The following guidelines and services apply to Workforce Central and Workforce Telestaff applications that are deployed in the Kronos Cloud:

Cloud Services  
Environments:

One standard Production and one Non-Production (Development) environment.
Included.

Additional non-production environments are available for additional fees.
Environment restoration:

Services to restore Production environment to one Non-Production environment up to one time per week, if requested.

Customer is responsible for requesting data to be moved from the Production environment to the Non-Production environment and for the contents of the data moved from the Production environment to the Non-Production environment.
Included.

More frequent restores or additional environments will be subject to additional time and material fees.
Connectivity to Service:

Customer's users connect to application via secure SSL/TLS connection over the internet. Cooperative efforts with customer IT staff may be required to enable access. Kronos will assist with validating site connectivity but assumes no responsibility for customer internet connection or ISP relationships. Kronos related Internet traffic cannot be filtered by proxy or caching devices on the client network. Exclusions must be added for the fully qualified domain names and public IP addresses assigned to the environments in the Kronos Cloud.
Included
Device Initiated Terminal Connectivity:

All terminals that are compatible with Device Initiated communication mode must use this mode of communication. With the Device Initiated mode of communication, the Kronos terminal initiates all communications with the Device Manager Server at the Kronos Cloud over the internet. In cases where Network Address Translation is required for terminals, the customer is responsible for applying the translations on their network. Kronos Cloud does not support terminals prior to Kronos 4500 series and does support certain models released thereafter. Please see product documentation support matrix for details.

Note: Server Initiated terminal communication, if permitted, requires a VPN and is not the preferred communication method when connecting terminals to the Kronos Cloud.
Included
Remote Access to Non-Web Kronos Applications:

Remote access to non-web Applications (e.g. Kronos Workforce Integration Manager) using a remote access tool such a Citrix® Receiver. Limited Kronos Applications require the use of these remote access accounts.
2 named users included
SFTP Accounts:

SFTP accounts are provided to customers to push files to the Kronos Cloud and to pull files from the Kronos Cloud for designated integration points (e.g. Kronos Workforce Integration Manager input/output folders). The Kronos SFTP folder location is not designed for long-term storage and files stored longer than 30 days may be deleted. Kronos Cloud SFTP does not initiate connections, thus SFTP file transfers must be a customer initiated process.
2 logins included
Operating System and Database Software Management:

Includes the required O/S and SQL Server licenses, as well as services for Kronos to apply critical security patches, service packs and hot-fixes for the software running in Kronos Cloud.
Included
Server Maintenance:

All server maintenance, including repair and replacement of defective or failed hardware and the installation of hardware upgrades for the software running in Kronos Cloud.
Included
Kronos Application Updates:

Services to perform technical tasks required to apply application service packs, legislative updates (if applicable), point releases and version upgrades.
Included
Backup:

Customer data is backed up daily. Database backups are replicated via encrypted connections to a second Kronos Cloud datacenter. Backups are retained for the prior 28 days on a rotating basis. All historical employee and configuration data is stored in the rotating backups.
Included
Security:

For customers that choose datacenters in the United States of America or continental Europe:

Kronos maintains a hosting environment that undergoes examinations from an independent auditor in accordance with the American Institute of Certified Public Accounts SSAE 16 (i.e. SOC 1) and the AICPA Trust Services Principles Section 100a, Trust Services for Security, Availability, Processing Integrity, Confidentiality and Privacy (i.e. SOC 2). The Kronos Private Cloud (KPC) is evaluated for the principles of Security, Availability and Confidentiality by the independent auditor. The Kronos Private Cloud is located in data centers that undergo SSAE 16 examinations. Management access to the KPC is limited to authorized Kronos support staff and customer authorized integrations. The security architecture has been designed to control appropriate logical access to the KPC to meet the Trust Services Principles of Security, Availability and Confidentiality. The Applications provide the customer with the ability to configure application security and logical access per the customer's business processes.

In the event the customer identifies a security issue, the customer agrees to notify Kronos.

For security purposes customers are restricted from directly accessing the desktop, file systems, databases and operating system of the environments. Thus, WIM integrations cannot initiate connections to push or pull data from on premise or other cloud based data sources including but not limited to external databases, and remote file shares.

Customer agrees not to upload payment card information, as the service is not certified for PCI DSS.

Customer agrees not to upload health information that falls under the United States HIPAA law.

For customers that choose in datacenters outside the United States of America or continental Europe:

For any outsourced (subcontracted) infrastructure (e.g. co-location provider, public cloud provider) Kronos will provide Customer a copy of its subcontractor’s AICPA SSAE 16 SOC 1 Type II and/or AT101 SOC 2 Type II reports, published and attested to by an independent third party auditing firm, if applicable. Kronos is not required to utilize any outsourced (subcontracted) infrastructure (e.g. co-location provider, public cloud provider) as part of this agreement to deliver services. If Kronos does not use outsourced (subcontracted) infrastructure (e.g. co-location provider, public cloud provider) customer will be entitled to receive a copy, if made available from Kronos at a future date, of a Kronos published AICPA SSAE 16 SOC 1 Type II and AT101 SOC 2 Type II reports published and attested to by an independent third party auditing firm, if made available.

The Kronos applications provide the customer with the ability to configure application security and logical access per the customer's business processes.

In the event the customer identifies a security issue, the customer agrees to notify Kronos.

For security purposes customers are restricted from directly accessing the desktop, file systems, databases and operating system of the environments. Thus, WIM integrations cannot initiate connections to push or pull data from on premise or other cloud based data sources including but not limited to external databases, and remote file shares.

Customer agrees not to upload payment card information as the service is not certified for PCI DSS.

Customer agrees not to upload health information that falls under the United States HIPAA law.
Included
Read-Only ODBC Access:

Kronos will provide customer with read-only ODBC access into customer's Production and Non-Production databases for Timekeeper/HRMS and/or TeleStaff over secure connection (e.g. VPN). Customer is responsible for establishing this secure connection to the Kronos Cloud and for any additional fees for that connection that may apply. Kronos may, but is not obligated to, limit or block customer's database read-only ODBC queries in order to prevent failure of the database due to overload. Kronos will not pay SLA credits for any Outage that is the result of overloading the database during read-only ODBC access. Customer understands that overall performance may be reduced during peak processing periods, and customer may need to limit resource intensive read-only ODBC queries to off-peak periods. Customer acknowledges that read-only ODBC access over a long distance secure connection is not a reliable protocol, as it does not have built-in retry logic to handle connectivity issues. Kronos is not responsible for any changes that may be required to customer's internal systems due to read-only OBDC access.
If selected on Order Form
Disaster Recovery Services:

Basic Disaster Recovery services are provided to all hosted customers at no additional fee and include:

Customer environment and all customer data in the Kronos Cloud are replicated to a secondary Kronos Cloud data center. Disaster Recovery Services provide for a Recovery Point Objective (RPO) of 24 hours and Kronos strives to restore application availability in a commercially reasonable timeframe. The customer will be down until the Production environment is restored in the primary or secondary data center, if needed, as an application environment is not readily available at the alternate site to process data. Customers are expected to use fully qualified domain names (FQDNs) to access the service given that IP address of the service may change.

Any issues arising out of the disaster recovery event due to customer configuration/customization and/or customer third party software outside of the Kronos Cloud is the responsibility of the customer to resolve.
 
Included
Disaster Recovery Services (fee-based):

Kronos offers enhanced Disaster Recovery services at an additional fee, as they provide for a secondary environment at a secondary Kronos datacenter to be used for customer recovery. With this offering the Customer environment and all customer data in the Kronos Cloud are replicated to a secondary Kronos Cloud datacenter. This service provides for a RPO (Recovery Point Objective) of 24 hours and a RTO (Recovery Time Objective) of 72 hours.

In the unlikely event that Kronos declares a disaster in the primary datacenter, Kronos will notify the customer and activate the Disaster Recovery steps necessary to restore application availability within the RTO defined. As part of this enhanced service, Kronos will conduct an annual Disaster Recovery Process test, which has the objectives to 1) test backups 2) train Kronos employees 3) verify and improve internal Kronos procedures. The annual Disaster Recovery Process test may be live or simulated. Customers are expected to use fully qualified domain names (FQDNs) to access the service given that IP address of the service may change.

Any issues arising out of the disaster recovery event due to customer configuration/customization and/or customer third party software outside of the Kronos Cloud is the responsibility of the customer to resolve.

The following services are not included in this service, but they may be purchased from Kronos on a time and material basis, and are subject to additional fees: a customer specific DR plan with annual review.

*Note that Workforce Analytics, Workforce Record Manager, Enterprise Archive, Workforce TeleStaff, Workforce TeleTime IP and all non-Production environments are excluded from the RTO.
If selected on Order Form
Temporary Environments:

Temporary Environments are designed for classroom training for no more than 40 people and/or functional application testing for approximately five to ten simultaneous users. Temporary environments are only available to those customers whose Production environment is hosted in the Kronos Cloud in a United States datacenter or continental Europe datacenter.
If selected on Order Form
Third Parties:

If Customer uses a third party to configure and/or implement Customer's applications, the following applies:

The third party must be authorized by Kronos as part of the Kronos Connect Partner Program prior to accessing Customer's development and testing environments in the Kronos Cloud. Third parties will not be granted access to Customer's Production environment for purposes of configuring the applications. Customer understands that although Kronos Connect Partners are subject to Kronos policies and procedures, such Partners are not subject to SOC audits by Kronos or its representatives. As such, Kronos' SSAE16 SOC 1 and AT101 SOC 2 reports are applicable to the Production environment only and are not applicable to third parties' activities.

Applicable to customers that choose datacenters in the United States or continental Europe.
If Customer uses 3rd party resources to configure/implement Kronos applications
Encryption at rest of Customer Content at storage level

For each of the customer’s production and non-production environments in a data center in the United States or continental Europe, Customer Content will be encrypted at rest at the storage level. Encryption at rest is defined as Customer Content is made unreadable on disk via encryption technology when the Kronos Cloud computing environment hardware is powered off.
If selected on Order Form

 

Guidelines and Assumptions:

 

Category Assumption
  Estimated availability of production server hardware is approximately 30 days after the Order Form is processed.
  Customer agrees to receive automatic updates to the applications.
  Use of the Workforce Central translation toolkit requires a Kronos Professional Services engagement to import/export the translation file(s) into a test environment and into the Production environment.
  Connecting modem clocks to the Kronos Cloud is not supported.
  Applications will support English only unless stated on the Order Form.
  Customer agrees not to conduct security testing, which includes, but is not limited to penetration testing and vulnerability scanning.
  Customer agrees not to conduct any sort of automated or manual performance testing of the Service.
  Offering includes system resources to process the equivalent of five WIM interfaces using up to 10 links with a maximum of five megabytes of data per link. In addition, systems resources for the integration between Workforce Central and Workforce TeleStaff for People, Punch, and Accrual interfaces are included assuming product documentation is followed for setup and run-time scheduling. Additional processing requirements may incur additional fees associated with corresponding system resources. Custom developed functionally outside of WIM that runs in the Kronos Cloud may incur additional fees.
  Retention policies must be configured in the application(s). Setting retention policies will ensure that unnecessary system data (e.g. temp files, deleted records, empty rows, etc.) is routinely purged from the system and will help in managing database growth. Retention policies do not apply to configuration and/or historical data. Historical employee data can be maintained for the duration of the agreement and renewal periods, per customer business requirements.
  Sizing considerations are based on a three year growth projection of the Production database environment. After three years, an archiving strategy may be reviewed with the customer for Service performance.
  Custom reports for Workforce Central are created using Microsoft Visual Studio. HR/Payroll reports are created using Crystal Reports. If made available from the vendors, the free versions of these tools will be made available to the customer in their development environment. Customer will have read-only ODBC access to their development database for modifying and/or creating reports. Customer is limited to two named users for report creation, as access requires the use of one of the two included user licenses for remote access to non-web applications (e.g. Citrix Receiver). Note that Customer created reports for Workforce HR and Payroll may have reduced functionally from Kronos product documentation due to security restrictions in Kronos Cloud.
  Customer will be required to sign a go live milestone document confirming customer has completed their testing and is ready to go live with the Workforce Central application(s) and/or TeleStaff.

Product Specific Considerations

  Workforce Record Manager/ Kronos Enterprise Archive (if included on order form):

If Workforce Record Manager or Kronos Enterprise Archive is included, note that Setup Data Manager will only support import and export of configurations via XML file transfers between Production and Non-Production environments, as a direct connection between Production and Non-Production environments is not provided.

If an environment is available for the use of archiving functionality, compared to the used of just Setup Data Manager, this additional environment for archiving will be noted on the order form if it is included.
  Workforce TeleTime IP:

Customer is responsible for procuring the phone lines (SIP trunks) required for their Workforce TeleTime IP system. Customer should work with their ISP/telco provider to procure a private circuit (specifically MPLS) with adequate bandwidth to support the number of SIP trunks (phone lines) needed for their use case, SIP calls per second required, along with a router and cross-connects to terminate the circuit in the Kronos Cloud. Kronos will provide detailed information to Customer on Kronos Cloud connectivity requirements. Cross-connects can be also purchased directly from Kronos, and would be indicated on order form if included.

This offering is only available to customers who chose Kronos datacenters in the United States.

Upgrade Services

The Service includes services for Kronos to execute tasks to apply point releases and version upgrades to customer’s Kronos Applications in the Kronos Cloud. Services are limited to those tasks which apply these updates to the Applications.

The table below reflects the included upgrade tasks.

 
Project Coordination:
  • Project Manager to coordinate the upgrade project.
  • Up to eight 30-minute weekly status calls (one per week)
  • Coordinate Kronos resources
  • Send meeting invites
  • Provide Project Timeline and expected customer commitment at the start of the project
  • Provide initial Project Schedule and communicates progress during weekly status calls
  • Provide Communication Plan and Contact List
Included
Planning Phase
Customer/ Kronos Introduction Call – up to one hour Included
Technical readiness & architecture review – Kronos Cloud Environment Included
Assessment Phase
Assessment of WIM interfaces to be upgraded Included
Assessment of new features or changes to configurations Not included
Assessment of customs and custom reports and development activities related thereto Not included
Solution Upgrade / Build Phase
One (1) restore of Production database to NON-Production environment for the purpose of upgrade testing. Additional restores, if requested, shall be subject to additional time and material fees. Included
Upgrade Non-Production and Production environments to new point release or version. Included
Upgrade of Workforce Integration Manager (WIM) interfaces due to product changes introduced as part of the technical upgrade, as defined in product documentation. For Workforce Central this includes XML export/imports and database views as defined in the "Workforce Central Import User Guide" and "Workforce Central Data View Reference Guide". Included
Upgrade of non-WIM interfaces in Non-Production environment and Production environment. Not Included
Upgrade of customs and custom reports. This includes upgrade of Workforce Integration Manager (WIM) interfaces that use table import batch functionality, read/write directly to database tables or require changes due to new/changed customer requirements. Not Included
Upgrade of interfaces and reports created or provided by customer Not Included
Update of terminal firmware managed by Kronos Not Included
Configuration of new features or functionality or changes to existing configuration Available for Purchase
Test & Certify Phase
System test upgraded environments by verifying a user can log in Included
User acceptance testing (UAT) of upgraded environments, interfaces, custom reports, new features, etc. Not Included
Develop customer-specific test cases Not Included
Sign-off on upgraded Non-Production and Production Environments Customer
Deploy & Support Phase
Deployment Readiness Call – up to one hour Included

 

Note that new feature configuration, project management services, other Professional, Managed and Educational Services and training are not included as part of Upgrade Services, but may be purchased independently, if desired.

 

Project coordination lasts for no more than eight weeks. At the end of this time, Kronos will complete the production upgrade. If for any reason Kronos cannot complete the technical upgrade steps within eight weeks due to a Kronos caused delay, project coordination will continue proportionally to cover the Kronos caused delay. For example if Kronos causes a two week delay due to Kronos resource unavailability, project coordination will last no more than 10 weeks.

If not specifically noted, the customer should assume responsibility of the task and/or deliverable.

Additional Polices:

https://www.kronos.com/policies/legal-hold

https://www.kronos.com/policies/acceptable-use

Rev 2017-05-01