This Schedule forms part of the Cloud Master Services Agreement and describes the scope, responsibilities and limitations relating to Platform and Infrastructure.
It explains what we are responsible for at the platform and data centre layer, what you control, and any important technical boundaries or limitations.
1. Overview of the Cloud Platform
- The Cloud Platform is made up of:
  - data centre facilities (power, cooling, physical security, connectivity);
  - host servers and hypervisors (virtualisation layer);
  - shared or dedicated storage and, where applicable, local storage on host servers;
  - core switching, routing and firewalls;
  - remote access and management tools; and
  - supporting services such as monitoring, alerting and backup infrastructure.
- The Cloud Platform may be delivered entirely by Cultrix, or by a combination of Cultrix and one or more upstream data centre or cloud infrastructure providers.
- We remain your primary point of contact for all in-scope Cloud Services delivered on the Cloud Platform.
2. Data centre and hosting environment
- We host the Cloud Platform in professionally managed data centres that provide:
  - restricted physical access controls (for example access cards, biometric readers, visitor logging);
  - redundant power feeds and UPS/generator backup;
  - environmental controls (cooling, fire detection and suppression);
  - 24/7 monitoring and security presence; and
  - multiple network connections to upstream providers.
- Where we use a third-party data centre or cloud provider, the detailed design and tier level of the facility is governed by that provider’s own standards. We take reasonable steps to select providers whose services are suitable for small and medium-sized business workloads.
- We do not guarantee that your workloads will run in a specific data centre, region or facility unless this is explicitly agreed in your Order.
3. Host servers, virtualisation and storage
- We operate host servers that run supported hypervisors (for example VMware, Hyper-V or similar technologies) and provide virtualised compute resources (CPU and memory) to your virtual machines and remote desktop servers.
- We provide shared or dedicated storage platforms (for example SAN, NAS or virtual SAN) or local storage on host servers, as appropriate for the service.
- We:
  - monitor host health, capacity and basic performance;
  - apply vendor-recommended firmware and hypervisor updates during maintenance windows;
  - manage resource allocation policies across the platform; and
  - take reasonable steps to avoid resource contention between customers.
- Resource allocation (for example vCPU, RAM and storage) for your workloads is defined in your Order or in the Service Schedules. We may use industry-standard techniques such as over-commit and resource pooling, provided we maintain performance at a level suitable for the agreed workloads.
4. Networking and internet connectivity
- The Cloud Platform includes:
  - internal switching and routing between hosts, storage and management networks;
  - perimeter firewalls and, where applicable, VPN end-points;
  - public IP address allocation and NAT where needed; and
  - shared internet connectivity to external networks.
- We:
  - design and maintain core network addressing, routing and firewall rules for the platform;
  - implement standard security baselines for inbound and outbound network traffic;
  - apply changes in line with agreed change processes; and
  - monitor core network availability and respond to alerts.
- Bandwidth is typically shared between customers unless you purchase dedicated connectivity or a private link for your environment. We may implement reasonable traffic management or rate limiting to protect the platform from abuse or to maintain stability for all customers.
5. Firewalls and perimeter security
- We operate perimeter firewalls to protect the Cloud Platform from unauthorised access. These may include:
  - stateful packet inspection;
  - access-control lists (ACLs) and security zones;
  - VPN termination for site-to-site or remote-access VPNs where purchased; and
  - basic intrusion-prevention or reputation-based blocking.
- Standard firewall rules are designed and maintained by us. Custom rules for your workloads (for example publishing specific services to the internet or exposing internal ports over VPN) will be implemented on request, subject to security review.
- You:
  - are responsible for any application-level access controls behind the firewall (for example authentication on web applications);
  - must not attempt to bypass or weaken firewall controls; and
  - must promptly notify us if you become aware of suspicious traffic or access patterns.
6. Monitoring, alerting and incident response
- We monitor key aspects of the Cloud Platform during our standard monitoring window, including:
  - host and storage availability;
  - platform CPU, memory and storage utilisation;
  - core network and firewall status; and
  - backup infrastructure health.
- Where monitoring identifies a platform-level issue affecting your Cloud Services, we will:
  - log an internal incident ticket;
  - begin investigation and remediation in line with the priorities and targets described in the SLA (Annex A); and
  - keep you updated on material incidents that have an impact on your services.
- Monitoring of individual virtual machines (for example CPU spikes or disk usage inside the guest OS) is covered in other Schedules if those services are purchased.
7. Platform maintenance and changes
- We carry out planned maintenance on the Cloud Platform from time to time, including:
  - hypervisor and firmware updates;
  - storage platform updates;
  - firewall and network device updates; and
  - capacity upgrades or restructuring work.
- Where maintenance is expected to be service-affecting, we will:
  - schedule it outside Business Hours where reasonably practical; and
  - provide reasonable notice, unless the work is urgent for security or stability reasons.
- Emergency changes may be performed without prior notice if required to address a critical security or stability risk. We will notify you as soon as reasonably possible afterwards if you are affected.
8. Customer responsibilities at the platform layer
- You must:
  - avoid making unplanned or unsupported changes directly to the Cloud Platform (for example host or hypervisor settings, storage configuration or firewall rules), unless explicitly agreed with us;
  - inform us of significant planned events that may affect platform load (for example large user onboarding, major application go-lives or batch processing runs); and
  - follow any platform-related guidance we issue (for example supported operating system versions, reserved IP ranges or naming standards).
- If changes are made to the Cloud Platform by you or a third party acting on your behalf without our knowledge, and those changes cause instability or security issues, we may need to perform remedial work on a time-and-materials basis to bring the environment back into a supported state.
9. Exclusions
- This Schedule does not include:
  - application development or code changes;
  - performance tuning of Customer Applications beyond reasonable platform-level adjustments;
  - complex network or security architecture design (for example Zero Trust architectures);
  - compliance or certification work (for example ISO, PCI or Cyber Essentials projects); or
  - any work listed as out-of-scope or project-only in the Agreement or other Schedules.
- We are not responsible for the operation of the public internet, third-party networks or services outside our reasonable control.