This document is for documentation purposes only and is no longer valid because it displays the version from March 5, 2021. The current version of our service description can be found here: Service description
Service description
Archived version from March 5, 2021
Table of contents
- 1. Product variants
- 1.1 DRACOON Enterprise Cloud – recommended variant
- 1.2 DRACOON Enterprise On Premises
- 2. Users and storage
- 2.1 DRACOON Enterprise Cloud storage usage
- 2.2 Usage of own storage infrastructure – Hybrid Cloud
- 2.3 Storage usage DRACOON Enterprise On Premises
- 3. Security and data protection
- 3.1 Encryption
- 3.2 Certifications and testing
- 3.3 Handling of critical security incidents
- 4. Access to DRACOON
- 4.1 Authentication
- 4.2 Access options
- 4.3 API based access
- 5. Enterprise features
- 5.1 Branding
- 5.2 Guest licenses
- 5.3 Integration of hybrid components
- 6. Product support
- 7. Service levels & availability
- 7.1 Availability
- 7.2 SLA Standard
- 7.3 SLA Premium – Enterprise Cloud
- 8. Server and system component operation
- 8.1 Operation of the DRACOON Enterprise Cloud
- 8.2 Special notes regarding operation of hybrid components
- 8.3 Operation of DRACOON Enterprise On Premises
- 8.4 Operation in DRACOON Enterprise On Premises – Full Managed model
- 9. Product improvement & roadmap (updates)
- 9.1 Updates for DRACOON Enterprise Cloud
- 9.2 Updates for DRACOON Enterprise On Premises
- 10. Maintenance
- 10.1 DRACOON Enterprise Cloud maintenance window
- 10.2 DRACOON Enterprise On-Premises maintenance window
1. Product variants
DRACOON GmbH (hereinafter referred to as DRACOON) enables its customers to easily use a storage solution compliant with the EU General Data Protection Regulation (GDPR) in order to securely and easily exchange data between multiple participants, network-compatible devices or software services, both internally and externally. Additional services for processing and managing data can be obtained from third-party providers. The DRACOON end user license terms (as of 11.03.2020) apply.
1.1 DRACOON Enterprise Cloud – recommended variant
The product variant DRACOON Enterprise Cloud is operated on a SaaS platform by DRACOON in Germany and invoiced according to consumption.
Within the scope of technical and operational possibilities DRACOON provides the services shown in the product matrix below. A detailed description of these services can be found in the corresponding chapters.
| DRACOON Enterprise Cloud | |
| --- | --- |
| Users and storage (see Chapter 2) | |
| Users | Unlimited |
| Storage | Unlimited (note 1) |
| Integration of hybrid components | (note 2) |
| Maximum security and data protection (see Chapter 3) | |
| Client-side encryption | |
| Certifications and testing | |
| Automatic data backup | (note 2) |
| Universal access (see Chapter 4) | |
| Web App | |
| DRACOON Clients | |
| RESTful API (own Clients) | (note 3) |
| SDKs | |
| Enterprise features (see Chapter 5) | |
| Own branding with own URL | |
| Guest licenses | |
| Secure Data-Bring-In Service | (note 4) |
| Product support (see Chapter 6) | |
| Support portal | |
| Localization | |
| Additional services (e.g. trainings) | |
| Service levels (see Chapter 7) | |
| SLA Standard · Availability of 99.5 % of the SaaS platform on an annual average · 24 / 7 Acceptance of issue reports via support form and phone hotline | |
| SLA Premium · Extended availability commitment with service credit (note 5) · Guaranteed response times in case of critical malfunctions | |
Service included in the product variant
Service can be added to the product variant for an additional fee
Notes:
1 Storage space in the variant DRACOON Enterprise Cloud is limited according to a fair use clause (see chapter 2).
2 DRACOON availability promises do not refer to hybrid components (here Identity and Access Management via OpenID Connect and Object Storage via S3). Hybrid technologies can affect the overall availability of a single DRACOON Enterprise Cloud (example: data cannot be stored or retrieved if a hybrid object storage technology fails). If object storage is integrated by the customer, the available storage space depends on the hardware used by the customer. Furthermore there is no automatic backup of data by DRACOON.
For further details see chapter 8.
3 50,000 API calls / month included after activation of custom clients
4 Via maximum security hard drive - BSI certified and encrypted via smartcard. Information: https://support.dracoon.com/hc/de/articles/36001204512
5 Penalty: 0.5 % of the total sum of the yearly invoice. The credit is issued once with the subsequent invoice.
1.2 DRACOON Enterprise On Premises
The product variant DRACOON Enterprise On Premises is deployed on the customer's hardware. The necessary server services have to be provided separately by the customer. DRACOON will provide the customer with a list of the required hardware and software components and will transmit the access data for downloading the DRACOON software components.
The customer is obliged to support DRACOON with all measures necessary for the operation of the server that are not within DRACOON's sphere of influence.
| DRACOON Enterprise On-Premises | |
| --- | --- |
| Users and storage (see chapter 2) | |
| Users | Capacity depends on available infrastructure. |
| Storage | The available storage capacity depends on the hardware used by the customer. |
| Integration of hybrid components | |
| Maximum security and data protection (see Chapter 3) | |
| Client-side encryption | |
| Certifications and testing | (note 6) |
| Automatic data backup | |
| Universal access (see chapter 4) | |
| Web App | |
| DRACOON Clients | |
| RESTful API | |
| SDKs | |
| Enterprise features (see chapter 5) | |
| Own branding with own URL | |
| Guest licenses | |
| Secure Data-Bring-In Service | |
| Product support (see chapter 6) | |
| Support portal | |
| Localization | |
| Additional services (e.g. trainings) | |
| Full-Managed Service | |
| Service levels (see chapter 7) | |
| SLA Standard · 24 / 7 Acceptance of issue reports via support form and phone hotline | (note 7) |
| SLA Premium · Additional services can be obtained via partners. | |
Service included in product variant
Service not included in product variant
Service can be added to the product variant for an additional fee
Notes:
6 In the context of certifications and testing, only procedures, processes and systems that are the responsibility of DRACOON can be tested. When using DRACOON Enterprise On Premises on the client's hardware, these systems cannot be certified or tested by DRACOON, so not all DRACOON certificates are valid for this product variant. This concerns e.g. the certificate according to the BSI requirements catalogue Cloud Computing (C5).
7 DRACOON's support efforts for on-premises installations are exclusively provided for a separate fee, unless a separate contractual agreement exists. The services can only be provided if the infrastructure requirements according to chapter 8 are met.
2. Users and storage
2.1 Storage usage DRACOON Enterprise Cloud
The customer receives unlimited cloud storage space for storing his data. The size of the storage space is limited by a so-called fair-use clause. Each licensed user automatically adds 0.1 TB of storage to the total usable amount. Guest licenses do not add additional usable storage space.
Sample calculation: 50 users ∗ 0.1 TB = 5 TB gross storage capacity
The usable storage space, the provided bandwidth and the computing power are realized on a system used by several customers (shared). The logical separation of the storage space and the separation of the tenants takes place at application level.
2.2 Usage of own storage infrastructure – Hybrid Cloud
If a customer integrates his own object storage, there is no entitlement to the cloud storage space described above, and this is not provided. Further information can be found at: https://support.dracoon.com/hc/en-us/sections/360002210000-S3-Object-Storage
2.3 Storage usage DRACOON Enterprise On Premises
The available storage space depends on the hardware used by the customer.
3. Security and data protection
3.1 Encryption
By using modern cryptographic algorithms DRACOON offers the highest level of security for the stored data. This is achieved by using an optionally available client-side encryption (end-to-end encryption).
The whitepaper at www.dracoon.com/en/crypto-whitepaper serves as the technical process reference for the implemented client-side encryption.
All encryption methods used are disclosed and available in source code. The following is a reference example: github.com/dracoon/dracoon-java-crypto-sdk
3.2 Certifications and testing
Information security and data protection are of central importance for DRACOON in the operation and further development of the DRACOON platform. Therefore DRACOON operates an Information Security Management System (ISMS) which is audited and certified according to ISO 27001. Furthermore, the compliance with the high demands on information security according to the BSI's requirements catalogue Cloud Computing (C5) has been certified by an independent auditor.
Evidence for download and further information about our certifications are available at www.dracoon.com/de/certifications.
Third party services are used to provide functionalities such as sending e-mails and SMS. Only providers who also ensure a strong protection of information security and meet the requirements of the GDPR are used. The providers must provide suitable evidence of this, e.g. certifications according to ISO 27001. The requirements for third-party providers are regularly monitored as part of DRACOON's supplier management and compliance with these regulations is checked as part of the certified ISMS. Current technology partners can be viewed at https://support.dracoon.com/hc/de/articles/360011917220.
3.3 Handling of critical security incidents
In order to be able to handle security-critical incidents quickly and effectively, DRACOON has set up the e-mail address security@dracoon.com. Incidents reported to this address are automatically forwarded to DRACOON's CERT team, which evaluates and prioritizes them based on their impact on information security.
All customers are therefore required to immediately send critical security incidents to the e-mail address security@dracoon.com. The information transmitted is subject to confidentiality.
4. Access to DRACOON
4.1 Authentication
Access to DRACOON requires the customer to authenticate by means of an access code. The initial login information will be sent to the customer when DRACOON provides the services for the first time. Further information about secure initial authentication is available at https://support.dracoon.com/hc/de/articles/360012007660.
The initial login password has to be changed by the customer immediately.
4.2 Access options
Universal access to DRACOON is the core of the DRACOON product philosophy. DRACOON provides customers with client software or apps for easy access from various end devices and operating systems. In concrete terms, access takes place via web browsers, native DRACOON applications for Microsoft Windows and Apple macOS, DRACOON apps for Apple iOS and Google Android, an add-in for Microsoft Outlook (under Windows), and, in a restricted way, via compatibility protocols (currently WebDAV).
All DRACOON clients support complete end-to-end encryption, except WebDAV, which cannot for technical reasons. DRACOON publishes an exact overview online of the end devices and operating systems for which client software or an app is available.
The currently valid overview as well as a compatibility matrix and the necessary system requirements can be viewed at https://support.dracoon.com/hc/de/articles/360009344719. DRACOON reserves the right to change the system requirements according to the current technical standard or to extend or discontinue the DRACOON clients at any time.
4.3 API based access
File-based process and software integrations can be connected directly via a JSON/REST API or abstracted using the DRACOON SDKs. The SDKs are available under a free license from https://github.com/dracoon. A current documentation of function calls of the DRACOON API can be found at https://dracoon.team/api.
Currently available client SDKs and code samples are referenced in the development area of the support portal at https://developer.dracoon.com/ and distributed via the DRACOON GitHub account https://github.com/dracoon. Support for interested developers and integration partners is provided free of charge in the community area of the support portal at https://support.dracoon.com/hc/de/community/topics.
The use of the API by software not developed by DRACOON has to be registered on the website https://www.dracoon.com/de/api and activated by DRACOON.
The use of the API-based access is charged according to the remuneration model agreed upon when placing the order. DRACOON reserves the right to throttle or block individual API-requests if any of the agreed included services are exceeded.
4.4 Provision of access infrastructure
The connectors and connections required for access to DRACOON, the necessary communication equipment as well as the protection of the used client hardware and software against vulnerabilities and malware are not part of the software and this contract.
It is the responsibility of the customer to provide any internet access that may be required; further costs may arise from this.
DRACOON customers are recommended to inform themselves regularly about the "state of the art". The current handbook of TeleTrusT is recommended:
https://www.teletrust.de/publikationen/broschueren/stand-der-technik/
5. Enterprise features
5.1 Branding
If desired by the customer, the appearance of DRACOON can be adapted to the customer's company. This can be done by the customer himself without any additional costs via a branding self-service.
Independent of the adaptation of the visual appearance to the client's corporate design (logos, colors, etc.) the lettering "DRACOON" as well as the logos of possibly existing reselling partners are displayed in the client applications to identify the platform.
Further information on the branding is available at https://www.dracoon.com/de/branding.
5.2 Guest licenses
Guest licenses can be booked for external users, which provide additional access to DRACOON. The remuneration of these licenses will be agreed upon individually with the client. Guest licenses may not be used by employees or other members of the client's staff or of any other company in the same corporate group. Guest licenses may not be resold or passed on against payment.
When calculating cloud storage space in accordance with the fair use clause, guest licenses are not taken into account and therefore do not add any additional usable storage space.
DRACOON may check on the instance of the Client whether booked guest licenses are used according to the conditions described above. Misused guest licenses have to be paid as normal user licenses against additional payment to DRACOON.
5.3 Integration of hybrid components
The following hybrid technologies can currently be connected after approval by the Operations team of DRACOON:
- IAM (Identity Access Management) / IDP (Identity Provider): Supported are IAM and IDP systems, which can be connected via OpenID Connect. Supported configurations can be found at https://support.dracoon.com/hc/de/articles/360012346239.
- Object Storage: Supported are object storage systems listed under https://support.dracoon.com/hc/de/articles/360012345579.
AWS-S3-Policies using S3-Tags are supported.
Availability, bandwidth and IT security of the respective technology must be ensured by the customer and are not subject matter of this contract. Further information on the integration of hybrid components is available at https://www.dracoon.com/de/hybrid.
6. Product support
DRACOON provides its customers with all necessary information to use their DRACOON instance online. The support portal at https://support.dracoon.com/ serves as a starting point. Current system and process requirements as well as known problems and limitations can also be accessed via the support portal.
The support portal and the Service & Support section support the languages German and English.
DRACOON may provide additional services, such as consulting and training services, within the existing technical and operational possibilities for a separate fee. The remuneration for these services will be agreed upon individually with the customer.
The following services are offered:
- Set-Up/Installation by DRACOON: Mandatory service that needs to be booked when ordering the product variant Enterprise On-Premises.
- Consulting: Individual consulting of the customer, e.g. for the connection of external systems or consulting for individual technical questions
- Training: A product training can be carried out in varying degrees per webinar, on-site at the customer's location or at the premises of DRACOON or a cooperating training provider.
7. Service levels & availability
7.1 Availability
The annual availability (calendar year) is calculated for the respective year as the maximum available minutes minus downtime, divided by the maximum available minutes in the respective year. The maximum available minutes correspond to the total number of minutes in the respective year in which a contractual relationship between DRACOON and the customer exists. Downtime is the total number of minutes in the respective year in which the DRACOON instance of the customer was not available and in which a contractual relationship existed between DRACOON and the customer. The times of the used maintenance windows are not included in the calculation of the downtime (see also chapter 10).
7.2 SLA Standard
The services of the SaaS platform are available with an average availability of 99.5 % on an annual average. The availability can be tracked on the status page status.dracoon.com. Times in which maintenance windows are used by DRACOON are not included in the availability calculation (see also chapter 10).
The following features apply to the incident resolution provided by DRACOON:
- Pro-active issue resolution through automated monitoring of the systems
- Acceptance of issue reports daily from 0.00 to 24.00 hours by ticket system via the support portal at support.dracoon.com or by phone at +49 (941) 78385-112
- Reported issues are processed during business hours (Monday to Friday, 9:00 to 17:00 CET/CEST except on public holidays in Bavaria and 24.12. and 31.12.). A certain response time is not guaranteed.
7.3 SLA Premium – Enterprise Cloud
In the SLA Premium, the services of the SLA Standard are extended by increased availability commitments of the cloud platform and response times in the event of incidents. This SLA can be concluded with the customer for an additional fee. The duration and payment terms of the SLA are based on the underlying contract DRACOON Enterprise Cloud.
If the annual average availability commitments are not met, a percentage service credit of the usage price of the respective year will be granted according to the following regulation:
Penalty: 0.5 % on the total amount of the annual invoice
The credit note is issued once with the subsequent invoice.
Furthermore, processing of reported incidents begins within the time window below after acceptance of the incident, depending on the severity of the incident. DRACOON is responsible for assessing the severity of an incident. A resolution time is not guaranteed. Processing is done remotely only. The documentation of the processing of a reported incident can also be found on a publicly available website, such as the status page status.dracoon.com.
| Severity | 1 – High | 2 – Medium | 3 – Low |
| --- | --- | --- | --- |
| Description | A core business process is unavailable. | A core business process is severely impaired. | A small group of users experiences issues. |
| Example | More than 50 % of the users have no availability and cannot access the DRACOON platform. | More than 25 % of users are affected by severe performance issues of the DRACOON platform. | Minor performance issues. |
| Issue resolution start | Within 2 hours. | Within 4 hours. | Within 12 hours. |
8. Server and system component operation
8.1 Operation of the DRACOON Enterprise Cloud
All server and system components necessary for operation are operated in a technically and organizationally secure, high-performance computer network in Germany, which is protected by a firewall system against attacks and unauthorized access from the Internet.
The computer network is connected to the Internet via an Internet backbone connection with a state-of-the-art transmission speed and is designed redundantly.
The following performance features apply for operation and system management:
- Operating time daily from 0.00 to 24.00 hrs
- Automatic detection of errors within the computer network
- A data backup is performed for the platform at regular intervals. The backups are retained for a period of 30 days. The data backup is stored in an additional fire compartment and is thus archived separately from the actual data.
8.2 Special notes regarding operation with hybrid components
- If hybrid components are operated by the customer, there is no automated error detection and repair of the hybrid components operated by the customer (IdP, storage) or any other components outside of DRACOON's sphere of action.
- If an own object storage is integrated, DRACOON will not backup the data. The customer is solely responsible for the creation of backups.
- If own Object Storage is integrated, data deletion cannot be guaranteed if the Object Storage integrated by the customer is not available. In particular DRACOON is not liable for breaches of data protection if hybrid hardware embedded by the client is not available.
8.3 Operation of DRACOON Enterprise On Premises
The operation of the server and system components in the product variant DRACOON Enterprise On Premises is basically the responsibility of the customer. The requirements for the respective versions can be found at https://support.dracoon.com/hc/de/categories/115000698665.
The following requirements for the customer's infrastructure have to be met:
1. Infrastructure and network
All server and network infrastructures necessary for operation are to be provided and maintained by the customer. The client will be advised by DRACOON regarding network layout and network security. However, the proper implementation of the recommendations and network security is the customer's responsibility and will not be checked by DRACOON.
The number and performance of the servers necessary for the operation is determined by DRACOON.
All adjustments after commissioning are only allowed in coordination with DRACOON.
2. Server and operating system
The product variant DRACOON Enterprise On Premises contains only the software necessary for the operation of the product.
To run the product an additional operating system approved by DRACOON is required.
The customer is responsible for the installation and maintenance of the operating system, which should be coordinated with DRACOON. For the operation of the DRACOON Enterprise On Premises software, adjustments to the configuration of the operating system may be necessary.
3. Virus scan
A virus scan on the systems is not provided. A virus check of the user data is only possible by connecting a virus scanner via ICAP to the load balancer/reverse proxies or via intermediate proxy servers. The operation, maintenance and configuration of the hardware and software required for the virus scan is to be carried out by the customer.
8.4 Operation in DRACOON Enterprise On Premises – Full Managed model
For an additional monthly fee it is possible to have the servers for the operation of the product variant DRACOON Enterprise On Premises, as a so-called Full-Managed-Service, serviced and maintained directly by DRACOON. For this purpose the following requirements have to be met:
1. Admin server access
For the maintenance of the software, DRACOON employees must have the possibility to establish a remote session via SSH with administrative rights to the servers permanently and at any time. If connections are to be secured by additional protective measures such as VPN connections, the customer must set up and maintain this according to DRACOON's specifications.
All user accounts necessary for operation can be created by DRACOON without consulting the customer.
2. Server access by the customer
Access by the customer to the servers maintained by DRACOON is not intended.
3. Operating system
As the maintenance of the operating system of the servers supported by DRACOON is not possible for the client, DRACOON will take over the maintenance after installation. For this purpose the systems are hardened according to a standard procedure and updated at least monthly.
4. SSL certificates
Necessary SSL certificates are provided by DRACOON at no cost. Currently the provision is done via "Let's Encrypt". For this purpose additional systems may be necessary for operation.
5. Monitoring
The monitoring of the systems is done by DRACOON. For this purpose additional systems may be necessary for operation. The monitoring data is transmitted to DRACOON for proactive troubleshooting. No personal data in terms of GDPR will be transmitted to DRACOON.
The customer may have limited access to the monitoring data and may set up e-mail notifications for himself.
Should it be necessary for the operation, adjustments can be made to this regulation.
Customer specifications regarding data protection and information security will be implemented by DRACOON as far as they are technically possible and reasonable, i.e. do not disturb the operation of the software or involve disproportionately high efforts. Any costs for this measure are to be borne by the customer.
If the customer does not have access to the servers there is the possibility to carry out an audit of the systems regarding the proper implementation of the data protection and security requirements. This can be done up to twice a year together with an employee of DRACOON.
Penetration tests of the servers supported by DRACOON or the system provided by DRACOON can be carried out after consultation with DRACOON.
9. Product improvement & roadmap (updates)
9.1 Updates for DRACOON Enterprise Cloud
DRACOON is constantly being developed and regularly receives improvements, bug fixes and feature enhancements.
These updates are installed by DRACOON within the defined maintenance windows. In the sense of continuous improvement, optimizations and extensions are carried out in short intervals that are not bound to fixed dates. Compatibility to current client applications is maintained. Deviations from this will be communicated by DRACOON with an appropriate lead time.
Planned and current development topics can be viewed online here: https://support.dracoon.com/hc/de/articles/360010945500
9.2 Updates for DRACOON Enterprise On-Premises
For the DRACOON Enterprise On Premises variant, bundled updates are delivered up to twice a year. The software update is carried out by DRACOON when a full managed service is booked.
The updates are called LTS version (Long-Term Support) and are supported for six months and provided with bug fixes. During this time, however, no new functionality is added. With the release of a new LTS version, security updates and bug fixes are only offered for the new version but not for the previous version. Customers of DRACOON Enterprise On Premises receive support for the previous version up until 30 days after the release of a new LTS version. With a booked Full Managed Service the customer commits himself to have an update to the new LTS version carried out by DRACOON within this time window after appointment with DRACOON.
Client applications are also delivered in a synchronized cycle as LTS versions and are compatible with the above LTS version. Compatibility cannot be guaranteed when continuously updated client applications are used. Mobile apps are an exception: they are only offered via app stores as continuously updated versions.
Should important bug fixes (e.g. in case of a security issue) be necessary for an LTS version, DRACOON will immediately provide an update and inform the clients of DRACOON Enterprise On Premises about the update. The customer agrees to provide DRACOON with an email distribution list where security relevant information can be sent to the customer by DRACOON's CERT team.
The continuous update of the infrastructure is the responsibility of the customer. If updates are necessary for the operation, they have to be carried out by the client.
10. Maintenance
10.1 DRACOON Enterprise Cloud maintenance window
For maintenance purposes - especially for changes and updates of the server configuration - the services can be taken out of service (maintenance window):
DRACOON provides maintenance windows on Wednesdays from 8:00 pm CET/CEST until Thursdays 06:00 am CET/CEST.
Maintenance that does not affect the availability of the system can also be carried out outside the maintenance window defined above.
Furthermore, emergency maintenance windows especially due to critical security updates (e.g. defense against hacker attacks or viruses or worms) are provided for. Due to their urgency these maintenance windows can be carried out by DRACOON at any time and at short notice.
DRACOON will keep the impairment of the performance by maintenance windows (especially emergency maintenance windows) as low as possible and will carry out the necessary maintenance work outside the main hours if possible. Information about planned maintenance work and maintenance windows will be published on the status page status.dracoon.com.
The times of the used maintenance windows are not included in the calculation of an availability.
Notes:
In order to be able to carry out maintenance procedures and emergency procedures efficiently, it is possible for designated employees of the DRACOON Operations department to access data structures of the customer.
These operations are limited to copy, move and restore operations in the DRACOON storage system and serve to proactively prevent overload and error situations.
Due to the use of end-to-end encryption on the customer side and the basic anonymization of metadata in the underlying storage system, there is no technical and organizational possibility of information leakage. When using a hybrid storage system, there is no access by employees of DRACOON.
All maintenance work is logged on the website status.dracoon.com; for reasons of efficiency, customers are not notified individually.
10.2 DRACOON Enterprise On Premises maintenance window
For maintenance purposes - especially for changes and updates of the server configuration - maintenance windows are planned in coordination with the customer. Should short-term (unscheduled) maintenance be necessary, the customer will be informed accordingly.
Hours worked will be documented by DRACOON via a suitable system (ticket system) and can be requested by the client in individual cases.