This service level agreement (“SLA”) applies to the Global Payments Hub & Cash Management (previously known as TreasuryXpress) services hosted by Service Provider (Bottomline) (“Hosted Services”). By subscribing to the Hosted Services, through an Order Agreement, or otherwise using such services, Customer agrees to be bound by the terms of the reference contract stated in the applicable Order Agreement (“Agreement”), this SLA, and the applicable Order Agreement(s).
Capitalised terms not defined in this SLA have the meaning given to them in the Agreement. This SLA applies only to services to which Customer has subscribed.
1. Access Authorisation. Subject to the terms and conditions of the Agreement and the applicable Order Agreement(s), Customer and its end users may access and use Hosted Services solely (i) for Customer’s internal business operations, with no right to make such Hosted Services available to third parties, other than its own affiliates; and (ii) in accordance with the applicable documentation provided by Service Provider (“Documentation”). Customer’s authorisation to use Hosted Services is non‑exclusive, non‑transferable, non‑sublicensable, terminable and limited to any restrictions set forth in the documentation. Customer may make the Hosted Services available to use by its affiliates (within any applicable license parameters) providing that (i) it ensures that these affiliates comply with the applicable provisions of the Agreement and (ii) Customer is responsible for its affiliates’ use of the Hosted Services and compliance with the Agreement as if the affiliates were the Customer.
2. Third Party Providers. Service Provider may contract with third party providers to deliver the Hosted Services, or a portion thereof. Customer acknowledges and agrees that Service Provider’s websites, dashboards, or portals may contain references (e.g., name, logo, or brand) to such third‑party service providers, which references may be required by law or contract. Service Provider third‑party providers have no logical access to any Customer data.
3. Datacentres. The Hosted Services are hosted in high availability Microsoft Azure datacentres located in the USA or the Republic of Ireland (as applicable). Service Provider reserves the right to change datacentre provider at its sole option. Active-Active DR is provided at an extra cost.
4. Operating Environments. Service Provider is responsible for the operation, control and maintenance of the Hosted Services environments, including the hardware and software equipment under the responsibility of and managed by Service Provider. The infrastructure includes access to two separate environments: Production environment and Test environment. Service Provider commits to service levels for the Production environment only. Test environment is out of scope for the service levels described in this document. Disaster recovery environments are available at additional cost subject to contract.
5. Infrastructure. Customer is fully responsible for the entirety of its own infrastructure except any Service Provider component (e.g. router) in use at Customer’s site. Service Provider takes full responsibility for the entirety of the Hosted Services infrastructure within its perimeter of control, except any Customer component (e.g. VPN tunnel, customer internet connectivity, customer router etc.). Service Provider reserves the right to upgrade, at its sole discretion, the Hosted Services infrastructure, environments and processes to ensure service efficiency and data protection in line with capacity management, compliance regulations and good industry practice.
6. Service Connectivity. Customer is responsible for selecting the network solution to be used for connection to the Hosted Services; in particular Customer must ensure that the connectivity architecture selected meets its requirements in terms of security, availability, capacity, resilience and performance. The network architecture chosen by Customer can vary (examples include MPLS connectivity, customer leased line connectivity, and VPN over internet connectivity). The data flow between Customer and the Hosted Services is encrypted using industry standard encryption algorithms. Connectivity responsibilities are as follows:
7. Security
Service Provider has a Chief Information Security Officer (CISO) team dedicated to the security of Service Provider services and solutions, and the Hosted Services are operated exclusively in accordance with Service Provider IT security policies.
Security Controls. The Hosted Services environment is protected using a combination of security controls such as boundary protection, use of certified and supported software, a security Incident policy (including ownership, process, communication, escalation and tracking), penetration testing, vulnerability scanning, intrusion detection and malware protection. Data flows between Customer and the Hosted Services are secured using recognised industry standard encryption algorithms. The Hosted Services implements logical separation of customer data so that each Customer only has access to its own information. Amendments to the infrastructure are handled as set out in section 16 below, and Customer issues arising through the use of the Hosted Services are handled as set out in section 13.
Secure Use. Customer undertakes to take all appropriate technical and organisational security measures in accordance with good industry practice to protect against any abuse or fraudulent use of the Hosted Services, including but not limited to any illegal or unlawful activity; the collection, development or distribution of malicious code; hacking or cracking activities; the circumvention of copy‑protection mechanisms; assisting or allowing any third person to do any of the foregoing.
Secure Access. Service Provider manages employee logical and physical access to the Hosted Services to ensure that access is restricted to authorised personnel only in accordance with their role and that access is monitored and controlled. Customer is responsible for its own user administration for the Hosted Services (unless an applicable Order Agreement states that Customer has delegated this responsibility to Service Provider), which includes controlling Customer’s end user access and authorisation. Service Provider employee access and Customer end user access to the Hosted Services requires a mandatory secondary authentication (multi‑factor authentication) after password control. Customer remains fully responsible for employing the password requirements defined by the Hosted Services (such as controls on password length, character content, character repetition, sequence repetition, frequency of password change and number of allowed unsuccessful login attempts) to ensure secure access to the Hosted Services.
Personnel Vetting and Training. Service Provider maintains a screening policy regarding Hosted Services employees, including systematic checks on criminal and financial records. Service Provider ensures that all Service Provider personnel follow a mandatory annual security awareness training programme.
Customer Scrutiny Right. Upon request from Customer, Service Provider provides the list of Service Provider employees who have logical or physical access rights to Customer data.
8. Hosted Services Availability
Service Provider will use all reasonable efforts to reach the targeted Availability Rate (calculated as set out below) of 99.5% per calendar month for Production environments. The Availability Rate is calculated as a percentage of total hours of availability for such month, excluding periods that the Services are unavailable due to Excluded Events. For the purposes of this section “availability” shall mean the ability to access and use the Hosted Services.
Availability Rate is calculated by taking the sum of the hours of availability during Service Availability Hours (including Out‑of‑Hours support if applicable) and dividing it by the Total number of Service Availability Hours (including Out‑of‑Hours support if applicable) for a given period. Periods of less than an hour are expressed as a decimal fraction of an hour.
Ta = Number of hours service is unavailable per calendar month during Service Availability Hours
Tq = Total number of service hours per calendar month during Service Availability Hours
Availability Rate [%] = (1 – Ta / Tq) x 100
An “Excluded Event” is one of the following events which results in services being unavailable: (a) network, Internet or telecommunications problems outside of Service Provider’s control; (b) failure of Customer’s hardware and/or software; (c) any scheduled, negotiated or emergency maintenance period; (d) problems with Customer’s networks, including LANs, WANs, connectivity to the Hosted Services or any failure of such networks to conform to any capacity requirements; (e) Scheduled and Mandatory Maintenance (as defined below); or (f) network intrusions, denial of service attacks to the extent that these have not been caused by Bottomline’s failure to implement technical and organisational measures against these risks in accordance with good industry practice, or any force majeure events; (g) service interruption linked to scheduled or unscheduled downtimes for Interbank Networks such as (this list is not exhaustive) BACS, SWIFT, SIC, euroSIC, SECOM, Telekurs; (h) service interruption linked to scheduled or unscheduled downtimes at the third party service providers (e.g. datacentres); (i) crisis events such as fire, flooding, pandemic as listed in the Business Continuity Plan; (j) Customer exceeds the authorised daily volume limits or the concurrent users limit, as defined in the Agreement.
Service Availability Hours. The hours during which the Hosted Services are made available to Customer with support, excluding those Excluded Events as outlined under Hosted Services Availability. Please see section 12 for more detail.
Service Accessibility Hours. The hours during which the Hosted Services can be accessed. For periods outside the Service Availability Hours, Customer may access the services but incident management and availability service levels do not apply and the Customer will not have access to Service Desk support. Outside these hours, the Hosted Services are not available for use (services under maintenance for example).
The Hosted Services are accessible 24*7*365 except for internal maintenance windows (Hosted Services maintenance) and external maintenance windows (Interbank Network maintenance).
Service Usage Parameters. To maintain optimum Service performance and availability, the Customer must archive production data to ensure that the following production environment maximum thresholds are not exceeded:
In the event that the above thresholds are exceeded, the performance and availability of the Service may be negatively impacted, including but not limited to slower Disaster Recovery response; and there will be additional Service fees to accommodate a higher subscription band volume and increased data storage requirements.
9. Scheduled and Mandatory Maintenance. Service Provider, at its sole discretion, regularly conducts maintenance to perform routine software and hardware and other mandatory upgrades on the systems supporting the Hosted Services. Customer acknowledges and agrees that access to the Hosted Services may be degraded during scheduled maintenance. Customer involvement, particularly for validation and non-regression testing, may be required. Notification on scheduled or mandatory maintenance is as defined below unless otherwise defined by the recognised body mandating the change. Service Provider commits to provide and install new product versions rendered necessary by infrastructure changes (such as operating systems and hardware components) and product versions rendered necessary by Interbank Network enhancements where these enhancements do not involve a structural infrastructure or software change for Service Provider.
Maintenance Notification. Service Provider provides 30 Business Days’ notice at a minimum for changes relating to scheduled maintenance that are due to occur during Service Availability Hours. These changes include upgrades relating to operating systems, infrastructure components and Interbank Network enhancements. Service Provider will use commercially reasonable efforts to schedule maintenance at non-peak hours and limit its occurrence. Service Provider provides 5 Business Days’ notice at a minimum for mandatory maintenance which involves changes which Service Provider deems essential to be implemented before the next scheduled maintenance window. These include, without limitation, product releases, software and hardware upgrades, continuous improvement changes and configuration changes.
10. Emergency Maintenance. Emergency maintenance may be necessary to address emergency changes (fix deficiencies or address unexpected risks to the Hosted Services). An emergency change corresponding to a Critical Incident or High Incident and thus necessitating a rapid return to normal operations may also be required. Customer acknowledges and agrees that access to the Hosted Services may be degraded during emergency maintenance. Service Provider will notify customers upon event in this instance.
11. Test Environment. A test environment is made available to Customer. Customer is responsible for providing test cases and data and is also responsible for test implementation. Customer is also responsible for notifying Service Provider upon test completion. Test support is provided during Service Desk hours on a case by case basis only. Priority will always be given to production operations. If Customer wishes to guarantee test support, then it may initiate a Service Request for this purpose.
Test Environment Accessibility Hours. The hours during which test environments can be accessed by Customer with no commitment on service. Test environment accessibility is 24 * 7 * 365 excepting scheduled test environment maintenance and any crisis as outlined in the Business Continuity Plan.
Test Environment Availability Hours. The hours during which the test environment is made available to Customer with service levels offered on a case by case basis only. Customers may utilise the test environment from 09:00 to 17:00 on normal Business Days during normal operations. Normal operations exclude all test environment maintenance windows and any crisis event affecting Business Continuity (pandemic, fire, flood). Service Provider cannot guarantee test environment availability during maintenance windows. If Customer wishes to ensure test environment availability (i.e. that no maintenance is underway), it must book a test environment slot under the following conditions: Customer to initiate a test slot request to Service Provider no earlier than 20 calendar days in advance of the test slot required; Customer utilise the booked test slot for a maximum of 5 Business Days.
Test Environment Monitoring. Gold and Platinum customers can request a Start of Business Day check on the availability of the test environment. Service Provider will communicate to affected customers in cases of unavailability.
12. Service Desk Support.
Access. The Service Provider’s Service Desk may be reached via the Customer Care Portal.
Customers may contact the Service Desk by phone in the following specific circumstances only: (i) if the Customer Care Portal web portal is unavailable for any reason; (ii) to expedite handling of Critical Incidents (it is mandatory for Customer to contact the Service Desk by telephone in addition to opening the Incident on the Service Desk portal); and (iii) for Out‑of‑Hours support for Critical Incidents only.
The contact information for the Service Desk can be found on the Service Provider’s website based on region and type of products and services. Secure, password‑protected access to Service Provider’s Customer Care Portal is available 24 hours a day, 7 days a week, and 365 days a year.
Service Provider commits to providing support in English. Support in other languages may be provided if practicable for specific geographies.
Service Desk Hours. Hours during which the Service Desk is open and provides support to customers. Service Desk support is provided in accordance with the table specified in Part 2 of this SLA below.
13. Incident Management
For the purposes of this section, the term “Incident” shall mean a material defect in the Hosted Services, experienced by the Customer, that prevents the Hosted Services from conforming in any material respect to the Documentation.
Customer raises an Incident using the following address: https://support.bottomline.com/s/login/ (“Customer Care Portal”). Customer provides all supporting information and documentation required to investigate the Incident. If supporting documentation is missing, any defined response and resolution timelines are suspended. All Critical Incidents must be reported to Service Provider’s Service Desk via telephone following Incident creation on the Customer Care Portal.
Service Provider will determine, at its sole discretion, the applicable severity level of any reported Incident in accordance with the descriptions set forth in the table below. Service Provider formally acknowledges the Incident and then responds to the Incident in accordance with the target acknowledgement and response times set forth in the table below. Service Provider informs Customer about the status of the Incident and any actions taken to date. Where possible, Service Provider provides an estimated timeframe for issue resolution. Service Provider keeps Customer informed on the status of the Incident. Customer is responsible for providing any additional supporting information required for the investigation. If required supporting documentation is not provided, timelines are suspended and resolution could be delayed.
Service Provider targets to resolve Incidents in accordance with the target resolution times set forth in the table below:
14. Incident Notification. Customer is notified within 30 minutes of any Critical Incident (as defined under Incident Management) detected by Service Provider which impacts services. Outage status is communicated on treasuryxpress.statuspage.io.
15. Service Requests. Customer may make formal requests for the delivery of additional services or amendments to existing services (“Service Request”). In this case, a formal written request is required (email from official company email address or letter on customer branded paper) detailing the Service Request in full, and this must contain at least one signature from an authorised Customer representative.
Service Request Acknowledgement. Service Provider will make an initial response to all Service Requests within 2 Business Days during normal operations. Normal operations exclude any crisis event affecting Business Continuity (pandemic, fire, flood etc.). Positive responses may include a proposal or may be followed by a proposal. Negative responses include an explanation as to why the Service Request cannot be fulfilled.
Service Request Acceptance. Customer must formally accept the positive Service Request response or proposal sent by Service Provider for the related work to commence.
16. Change Management. In the case the Service Request corresponds to a Customer change request or a Customer project related request, Service Provider deploys the change on the test environment within the agreed timeframe. Customer is responsible for test implementation by its users using its own test scenarios. Customer formally confirms that the change in the test environment meets its requirements and formally authorises Service Provider to deploy the change into production within the agreed timeframe. In the case of an internal change request issued by Service Provider, Customer is also responsible for test implementation. However, if no response or confirmation on test success is received from Customer within the specified timeframe, Service Provider can authorise deployment to the Production environment.
17. Customer Administrators. (Not applicable for APAC region). Customer formally nominates two (2) key representatives to (i) act as recipient for all formal Service Provider communications relating to the Hosted Services and (ii) act as administrator for Customer end user access to the Hosted Services and (iii) be authorised to make formal requests to Service Provider relating to the Hosted Services such as service requests, change requests and test slot registrations on behalf of Customer. Customer representatives’ contact details (and any subsequent updates) must be communicated to Service Provider in writing, immediately following their nomination.
18. Minimum System Requirements; Internet Connectivity and Browser Settings. Customer acknowledges and agrees that use of the Hosted Services requires (i) maintenance of an Internet connection and browser on each authorised user’s workstation with adequate bandwidth and the minimum system requirements as set forth in the Documentation, (ii) configuration of browsers to access the Hosted Services’ websites, dashboards and portals, and (iii) verification that its firewalls and proxy servers allow access to the Hosted Services.
19. Support Limitations. In the case of any Incidents that are not reproducible by Service Provider, Service Provider will restore the Hosted Services but may not be able to correct the underlying cause if the Incident is not reproducible. Service Provider is not responsible for correcting any Incidents that are (i) for services for which Customer does not have the appropriate subscription if such a subscription is required for the service (e.g. SWIFT); (ii) due to Customer lack of technical knowledge / training on the Hosted Services provided; or (iii) software errors related to any of the following: (A) changes to Customer’s operating system or environment that adversely affect the Hosted Services; (B) use of the Hosted Services in a manner for which such Hosted Services were not designed or not otherwise in conformance with the Documentation; (C) Customer’s negligence or misuse of the Hosted Services. In the event Service Provider is requested to provide support for any of the foregoing, Service Provider will use commercially reasonable efforts to assist Customer but reserves the right to charge for such assistance at its then applicable professional services rates.
20. Business Continuity. Service Provider maintains a Business Continuity plan which is reviewed annually. The Business Continuity plan details Service Provider’s strategy for continuing business in case of major Incidents such as natural disasters, pandemics, technology outage, terrorist attack etc. A business impact analysis exercise is conducted annually, which is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency.
21. Disaster Recovery. A disaster constitutes an exceptional scenario which, when it occurs, results in the loss of services of the Service Provider for an extended period and critically affects Customer’s business. Service Provider ensures that site and system resilience is in place so that services remain available for Customer in the event of a site disaster. Site and system resilience is achieved through a combination of local resilience on the Production site (where critical components and services are replicated or deployed in a cluster environment to ensure business continuity in case of hardware or software failure) and the provision of a Disaster Recovery site (which continues operations should a critical issue occur at the Production site). In the event of a disaster, Service Provider will use all reasonable efforts to switch to the Disaster Recovery site in accordance with the timeframes set forth in the table below where “H” is the time at which the Company’s operational staff first becomes aware of the Disaster.
Customers are notified as soon as possible upon a Disaster situation affecting services provided by Service Provider. Disaster scenarios and communication strategies are detailed in the Business Continuity Plan.
Customers are responsible for whitelisting DR IP addresses.
Disaster Recovery Testing or Disaster Recovery Role Swaps occur once annually at a minimum. Disaster Recovery Role Swaps are a form of testing where operations are run from the Disaster Recovery site instead of the Production site for a period of time to ensure business continuity in case of disaster. Customers are notified by Service Provider in advance of these tests.
22. Monitoring. Customer is the data controller and Service Provider is the data processor in relation to data flowing through the Hosted Services. Customer therefore is entirely responsible for monitoring its own business operations (monitoring transactions, payments, flows processed through the Hosted Services in line with what the Hosted Services to which Customer has subscribed can deliver). Service Provider is responsible for the technical monitoring of the Hosted Services within the perimeter of its control (connections, performance, processes, Incidents etc.).
23. Reporting. Service Provider provides the following reports to the Customer:
24. Customer Data Retention. Service Provider retains Customer data for 12 rolling months as standard. The Customer data may be retained in any combination of online data and archive files during this period. This retention period can be extended or reduced for certain specific Hosted Services based on Customer subscription in line with Customer requirements.
25. Customer Data Archive. Service Provider provides Customer with access to download its database archive through a secured channel. It is Customer’s responsibility to ensure that its database archive is downloaded and stored within its own infrastructure. Service Provider reserves the right to delete Customer database archive for the previous calendar year, following a minimum of three (3) communications to Customer.
26. Customer Data Confidentiality Policy. Service Provider maintains a Privacy policy governing the confidentiality of privacy information and conducts a privacy risk assessment annually.
27. Customer Responsibilities. If Customer is using the Hosted Services to access SWIFT, it must have a valid membership agreement with SWIFT. Customer is responsible for paying all applicable SWIFT membership charges, SWIFT traffic fees and other fees levied by SWIFT, in accordance with its SWIFT user agreement. SWIFT customers must comply with the policies stipulated by SWIFT for SWIFT users and must notify Service Provider and SWIFT of any non-compliance with such rules and regulations and/or breach of any such conditions. SWIFT customers must treat as confidential, any information relating to the Hosted Services, or SWIFT operations (including but not limited to the contents of messages passing through the Services and Quoted Infrastructure), SWIFT technical documentation, SWIFT security tokens and SWIFT network information.
Customer Payload. Customer agrees that designated Service Provider operations staff may have access to the Customer’s message payload data for use only in appropriate operations / support tasks requiring such access. Access to Production platforms is restricted to these designated staff and change access to Production platforms is further restricted and subject to formal change authorisation. Service Provider user access is maintained at an appropriate number of individuals to carry out the support and operational activities in line with Service Provider’s contractual commitments. User access is logged and reviewed and adjusted in line with employee roles twice annually at a minimum. Service Provider is not required to seek specific authorisation on each occasion when such access is required.
Delegated Operations. SWIFT customers may delegate certain operations to Service Provider and these delegated operations must be clearly identified in the Agreement. Customer’s own personnel can act as SWIFT registered Security Officers (SOs) in which case Customer shall provide contact details for the designated Security Officers to Service Provider. Alternatively Customer may nominate two or more Service Provider Security officers to act on its behalf. Customer delegates control and operation of its PKI certificates to two Security Officers (SO) at Service Provider. Customer’s PKI keys are maintained securely by Service Provider according to SWIFT best practices and only accessible by authorised Service Provider personnel. Any changes to PKI keys are managed under related SWIFT procedures. Customer may request an audit trail of PKI operations. Customer may also request a list of authorised Service Provider personnel with access to the PKI keys.
SWIFT Upgrades. SWIFTNet upgrades are implemented by Service Provider at least 1 month before the end of life of the current version; a SWIFT FIN standards release is provided by Service Provider for Customer testing at least 6 weeks before the cutover date; SWIFT Quarterly security updates are applied by Service Provider in line with SWIFT requirements.
28. Updates to this SLA. Service Provider agrees to provide its services in compliance with the set of basic operational obligations as defined by SWIFT for Service Bureau Providers. Service Provider shall be entitled to amend this SLA to incorporate additional mandatory contractual provisions as required by SWIFT from time to time in order to comply with its Shared Infrastructure Programme or any successor thereto.
Service Provider may also amend this SLA from time to time as required to reflect changes in its operational processes, mandatory regulatory or legal requirements or evolution of the services provided, provided always that the amended version does not materially degrade the service levels enjoyed by Customer in the version being replaced.
Customer understands and acknowledges that it is a condition of Service Provider’s continued access to SWIFT that it must comply with SWIFT’s mandatory provisions, which include the insertion of certain contractual clauses.
Business Day. Working days excluding weekends (Saturdays and Sundays in most geographic locations) and national holidays defined under Public Holiday.
Business Hours. Hours that fall during the Service Desk hours on a Business Day in the geography where the Hosted Services are based (and therefore excludes out-of-hours support).
Customer Administrator / Representative. Nominated Customer contact representative, acting as key point of contact for Service Provider Customer communication and authorised to make requests to Service Provider for services such as access security measures, service and change requests, test slot reservations, on behalf of the Customer.
Disaster. An exceptional scenario which, when it occurs, results in the loss of services for an extended period and critically affects the Customer’s business.
Emergency Change. An emergency change is a change corresponding to a Critical Incident or High Incident and thus necessitates a rapid return to normal operations.
Incident. Any event resulting in a service interruption, a service slowdown or a loss of service quality.
Incident Acknowledgement. Automated email response sent to Customer with an Incident reference number once the Customer logs an Incident in the Service Provider’s service desk tool.
Incident Priority. There are 4 Incident priorities as follows: Critical Incident, High Incident, Medium Incident, Low Incident.
Incident Resolution. A work around or fix provided by Service Provider to remedy an Incident.
Incident Response. The response provided to the Customer by a Service Provider employee / team assigned to the Incident, following Incident acknowledgement and initial investigation.
Interbank Network. Networks that facilitate payment transfer between entities. Examples include (non-exhaustively) BACS, SWIFT, SIC, euroSIC, SECOM, and Telekurs.
Production. Live business transaction processing which has effect outside a test environment.
Public Holiday. The following public holidays apply:
Service Accessibility Hours. As set out in section 8.
Service Desk Hours. Hours during which Service Desk is open and providing support to customers as defined in Part 2 of this SLA.
Service Request. A formal (written) customer request for a service which is not Incident-related but results in the delivery of an additional service or an amendment to an existing service provided by Service Provider to the Customer.
A BCP business Impact analysis exercise is conducted annually.