Policy for security tests (penetration tests) on the Open Telekom Cloud

Customers of the Open Telekom Cloud have the option to test the security of their services and in this setting, to carry out security tests on the customer's instances/resources on the Open Telekom Cloud in compliance with this policy.

Prohibited security tests are any security tests not expressly permitted in this policy. Security tests requiring approval are allowed, provided they have been approved by Telekom prior to the security test being performed. This guideline is conclusive.

Even if executed properly, security tests can result in damage and/or data loss. In this respect, security tests shall be carried out by the customer independently.

By carrying out a security test, the customer accepts the following provisions:

1. The customer is responsible for compliance with the provisions of this policy by it or a third party attributable to it (e.g., employees, service providers).
2. The customer is obliged to have security tests exclusively carried out by authorized, certified, and professionally qualified personnel of the customer or an external service provider who is not directly in competition with Telekom regarding the services to be tested. The customer shall indicate any existing conflicts of interest.
3. The customer shall ensure compliance with all applicable legal and industry-specific provisions, including in particular:
   
   
   1. § 202c and § 203 of the German Criminal Code (Strafgesetzbuch – StGB), as well as other provisions of the StGB
   2. Provisions of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and the EU's General Data Protection Regulation (GDPR)
   3. Workers' rights and Works Constitution Act (BetrVG)
   4. Basic right of ensured confidentiality and integrity of information technology systems
   5. Observance of national and international copyrights, trademarks, patents, names and trademarks as well as other industrial property rights and personal rights of third parties
       
4. In accordance with the statutory provisions, the customer shall be liable for all direct and indirect damage arising from or in conjunction with security tests carried out by it or on its behalf. Possible damage includes in particular data loss, resource consumption, expenses for system restoration, damage to the Open Telekom Cloud platform/infrastructure, or damage to third parties that result from the impairment of its services. In the event of damage, the customer shall be obliged to demonstrate that any damage cannot be attributed to the security tests carried out by it. The customer shall exempt Telekom from all claims by third parties based on the performance of the security test. If the customer identifies or has to identify a risk of this kind of infringement against the agreement concluded with Telekom, it shall inform Telekom of this immediately..
5. The customer is prohibited from performing security tests on other publicly offered infrastructures or platforms of the Open Telekom Cloud.
6. The customer shall ensure that a security test can be canceled at any time at the request of Telekom.
7. The customer ensures that they know and have tested the tools used to carry out the security test.
8. Telekom makes every effort to constantly improve its services. If the customer recognizes or believes in a security test
   
   
   1. identify general security problems with the infrastructure or platform of the Open Telekom Cloud, or
   2. unforeseen consequences occur, in particular disruptions of the Telekom infrastructure
      
      he is obliged to inform Telekom of this without delay:
      
      Germany:                      0800 330 44 77
      all other countries:       +800 330 44 770
      Email:                           service@open-telekom-cloud.com
      
      The customer provides Telekom with a report with the following information:
      
      1. Vulnerability and information of reproducibility
      2. UTC time stamp for the test activities
         The customer grants Telekom, as well as Deutsche Telekom AG and its affiliated companies, a right to use the report.
          
9. Results on general security problems in the infrastructure or platform of the Open Telekom Cloud must be treated as confidential. If legally permissible, the customer and/or third party attributable to it may pass on this information.
10. If a security test by the customer triggers the security mechanisms of the Open Telekom Cloud, Telekom shall inform the customer of this. In this case, the customer shall be obliged to inform Telekom of the specific measures of the security test and their termination. Comparable security tests of the customer must be requested through Telekom in the future as security tests requiring approval.
11. The customer is responsible for the correct assessment and classification of its security tests. In cases of doubt, the customer shall apply to carry out the security test as a security test requiring approval.
12. The customer warrants that it is authorized to carry out the security tests and have the required permission. Furthermore, the customer shall ensure that all those affected have been sufficiently informed.

Insofar as security tests are not expressly permitted in accordance with this guideline or have been approved in writing by Telekom in individual cases, these are prohibited. This applies to the following measures and security tests:

Any security tests that are not expressly permitted according to this policy and/or have not been approved by Telekom in individual cases are prohibited. This concerns in particular, but not conclusively, the following measures and security tests:

All other security tests not listed above must be requested by the customer and approved by Telekom prior to execution in the following procedure:

1. The customer requests the application form from the ServiceDesk, stating their Open Telekom Cloud Tenant ID.
2. The customer fills out the application form completely and accurately and sends it to the e-mail address given in the application form at least 7 (seven) days before the planned implementation.
3. The decision on the application is usually made within 3 (three) days of submitting the application, insofar that no further inquiries are required. Telekom assumes no liability for approval that is not given or not given on time.