SaaS Services 6.1 Our SaaS Services are audited at least yearly in accordance with the AICPA’s Statement on Standards for Attestation Engagements (“SSAE”) No. 18. We have attained, and will maintain, SOC 1 and SOC 2 compliance, or its equivalent, for so long as you are timely paying for SaaS Services. Upon execution of a mutually agreeable Non-Disclosure Agreement (“NDA”), we will provide you with a summary of our compliance report(s) or its equivalent. Every year thereafter, for so long as the NDA is in effect and in which you make a written request, we will provide that same information.
6.2 You will be hosted on shared hardware in a Tyler data center or in a third-party data center. In either event, databases containing your Data will be dedicated to you and inaccessible to our other customers.
6.3 Our Tyler data centers have fully-redundant telecommunications access, electrical power, and the required hardware to provide access to the Tyler Software in the event of a disaster or component failure. In the event any of your Data has been lost or damaged due to an act or omission of Tyler or its subcontractors or due to a defect in Tyler’s software, we will use best commercial efforts to restore all the Data on servers in accordance with the architectural design’s capabilities and with the goal of minimizing any Data loss as greatly as possible. In no case shall the recovery point objective (“RPO”) exceed a maximum of twenty-four (24) hours from declaration of disaster. For purposes of this subsection, RPO represents the maximum tolerable period during which your Data may be lost, measured in relation to a disaster we declare, said declaration will not be unreasonably withheld.
6.4 In the event we declare a disaster, our Recovery Time Objective (“RTO”) is twenty-four (24) hours. For purposes of this subsection, RTO represents the amount of time, after we declare a disaster, within which your access to the Tyler Software must be restored.
6.5 We conduct annual penetration testing of either the production network and/or web application to be performed. We will maintain industry standard intrusion detection and prevention systems to monitor malicious activity in the network and to log and block any such activity. We will provide you with a written or electronic record of the actions taken by us in the event that any unauthorized access to your database(s) is detected as a result of our security protocols. We will undertake an additional security audit, on terms and timing to be mutually agreed to by the parties, at your written request. You may not attempt to bypass or subvert security restrictions in the SaaS Services or environments related to the Tyler Software. Unauthorized attempts to access files, passwords or other confidential information, and unauthorized vulnerability and penetration test scanning of our network and systems (hosted or otherwise) is prohibited without the prior written approval of our IT Security Officer.
6.6 We test our disaster recovery plan on an annual basis. Our standard test is not client-specific. Should you request a client-specific disaster recovery test, we will work with you to schedule and execute such a test on a mutually agreeable schedule. At your written request, we will provide test results to you within a commercially reasonable timeframe after receipt of the request.
6.7 We will be responsible for importing back-up and verifying that you can log-in. You will be responsible for running reports and testing critical processes to verify the returned Data.
6.8 We provide secure Data transmission paths between each of your workstations and our servers.
6.9 Tyler data centers are accessible only by authorized personnel with a unique key entry. All other visitors to Tyler data centers must be signed in and accompanied by authorized personnel. Entry attempts to the data center are regularly audited by internal staff and external auditors to ensure no unauthorized access.
6.10 Where applicable with respect to our applications that take or process card payment data, we are responsible for the security of cardholder data that we possess, including functions relating to storing, processing, and transmitting of the cardholder data and affirm that, as of the Effective Date, we comply with applicable requirements to be considered PCI DSS compliant and have performed the necessary steps to validate compliance with the PCI DSS. We agree to supply the current status of our PCI DSS compliance program in the form of an official Attestation of Compliance, which can be found at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇.▇▇▇/about- us/compliance, and in the event of any change in our status, will comply with applicable notice requirements.