Service Specification - CI Synchronizer to ServiceNow

— Last updated: May 27^th, 2024

1. Service overview

CI Synchronizer (CI Sync) is a Software-as-a-Service (SaaS) offering made available through various Subscription Plans.

As a general description, CI Sync is a SaaS integration application which processes records between a source system (one that holds automatically discovered IT assets and associated data) and a destination system (one that holds a transformed version of the source records in the form of Configuration Items (CI or CIs) and associated data).

This Service Specification relates specifically to the version of CI Sync that processes records between various source systems and ServiceNow (as the destination system). That is, this Service Specification relates to CI Sync for ServiceNow (CI Sync for SN).

The source and destination systems, both of which are owned and managed by You, do not form part of the Service. The ability for the Service to successfully perform its functions, is dependent upon Your systems and data which are outside of Our control.

The diagram below provides an overview of the major components which make up the Service, including which components are owned and/or managed by You or Us.

2. Detailed description of services

The Service consists of the following components provided by Us:

• The CI Synchronizer SaaS application (CI Sync SaaS application or CI Sync) in the Cloud.

• The CI Synchronizer Agent (CI Sync Agent) hosted in Your environment.

For the CI Sync SaaS application

• We will provide You with a logical instance of the CI Sync SaaS application within a hosted environment (Hosted Environment) provided by Our hosting provider (Cloud Host) and make the logical instance (Your Instance) available to You. Refer to "Overview of Service Provisioning and Initial Service Use" for additional details. Your Instance may consist of a combination of dedicated and non-dedicated technology components.

• You will be able to access to Your Instance through an authenticated login. You will also be able to make Your Instance available to other users You provision with an authenticated login (an End User). All user access and authentication to Your Instance is controlled by You, not Us. Refer to “Overview of Authentication and Security” for additional details.

• You will be able to use a web browser user interface to configure Your Instance and perform synchronisation of Your source system records into Your ServiceNow Configuration Management Database (CMDB). You will also be able to define a schedule of automated recurring synchronisation events, provided it complies with any fair use requirements set out in this Service Specification.

• Your Instance, working in conjunction with the CI Sync Agent, will generate data for Your source system records (i.e. those source system records which match the configuration rules You have defined), process that data (by attempting to match them with existing Configuration Items (CIs) stored in Your ServiceNow CMDB) and either insert new CIs or update existing CIs. Refer to “Overview of data used within the Service” for additional details.

• The CI Sync SaaS application will transform Your data, persist Your data, and store logs and metrics as part of its processing operations. Refer to “Overview of data used within the Service” for additional details.

For the CI Sync Agent

• We will provide You with one or more copies of the CI Sync Agent (Agent) which You will be required to install onto a Microsoft Windows Server within Your environment. As part of the Agent installation process, You will be directed to register the Agent as an application within Your Azure Active Directory (AAD).

• When an installation of Your Agent first authenticates and connects to Your Instance, the specific installation of the Agent is automatically registered in Your Instance (this allows Your users to visually differentiate Agent installations and ensures the CI Sync SaaS application can authenticate individual Agent installations).

• The Agent requires read access to Your source system repository (i.e. a Microsoft SQL server in the case of SQL based source systems, or a cloud account/subscription for cloud based source systems records).

• The Agent also requires read and write access to either a Microsoft SQL or MongoDB database which is automatically created during the installation process. This additonal database is used by the CI Sync Agent to track and process Delta Synchronisations which is a key feature of CI Sync.

• The Agent will periodically poll Your Instance looking for synchronisation jobs to perform (i.e. jobs You have configured using the user interface of Your Instance).

• When the Agent receives a synchronisation job it will determine which of Your source system records have changed since the previous synchronisation job and send the relevant records as data payloads to Your Instance for processing.

Overview of Record & Field Types in the Service

The Service differentiates between the following Record & Field Types:

• Source system records and fields that are oriented towards assets (Asset Oriented Record & Field Types).

• Source system records and fields that are oriented towards events (Event/Activity Oriented Record & Field Types).

The Record & Field types available to You is governed by the particular Subscription Plan You have purchased.

Asset Oriented Record & Field Types

These are typically parent records and objects discovered and/or present in source systems and primarily consist of any of the following:

• Computing devices (servers, hosts, VMWare vCenter Servers, virtual machines, nodes, personal computers, and similar).

• Network connected devices (SAN, NAS, printers, switches, firewalls, IP phones, IP cameras, IoT devices, other IP connected devices, and similar).

• Mobile devices (mobile phones, tablets, and similar).

• Cloud resources (virtual machines, resource groups, VPCs, and similar).

These also consist of child records and objects directly related to, or installed upon the records described above such as any of the following:

• Installed software packages (on computing devices).

• Installed applications (on mobile devices).

• Hardware and virtualised components (displays/monitors, memory modules, network adapters, directly attached storage devices and volumes, VMWare components such as datacenter, datastore, clusters, virtual networks, and similar).

• Asset groups, tags and similar (if applicable to a given source system).

• The Last Logged on Username field/value (if applicable to a given source system).

Asset Oriented Record & Field Types exclude any records or fields identified as an Event & Activity Oriented Record Type.

Event & Activity Oriented Record & Field Types

These are typically date, time or transactional events and activities which directly relate to Asset Oriented Record & Field Types. These consist of any of the following:

• Event Fields such as the following:

  • Last Seen Date/Time.

  • Last Logged On Date/Time.

  • And similar.

• Event Records such as the following:

  • Log records (e.g. Windows Event Logs).

  • Monitoring records (e.g. Windows Performance Monitor logs and metrics).

  • And similar.

3. Overview of Service Provisioning and Initial Service Use

The Service is initially provisioned through the following general process:

• You will provide Us with the following details:

  • Contact details of a primary point of contact, and an alternative contact, for the service within Your organisation (Your Service Owner contact details). We also recommend You provide Us with an alternative contact who can act on behalf of Your Service Owner if they are not available.

  • An email address, which may be a Distribution List email address, within Your organisation that We will use to send service-related notifications (Your Service Notification contact details).

  • The Tenant ID of Your Azure Active Directory (AAD). That is, the Tenant ID of the ADD that will be hosting the Enterprise Application registration (see below for further details on this topic).

• We will initialise Your Instance within the Hosted Environment and make the instance accessible by You. 

• We will provide You with a URL, which is specific to Your organisation, to the user interface for Your Instance.

• Using the URL We provide, a privileged user in Your Azure Active Directory (AAD) will register Your Instance of the CI Sync SaaS application as an Enterprise Application within Your AAD. The Enterprise Application will contain any roles needed to provide authorisation into Your Instance. Such roles will be used by You to control access Your Instance.

• We will also provide You with an installable copy of the CI Sync Agent (Agent) (or make it available for download by You):

  • You will install the Agent on a Microsoft Windows Server within Your environment and You will provide the Agent access one or more of Your source asset repositories.

  • As part of the installation process, You will need to register the Agent in Your Azure Active Directory (AAD) and grant it the relevant role under the CI Sync enterprise application registration.

  • You may install the Agent on multiple servers within Your environment (e.g. if necessary to support the specifics of Your environment).

  • Each install of the Agent will have a “friendly name”, initially the NETBIOS name of the server it is installed on, so You can identify it in the user interface of Your Instance.

The initial use of the Service, for the purpose of performing synchronisation of data, will take place through the following general process:

• You will configure the following:

  • The connection details (including URL and various authentication information) for Your ServiceNow.

  • The name of each Agent You have installed.

  • The one or more source systems You will connect to from the Agent.

  • The source record types, and related data objects, You want synchronised into Your ServiceNow CMDB.

  • The synchronisation schedule You wish to use.

• With respect to the above, and in accordance with the inclusions of Your Subscription Plan:

  • We will provision You a single instance of the CI Sync SaaS application which is suitable for connection to both Your Non-Production ServiceNow instance and then Your Production ServiceNow instance.

  • We will provide You with comprehensive planning and setup instructions, and work with you to prepare for the implementation of the Service initially using the default configuration of the CI Sync SaaS application which You will initially connect Your Non-production ServiceNow instance.

  • Once the configuration of the CI Sync SaaS application has been validated against Your Non-Production ServiceNow You can create a second connection between Your instance of CI Sync and Your Production ServiceNow instance. The production connection will utilise the configuration of CI Sync which was validated with your Non-Production ServiceNow instance.

  • It is Your responsibility to assess the potential impact on Your environment, including but not limited to Your business processes, Your operational services and Your data, prior to performing synchronisation/s against any of Your ServiceNow instances.

  • It is Your responsibility to make any changes to Your ServiceNow CMDB if such changes are required to successful use the Service.

  • Refer also to “Subscription Plans” for additional details about inclusions of each CI Sync edition.

4. Support Services

Unless stated otherwise, all Subscription Plans for the Service include the following Support Services:

Types of Support Services

First level support is made available to You via articles in Our knowledge base (available via Our Website).

Second level support is provided via a support email address (or any other communication medium chosen by Us). This email address is monitored (during the Support Services Availability Times specified below) and We will use reasonable efforts to resolve Your support requests.

In exceptional cases and at Our sole discretion, third level support may be provided by Us via an online meeting.

In all cases Our Support Services will entail reasonable advice and guidance concerning the use of the Service, and troubleshooting of the Service in an attempt to resolve the issue, either by providing You with the possible steps to resolve the issue, or undertaking the necessary measures on Our end and notifying You accordingly.

Support Services Availability Time

Our Support Services are available on Business Days (in Australia) from 09:00 AM till 05:00 PM, Australian Eastern Standard Time (AEST) (Business Hours) (Support Services Availability Time).

Requirements and Exclusions

We will only provide the Support Services when: (i) You have not made any modifications to Your installation, where "modifications" mean: changes or additions that are not entailed in Our documentation or that are made outside of the Service’s configuration settings; (ii) You use the Service in accordance with the terms of the Subscriber Agreement (including this Service Specification) and Our knowledge base (iii) We received the support request in English from a person authorised by Your Service Owner; and (iv) first level support made available through Our knowledge base has been exhausted.

We may also require You to upgrade to the latest version of the CI Sync SaaS application and/or the latest version of the CI Sync Agent for LS prior to providing You with Our Support Services.

Support requests that meet the above requirements are defined as Valid Support Request.

Cooperation

You must cooperate with Us in the performance of the Support Services including by providing reliable, accurate, and complete information regarding Your Valid Support Request, and You acknowledge that the delivery and the quality of the Support Services depend upon Your cooperation. If You do not provide Us with such information as reasonably requested by Us, We may not be able to assist You with the resolution of Your Valid Support Request.

Severity Levels

Upon receipt of a Valid Support Request, We shall determine, in good faith, the severity level of the request in accordance with the following criteria: (i) “High” means that the Service or a major part of the Service is not functioning; (ii) “Medium” means that there is a malfunction in the Service which degrades the Service’s performance or functionality, affecting Your usage of the Service; (iii) “Low” means issues or questions with no or limited impact on the functioning of the Service, such as general questions, change or improvement requests in relation to the Service. You are allowed to give an indication of the severity level You consider applicable to Your Valid Support Request, which may be taken into account by Us when We determine the severity level of Your Valid Support Request.

Initial Response Time

We shall employ reasonable efforts to meet the following initial response times to respond to Valid Support Requests, according to the severity levels as determined above:

• High: 4 Business Hours, during the Support Services Availability Time

• Medium: 24 Business Hours, during the Support Services Availability Time

• Low: 40 Business Hours, during the Support Services Availability Time

Confirmation of Receipt

The Initial Response Time starts to run, during the Support Services Availability Time, from the moment that You receive a confirmation of receipt email from Us.

Initial Response Inclusions

The Initial Response to the Valid Support Request may include: (i) possible solutions which should allow You to resolve the issue; and/or (ii) a request for more information if no possible solutions can be provided based on the information available at that point.

5. Overview of Planned Maintenance

Unless agreed otherwise, We will perform Planned Maintenance according to the details below:

• We will aim to provide at least 48 hours’ notice prior to any planned maintenance. We may provide less notice if We determine an urgent requirement for planned maintenance.

• During the planned maintenance period Your Instance may be unavailable for use (either via the user interface of Your Instance or for the performance of synchronisation activities).

• We will provide an email notification of planned maintenance to each of the following:

  • The email address provided by You for the Service Owner (both the Primary Contact and Alternate Contact)

  • The email address, which may be a Distribution List email address, provided by You for Service Notifications

6. Overview of Service Upgrades

Unless agreed otherwise, We will perform Service Upgrades according to the details below:

• From time to time, We may implement upgrades to the Service (Service Upgrade), including any enhanced, improved, modified or new versions of the Service.

• We may contact You in advance of a Service Upgrade and recommend Your participation in non-production testing of the upgrade. In such circumstances:

  • We will provide You with a reasonable period of advanced notice so You can prepare for Your involvement in such non-production testing.

  • In the unlikely situation that We determine an entirely separate instance of the CI Sync Saas application is required, We will offer You a temporary instance of the CI Sync (Temporary Test Instance) for You to perform testing of Our upgrade against a non-production clone of Your ServiceNow.

  • We will also provide You with a reasonable period to perform such non-production testing. Upon completion of this period, We will de-provision the Temporary Test Instance.

  • If You do not participate in such non-production testing, for whatever reason, then We may proceed to implement an upgrade to Your Instance (Production Instance) at Our sole discretion.

• Refer also to “Subscription Plans” for additional details on the various instance types.

• From time to time, We may also perform a Service Upgrade without requesting Your participation in non-production testing.

• We will provide an email notification of an upgrade to each of the following:

  • The email address provided by You for the Service Owner (both the Primary Contact and Alternate Contact)

  • The email address provided by You for Service Notifications

7. Overview of data used within the Service

The Service relies upon the following data:

• Service Owner contact details

• Service Notification contact details

• Transient synchronisation data

• Persisted synchronisation data

• Logging data

• Metrics and billing data

Service Owner contact details

Service Notification contact details

Transient Synchronisation Data

Persisted Synchronisation Data

Logging data

Metrics and Billing Data

8. Overview of Authentication and Security

The Service includes security controls as generally described below:

• Authentication of Your Instance based on the Tenant ID of Your Azure Active Directory

• Authentication and authorisation of Your End Users and the user interface of Your Instance

• Authentication and authorisation between Your installed CI Sync Agent and each of Your configured source system data repositories

• Authentication and authorisation between Your installed CI Sync Agent and Your CI Sync SaaS Instance

• Authentication and authorisation between Your CI Sync SaaS Instance and Your ServiceNow

• Cryptographic controls

Authentication of Your CI Sync SaaS Instance based on the Tenant ID of Your Azure Active Directory

You will be asked to provide Your Azure AD Tenant ID (GUID value) prior to Your Instance being provisioned. The Tenant ID is used by our provisioning process, so Your Instance knows to only accept tokens presented by Your Azure AD. This token validation process is used by Your Instance to authenticate Your End Users (accessing the user interface of Your Instance) and Your installed CI Sync Agent.

Authentication and authorisation of Your End Users and the user interface of Your Instance

User authentication and authorisation in the Service is based on the OAuth protocol and token-based identity management backed by Azure Active Directory (AAD) with role-based access controls.

The Service is designed so that only authenticated users can interact with the user interface of Your Instance. Your Instance will only accept a valid authentication token issued by Your Azure Active Directory (i.e. authentication to the Service is controlled by You based on Your End Users being authenticated to Your Azure Active Directory).

Your Instance applies roles to control authorisation and access to features of the Service. The roles generally consist of (1) those End Users expected to create synchronisation jobs and (2) the CI Sync Agent. Your AAD administrator will manage Your End User’s authorisation to Your Instance by assigning the required role.

Authentication and authorisation between Your installed CI Sync Agent and each of Your configured source system repositories

During the setup process You will create an authentication credential in each source system for use by the CI Sync Agent. You will grant this authentication credential permissions to access the source data repository. These permissions are granted within each given source system. The default permissions afforded to the authentication credential, and therefore the CI Sync Agent consist of the following (in high level terms):

• The ability to read from all tables and resource object structures in the source system schema (this typically includes by default the ability to read all asset related data and user related data).

If the CI Sync default configuration settings are implemented, the CI Sync Agent will only query asset and asset related records (and associated attributes). For example, this includes serial numbers, MAC addresses, installed software, hostnames and so on. The CI Sync default configuration does not query user related data.

If You have requested that We include an attribute that represents the Last Logged On User or Most Frequently Logged on User, User Principal Name, Owner (or similar) so it can be mapped to the Assigned_To attribute (or other similar attribute) on a CMDB CI record, the CI Sync Agent will also query at least one user related attribute for the purpose of correlation.

We offer system documentation to explain the above concepts in detail.  If You do not have a copy of this documentation is Your responsibility to request it from Syncfish.  

It is also Your responsibility to assess the source system access rights afforded to the CI Sync Agent and determine if You wish to implement fine-grain access controls within source system to restrict greater than what is provided by the defaults. We offer system documentation to explain how You might go about implementing fine-grain access controls, however such controls are entirely dependent on the original vendor/s.

Authentication and authorisation between Your installed CI Sync Agent and You CI Sync SaaS Instance

Agent authentication and authorisation in the Service is also based on the OAuth protocol and token-based identity management via Azure Active Directory and role-based access controls.

The Service is designed so that only an authenticated Agent can interact with the relevant APIs in Your Instance. Your Instance will only accept a valid authentication token issued by Your Azure Active Directory (i.e. authentication of Agent/s to Your Instance is controlled by You based on Your installation of each Agent being authenticated to Your Azure Active Directory).

Your Instance applies roles to control authorisation and access to features of the Service. The roles generally consist of (1) those End Users expected to create synchronisation jobs and (2) the CI Sync Agent. Your AAD administrator will manage Your Agent/s authorisation to Your Instance by assigning the required role.

Authentication and authorisation between Your CI Sync SaaS Instance and Your ServiceNow

The authentication type used between Your Instance and Your ServiceNow is selected and managed by You. The following authentication types are supported by Your Instance:

• Basic Authentication (username and password)

• OAuth (Client ID and Client Secret)

• Multi-factor Authentication (digest token)

We will provide You with Our recommended authorisation details in the form of a dedicated role within Your ServiceNow. You will be responsible for creating, maintaining and assigning this role to the related authentication credentials in Your Instance.

During the setup process You will create an authentication credential for use by Your Instance of CI Sync. You will grant this authentication credential permissions to access the ServiceNow destination data repository. These permissions are granted within ServiceNow by applying Roles to the user account You have created to permit Your Instance of CI Sync to access Your ServiceNow. The default permissions afforded to the authentication credential, and therefore Your Instance consist of the following (in high level terms):

• The ability to read and write to the CMDB CI tables in ServiceNow.

• The ability to read and write to various Reference Data tables in ServiceNow, including (but potentially not limited to) the following:

  • Choice lists [sys_choice]

  • CMDB Groups [cmdb_group]

  • Company [core_company

  • Location [cmn_location]

  • Model [cmdb_model]

  • Users [sys_user]

If the CI Sync default configuration settings are implemented, CI Sync will only access CIs and CI related records (and associated attributes). For example, this includes serial numbers, MAC addresses, installed software, hostnames and so on.  The CI Sync default configuration does not query user related data.

If You have requested that We include an attribute that represents the Last Logged On User or Most Frequently Logged on User, User Principal Name, Owner (or similar) so it can be mapped to the Assigned_To attribute (or other similar attribute) on a CMDB CI record, the Agent will also query at least one user related attribute from sys_user for the purpose of correlation.

We offer system documentation to explain the above concepts in detail.  If You do not have a copy of this documentation is Your responsibility to request it from Syncfish.  

It is also Your responsibility to assess the ServiceNow system access rights afforded to Your Instance of CI Sync and determine if You wish to implement fine-grain access controls within ServiceNow to restrict greater than what is provided by the defaults. We offer system documentation to explain how You might go about implementing fine-grain access controls, however such controls are entirely dependent on the original vendor/s (in this case ServiceNow for the database schema details and ServiceNow for role based access controls and ACLs on a table by table basis).

Cryptographic controls

We will use cryptographic controls in various components of the Service as detailed below:

• HTTPS is used to secure data in transit between the user interface and Your Instance.

• HTTPS is used to secure data in transit between each Agent and Your Instance.

• All data at rest, including transient data and persisted data, is encrypted using functionality provided by the Cloud Host of the relevant storage technology.

9. Cloud Hosts

We use the following Cloud Hosts as part of the Service.

• Microsoft (for the provision of Azure services)

• MongoDB Atlas (for the provision some data storage services)

We may, at Our discretion, change Cloud Hosts from time to time.

10. Hosting Location

We can provision Your Instance in any location where Our Cloud Host/s offers the Hosted Environment. 

Some aspects of the Hosted Environment are provided globally by Our Cloud Host and not from a specified location (i.e. some services and components cannot be nominated at a specific location). We can provide You details of such services and components upon request.

We will work with You during the ordering process of the Service to agree upon the Hosting Location for Your Instance. The agreed hosting location will be reflected in Your Order (Initial Hosting Location).

You may request Us to change the Initial Hosting Location to a new location. Such request, and subsequent action to move the Initial Hosting Location, will be agreed in writing. Once the Initial Hosting Location has been moved it will be Your current hosting location (Current Hosting Location). Any subsequent change to the Current Hosting Location will use the same process. Fees apply to changes of Hosting Location as set out in this Agreement.

11. Subscription Plans

We offer the Service to You based on the following subscription plans:

• CI Synchronizer (Professional Edition)

• CI Synchronizer (Enterprise Edition)

• Trial Subscription

11.1 Detailed Description of CI Synchronizer (Professional Edition)

11.2 CI Synchronizer (Enterprise Edition)

11.3 Trial Subscription

12. Other Fees (in addition to Subscription Plans and Fees)

We provide the following services, for an additional fee, beyond the inclusions of Your Subscription Plan.

Professional Services

We can also provide a variety of professional services assistance to You in relation to source systems, ServiceNow and generally the integration and synchronisation of data between Your systems.

We will provide You with a Statement of Work for Our professional services and deliver such services based on receipt of a Your Purchase Order.

Change of Hosting Location

You may request Us to change the hosting location of Your Instance. Each change of location will incur a one-time fee of $2,000 USD plus any third party costs We incur in implementing the change.

Additional Instances

We are able to provide You with additional instances of the CI Sync SaaS application (i.e. beyond the instances included with Your Subscription Plan). Upon Your request for an additional instance/s, We will provide You with a Quotation and/or Order Form including the associated fees and any other related details. We will provision the additional instance/s upon receipt of Your Purchase Order.

13. Other Information

Open Source Software Licence Attribution

The Service includes certain free and open source software components (Open Source Software). The known list of unique Open Source Software licences included in the Service is shown in the table below.  This list will be updated from time-to-time but may not be 100% accurate at any given moment.