Specific Terms and Conditions of the Services

Last update: November 2024

These Specific Terms and Conditions of Service (the “Specific terms and conditions”) describe the Services provided by JOTELULU and set out the specific terms and conditions into which the Services are provided by JOTELULU and shall be used by the Client.

These Specific terms and conditions are an integral part of the Contract in force between JOTELULU and the Client and supplement the other documents that are part of the said Contract. In case of any conflict, the order of priority defined in the General terms and conditions of service shall apply.

Specific conditions of SERVERS

1.1 Service description

Definition and characteristics

By means of the Service “Servers”, JOTELULU makes available the Client a virtual server or “instance” that is (i) created with and managed through a virtualization solution, (ii) hosted on JOTELULU’s infrastructures, (iii) accessible 24/7 remotely through internet or VPN connectivity, and (iv) available to the Client for the storage, hosting, installation and/or execution of Software or data.

The instance includes a local space storage, compute resources and RAM. The available types and capacities of these resources is communicated on JOTELULU website and in the Portal as well.

The Instance is created on a physical server which is shared for several Client. The Client can select the location of the physical server during the set-up of the Service among the available geography. The instances of the Client are logically isolated from the instances of the other clients.

Features and functionalities

The Service “Servers” enables to host critical applications, including all necessary components: virtual machine, disk, OS, private network, dedicated virtual router, and firewall, with a default backup policy included.

The following features and functionalities are available to Client through the Portal:

Interface to configure and manage the Service (create, configure and remove Instances, select geography, select resources, OS systems and applications, select and configure the network, manage Snapshots and backup, monitor the status and completion of the service).
Identity and access rights management system to add and remove Users and manage their access rights (access method, type of user), including a 2FA functionality.
IP addressing, NAT and Servers connectivity (internal and internet).
A dedicated router.
A firewall.
A VPN.
Snapshots, back-up and restoration functionalities.
A catalogue of operating systems and applications that the Client can decide to be installed on its instance during the set-up of the service.
Additional Services, notably File Storage and Object Storage Services can be associated to the instances.

1.2 Security Measures

Authentication and Access Control:

The administration portal access requires mandatory 2FA for administrator roles. The generated token is a six-digit number that users must provide in addition to their username and password to access services. There is also a comprehensive granular permissions management system for user subscriptions to limit access to authorized users.

Data Encryption:

Mutualize Disk Storage Volume are encrypted at rest on NetApp storage arrays using XTS-AES-256 through NVE and NAE encryption. JOTELULU is responsible for managing and ensuring the availability of the relevant encryption keys.

The Client shall assess the sufficiency of this solution of encryption and implement and manage any additional encryption solution that may be necessary to ensure the confidentiality of the data stored within the Service, taking into account the criticality of the said data.

The Client is solely responsible for encrypting the data in transit.

Firewalls and Intrusion Detection:

Dedicated FW: Configurable from the Portal considering origin, protocol Public IP, public port, Private IP

Alongside the dedicated firewall, there is a perimeter firewall and intrusion detection systems (IDS) with Anti-DDoS to protect the infrastructure from external attacks.

The service may be not accessible from some blacklisted countries due to regulation and security concerns. Client can contact Client Support for more information.

Backup and Disaster Recovery:

All servers are deployed with default pre-configured backups, which consist of scheduled Disk Snapshots (NetApp):

Every hour (retaining the last 5 hours).
Daily (retaining the last 14 days at 00:10).
Weekly (retaining the last 8 weeks – Sundays at 00:15).

Additionally, a secondary copy is made in another Data Center every 12 hours for disaster recovery purposes. This copy is for internal use, and it is not available through the portal.

The Client can restore via the Portal the available copies based on the schedule and a history of restores.

The Client is responsible for periodically checking the integrity and availability of its back-up and Snapshot.

In addition, Disaster Recovery optional service is available, allowing configuration of a replica in another Data Center as a recovery site.

Replica frequency: 1h, 3h, 6h, 12, 24h.
Up to 24 restoration points.

For Disaster Recovery option the Client can run drill exercises from the Portal.

In addition, the Client shall assess the adequacy of these back-up and recovery solutions and implement and manage any additional back-up and/or recovery solution that may be necessary to ensure the availability of the data stored within the Service, taking into account the criticality of the said data.

Data Portability

Upon request, provides to the client in the conditions provided by the contract, an export file of the data stored within the service. The format is communicated in the web site or upon request to support.

1.3 Distribution of tasks and responsibilities

Responsibility	Client	Service Provider
Service Start-up
Service Selection	Ensures the service meets their needs and those of the end clients.	Informs the client about the service’s features and conditions.
Provision of Infrastructure	None	Provides the following infrastructure used to deliver the service: – Physical sites to host hardware infrastructure – Hardware infrastructure – Virtual infrastructure – Backup solution – Connectivity
Service Configuration	– Selects/adds authorized users to use the service – Manages user access rights (access method, user type, and 2FA options) – Selects geography – Selects resources (vCPU, VRAM) – Selects the operating system image (Windows, Centos, etc.) – Selects software to be automatically installed from Jotelulu’s catalog – Selects disks and capacity (default backup included) – Selects network type (standard or VPC) – Completes the name and information for remote access – Once the instance is created, configures any software and operating system not provided by the service provider that they wish to use as part of the services – Verifies the completion of the configuration – Configures the disaster recovery service option (if contracted)	– Provides self-service portals (admin.jotelulu.com and portal.jotelulu.com), including the access rights management system (IAM) and 2FA functionality. – Deploys the instance in the geography selected by the client and with the configuration applied by the client. – Configures the software selected by the client from Jotelulu’s catalog.
Connectivity Management	– Configures networks, IPs, NAT rules – Configures firewall rules to restrict access to identified IPs – Configures load balancer options – Configures the virtual private network (VPN), S2S, to enable/restrict access – Ensures the service can only be accessed from allowed countries, IPs, and protocols.	Provides the following service as configured by the client (or in the default configuration): – IP address, NAT, and server connectivity (internal and Internet) – Dedicated internal vRouter/vFirewall for routing, FW, LB, and VPN capabilities.
Licensing	– Acquires the right to use any third-party solution not provided by JOTELULU and used within the service. – The User is solely responsible for having the necessary licenses or permissions for the software they wish to install.	Provides the necessary licenses to use third-party solutions that are (i) used to provide the service and (ii) provided to the client as part of the service.

Service Utilization
Data Encryption	– In addition to the encryption provided by Jotelulu, configures any additional encryption processes for data stored within the service that may be necessary, considering the criticality of the data and the end client’s requirements. – Ensures the encryption of data in transit.	– Encrypts the data stored by the client within the service (according to NetApp’s encryption capabilities in the NVE or NAE storage cabinet). – Ensures the confidentiality and availability of the relevant encryption key.
Service Operation	– Is responsible for the use of the instance (primarily the content, software, and any other elements stored and/or configured within the service). – Ensures users comply with the service’s terms of use.	Communicates the service’s features and terms of use to the client.
Create and Delete Instances	– Decides to create new instances and modify/delete instances through the administration portal – Monitors the completion of instance creation, modification, and deletion.	Creates and deletes instances as requested by the client through the Portal.
Add Resources to Instances	– Decides to add and remove resources (compute, storage) to instances and delete instances through the Portal – Monitors the completion of resource creation and deletion.	Adds and removes resources (compute, storage) to instances as requested by the client through the Portal.
Backup (Snapshots) and Disaster Recovery Option	– Restores backups when necessary from the available recovery points in the panel. – Manages the VSS (Volume Shadow Copy Service) option through previous versions of Windows. – Monitors the availability and integrity of backups. – Periodically tests and monitors recoveries. – Implements and manages any additional backup solution necessary to ensure data availability and business continuity. – When disaster recovery is configured, monitors replicas and performs drill exercises.	– Performs disk snapshots with the following default configuration: – Every hour (retaining the last 5 hours) – Daily (retaining the last 14 days) – Weekly (retaining the last 8 weeks). – Provides the option to restore available copies through the portal according to the schedule and restoration history.
Access Logs and Usage Traces	Retains access logs and event traces provided by JOTELULU, according to the client’s and end client’s data retention policy.	– Retains access logs and event traces related to the use and management of the service as established in the contract. – Makes traces and access logs available to the client through the self-service portal or upon request.
Access Rights Management	– Creates and deletes users and manages their access rights to the service. – Ensures the confidentiality of their personnel’s authentication means. – Is responsible for all activities performed using their client account and the authentication means provided to users (username and password) and the account, even if they occur without their permission.	– Provides the IAM system, including user interfaces – Manages the access rights of their personnel. – Ensures the confidentiality of their personnel’s authentication means.

Maintenance and Service Continuity
Service Monitoring	– Verifies the completion of the service (notably the creation and deletion of instances, addition/removal of resources, etc.) to detect potential incidents. – Notifies JOTELULU of any known incidents that affect or may affect the service. – Resolves any incidents within their scope of responsibility.	– Monitors the execution of the service to ensure its proper functioning and detect incidents. – Provides information on CPU usage, CPU load, and available RAM in the portal. – Notifies the client of any detected incidents that may affect them.
Vulnerability Management	– Performs periodic vulnerability and penetration tests on components within their scope of responsibility. – Notifies Jotelulu of any known vulnerabilities. – Monitors various software, operating systems, and other elements configured in the instances (including those configured by Jotelulu) to detect identified vulnerabilities, implementing available patches.	– Performs periodic vulnerability and penetration tests on platform components. – Monitors service components under their responsibility to detect identified vulnerabilities, implementing available patches.
Service Update	– Monitors the availability of any new versions and updates for various software, operating systems, and other elements configured in the instances (including those configured by Jotelulu) and implements updates appropriately. – Considers updates communicated by Jotelulu, especially when they impact the service’s terms of use and/or availability.	– Monitors the availability of any new versions and updates for service components under their responsibility and implements updates appropriately. – Informs the client of any implementations that may affect the service’s terms of use and/or availability.
Available Resources	– Monitors the utilization rate of resources associated with their service and expands capacity as needed (CPU usage, CPU load, and available RAM are accessible in the portal). – Informs JOTELULU of their resource needs, especially in case of significant changes, to ensure availability.	– Monitors the evolution of available resource volume and periodically updates capacity planning.
Business and Service Continuity	Implements appropriate technical and organizational measures to ensure the continuity of their activities and those of the end client, considering the service’s features and terms of use.	Implements the technical and organizational measures established in the contract to ensure service continuity, as defined in the service level agreement (SLA).

End of Service
Data Portability	– Defines and implements the necessary operations to ensure the portability of data and other elements hosted within the service. – Ensures the completion of portability operations before the end of the service.	– Provides the client, upon request, with any necessary information to perform portability operations. – Upon request, delivers to the client, under the conditions stipulated in the contract, an export file with the data stored within the service. – Ensures service continuity to guarantee the portability of data and other elements hosted within the service.
Service Termination	Terminates the service.	– Decommissions the service. – Ensures data deletion before reassigning storage space.
End of Disk Life	None	– Deletes data stored within the service before destroying the disks. – Destroys the disks.
Destruction Certificate	Requests a certificate of destruction for the data hosted within the services.	Provides the client, upon request, with a certificate of destruction for the data hosted within the service.

1.4 Personal Data Processing

As part of the execution of the Service, JOTELULU carries out as a data processor acting on Client’s instructions, the processing of personal data described below. These processing of personal data are carried out under the conditions defined in the Data Processing Agreement.

1.4.1 Data hosted by the Client as part of the Service

Categories of personal data: Data stored and used by the Client within the Servers.
Categories of data subjects: Persons concerned by the personal data referred to above.
Nature of processing: Recording, storage, deletion or destruction.
Purpose of processing: Provision of the Service.
Duration: Duration defined by the Client, provided that the duration shall not exceed the duration of the Service utilization.

1.4.2 Service usage data

(a) Category of personal data:

User identification data (surname, first name, email address, login, password).
Logs of Users’ connections to the Services via the platform and API (date, time and IP address of connection).
Traces of actions (or events) carried out in the course of using the Services (creation and configuration of servers, management of authorizations, etc.).

(b) Category of persons concerned: Users of the Services.

(c) Nature of processing: Collection, recording, organization, structuring, conservation, transmission, adaptation or modification, extraction, consultation, limitation, deletion and destruction.

(d) Purpose of processing: Provision of Services.

(e) Data retention period:

User identification data: duration of user account + 12 months.
Connection logs and traces of actions taken: 12 months.

In the event of termination or expiration of the Service, the aforementioned data will be deleted no later than 60 days following the effective date of termination or expiration of the Service. Notwithstanding the foregoing, JOTELULU reserves the right to retain the said data longer than the aforementioned retention periods on the basis of a legitimate interest (in particular to enforce its rights) or a legal provision (e.g. judicial requisition).

The Client may access the aforementioned Service use data from the Platform or via request to support. The Client must send his request at least 30 (thirty) days before the effective date of termination or expiry of the Services.

Specific conditions of the Product: REMOTE DESKTOP

2.1 Services description

Definition and characteristics

By means of the Service “Remote Desktop”, JOTELULU provides the User with the infrastructure necessary for computing, storage and remote execution of the operating system and software installed by the User, based on the previous SERVER Product.

The instance includes a local space storage, compute resources and RAM. The available types and capacities of these resources is communicated on JOTELULU website and in the Portal as well.

Features and functionalities

The Service “Remote Desktop” enables secure access to any application from anywhere as an alternative to Terminal Server or VDI, accessible via a web browser or RDP

The following features and functionalities are available to Client through the Portal:

Interface to configure and manage the Service (create, configure and remove Instances, select geography, select resources, OS systems and applications, select and configure the network, manage Snapshots and backup, monitor the status and completion of the service).
Identity and access rights management system to add and remove Users and manage their access rights (access method, type of user), including a 2FA functionality.
IP addressing, NAT and Servers connectivity (internal and internet).
A dedicated router.
A firewall.
A VPN.
Snapshots, back-up and restoration functionalities.
A catalogue of operating systems and applications that the Client can decide to be installed on its instance during the set-up of the service.

Additional Services, notably File Storage and Object Storage Services can be associated to the instances.

2.2 Security Measures

Authentication and Access Control:

Data Encryption:

The Client is solely responsible for encrypting the data in transit.

Firewalls and Intrusion Detection:

Dedicated FW: Configurable from the panel considering: Origin, protocol Public IP, public port, Private IP

Alongside the dedicated firewall, there is a perimeter firewall and intrusion detection systems (IDS) with Anti-DDoS to protect the infrastructure from external attacks.

The service may be not accessible from some blacklisted countries due to regulation and security concerns. Client can contact Client Support for more information.

Backup and Disaster Recovery:

All servers are deployed with default pre-configured backups included in the price, which consist of scheduled Disk Snapshots (NetApp):

Every hour: retaining the last 5 hours.
Daily: retaining the last 14 days at 00:10.
Weekly: retaining the last 8 weeks, Sundays at 00:15.

Additionally, a secondary copy is made in another Data Center every 12 hours for disaster recovery purposes. This copy is for internal use and it is not available through the portal.

The Client can restore via the Portal the available copies based on the schedule and a history of restores.

The Client is responsible for periodically checking the integrity and availability of its back-up and Snapshot.

In addition, Disaster Recovery optional service is available, allowing configuration of a replica in another Data Center as a recovery site.

Replica frequency: 1h, 3h, 6h, 12, 24h.
Up to 24 restoration points.

For Disaster Recovery option the Client can run drill exercises from the Portal.

In addition, the Client shall assess the adequacy of these back-up solutions, and implement and manage any additional back-up solution that may be necessary to ensure the availability of the data stored within the Service, taking into account the criticality of the said data.

Data Portability

2.3 Distribution of tasks and responsibilities

Responsibility	Client	Service Provider
Service Start-up
Service Selection	Ensures the service meets their needs and those of the end clients.	Informs the client about the service’s features and conditions.
Provision of Infrastructure	None	Provides the following infrastructure used to deliver the service: – Physical sites to host hardware infrastructure – Hardware infrastructure – Virtual infrastructure – Backup solution – Connectivity
Service Configuration	– Selects/adds authorized users to use the service. – Manages user access rights (access method, user type, and 2FA options). – Selects the number of concurrent sessions. – Chooses the software(s) to be automatically installed from Jotelulu’s catalog. – Selects server features (Region, vCPU, OS, Disk, Backup, Network). – Customizes images. – Verifies the completion of the configuration. – Once configured, manages new applications and user access. – Configures the disaster recovery service option (if contracted).	– Provides self-service portals (admin.jotelulu.com and portal.jotelulu.com), including the access rights management system (IAM) and 2FA functionality. – Deploys the instance in the geography selected by the client and with the configuration applied by the client. – Configures the software(s) selected by the client from Jotelulu’s catalog.
Connectivity Management	– Configures networks, IPs, NAT rules – Configures firewall rules to restrict access to identified IPs – Configures load balancer options – Configures the virtual private network (VPN), S2S, to enable/restrict access – Ensures the service can only be accessed from allowed countries, IPs, and protocols.	Provides the following service as configured by the client (or in the default configuration): – IP address, NAT, and server connectivity (internal and Internet) – Dedicated internal vRouter/vFirewall for routing, FW, LB, and VPN capabilities.
Licensing	– Acquires the right to use any third-party solution not provided by JOTELULU and used within the service. – The User is solely responsible for having the necessary licenses or permissions for the software they wish to install.	Provides the necessary licenses to use third-party solutions that are (i) used to provide the service and (ii) provided to the client as part of the service.

Service Utilization
Data Encryption	In addition to the encryption provided by Jotelulu, configures any additional encryption processes for data stored within the service that may be necessary, considering the criticality of the data and the end client’s requirements.	– Encrypts the data stored by the client within the service (according to NetApp’s encryption capabilities in the NVE or NAE storage cabinet). – Ensures the confidentiality and availability of the relevant encryption key.
Service Operation	– Is responsible for the use of the instance (primarily the content, software, and any other elements stored and/or configured within the service). – Ensures users comply with the service’s terms of use.	Communicates the service’s features and terms of use to the client.
Create and Delete Instances	– Decides to create new instances and modify/delete instances through the administration portal – Monitors the completion of instance creation, modification, and deletion.	Creates and deletes instances as requested by the client through the control panel.
Add Resources to Instances	– Decides to add and remove resources (compute, storage) to instances and delete instances through the control panel – Monitors the completion of resource creation and deletion.	Adds and removes resources (compute, storage) to instances as requested by the client through the control panel.
Backup (Snapshots) and Disaster Recovery Option	– Restores backups when necessary from the available recovery points in the panel. – Manages the VSS (Volume Shadow Copy Service) option through previous versions of Windows. – Monitors the availability and integrity of backups. – Periodically tests and monitors recoveries. – Implements and manages any additional backup solution necessary to ensure data availability and business continuity. – When disaster recovery is configured, monitors replicas and performs drill exercises.	– Performs snapshots of the disks with the following default configuration: – Every hour (retaining the last 5 hours) – Daily (retaining the last 14 days) – Weekly (retaining the last 8 weeks). – Provides the option to restore available copies through the portal according to the schedule and restoration history.
Access Logs and Usage Traces	Retains access logs and event traces provided by JOTELULU, according to the client’s and end client’s data retention policy.	– Retains access logs and event traces related to the use and management of the service as established in the contract. – Makes traces and access logs available to the client through the self-service portal or upon request.
Access Rights Management	– Creates and deletes users and manages their access rights to the service. – Ensures the confidentiality of their personnel’s authentication means. – Is responsible for all activities performed using their client account and the authentication means provided to users (username and password) and the account, even if they occur without their permission.	– Provides the IAM system, including user interfaces – Manages the access rights of their personnel. – Ensures the confidentiality of their personnel’s authentication means.

Maintenance and Service Continuity
Service Monitoring	– Verifies the completion of the service (notably the creation and deletion of instances, addition/removal of resources, etc.) to detect potential incidents. – Notifies JOTELULU of any known incidents that affect or may affect the service. – Resolves any incidents within their scope of responsibility.	– Monitors the execution of the service to ensure its proper functioning and detect incidents. – Provides information on CPU usage, CPU load, and available RAM in the portal. – Notifies the client of any detected incidents that may affect them.
Service Update	– Monitors the availability of any new versions and updates for various software, operating systems, and other elements configured in the instances (including those configured by Jotelulu) and implements updates appropriately. – Considers updates communicated by Jotelulu, especially when they impact the service’s terms of use and/or availability.	– Monitors the availability of any new versions and updates for service components under their responsibility and implements updates appropriately. – Informs the client of any implementations that may affect the service’s terms of use and/or availability.
Available Resources	– Monitors the utilization rate of resources associated with their service and expands capacity as needed (CPU usage, CPU load, and available RAM are accessible in the portal). – Informs JOTELULU of their resource needs, especially in case of significant changes, to ensure availability.	– Monitors the evolution of available resource volume and periodically updates capacity planning.
Business and Service Continuity	Implements appropriate technical and organizational measures to ensure the continuity of their activities and those of the end client, considering the service’s features and terms of use.	Implements the technical and organizational measures established in the contract to ensure service continuity, as defined in the service level agreement (SLA).

End of Service
Data Portability	– Defines and implements the necessary operations to ensure the portability of data and other elements hosted within the service. – Ensures the completion of portability operations before the end of the service.	– Provides the client, upon request, with any necessary information to perform portability operations. – Upon request, delivers to the client, under the conditions stipulated in the contract, an export file with the data stored within the service. – Ensures service continuity to guarantee the portability of data and other elements hosted within the service.
Service Termination	Terminates the service.	– Decommissions the service. – Ensures data deletion before reassigning storage space.
End of Disk Life	None	– Deletes data stored within the service before destroying the disks. – Destroys the disks.
Destruction Certificate	Requests a certificate of destruction for the data hosted within the services.	Provides the client, upon request, with a certificate of destruction for the data hosted within the service.

2.4 Personal Data Processing

2.4.1 Data hosted by the Client as part of the Service

Categories of personal data: Personal data stored and used by the Client within the Remote Desktop infrastructures.
Categories of data subjects: Persons concerned by the personal data referred to above.
Nature of processing: Recording, storage, deletion or destruction.
Purpose of processing: Provision of the Service.
Duration: Duration defined by the Client, provided that the duration shall not exceed the duration of the Service utilization.

(a) Category of personal data:

User identification data (surname, first name, email address, login, password).
Logs of Users’ connections to the Services via the platform and API (date, time and IP address of connection).
Traces of actions (or events) carried out in the course of using the Services (creation and configuration of Remote Desktop, management of authorizations, etc.).

(b) Category of persons concerned: Users of the Services.

(c) Nature of processing: Collection, recording, organization, structuring, conservation, transmission, adaptation or modification, extraction, consultation, limitation, deletion and destruction.

(d) Purpose of processing: Provision of Services.

(e) Data retention period:

User identification data: duration of user account + 12 months.
Connection logs and traces of actions taken: 12 months.

The Client may access the aforementioned Service use data from the portal or via request to support. The Client must send its request at least 30 (thirty) days before the effective date of termination or expiry of the Services.

Specific conditions of the Product: CLOUD PBX

3.1 Services description

Definition and characteristics

By means of the Service “Cloud PBX”, JOTELULU provides the User with an electronic communications Product under IP protocol (Virtual Switchboard). This service includes telephone switchboard and advanced communications functionalities.

Features and functionalities

The following features and functionalities are available to Client through the Portal:

Individual and group extensions.
New numbering or portability.
Calendar Configuration – Available Days and times.
PBX menus, call forwarding programming.
Professional Voice Recording.
Call flows.
Call response customization.
Call Records.
Fully operational webphone in the portal.
Service compatible with softphones and IP phones.
Only available for Spanish Partners.

3.2 Security Measures

Network redundancy

Network redundancy with different level-1 providers.
Geo-redundant IP telephony infrastructure.

Authentication and Access Control

The administration portal access requires mandatory 2FA for administrator roles. The generated token is a six-digit number that users must provide in addition to their username and password to access services.
There is also a comprehensive granular permissions management system for user subscriptions to limit access to authorized users.

Firewalls and Intrusion Detection

There is a perimeter firewall and intrusion detection systems (IDS) with Anti-DDoS to protect the infrastructure from external attacks.
The service may not be accessible from some blacklisted countries due to regulation and security concerns. Client can contact Client Support for more information.

3.3 Distribution of tasks and responsibilities

Responsibility	Client	Service Provider
Service Start-up
Service Selection	Ensures the service meets their needs and those of the end clients.	Informs the client about the service’s features and conditions.
Provision of Infrastructure		Provides the following infrastructure necessary to deliver the service: – Physical locations to host the hardware infrastructure. – Hardware infrastructure. – Virtual infrastructure. – Platform to host applications and databases. – Applications and databases. – Internet and connectivity.
Service Configuration	Create users to grant access to the service. Create individual extensions and assign them to a user. Create a group of extensions (a number from which a group is called). Define what to do when someone calls that group: ring all, ring sequentially or cyclically. Contract new numbering, perform number portability, or leave it unassigned. Configure a calendar and time slots. Create an operator menu to automate call reception in the PBX. Define what the numbering should do: a) Allow direct calls if the extension is known. b) Manage invalid options. Record a welcome message and a message for invalid options. For a new recording, create it from a text file if available or record it manually. Configure the call flow: Reception → Time slots → a) If conditions are met → proceed. b) If conditions are not met → take an alternative action. Customize the SIP proxy of the PBX.	Provides the Self-Service Portal (admin.jotelulu.com and portal.jotelulu.com), including the identity and access rights management system (IAM) and 2FA functionality. Deploys the service with the configuration applied by the client.
Connectivity Management	Have an Internet connection for SIP connectivity.	Provide SIP connectivity and the corresponding details.
Licensing	Register as a fixed voice reseller with the CNMC.	Provide the required information for registration.

Service Utilization
Service Operation	Is responsible for the use of the instance. Ensures users comply with the service’s terms of use.	Communicates the conditions of use of the service to the client.
Configuration: Add, Change, or Delete Extensions, Groups, etc.	Decides to modify the configuration. Ensures the configuration meets the requirements.	Configures the service as defined by the client.
Access Logs and Usage Traces	Retains access logs and event traces provided by JOTELULU, according to the client’s and end client’s data retention policy.	Retains access logs and event traces related to the use and management of the service as established in the contract. Makes traces and access logs available to the client through the self-service portal or upon request.
Access Rights Management	Creates and deletes users and manages their access rights to the service. Ensures the confidentiality of their personnel’s authentication means. Is responsible for all activities performed using their client account and the authentication means provided to users (username and password) and the account, even if they occur without their permission.	Provides the IAM system, including user interfaces. Manages the access rights of their personnel. Ensures the confidentiality of their personnel’s authentication means.

Maintenance and Service Continuity
Service Monitoring	Verifies the completion of the service to detect potential incidents. Notifies JOTELULU of any known incidents that may affect or impact the service. Resolves any incidents within their scope of responsibility.	Monitors the execution of the service to ensure its proper functioning and detect incidents. Notifies the client of any known incidents that may affect them. Resolves any incidents within their scope of responsibility.
Vulnerability Management	Communicates to JOTELULU any known vulnerabilities. Considers any vulnerabilities communicated by JOTELULU.	Performs periodic vulnerability and penetration tests on platform components. Monitors infrastructure components under their responsibility to detect identified vulnerabilities, especially those reported by external providers or open-source communities, and implements available patches.
Service Update	Considers new versions and updates communicated by JOTELULU, especially when they may impact the service’s terms of use and/or availability.	Monitors the availability of any new versions and updates for service components under their responsibility and implements updates appropriately. Informs the client of any implementations that may affect the service’s terms of use and/or availability.
Available Resources	Notifies the service provider of their capacity needs, including any changes in these needs.	Monitors the utilization of resources used to deliver the service and updates capacity planning accordingly.
Business and Service Continuity	Implements appropriate technical and organizational measures to ensure the continuity of their activities and those of the end client, considering the service’s characteristics and terms of use.	Implements the technical and organizational measures established in the contract to ensure service continuity, as defined in the service level agreement (SLA).

3.4 Personal Data Processing

3.4.1 Data hosted by the Client as part of the Service

Categories of personal data: Personal data stored and used by the Client within the Remote Desktop infrastructures.

Categories of data subjects: Persons concerned by the personal data referred to above.

Nature of processing: Recording, storage, deletion or destruction.

Purpose of processing: Provision of the Service.

Duration: Duration defined by the Client, provided that the duration shall not exceed the duration of the Service utilization.

3.4.2 Service usage data

(a) Category of personal data:

User identification data (surname, first name, email address, login, password).
Logs of Users’ connections to the Services via the platform and API (date, time and IP address of connection).
Traces of actions (or events) carried out in the course of using the Services (creation and configuration, management of authorizations, etc.).

(b) Category of persons concerned: Users of the Services.

(c) Nature of processing: Collection, recording, organization, structuring, conservation, transmission, adaptation or modification, extraction, consultation, limitation, deletion and destruction.

(d) Purpose of processing: Provision of Services.

(e) Data retention period:

User identification data: duration of user account + 12 months.
Connection logs and traces of actions taken: 12 months.

3.3.1. Specific Obligations of the User

The User agrees to indemnify JOTELULU against any and all third-party claims and liabilities arising out of or related to the use of your Username, Password or Account. JOTELULU shall not be liable for any damages resulting from unauthorized or fraudulent use of your Username or Password or unauthorized use of your Account.

The User acknowledges and agrees to use the VoIP service for lawful purposes only. In this regard, the User may not engage in the following activities, which are not limited to:
(a) intercept or monitor, damage or modify any communication that is not intended for the User;
(b) send any unsolicited commercial communication that is not permitted by applicable law;
(c) use <<My Account>> or the VoIP service in a fraudulent manner;
(d) expose other users to offensive, harmful to a minor, indecent or unacceptable material; or
(e) otherwise disrespect JOTELULU’s etiquette.

The User acknowledges and agrees that JOTELULU is under no obligation to provide Emergency Services or short numbers under any applicable local or national laws, regulations, or provisions. Further, User acknowledges that JOTELULU is not a substitute for its primary telephone service.

Partner must register itself as Fixed Voice Reseller in the CNMC. JOTELULU informs you that the documentation provided is merely informative, with the sole purpose of facilitating the registration process of our Partners as operators with the CNMC. JOTELULU will not be responsible in any circumstance for the content of the documentation, nor for the result of the registration request. Likewise, JOTELULU will not be responsible for any of the Partner’s obligations associated with registering as an operator with the CNMC, such as, among others, the payment of annual fees and communicating every three years the wish to continue registered as an operator.

Specific conditions of the Product: FILE STORAGE

4.1 Service descriptions

Definition and characteristics

By means of the Service File Storage, JOTELULU makes available to the Client distributed storage spaces (the “File Storage Spaces”) which can be associated with one or several instances provided by JOTELULU as part of the Service “Servers” or “Remote Desktop” or be used separately.

The Service is (i) hosted on JOTELULU’s infrastructures and (ii) accessible 24/7 remotely through the internet (SMB, web access or portal).

The File Storage Spaces are created on physical servers which are shared for several Clients. The File Storage Spaces of the Client are logically isolated from the File Storage Spaces of the other Clients.

The capacities and technical characteristics of the File Storage Spaces are communicated on JOTELULU’s website and in the Portal as well.

The Client can select the location of its File Storage Spaces during the set-up of the Service among the available geographies.

Features and functionalities

File Storage Service allows to store, share, and collaborate on files from anywhere and on any device, seamlessly integrating with physical workstations or JOTELULU remote desktop and servers Services.

The following features and functionalities are available to Client through the Portal to:

Interface to configure and manage the Service (create and remove File Storage Spaces, select the quota, manage folder structure).
Identity and access rights management system to add and remove Users and manage their access rights (access method, type of user), including a 2FA functionality.
Service connectivity.
Snapshots, back-up and restoration functionalities.

4.2 Security Measures

Authentication and Access Control: The administration portal access requires mandatory 2FA for administrator roles. The generated token is a six-digit number that users must provide in addition to their username and password to access services. There is also a comprehensive granular permissions management system for user subscriptions to limit access to authorized users.

Data encryption:

Mutualized Disk Storage Volume are encrypted at rest on NetApp storage arrays using XTS-AES-256 through NVE and NAE encryption. JOTELULU is responsible for managing and ensuring the availability of the relevant encryption keys.

The Client is solely responsible for encrypting the data in transit.

Firewalls and Intrusion Detection:

There is a perimeter firewall and intrusion detection systems (IDS) with Anti-DDoS to protect the infrastructure from external attacks.

The service may not be accessible from some blacklisted countries due to regulation and security concerns. Client can contact Client Support for more information.

Backup and Disaster Recovery:

Default pre-configured backups included in the price, which consist of scheduled Disk Snapshots (NetApp):
- 46 Restore Points:
  - Hourly: Retention for 24 hours.
  - Daily: Retention for 14 days.
  - Weekly: Retention for 8 weeks.
All snapshots are available to the client directly from Windows Explorer under “Previous Versions” when using as Windows Shared Folder.
The Client is responsible for periodically checking the integrity and availability of its Snapshots.

In addition, the Client shall assess the adequacy of this backup solution and implement and manage any additional backup solution that may be necessary to ensure the availability of the data stored within the Service, taking into account the criticality of the said data.

Additionally, there is an hourly replication to another storage array. This copy is for internal use and it is not available through the portal.

4.3 Distribution of tasks and responsibilities

Responsibility	Client	Service Provider
Service Start-up
Service Selection	Ensures the service meets their needs and those of the end clients.	Informs the client about the service’s features and conditions.
Provision of Infrastructure	None	Provides the following infrastructure used to deliver the service: – Physical sites to host the hardware infrastructure – Hardware infrastructure – Virtual infrastructure – Backup solution – Connectivity
Set-up the Service	Creates the storage space. Selects the service quota. Selects/adds authorized users to use the service. Manages user access rights (access method, user type, and 2FA options). Manages the folder structure.	Provides the Self-Service Portal (admin.jotelulu.com and portal.jotelulu.com), including the identity and access rights management system (IAM) and 2FA functionality. Deploys the default storage space in Madrid or in the available region.
Management of Connectivity		Provides connectivity for the physical servers. Provides connectivity to the storage space (default configuration).
Licensing	Acquires the right to use any third-party solution not provided by JOTELULU and used within the service.	Provides the necessary licenses to use third-party solutions that are (i) used to provide the service and (ii) provided to the client as part of the service.

Service Utilization
Data Encryption	In addition to the encryption provided by Jotelulu, configures any additional encryption processes for the data stored within the service that may be necessary, considering the criticality of the data and the end client’s requirements. Ensures the encryption of data in transit.	Encrypts the data stored by the client within the service (according to NetApp’s encryption capabilities in the NVE or NAE storage array). Ensures the confidentiality and availability of the relevant encryption key.
Service Operation	Is responsible for the use of the instance (primarily the content, software, and any other elements stored). Ensures users comply with the service’s terms of use.	Communicates the service’s features and terms of use to the client.
Information Management	Creates folders. Uploads and deletes files. Renames files. Manages the information lifecycle through the portal or using an SMB client (folders, files).	Maintains the Self-Service Portal in operational conditions. Ensures the completion of deletions performed by the client or at the end of the retention period. Manages requests made by the client through the control panel.
Backups and Snapshots	Manages the VSS (Volume Shadow Copy Service) through previous versions of Windows. Implements and manages any additional backup solution necessary to ensure the availability of data and the continuity of activities. Monitors the availability and integrity of snapshots.	Performs snapshots of the disks with the following default configuration: – Hourly (retaining the last 24 hours). – Daily (retaining the last 14 days). – Weekly (retaining the last 8 weeks). Manages backup recovery requests made by clients.
Access Logs and Usage Traces	Retains access logs and event traces provided by JOTELULU, according to the client’s and end client’s data retention policy.	Retains access logs and event traces related to the use and management of the service as established in the contract. Makes traces and access logs available to the client through the self-service portal or upon request.
Access Rights Management	Creates and deletes users and manages their access rights to the service. Ensures the confidentiality of their personnel’s authentication means. Is responsible for all activities performed using their client account and the authentication means provided to users (username and password) and the account, even if they occur without their permission.	Provides the IAM system, including user interfaces. Manages the access rights of their personnel. Ensures the confidentiality of their personnel’s authentication means.

Maintenance and Service Continuity
Service Monitoring	Verifies the completion of the service (notably the creation and deletion of the instance, the addition/removal of resources, etc.) to detect potential incidents. Notifies JOTELULU of any known incidents that may affect or impact the service. Resolves any incidents within their scope of responsibility.	Monitors the execution of the service to ensure its proper functioning and detect incidents. Notifies the client of any known incidents that may affect them. Resolves any incidents within their scope of responsibility.
Vulnerability Management	Communicates to JOTELULU any known vulnerabilities. Considers any vulnerabilities communicated by JOTELULU.	Performs periodic vulnerability and penetration tests on platform components. Monitors infrastructure components under their responsibility to detect identified vulnerabilities, especially those reported by external providers or open-source communities, as applicable, and implements available patches.
Service Update	Considers new versions and updates communicated by JOTELULU, especially when they may impact the service’s terms of use and/or availability.	Monitors the availability of any new versions and updates for service components under their responsibility and implements updates appropriately. Informs the client of any implementations that may affect the service’s terms of use and/or availability.
Available Resources	Informs JOTELULU of their storage volume needs, especially in case of significant changes, to ensure availability.	Monitors the evolution of its available volume of storage and updates its capacity planning periodically.
Business and Service Continuity	Implements appropriate technical and organizational measures to ensure the continuity of their activities and those of the end client, considering the service’s characteristics and terms of use.	Implements the technical and organizational measures established in the contract to ensure service continuity, as defined in the service level agreement (SLA).

End of the Service
Data Portability	Defines and implements the necessary operations to ensure the portability of data and other elements hosted within the service. Ensures the completion of portability operations before the end of the service.	Provides the client, upon request, with any necessary information to perform portability operations. Ensures service continuity to guarantee the portability of data and other elements hosted within the service.
Service Termination	Terminates the service.	Decommissions the service. Ensures data deletion before reassigning storage space.
End of Disk Life	None	Deletes data stored within the service before destroying the disks. Destroys the disks.
Destruction Certificate	Requests a certificate of destruction for the data hosted within the services.	Provides the client, upon request, with a certificate of destruction for the data hosted within the service.

4.4 Personal Data Processing

4.4.1 Data hosted by the Client as part of the Service

Categories of personal data: Data stored and used by the Client within the File Storage.

Categories of data subjects: Persons concerned by the personal data referred to above.

Nature of processing: Recording, storage, deletion or destruction.

Purpose of processing: Provision of the Service.

Duration: Duration defined by the Client, provided that the duration shall not exceed the duration of the Service utilization.

4.4.2 Service usage data

(a) Categories of personal data:

User identification data (surname, first name, email address, login, password).
Logs of Users’ connections to the Services via the platform and API (date, time and IP address of connection).
Traces of actions (or events) carried out in the course of using the Services (creation and configuration of storage, management of authorizations, etc.).

(b) Category of persons concerned: Users of the Services.

(c) Nature of processing: Collection, recording, organization, structuring, conservation, transmission, adaptation or modification, extraction, consultation, limitation, deletion and destruction.

(d) Purpose of processing: Provision of Services.

(e) Data retention period:

User identification data: duration of user account + 12 months.
Connection logs and traces of actions taken: 12 months.

The Client may access the aforementioned Service use data from the Platform or via request to support. The Client must send its request at least 30 (thirty) days before the effective date of termination or expiry of the Services.

Specific conditions of OBJECT STORAGE

5.1 Service description

Definition and characteristics

By means of the Service “Object Storage”, JOTELULU makes available to the Client distributed storage spaces (the “Object Storage Spaces”) which is based on S3 standard protocol and enables to store data as an object.

The Service Object Storage enables storing and retrieving large volumes of data notably with any backup software from everywhere.

Object Storage Spaces can be attached to one or several instances provided by JOTELULU as part of the Service “Servers” or “Remote Desktop” or used separately.

The Service is (i) hosted on JOTELULU’s infrastructures and (ii) accessible 24/7 remotely through internet connectivity.

The Object Storage Spaces are created on physical servers which are shared for several Clients. The Object Storage Spaces of the Client are logically isolated from the Object Storage Spaces of the other Clients.

The technical characteristics of the Object Storage Spaces are communicated on JOTELULU’s website and in the Portal as well.

The Client can select the location of its Object Storage Spaces during the set-up of the Service among the available geographies.

Features and functionalities

The Service Object Storage allows to store and retrieve large volumes of data (notably unstructured data) with any backup software from everywhere.

The following features and functionalities are available to Client through the Portal to:

Interface to configure and manage the Service (create and remove Object Storage Spaces, manage folders and permissions, select geography).
Identity and access rights management system to add and remove Users and manage their access rights, including a 2FA functionality.
Versioning functionality which is included in the S3 Repository and enables to retain previous versions of an object and configure retention time.

5.2 Security Measures

Authentication and Access Control:

The Portal access requires mandatory 2FA for administrator roles. The generated token is a six-digit number that users must provide in addition to their username and password to access services.
There is also a comprehensive granular permissions management system for user subscriptions to limit access to authorized users.

Data Encryption:

As part of the Service, JOTELULU does not provide data encryption.

The Client is solely responsible for encrypting the data both in transit and at rest on the bucket, and for managing the relevant encryption keys.

For data encryption at rest, the Client can use a backup agent that allows to encrypt data on the bucket.

For data encryption in transit, the Client can configure its S3 client in “https”.

The Client shall ensure its data encryption solution is adapted to its needs, notably taking into account the criticality of the Data.

Firewalls and Intrusion Detection:

There is a perimeter firewall and intrusion detection systems (IDS) with Anti-DDoS to protect the infrastructure from external attacks.

The service may not be accessible from some blacklisted countries due to regulation and security concerns. Client can contact Client Support for more information.

Versioning Functionality:

The versioning functionality is included in the S3 Repository and allows previous versions to be recovered through the S3 protocol.
The Client is responsible for activating and configuring this functionality through the Portal (notably configure the retention period of the objects versions), and to periodically check the integrity and availability of the versions.
This functionality does not constitute a backup solution. The Client is solely responsible for implementing and managing any backup solution that is necessary to guarantee its objects availability and the continuity of its activities, notably taking into account the criticality of the data.

5.3 Distribution of Tasks and Responsibilities

Responsibility	Client	Service Provider
Service Start-up
Service Selection	Ensures the service meets their needs and those of the end clients.	Informs the client about the service’s features and conditions.
Provision of Infrastructure		Provides the following infrastructure necessary to deliver the service: – Physical locations to host the hardware infrastructure. – Hardware infrastructure. – Virtual infrastructure. – Platform to host applications and databases. – Applications and databases. – Connectivity.
Service Configuration	Creates the storage space. Selects the quota. Selects/adds authorized users to use the service. Manages user access rights. Activates 2FA options. Manages the folder structure.	Provides the Self-Service Portal (admin.jotelulu.com and portal.jotelulu.com), including the identity and access rights management system (IAM) and 2FA functionality. Deploys the default storage space in the Madrid region and in multi-AZ mode.
Connectivity Management		Provides connectivity for the physical servers. Provides connectivity to the storage space (default configuration).
Licensing	Acquires the right to use any third-party solution not provided by JOTELULU and used within the service. The User is solely responsible for having the necessary licenses or permissions for the software they wish to install.	Provides the necessary licenses to use third-party solutions that are (i) used to provide the service and (ii) provided to the client as part of the service.

Service Utilization
Data Encryption	Before any upload within the service, encrypts their objects with a solution adapted to the criticality of the data and the end client’s requirements. Ensures the encryption of data in transit, particularly by configuring their S3 client in “https”.
Service Operation	Is responsible for the use of the instance (primarily the content, software, and any other stored elements). Ensures users comply with the service’s terms of use.	Communicates the service’s features and terms of use to the client.
Object Management	Uploads their objects through the Self-Service Portal. Verifies the completion and integrity of uploads. Periodically checks the availability of objects and restores any damaged or unavailable objects. Activates and configures the object versioning option (especially the retention period). Deletes objects through the Self-Service Portal.	Maintains the Self-Service Portal in operational conditions. Communicates the status of uploads and replication. Provides a checksum to verify the integrity of uploads. Offers the object versioning option. Ensures the completion of deletions performed by the client or at the end of the retention period.
Backup	Implements and manages any backup solution necessary to ensure the availability of objects and the continuity of their activities.
Access Logs and Usage Traces	Retains access logs and event traces provided by JOTELULU, according to the client’s and end client’s data retention policy.	Retains access logs and event traces related to the use and management of the service as established in the contract. Makes traces and access logs available to the client through the self-service portal or upon request.
Access Rights Management	Creates and deletes users and manages their access rights to the service. Ensures the confidentiality of their personnel’s authentication means. Is responsible for all activities performed using their client account and the authentication means provided to users (username and password) and the account, even if they occur without their permission.	Provides the IAM system, including user interfaces. Manages the access rights of their personnel. Ensures the confidentiality of their personnel’s authentication means.

Maintenance and Service Continuity
Service Monitoring	Verifies the completion of the service to detect potential incidents. Notifies JOTELULU of any known incidents that may affect or impact the service. Resolves any incidents within their scope of responsibility.	Monitors the execution of the service to ensure its proper functioning and detect incidents. Notifies the client of any known incidents that may affect them. Resolves any incidents within their scope of responsibility.
Vulnerability Management	Communicates to JOTELULU any known vulnerabilities. Considers any vulnerabilities communicated by JOTELULU.	Performs periodic vulnerability and penetration tests on platform components. Monitors infrastructure components under their responsibility to detect identified vulnerabilities, especially those reported by external providers or open-source communities, as applicable, and implements available patches.
Service Update	Considers new versions and updates communicated by JOTELULU, especially when they may impact the service’s terms of use and/or availability.	Monitors the availability of any new versions and updates for service components under their responsibility and implements updates appropriately. Informs the client of any implementations that may affect the service’s terms of use and/or availability.
Available Resources	Informs JOTELULU of their storage volume needs, especially in case of significant changes, to ensure availability.	Monitors the evolution of its available volume of storage and updates its capacity planning periodically.
Business and Service Continuity	Implements appropriate technical and organizational measures to ensure the continuity of their activities and those of the end client, considering the service’s characteristics and terms of use.	Implements the technical and organizational measures established in the contract to ensure service continuity, as defined in the service level agreement (SLA).

End of the Service
Data Portability	Defines and implements the necessary operations to ensure the portability of data and other elements hosted within the service. Ensures the completion of portability operations before the end of the service.	Provides the client, upon request, with any necessary information to perform portability operations. Ensures service continuity to allow the portability of data hosted within the services.
Service Termination	Terminates the service.	Decommissions the service. Ensures data deletion before reassigning storage space.
End of Disk Life	None	Deletes data stored within the service before destroying the disks. Destroys the disks.

5.4 Personal Data Processing

5.4.1 Data hosted by the Client as part of the Service

Categories of personal data: Data stored and used by the Client within the Object Storage.
Categories of data subjects: Persons concerned by the personal data referred to above.
Nature of processing: Recording, storage, deletion or destruction.
Purpose of processing: Provision of the Service.
Duration: Duration defined by the Client, provided that the duration shall not exceed the duration of the Service utilization.

5.4.2 Service usage data

(a) Categories of personal data:

User identification data (surname, first name, email address, login, password).
Logs of Users’ connections to the Services via the platform and API (date, time and IP address of connection).
Traces of actions (or events) carried out in the course of using the Services (creation and configuration of storage, management of authorizations, etc.).

(b) Category of persons concerned: Users of the Services.

(c) Nature of processing: Collection, recording, organization, structuring, conservation, transmission, adaptation or modification, extraction, consultation, limitation, deletion and destruction.

(d) Purpose of processing: Provision of Services.

(e) Data retention period:

User identification data: duration of user account + 12 months.
Connection logs and traces of actions taken: 12 months.