution for the use of the DreamApply pursuant to the Agreement during the 12 (twelve) months prior to the event that gave rise to liability.

7.2. In case of a failure to perform its contractual obligation under the Agreement, the Provider may cure the non-performance at its own expense within a reasonable period of time after notifying the Institution of the intention to cure and of the proposed manner and timing of the cure (e.g. free technical support or discount from the Service fee).

7.3. Neither party should be regarded as liable to the other party for circumstances beyond the party’s control and which the party, when signing the Agreement, could not have foreseen or could not have avoided or overcome, including strikes (force majeure). Circumstances of a subcontractor will only be regarded as force majeure if the subcontractor is faced with an obstacle falling within the first sentence of this provision and which the Supplier ought not to have avoided or overcome. The party who wishes to invoke force majeure must inform the other party thereof in writing not later than ten Working Days after the force majeure event was discovered and provide information about the expected scope and duration.

7.4. Cyber-attacks are considered to be force majeure. The Provider has an obligation to meet the necessary industry average security requirements in order to avoid breach of its obligations (including breach of data protection rules).

8. Data overview and Data secrecy

8.1. The Provider shall ensure that any personnel entrusted with processing the data inserted by the data subjects have undertaken to comply with the principle of data secrecy and have been duly instructed on the protective regulations. The undertaking to secrecy shall continue after the termination of the Agreement.



1. 一般

1.1. このサービスレベル契約(SLA)は、プロバイダおよび機関との間で締結されました


1.2. SLAで使用されている大文字の単語やフレーズは、SLAの本文に新しい用語や定義が導入さ


1.3. SLAは、契約の発効日と同日に効力を発揮します。SLAは契約期間中有効とします。

2. SLAの目的

2.1. SLAは、以下の分野におけるDreamApplyの運用および機関へのサポートの提供に関するサ





2.2. プロバイダは、DreamApplyを運営し、SLAで合意されたサービスレベルに従ってサポート


3. DreamApplyの使用

3.1. DreamApplyへのアクセスは、機関のニーズおよび要件に合わせて特別に構成されたオンラ



3.2. 機関は、機関に代わってDreamApplyおよびサービスの使用を監督および管理する高レベル


3.3. 機関および監督者には、そのメンバーが契約に従ってDreamApplyおよびサービスを使用す







3.4 本サービスの提供および価格オファーの範囲外の品目の納品は、当事者間の個別の交渉に従





4.1 DreamApplyの運用

4.1.1. 応答性:DreamApplyは、合理的に予想できない場合(大量のアップロード、拡張検索、




4.1.2. 予防措置:DreamApplyは、DreamApplyのパフォーマンスの異常または中断を検出し、メ



(a) サーバーハードウェアおよびネットワーク機器の保守。

(b) ソフトウェアバージョンおよびセキュリティアップデート。

(c) ログ管理。

(d) 構成の保守、バージョン管理、およびバックアップ。

(e) 管理の変更および記録。

4.1.3. アップグレード:プロバイダは、必要に応じてDreamApplyのユーザビリティ、管理、効


4.1.4. バックアップ:プロバイダは、ユーザーコンテンツ、DreamApply、およびDreamApplyの



(a) 保存期間が3日以上のユーザーコンテンツの1時間ごとのオフサイトバックアップ。

(b) 保存期間が30日以上のユーザーコンテンツの夜間のオフサイトバックアップ。

4.1.5. 計画的なメンテナンス作業:通常、アップデートのインストールはDreamApplyの動作に








4.1.6. 計画外のサービス中断:DreamApplyの可用性に影響を与える計画外の中断の合計許容期



4.2. サポート

4.2.1. プロバイダは、営業日の 9:00〜17:00(CET)の間、電子メールまたは電話で遠隔サポ




4.2.2. サポートは英語で提供されます。サポート依頼およびサポートの量に対する応答時間は、


(a) メール: [email protected];

(b) スカイプ: dreamapply

(c) 電話: +3726314625

4.3. エラー管理

4.3.1. 機関は、注意を喚起するエラーについてプロバイダに通知するものとします。機関は、エ



4.3.2. 機関がDreamApplyの既存のコンテンツ、特徴または機能の変更または追加、DreamApply





4.3.3. エラーの重大度レベル:エラーは、以下の定義に従い、重大度のレベルに応じて処理され


(a) 大-機能に影響があるか、またはパフォーマンスが大幅に低下している。エラーは永続的で



(b) 中 – エラーは一部のユーザーに影響を及ぼしているが、すべてのユーザーには影響していな



(c) 些細 – 少数のユーザーに影響を与える欠陥。DreamApplyの本来の目的を実行する能力には影


4.3.4. 反応時間:プロバイダは、(a)機関からのエラーの報告を受け取り、その発生を実証す




(a) 高 – 可能な限り迅速に、ただし確認から遅くとも1(一)営業日以内に開始、3(三)日以内


(b) 中 – 確認から3(三)営業日以内に開始、2(二)営業日以内に回避策を提供し、5(五)営


(c) 些細- 確認から1(一)か月以内に開始、6(六)か月以内にエラーを解決しなければならな


5. 制限事項

5.1. 計画的なメンテナンス作業または計画外のサービス中断が許容期間限度を超えた場合、当事




5.2. DreamApplyの主要機能の可用性、またはその機能に重大な影響を及ぼさないエラーに関し


5.3. SLAに基づくプロバイダの義務は、エラーがプロバイダの管理外の何らかの要因によって引


5.3.1. 機関のインフラストラクチャ、オペレーティングシステムソフトウェア、およびそれらに



5.3.2. プロバイダが納入していない部品、付属品、または製品。

5.3.3. プロバイダの従業員の予期しない重大な事故および/または健康上の問題。

5.3.4. 機関または他のDreamApplyユーザー(携帯電話、サーバーなど)が使用するデバイスお


5.3.5. 電気、インターネットおよび電気通信ネットワークの利用可能性など。

5.3.6. プロバイダによって提供されていない他のサービス(例:データ通信サービスなど)。


5.4. SLAの範囲にない問題の解決に費やされた作業には、追加料金がかかる場合があります。プ



6. プロバイダの義務

6.1. 個人情報の漏洩が疑われる、または実際に発生した場合、機密情報の喪失またはサイバー攻





6.2. プロバイダはまた、機関の指示に違反した場合には機関に通知する義務を負います。

6.3. プロバイダは以下に同意し、保証します。

6.3.1. 転送された個人データの処理以前の、本契約およびその付録およびプロバイダのデータ保



6.3.2.以下に関して機関に速やかに通知すること。 法執行機関による調査の機密保持のための刑法の禁止など、他に禁止されていない限り

、法執行機関による個人データの開示の法的拘束力のある要求。 不正アクセス。 別の方法によって許可されていない限り、その要求に応答せずにデータ主体から直接受


6.3.3. 譲渡の対象となる個人データの処理に関する機関からのすべての問い合わせに迅速かつ適


6.3.4. 機関または独立した構成員で構成され、該当する場合、監督当局との合意のもとにデータ



ら要求された場合。 機関は、(に記載されている契約書の1時間あたりの金


する。 プロバイダのデータ処理施設が他のクライアントまたは検査機関によって監査の結果を


ができる。 機関が12(十二)か月に2回以上要求した場合、プロバイダは監査を拒否することがで

きる。 機関は、監査の21日前に監査を実施したい旨を提供者に通知する義務を負う。

6.4. 機関は、機関がプロバイダとの取り決めの順守を監視できるよう、本契約の履行における将






6.5. プロバイダは以下を実行します。

6.5.1. プロバイダが対象としている連合または加盟国の法律で必要とされている場合を除き、個





6.5.2. 個人データの処理を許可された個人が機密保持を厳守し、または機密保持の適切な法的義


6.5.3. 欧州議会および理事会の規則(EU)2016/679の第32条に従って必要なすべての措置を講


6.5.4. 欧州議会および理事会規則(EU)No.2016/679の第28条の第2および第4項で言及されて


6.5.5. 処理の性質を考慮して、欧州議会および理事会規則(EU)No.2016/679の第3章に定めら



6.5.6. 処理の性質および提供者が入手可能な情報を考慮して、欧州議会および理事会規則


6.5.7. 機関の選択により、処理に関連するサービスの提供の終了後にすべての個人データを削除



6.5.8. 欧州議会および理事会規則(EU)No.2016/679の第28条に定められた義務の遵守を証明す


7. 責任

7.1. 本契約に基づく権利および義務の履行から生じる、またはそれに関連して発生するプロバイ




7.2. 本契約に基づく契約上の義務の履行に失敗した場合には、プロバイダは、機関に対するその



7.3. どちらの当事者も、当事者の制御を超えた状況、およびストライキを含む当事者が予見でき






7.4. サイバー攻撃は不可抗力と見なされます。 プロバイダは、その義務の違反(データ保護規



8. .データの概要と機密性


8.1. プロバイダは、データ主体によって挿入されたデータの処理を委託された職員が、データの


るものとします。 秘密保持の約束は、契約の終了後も継続するものとします。