Overview
This Service Level Agreement (SLA) defines the Web Publishing service provided by the Office of Information Technology (OIT) to campus departments for an annual fee, as well as the roles and responsibilities of both parties that are needed in order to meet the defined support levels.
This SLA will remain in effect for one (1) fiscal year. The SLA may be renewed on an annual basis by mutual agreement of both parties and a new copy of the SLA will be prepared and signed. If the SLA is not renewed or payment is not received, then OIT reserves the right to revoke access and remove data. Services will not be initiated until the completed SLA is received by OIT. Modifications to an executed SLA may be made only by mutual consent of both parties. If modifications occur, a signed and dated addendum will be made to this SLA.

Service Offerings
- Web Publishing is a managed WordPress service for individuals, departments, and organizations at NC State.
- cPanel is a highly flexible web site and application hosting service for individuals, departments, and organizations at NC State.

Responsibilities of Service Agreement
As the individual or entity that has registered this website, you are responsible for:
1. Renewing your website on an annual basis and, where applicable, paying service fees. If you do not renew your website within 60 days of receiving a renewal notification, your service may be disabled.
2. Selecting the individuals at NC State who should have decision-making authority for your website; providing OIT with their names and contact information; and updating that information whenever it changes. Decision-making authority may include:
- Annual renewals
- Changes to service level and billing information (as applicable)
- Requests to make a website live or archive a website
3. As applicable, receiving approval for use of any third-level, fourth-level, or non-NCSU domains (see https://getontheweb.ncsu.edu/university-urls-and-domains/ ) and provide OIT with the names of all domains.
- If this website uses a non-NCSU domain, you are also responsible for:
- Registration and payment of domain registration fees and charges.
- Securing approval for NC State to handle the domain.
- Continuing renewal payments for domain registration.
- Websites using non-NCSU domains must pay an additional $24/domain/year surcharge. (See Service Rates below.)
4. Manage the users who have access to edit your web content, and assign appropriate user roles.
- When adding and managing users to your website, you are expected to practice the Principle of Least Privilege. In particular, you should only grant the Administrator permissions to users who must complete tasks on your website that require Administrator-level privileges.
- Users outside of the NC State community may be added to your website. However, OIT and the NC State Help Desk will not guarantee support for users who do not have an active Unity ID.
5. Creating the content of your website, adding users responsible for creating content, and removing objectionable content as needed. Content on your website includes:
- Text
- Images
- Videos
- Other media files (e.g. PDF documents)
- Navigation menus
- Comments or other user-submitted information
6. Any automated site crawls should be limited to 1 request/10 seconds and a max number of 5 concurrent crawls.
These web services may not be used to operate your website as a course management service or a mail hosting service.

Web Publishing-Specific Terms
At some service levels, you may be permitted to activate themes and plugins that have been selected, purchased, or written by you. These themes and plugins will undergo a code review prior to installation in the Web Publishing service. However, you are still responsible for ensuring that this custom code:
1. Does not introduce security vulnerabilities.
2. Complies with WCAG 2.1 AA or better.
3. Does not consume excessive system resources, have a “run-away script,” or otherwise “misbehave” in a way that jeopardizes the operation of the Web Publishing service.
4. Does not depend on “freezing” versions of WordPress or other themes and plugins (e.g. code that works with WordPress version 5.8 but breaks at version 5.9 or higher).
- If updates to WordPress or other themes and plugins break functionality in your custom code, you are responsible for fixing that code in a timely manner or discontinuing your use of that code.
5. Is properly licensed. Unlicensed code, or code whose license has lapsed, will be removed from the Web Publishing service.
6. The Web Publishing service does not support stand-alone applications outside of WordPress. Only WordPress themes and plugins are permitted.

cPanel-Specific Terms
You are responsible for all cPanel account maintenance:
1. Maintain and secure cPanel administrator account
2. Maintain and secure any service accounts (eg, ftp, mysql)
All software installed by the customer must be maintained at the latest available version and in a secure configuration.
All services hosted in cPanel should implement strong authentication, preferably using NCSU’s Shibboleth Service as it includes strong passwords and multi-factor authentication. All of our cPanel servers include a Shibboleth Service Provider that can be accessed/configured from your account using .htaccess files. More information: https://oit.ncsu.edu/campus-it/identity-management/shibboleth/

Web Content
You are responsible for the content stored within your website, as well as any content requested by and displayed on your website (e.g. an embedded YouTube video). In particular, you are responsible for ensuring that the content on your website:
1. Follows any applicable state and federal laws. This includes (but is not limited to) FERPA, HIPAA, GLB, ECPA, and CFAA.
2. Follows any applicable University policies, rules, and regulations. In particular, you must adhere to the University’s Computer Use Regulation and the University’s Data Management Procedures Regulation. No purple or red data may be stored on your website.
3. Meets the NC State Information and Communication Technology Accessibility Regulation (https://go.ncsu.edu/ict-accessiblity-reg). This includes Web pages, Web applications, and electronic documents.
- Your content must adhere to WCAG 2.1 AA standards or better. (Contact the IT Accessibility Office for additional information.)
4. Follows any community standards and expectations articulated by the University.
5. Is material that you are permitted to distribute. You are responsible for responding in a timely manner to any requests for removal of copyrighted material.
If your website represents a University unit or otherwise exists to conduct official University business, you must adhere to the University’s branding guidelines or have permission from University Communications to deviate from those guidelines.

Personal Information
Your website must adhere to the University’s privacy statement. Under the University’s Data Management Procedures Regulation, no purple or red data may be stored on your website.
When collecting information from your users (via form submissions, automated scripts, or other methods), you are expected to practice data minimization. Only collect the information required to fulfill your operational needs. Do not collect information that you do not need and do not store data you will not use.
You are responsible for responding in a timely manner to any requests related to personal information. This includes requests for removal of personal information from your website or systems connected to your website.

Payment Processing
The Web Publishing and/or cPanel services are NOT PCI-compliant. You are not permitted to accept, receive, or transmit any sort of payment card information through these services, nor may your site link or transmit information to a payment processor.
If you need to accept credit card information for any purpose, you are required to contact NC State Merchant Services (merchantservices@ncsu.edu) to arrange for use of the university’s e-storefront service or other Merchant Services-approved options.

Non-Compliance
Failure to fulfill your responsibilities may result in the temporary or permanent removal of your website from the Web Publishing service. OIT may temporarily suspend your website while investigating complaints related to your website.
OIT is not required to provide notice that a website has been removed, but will make a good faith effort to do so in a timely manner.

OIT’s Responsibilities

OIT will be responsible for:
1. Generating renewal SLA’s on an annual basis
2. Maintaining stable web hosting with minimal interruptions to service.
3. Providing timely responses to questions, support tickets, and bug reports.
4. Communicating with you about changes to the service and your website, including annual renewals.
5. Creating nightly backups of your website for disaster recovery. (Backups may be restored only for disaster recovery, not for accidental deletions of content.)
6. As needed, providing a temporary URL while building a website prior to launch.
7. Managing all DNS configuration for your domain.
8. Installing and maintaining SSL certificates for your hosted domain.
Web Publishing-Specific:
- Managing the WordPress application, including timely installation of updates to core installation files, themes, and plugins.
cPanel-Specific:
- Maintenance and updates of the cPanel application and supporting software.
- In order to provide the best service possible for all accounts, OIT Web Services will monitor the resource utilization of all cPanel accounts and servers. Monitored resources include, but are not limited to disk space, bandwidth, CPU and RAM. Based on these metrics, OIT Web Services may transfer cPanel accounts between cPanel servers to establish a more balanced usage of all cPanel servers’ resources. An account transfer will only be performed after the account owner has been informed and a specific time for the transfer has been agreed upon by OIT Web Services and the account owner. Transferring an account requires a short period of time for the account data to be migrated to the new server and for the DNS records to be updated to the new server’s hostname. The actual IP address of the hosted server will be different. The change of the IP address may be significant to customers who are using IP address-based firewall rules to allow access to external resources by a specific cPanel server.

OIT will not be responsible for:
- Maintaining or creating any content to be delivered by the service.
- Maintenance and updates of any software installed by the customer.
- Any copyright infringements caused by the unauthorized use of copyrighted material.
- Any authorizations, approvals, or payments for non- ‘ncsu.edu’ domains.
- Migration of any and all content as a function of executing an exit strategy.
OIT reserves the right to disable any services, sites or applications that are – in the opinion of the Manager of Identity & Web Services (or their designate) – misbehaving, run-away, or consuming excessive CPU resources.
Communications, questions, and requests from the Customer to OIT Web Services staff should be submitted through the IT Service Portal.

Incident Response
If the web service, or any associated applications hosted on this service, are in violation of any of the aforementioned confidentiality or PCI-related terms/conditions, or if a site is reported as hacked or defaced, OIT will take the following actions:
- The site will be immediately disabled from access by/to the Internet. On cPanel, the entire account, including any add-on and sub-domains, will be disabled.
- Customer access will be immediately disabled.
- In consultation with OIT Security and Compliance, OIT Web Services Staff will begin attempting restoration and remediation of the affected account(s). This will likely take more than one business day to complete. Restoration may be done in a different environment to allow for further forensics beyond restoration.
- In the case of security issues the site and account will only be reactivated upon approval by OIT’s Security & Compliance Unit that confidential and/or PCI-related information has been removed and associated applications hosted on this service have been disabled or remediated.
- Any security remediation of a hacked or defaced site will incur a $200 charge.
For reporting and help with security incidents please contact OIT Security & Compliance and follow the Cybersecurity Incident Response Procedure.
OIT reserves the right to charge the owning unit for staff hours required to repair and/or remediate accounts that have been hacked, or are in violation of terms.

Service Rates

cPanel Service Rates
- $27 per site per month (Annual Total: $324 per site)
- Accounts come with 10GB storage quota and additional quota may be requested in 10GB increments at a cost of $36/year.
- No more than 5 domains should be installed in a single cPanel account. Accounts are limited to 20 domains and add-on domains total. Domains above 5 will be charged at a rate of $10/domain/year.
- Non-ncsu.edu domains will incur a $24/domain/year surcharge (flat rate, not prorated) for Domain Control Validation for certificate management and DNS maintenance.
- Any security remediation of a hacked or defaced site within a cPanel instance will incur a $200 charge. This applies only if the hack or defacement was easily avoidable by the customer (out of date software, known poor configuration, spamming, easily guessable passwords, etc).
- Web Publishing Service Rates

Web Publishing supports the following service levels:
Free
- This is the wordpress.ncsu.edu service
- At the Free level, you get a site with preselected themes and plugins. Additional plugins will not be added. Your storage quota is limited to 500MB and will not be increased. Your site domain will be a subdomain of wordpress.ncsu.edu and cannot be changed.
Standard
- $27 per site per month (Annual Total: $324 per site)
- At the Standard level, you get all the features of the Free level, the ability to have a custom domain,  and access to a NCSU Brand-compliant theme. Your website will look and feel like an official NC State website. You will also get several plugins that you can activate to add more functionality.
Custom
- $30 per site per month (Annual Total: $360 per site)
- At the Custom level, you get all the features of the Standard level and the ability to request non-standard or internally developed plugins and themes. Note that all themes and plugins must pass the code review process.
Bulk Rate Custom
- $187.50 per month platform fee plus $3 per site per month (Annual Total: $2,250 platform fee plus $36 per site)
- This service level also incorporates the option of an isolated WordPress installation within the infrastructure. Support of such an installation will be negotiated separately.
Extra storage (available only at the Standard, Custom, and Bulk-Rate Custom levels)
- Your website has a quota of 10 GB for media uploads, with additional storage available in 10 GB increments for $36/year.
- Supported file types that may be uploaded to your website’s Media Library include:
- Images (.jpg, .jpeg, .png, and .gif)
- PDFs (.pdf)
- Productivity suite files, e.g. from Microsoft Office programs (.doc, .docx, .odt, .ppt, .pptx, .pps, .ppsx, .key .xls, .xlsx, and .csv)
- Additional file types may be enabled on a per-site basis as required by your business process and after review by OIT. In general, audio and video files should not be hosted in Web Publishing and should instead be uploaded to another service, such as Youtube or Google Drive.
Non-NCSU domain (available only at the Custom and Bulk-Rate Custom levels)
- Annual Total: $24 per domain per year (flat rate, not prorated)
Security remediation of a hacked or defaced site will incur a $200 charge. This applies only if the hack or defacement was easily avoidable by the customer (out of date software, known poor configuration, spamming, easily guessable passwords, etc).