SERVICE LEVEL AGREEMENT
I. INTRODUCTION
a. Scope and Objectives:
This agreement establishes the terms and conditions to which [Supplier's Corporate Name], hereinafter referred to as the SUPPLIER, is subject in the context of providing the service [product/service provided] to INDUSTRIAL ARCOL, S.A., hereinafter referred to as the CLIENT.
The purpose of this agreement is to establish quality levels in the service provided by the SUPPLIER.
b. Parties:
The parties to sign this agreement are identified as follows:
On one side, INDUSTRIAL ARCOL, S.A., with VAT No. ES-A58104043 and registered office at c/Juan de la Cierva, 4, Polígono Industrial Valldoriolf, 08430 La Roca del Vallès, Barcelona (Spain), represented by Mr. Raül Colom Jaén, acting on behalf of the company in his capacity as Chief Executive Officer [CEO].
On the other side, the SUPPLIER, as the provider of the service, with VAT No. [Supplier’s VAT] and registered office at [Supplier’s Address], represented by Mr./Ms. [Supplier Representative’s Name], acting on behalf of the company in his/her capacity as [Supplier Representative’s Position].
c. Duration:
This agreement becomes effective upon signing and remains in force until the end of the product’s lifecycle or the end of the contract, unless modified by mutual agreement between both parties.
II. SERVICE DESCRIPTION
The service provided by the SUPPLIER to the CLIENT, and to which this agreement is linked, consists of:
The cybersecurity service provided by the Supplier, for the list of products detailed below, aims to ensure comprehensive protection of these components against cyber threats throughout their entire lifecycle. This service covers both the development and production phases as well as the post-production phase, ensuring the continued security of the component and its secure integration into the Client’s system and the final vehicle.
List of products subject to this contract:
Product reference | Product description | Version |
Within this service, the following tasks are included:
1- Cybersecurity risk assessment and management.
This task includes the identification, analysis, and classification of threats and vulnerabilities that may compromise the component. The assessment is continuous and is carried out in accordance with ISO/SAE 21434 and the requirements of UN Regulation No. 155. The Supplier must establish effective mitigation measures to reduce the impact of the identified threats.
A TARA (Threat Analysis and Risk Assessment) of the supplied products may be requested.
2- Sharing responsibilities between Supplier and Client regarding ISO/SAE 21434 requirements.
A RASIC matrix (Responsible, Approving, Supporting, Informed, Consulted) may be requested to determine the responsibilities for each required activity as well as for the deliverable documents.
3- Continuous supervision and monitoring.
This task involves the implementation of a monitoring system that enables early detection of abnormal behaviours and malicious activities affecting the component. The monitoring must operate continuously, generate alerts, and allow vulnerabilities and potential cyberattacks to be detected quickly. This includes, for example, consulting official information sources (such as security advisories for the products or services used) and participating in forums and user organizations for those products or services.
4- Cybersecurity incident management.
This task must ensure a quick and effective response to any cybersecurity incident affecting the component. The service includes incident detection, an escalation process, classification based on criticality, detailed analysis, and the application of containment and mitigation measures. Additionally, detailed reports of each incident will be provided, and the response will be coordinated with the Client’s team.
The Client designates the mailbox cybersecurity@arcol.es as its contact for cybersecurity incident communication. The Supplier is requested to provide the Client with a contact for cybersecurity incident management: [Supplier's contact or email address].
5- Development and implementation of security patches and updates.
This task will be carried out if critical vulnerabilities are detected in the component. At that time, the Supplier will develop and deploy security updates or patches to prevent potential incidents. The updates must be implemented in coordination with the Client and in accordance with the response times established in this agreement.
6- Compliance reports and audits.
Compliance reports and annual audits must be submitted to verify that all security requirements and service levels are maintained within the agreed standards. The reports must include an assessment of the cybersecurity status of the component, details of incidents, and the mitigation measures implemented.
III. TECHNICAL ASPECTS
a. Availability – Service Level Objectives:
The service components assigned to each of the tasks will have an associated availability according to the following table:
Task | % Availability / Response time | Service hours |
Incident response time | See table in section b. | Supplier's service hours |
Security monitoring availability | 98% | Supplier's service hours |
Countermeasure update | 30 days from identification, or as agreed with the Client if the countermeasures justifiably require more resources and time | Supplier's service hours |
b. Incident and Service Request Management:
The provision of the service may be subject to incidents that could compromise the maintenance of adequate service levels. To minimize the impact of such incidents on service delivery, prioritization criteria are established to ensure appropriate response and resolution times. These prioritization criteria are categorized into two types:
Normal: incidents that neither result in a complete service outage nor compromise the security of the service in any of its parameters.
Critical: incidents that result in a complete service outage or that may compromise the security of the service.
Regarding response and resolution times, the following service levels have been established:
Task | Initial response time | Resolution time* |
Requests | 5 – 15 days | 6 months |
Normal incident | 3 – 5 days | 3 months |
Critical incident | 1 – 3 days | 2 months |
(*) Resolution times may vary from the initial estimates depending on the nature of the incident, the complexity of the required analysis, the time needed to implement corrective actions, the resources available, and the results obtained from testing the effectiveness of the applied measures. In such cases, the Supplier must duly justify these timeframes and keep the Client informed in a timely and continuous manner about the status and progress of the actions undertaken.
EXCLUSIONS
The following aspects are excluded from the scope of this agreement:
Support for unauthorized modifications made to the component or system by third parties without prior approval from the Client.
Response to incidents or vulnerabilities related to external systems that are not under the control of the Supplier.
Management and protection of end users’ personal data, which will be the sole responsibility of the Supplier, unless such data is compromised due to a vulnerability in the component.
PENALTIES FOR NON-COMPLIANCE
Any downward deviation from the agreed level of service compliance entitles the Client to compensation from the Supplier. To determine the compensation, two levels of non-compliance are defined: minor and severe.
Non-compliance | Minor deviation | Severe deviation |
Response time exceeded (normal incident) | 2 days | 1 day |
Resolution time exceeded (normal incident) | 2 months | 1 month |
Availability lower than offered | 98% - 99% | < 99% |
Whenever the service levels are not met, the Supplier must compensate the Client. The compensations for service non-compliance are outlined below.
Non-compliance | Penalty for minor non-compliance | Penalty for severe non-compliance |
Response time exceeded (normal incident) | 5% discount on the next invoice, up to a cumulative maximum of 10% | 10% discount on the next invoice, up to a cumulative maximum of 20% |
Resolution time exceeded (normal incident) | Same as above | Same as above |
Availability lower than offered | Same as above | Same as above |
In the event of repeated non-compliance, whether minor or severe, that results in economic or reputational impact for the Client, both parties agree to jointly evaluate possible corrective measures. Such measures may include compensation proportional to the level of impact, always agreed upon fairly and in accordance with the principles of good faith and mutual collaboration.
TERMINATION
The Supplier undertakes to ensure the security of information after the termination of the contracted services. When applicable, and at the Client’s request, the Supplier shall proceed with the return of assets, removal of access permissions, and deletion of sensitive organizational information stored in the Supplier’s systems.
The service level agreement remains valid for the entire duration of the service provision period.
On behalf of and representing the SUPPLIER | On behalf of and representing the CLIENT |
Company Representative: [Name] | Company Representative: Raül Colom Jaén |
Position: [Position] | Position: Chief Executive Officer (CEO) |
Date: [Date] | Date: [Date] |
Signature: [Signature] | Signature: [Signature] |