Service Level Agreement (RTI Master Subscription Agreement Annex D)

This summarizes RUSH's escalation matrix and business continuity framework.

1. Escalation Matrix

1.1 Table 1: Contact Information and Resolution Time for Incidents and Requests. For incidents that concern third-party enablers of the Service such as but not limited to Logistics Providers and Payment Gateways, these incidents are not covered by the prescribed resolution time indicated on Table 1.

L1 Support shall be provided by the Merchant while RTI shall provide L2 and L3 Support through the following channels and operating schedule:

Email: support@rush.ph
Availability: 8:00AM to 5:00PM, Mondays to Fridays
Helpdesk Link: https://help.rush.ph/knowledge
Availability: Anytime

Complete information regarding Resolution Time based on severity can be found in this link: https://help.rush.ph/knowledge/resolution-time-based-on-severity

1.2 Table 2: Escalation Matrix for Incidents and Requests. In the event that RTI fails to respond within the given response time based on Table 1, the following escalations shall apply:

Escalation Level	Designation	Email/URL	How/When to Escalate
1	Merchant Support	Solution Support support@rush.ph	Once the issue is identified to be under the scope of RUSH
2	Merchant Support Manager	Julia Dane Ubaldo julia@rush.ph	If escalation 1 is unresponsive given the time frame of the resolution SLA table.
3	Chief Operations Officer	Jeff Alejandrino jeffrey@rush.ph	If escalations 1 and 2 are unresponsive given the time frame of the resolution SLA table.
4	Chief Executive Officer	Stephanie Kubota steph@rush.ph	If escalations 1, 2, and 3 are unresponsive given the time frame of the resolution SLA table.

2. Business Continuity Framework

Rush Technologies, Inc. Business Continuity Plan

Introduction

This Business Continuity Plan (BCP) was developed to enable Rush Technologies, Inc. to maintain and/or resume critical operations and services to clients at functional levels following major disruptions and recover to full capabilities within prescribed timeframes.

RTI reserves the right at any time, and from time to time, to modify this BCP as the RUSH Software may reasonably require according to RTI sole discretion with or without notice (unless otherwise required by applicable law). Said revisions or modifications shall be posted in the RUSH website, and once published therein, shall become binding on Merchant. It shall be Merchant’s obligation to be informed thereof by
accessing, from time to time, such website where the latest version of this BCP may be found.

Policy Statement

This document provides information and guidance for maintaining critical business operations and protecting staff health and safety, as well as information needed during a recovery.

This document is primarily addressed to the senior and middle-management teams to enable them to prepare for ‘disasters and crises’ that disrupt normal business operations and/or threaten the access and availability of resources -- personnel, records, information, and physical facilities.

Key Principles

This document aims to:

Ensure that all Rush Technologies, Inc. employees understand their responsibilities in relation to the BCP
Provide contingency arrangements are appropriate, agile and cost-effective
Align all decisions following disruptions in all departments
Enable disaster recovery capabilities as applicable to key customers, vendors and other stakeholders

Crisis Management process

The President/CEO will notify his/her Mancom team of an emergency situation and the company’s immediate plans and they, in turn, will notify their top-tier managers. The top-tier managers will serve as the focal points for their departments and will call the people they have been assigned to call. The call tree continues until all affected personnel have been contacted.

Call Tree Flow and Guidelines

Call Tree

No one person should call more than 5 names. By keeping each call to less than 3 minutes, 100+ employees can be contacted in less than 51 minutes.
If person called is available, relay the information
- disaster status
- action to be taken
If a person called is not available, call the next in the list. If a person remains uncontactable for 20 minutes,
- call the alternate coordinator or POC or
- If there is no alternate POC, call the next person that this person is assigned to notify
Report list of uncontactable persons to your coordinator/POC

Key Business Process and BCP Strategy

Key business processes and the agreed BCP strategy for each are listed below. The strategy chosen for 24/7 operation is to work alternatively from home (teleworking) or a temporary site that will be provided by management if office building facility recovery will take longer. Monitoring tools, knowledge base and relevant documents are hosted and secured in the cloud.

Systems and IT infrastructure are deployed in a multi-site cloud providing high availability. In case one of the availability zones becomes inaccessible, the affected server can be easily restored to another availability zone using snapshots.

Key Business Process	BCP Strategy
Rush Technologies, Inc. Operations
Workstations/Workplace	Laptop Computer / Work from home
Internet connection	Pocket Wifi / Mobile Phone / VPN
Storage	Google Drive / AWS S3
Telephone	Mobile Phone
Systems & Infrastructure
Servers	AWS Multi-zone deployment / Snapshots / S3 / AWS Terraform
Databases	AWS Multi-zone deployment / Replication / Snapshots / Backups
Office Facilities	Alternative Site - 917Ventures in The W Fifth Avenue, 5th Ave, BGC, Taguig, Metro Manila, Philippines Secondary - The Globe Tower in 32nd St, BGC, Taguig, Metro Manila, Philippines Teleworking (Work from Home)
Communications
Internal Meetings	Google Meet / Zoom
External Meetings	Google Meet / Zoom / MS Teams / AWS Chime

Event Categories
Potential disasters have been assessed as follows:

Potential Disaster	Probability Rating	Impact Rating
Flood	1	2
Fire	3	1
Earthquake	5	1
Civil Unrest	2	4
Typhoon	2	2
Infectious Disease Outbreak	5	2
Data/Hacking	1	2

Probability: 1 = very high, 5 = very log Impact: 1 = total destruction, 5 = minor annoyance

Business Continuity Points of Contact

People and Governance Director
Merchant Experience Director
Solutions Head
Infrastructure Head
Testing Center of Excellence (TCOE) Head

Emergency Response

Plan Triggering Events

Key trigger issues at main office that would lead to activation of the Emergency Response are:

Total loss of all communications due to fire, earthquake and typhoon
Total loss of power due to fire, earthquake and typhoon
Flooding of the premises / Inaccessible premise
Loss of the building due to fire and earthquake
Infectious Disease Outbreak
Emergency Response Guideline

Emergency Response Guideline

Alert Level	Response
Severity 3	Business As Usual Management: to monitor and provide information about the current Situation necessary Employee: to take necessary precautions and be informed of the current situation
Severity 2	Discretionary Management: to convene and assess current situation, review and activate comm plan BU heads to make decisions based on the current situation and outline actions to be taken (whether to send employee home or allow them to work from home) BU heads to release appropriate communications as necessary Employee: affected employees to report their situation to their IS and if assistance is needed ask for IS approval if work from home is possible
Severity 1	Activate BCP Management: to convene and assess current situation, review and activate comm plan to decide whether to declare emergency and activate the Call Tree to provide information about disaster status and action plan to be taken (whether evacuation is needed or to suspend work or to work from home or split operation) depending on the nature of disaster to activate M360 SMS broadcast as alternative platform to communicate Employee: to assess their safety and report back their status during call tree to be informed and aware of the current situation to keep constant status update with IS or BU head and take instructions about the contingency plan

When an incident occurs the Emergency Response Team (ERT) must be activated. The ERT will then decide the extent to which the Disaster Recovery Plan must be invoked. All employees must be issued a Quick Reference card containing ERT contact details to be used in the event of a disaster. Responsibilities of the ERT are to:

Respond immediately to a potential disaster and call emergency services;
Assess the extent of the disaster and its impact on the business, cloud asset, data center, etc.;
Decide which elements of the DR Plan should be activated;
Establish and manage disaster recovery team to maintain vital services and return to normal operation;
Ensure employees are notified and allocate responsibilities and activities as required.

Evacuation and Assembly Points

Where the premises need to be evacuated due to Earthquake or Fire, the DRP invocation plan identifies evacuation assembly point:

Primary – Nearest mall (Highstreet in BGC; Pioneer Center in Globe Pioneer, etc)

Alternate Recovery Facilities

If necessary, the hot site at 917Ventures in The W Fifth Avenue, 5th Ave, BGC, Taguig, Metro Manila, Philippines will be activated and notification will be given with managers. Hot site staffing will consist of members of the disaster recovery team only for the first 24 hours, with other staff members joining at the hot site as necessary.

Secondary hot site will be The Globe Tower in 32nd St, BGC, Taguig, Metro Manila, Philippines.

Activation of Disaster Recovery Team

The Disaster Recovery Team (DRT) is responsible for activating the Disaster Recovery Plan for potential disasters identified in this document as well as in the event of any other occurrence that affects the company’s capability to perform normally. These include but are not limited to office building structures, information systems or IT infrastructures. The DRT will then decide the extent to which the DRP must be invoked.

Responsibilities of the DRT are to:

Assess the extent of the disaster and its impact on the business, cloud asset, data center, etc.;
Decide which elements of the DR Plan should be activated;
Ensure employees are notified and allocate responsibilities and activities as required.
Establish facilities for an emergency level of service within 1.0 business hours;
Restore key services within 4.0 business hours of the incident;
Recover to business as usual within 8.0 to 24.0 hours after the incident;
Coordinate activities with the disaster recovery team, first responders, etc.

The DR plan will rely principally on key members of management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery. Suppliers and service providers should continue to support recovery of business operations as the company returns to normal operating mode.

Disaster Recovery Plan
DRP

Crisis Communications and Flowchart

RUSH Organizational Chart V2

The Rush Technologies, Inc’s President/CEO will notify his/her Mancom team of an emergency situation and the company’s immediate plans and they, in turn, will notify their top-tier managers. The top-tier managers will serve as the focal points for their departments and will call the people they have been assigned to call. The call tree continues until all affected personnel have been contacted.

Business Continuity Documentation Maintenance

Document Review
To ensure that BCP is implemented and operated in accordance with the company’s policies and procedures approach to managing information security and its implementation (i.e. policies, processes and procedures for information security) shall be reviewed at planned intervals (at least once a year) or when significant changes occur.