PART 3 – BUSINESS CONTINUITY MANAGEMENT

Last Updated: 19 November 2024 

Company must maintain a comprehensive and current: business continuity plan (“BCP”) that completely covers, at a minimum, the contracted services and any infrastructure required to support them, documenting and implementing processes and procedures to ensure essential business functions continue to operate during and after a disaster; and disaster recovery plan (“DRP”) that documents technical plans for specific restoration of Expedia Information, ensuring there is no reduction of security in a disaster. Key Personnel must be knowledgeable about the BCP/DRP referenced herein.

If Company is allowed to store or process Expedia Information within its environment, the following Business Continuity Management requirements apply:

1.1 BACKUP

1.1.1 At least once weekly, Company shall perform a complete backup of Expedia Information using highest industry standard backup procedures. This backed-up data will be maintained at a Company colocation center in the US on US based servers (or such other location as may be approved in writing by Expedia). In addition, Company will perform incremental daily backups. 

1.1.2 On at least a monthly basis, Company will make a copy of Expedia Information and store it at an off-site or at an alternate processing location in the US. Expedia may request a backup of the Expedia Information at any time, and Company shall provide the backup within five (5) business days in a mutually agreed upon format. 

1.2 BUSINESS CONTINUITY PLAN

1.2.1 Institute suitable business continuity targets and solutions for prioritized business activities required to continue or re-establish delivering products and services following a disruptive incident or crisis impacting Company facilities, services or staff.

1.2.2 Minimize risks of disruptive incidents to time-critical activities required to deliver Company products and services.

1.2.3 Define roles, responsibilities, and authorities.

1.2.4 Define and implement Business Continuity and Crisis Management Plans, Procedures, Business Impact Assessments, Risk Assessments, Tests, Exercises, Monitoring, Measurement, Analysis, Evaluation, and Continuous Improvement Plans.

1.2.5 Include business continuity/disaster recovery provisions in contracts with Third Parties who impact delivery of Company products and services. The provisions must require appropriate business continuity/disaster recovery policies as well as compliance with applicable laws or regulations regarding their business continuity/disaster recovery programs or plans.

1.2.6 Define notification requirements during an event impacting Company facilities, services or staff. Specifically, if Company experiences an outage disrupting its processes and services and determines that it will not be able to rectify this within one (1) business day, in addition to any other obligations herein, Company shall notify Expedia of the relevant issue and expected rectification period. Company will update Expedia in writing at least twice daily until such issue is resolved.

1.3 DISASTER RECOVERY PLAN

1.3.1 Company shall implement a DRP for the recovery of the Application that addresses the following: 

  1. Re-establishment of Information Technology (“IT”) environment(s) following an unplanned event impacting the data center, infrastructure, data or applications/systems.

  2. Policies and procedures necessary to minimize the risk of delay in establishing alternate recovery facilities and beginning the recovery process.

  3. Crisis management plan, including standardized procedures for successfully responding to unplanned service outages due to disasters.

  4. Comprehensive test strategy for the DRP.

1.3.2 Company shall provide a documented copy or evidence of such plan to Expedia within ten (10) days of the Effective Date.

1.3.3 Company shall periodically update and test the operability of such plan at least once during each annual period of the Term and implement such plan upon the occurrence of a disaster. 

1.3.4 In the event of a disaster, Company shall not increase its charges under this Agreement.

1.3.5 If a disaster causes Company to allocate limited resources between or among Company's customers, Expedia shall receive at least the same priority as such other customers in respect of such allocation.

1.3.6 Notification requirements during an event impacting Company IT systems, infrastructure or applications.

Specifically, if Company experiences an outage disrupting IT systems, infrastructure or applications and determines that it will not be able to rectify this within one (1) business day, in addition to any other obligations herein, Company shall notify Expedia of the relevant issue and expected rectification period. Company will update Expedia in writing at least twice daily until such issue is resolved.

1.4 POWER BACKUP

All infrastructure in Company’s service location including desktops, servers, network, switch, quality monitoring and heating/lighting/ventilation must have a backup system (UPS and stand-by generators with fuel) with the ability to provide uninterrupted power for a minimum of seventy-two (72) hours. Power back-up systems should be tested at least once each month to ensure adequate operation.

1.5 BCP/DRP TESTING

The BCP/DRP and related procedures must be tested and Business Impact Assessments and Risk Assessments performed at least once annually and evidence of testing maintained. The tests must demonstrate that Company approach is effective. A review of the BCP/DRP will occur on at least an annual basis.