Service Level Agreement (RTI Master Subscription Agreement Annex C)

This summarizes RUSH's escalation matrix and business continuity framework.

1. Escalation Matrix


1.1 Table 1: Contact Information and Resolution Time for Incidents and Requests. For incidents that concern third-party enablers of the Service such as but not limited to Logistics Providers and Payment Gateways, these incidents are not covered by the prescribed resolution time indicated on Table 1.

L1 Support shall be provided by the Merchant while RTI shall provide L2 and L3 Support through the following channels and operating schedule:


● Email: support@rush.ph
● Availability: 8:00AM to 5:00PM, Mondays to Fridays
● Helpdesk Link: https://help.rush.ph/knowledge
● Availability: Anytime

Complete information regarding Resolution Time based on severity can be found in this link: https://help.rush.ph/knowledge/resolution-time-based-on-severity

1.2 Table 2: Escalation Matrix for Incidents and Requests. In the event that RTI fails to respond within the given response time based on Table 1, the following escalations shall apply:

Escalation Level Designation  Email/URL How/When to Escalate
Merchant Support  Solution Support
support@rush.ph
Once the issue is identified to be under the scope of RUSH

Merchant Support Manager

Julia Dane Ubaldo
julia@rush.ph
If escalation 1 is unresponsive given the time frame of the resolution SLA table.
3 Chief Operations Officer Jeff Alejandrino
jeffrey@rush.ph
If escalations 1 and 2 are unresponsive given the time frame of the resolution SLA table.
4 Chief Executive Officer Stephanie Kubota
steph@rush.ph
If escalations 1, 2, and 3 are unresponsive given the time frame of the resolution SLA table.

2 Business Continuity Framework


Rush Technologies, Inc. Business Continuity Plan

Introduction

This Business Continuity Plan (BCP) was developed to enable Rush Technologies, Inc. to maintain and/or resume critical operations and services to clients at functional levels following major disruptions and recover to full capabilities within prescribed timeframes.

RTI reserves the right at any time, and from time to time, to modify this BCP as the RUSH Software may reasonably require according to RTI sole discretion with or without notice (unless otherwise required by applicable law). Said revisions or modifications shall be posted in the RUSH website, and once published therein, shall become binding on Merchant. It shall be Merchant’s obligation to be informed thereof by
accessing, from time to time, such website where the latest version of this BCP may be found.

Policy Statement

This document provides information and guidance for maintaining critical business operations and protecting staff health and safety, as well as information needed during a recovery.

This document is primarily addressed to the senior and middle-management teams to enable them to prepare for ‘disasters and crises’ that disrupt normal business operations and/or threaten the access and availability of resources -- personnel, records, information, and physical facilities.

Key Principles

This document aims to:

  • Ensure that all Rush Technologies, Inc. employees understand their responsibilities in relation to the BCP
  • Provide contingency arrangements are appropriate, agile and cost-effective
  • Align all decisions following disruptions in all departments
  • Enable disaster recovery capabilities as applicable to key customers, vendors and other stakeholders
     

Crisis Management process

The President/CEO will notify his/her Mancom team of an emergency situation and the company’s immediate plans and they, in turn, will notify their top-tier managers. The top-tier managers will serve as the focal points for their departments and will call the people they have been assigned to call. The call tree continues until all affected personnel have been contacted.

Call Tree Flow and Guidelines

Call Tree

  • No one person should call more than 5 names. By keeping each call to less than 3 minutes, 100+ employees can be contacted in less than 51 minutes.
  • If person called is available, relay the information
    • disaster status
    • action to be taken
  • If a person called is not available, call the next in the list. If a person remains uncontactable for 20 minutes,
    • call the alternate coordinator or POC or
    • If there is no alternate POC, call the next person that this person is assigned to notify
  • Report list of uncontactable persons to your coordinator/POC


Key Business Process and BCP Strategy

Key business processes and the agreed BCP strategy for each are listed below. The strategy chosen for 24/7 operation is to work alternatively from home (teleworking) or a temporary site that will be provided by management if office building facility recovery will take longer. Monitoring tools, knowledge base and relevant documents are hosted and secured in the cloud.

Systems and IT infrastructure are deployed in a multi-site cloud providing high availability. In case one of the availability zones becomes inaccessible, the affected server can be easily restored to another availability zone using snapshots.

Key Business Process BCP Strategy
Rush Technologies, Inc.
Operations
 
Workstations/Workplace Laptop Computer / Work from home
Internet connection Pocket Wifi / Mobile Phone / VPN
Storage Google Drive / AWS S3
Telephone Mobile Phone
Systems & Infrastructure  
Servers AWS Multi-zone deployment / Snapshots / S3 / AWS Terraform
Databases AWS Multi-zone deployment / Replication / Snapshots / Backups 
Office Facilities Alternative Site - 917Ventures in The W Fifth Avenue, 5th Ave, BGC, Taguig, Metro Manila, Philippines

Secondary - The Globe Tower in 32nd St, BGC, Taguig, Metro Manila,
Philippines

Teleworking (Work from Home)

Communications  
Internal Meetings  Google Meet / Zoom
External Meetings  Google Meet / Zoom / MS Teams / AWS Chime

 
 
Event Categories
Potential disasters have been assessed as follows:

Potential Disaster Probability Rating Impact Rating
Flood 1 2
Fire 3 1
Earthquake 5 1
Civil Unrest 2 4
Typhoon  2 2
Infectious Disease Outbreak 5 2
Data/Hacking 1 2

Probability: 1 = very high, 5 = very log Impact: 1 = total destruction, 5 = minor annoyance

Team Structure
Roles and Responsibilities

BC Team Names

Name Function
Rosella Gonzaga Governance Director
Yrose Lacerna-Baguio People Operations Manager
Mark Manalang  Tech Infrastructures (Servers, DBs)
Danica Diesta Tech Solutions (Development)
Shoggi Lalog Tech Testing (QA)
Sofia Caram Business Intelligence
Gene Patrick Hora Account Management Director
Julia Hubaldo Merchant Support Manager
Aaron Paul Llena Corporate Finance Manager



Emergency Response

Plan Triggering Events


Key trigger issues at main office that would lead to activation of the Emergency Response are:

  • Total loss of all communications due to fire, earthquake and typhoon
  • Total loss of power due to fire, earthquake and typhoon
  • Flooding of the premises / Inaccessible premise
  • Loss of the building due to fire and earthquake
  • Infectious Disease Outbreak
  • Emergency Response Guideline

Emergency Response Guideline

Alert Level Response
Severity 3 Business As Usual

Management:
● to monitor and provide information about the current Situation necessary

Employee:
● to take necessary precautions and be informed of the current situation
Severity 2 Discretionary

Management:
● to convene and assess current situation, review and activate comm plan
● BU heads to make decisions based on the current situation and outline actions to be taken (whether to send employee home or allow them to work from home)
● BU heads to release appropriate communications as necessary

Employee:
● affected employees to report their situation to their IS and if assistance is needed
● ask for IS approval if work from home is possible
Severity 1 Activate BCP

Management:

● to convene and assess current situation, review and activate comm plan
● to decide whether to declare emergency and activate the Call Tree
● to provide information about disaster status and action plan to be taken (whether evacuation is needed or to suspend work or to work from home or split operation) depending on the nature of disaster
● to activate M360 SMS broadcast as alternative platform to communicate

Employee:
● to assess their safety and report back their status during call tree
● to be informed and aware of the current situation
● to keep constant status update with IS or BU head and take instructions about the contingency plan

 
When an incident occurs the Emergency Response Team (ERT) must be activated. The ERT will then decide the extent to which the Disaster Recovery Plan must be invoked. All employees must be issued a Quick Reference card containing ERT contact details to be used in the event of a disaster. Responsibilities of the ERT are to:

  • Respond immediately to a potential disaster and call emergency services;
  • Assess the extent of the disaster and its impact on the business, cloud asset, data center, etc.;
  • Decide which elements of the DR Plan should be activated;
  • Establish and manage disaster recovery team to maintain vital services and return to normal operation;
  • Ensure employees are notified and allocate responsibilities and activities as required.


Evacuation and Assembly Points

Where the premises need to be evacuated due to Earthquake or Fire, the DRP invocation plan identifies evacuation assembly point:

Primary – Nearest mall (Highstreet in BGC; Pioneer Center in Globe Pioneer, etc)

Alternate Recovery Facilities

If necessary, the hot site at 917Ventures in The W Fifth Avenue, 5th Ave, BGC, Taguig, Metro Manila, Philippines will be activated and notification will be given with managers. Hot site staffing will consist of members of the disaster recovery team only for the first 24 hours, with other staff members joining at the hot site as necessary.

Secondary hot site will be The Globe Tower in 32nd St, BGC, Taguig, Metro Manila, Philippines.

Activation of Disaster Recovery Team

The Disaster Recovery Team (DRT) is responsible for activating the Disaster Recovery Plan for potential disasters identified in this document as well as in the event of any other occurrence that affects the company’s capability to perform normally. These include but are not limited to office building structures, information systems or IT infrastructures. The DRT will then decide the extent to which the DRP must be invoked.

Responsibilities of the DRT are to:

  • Assess the extent of the disaster and its impact on the business, cloud asset, data center, etc.;
  • Decide which elements of the DR Plan should be activated;
  • Ensure employees are notified and allocate responsibilities and activities as required.
  • Establish facilities for an emergency level of service within 1.0 business hours;
  • Restore key services within 4.0 business hours of the incident;
  • Recover to business as usual within 8.0 to 24.0 hours after the incident;
  • Coordinate activities with the disaster recovery team, first responders, etc.


The DR plan will rely principally on key members of management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery. Suppliers and service providers should continue to support recovery of business operations as the company returns to normal operating mode.

 

Disaster Recovery Plan
DRP

Crisis Communications and Flowchart

DRP 2

The Rush Technologies, Inc’s  President/CEO will notify his/her Mancom team of an emergency situation and the company’s immediate plans and they, in turn, will notify their top-tier managers. The top-tier managers will serve as the focal points for their departments and will call the people they have been assigned to call. The call tree continues until all affected personnel have been contacted.

BC Documentation Maintenance

Document Review

To ensure that BCP is implemented and operated in accordance with the company’s policies and procedures approach to managing information security and its implementation (i.e. policies, processes and procedures for information security) shall be reviewed at planned intervals (at least once a year) or when significant changes occur.