ANNEX 2: Service Level Agreement

Introduction

This document describes the support and service levels for AssessFluence.

We support You with the installation, maintenance and update of Our Service and with assistance in solving problems arising from the use of our Service, hardware interfacing of peripheral devices and logging of enhancement requests and bugs that You have submitted to Us.

Definitions

In this Service Level Agreement, the following concepts shall have the following meaning (when written with a capital letter):

Business Hours: Monday to Friday from 9 am to 5 pm (CET), excluding Belgian bank holidays or holidays in replacement of bank holidays during weekends.
Scheduled Maintenance: Planned interventions on the Application.
RPO (Recovery Point Objective): Describes the acceptable amount of data loss measured in time after a critical failure.
RTO (Recovery Time Objective): The duration of time and a service level within which a business process must be restored after a disruption.
Response Time: The time between the creation of a support ticket by the Customer and the moment the Support Team acts on it.
Resolution Time: The time between the moment the Support Team starts to act on a support ticket and the moment the problem is resolved, excluding the time the team has spent waiting for Customer’s input.

Exclusions

The SLA only applies to production platforms; there is no SLA on test/dev platforms. The SLA is not applicable when service levels are not met due to:

  • Factors outside NEXTFLUENT's reasonable control, Force Majeure;
  • Malfunctions attributable to an inappropriate connection to the Services;
  • Inappropriate use of the Services;
  • Customer’s actions with an explicit intent to create downtime.

Application Hosting

The Application is hosted on Google Cloud Platform (GCP).

Google Cloud Platform is one of the world’s leading hosting providers, with a strong focus on supporting mission-critical applications. The Google Cloud Platform is audited for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited third-party certification body at least annually, providing independent validation that applicable security controls are in place and operating effectively.

More information on Google Cloud Platform and its various certifications is available at: https://cloud.google.com/security/compliance

The application setup was configured in close collaboration with Google Cloud specialists, following best practices to ensure maximum reliability, security, and performance. The application runs on a virtually separated, segregated network, with modules isolated from the public internet by multiple firewalls and load balancers.

All the application's components and all customer data reside on servers within the Google Cloud Platform, specifically within the (West-) EU region.

Service Availability

The Application uses a redundant architecture. A failure of a single component hardly ever results in downtime for the end-user. Different external and independent monitoring solutions check the uptime of our Application continuously and generate alerts whenever a problem is detected.

Application availability is defined as the percentage of time within a month that our Application is available (responding within 1000 ms). The measurement is performed every 60 seconds; maintenance windows are excluded.

NEXTFLUENT represents that the Application will be operational in accordance with reasonable industry practices (99.7%).

As an example, for a month with 31 days this results in a maximum downtime of 44 minutes, outside of maintenance operations.

Maintenance

We distinguish three different types of maintenance:

1. Small maintenance

Interventions that have no or very limited impact on the availability of our Application. The impact duration varies from zero to 120 seconds.

Small maintenance operations that introduce downtime are executed outside of Business Hours, but can, under exceptional conditions, also be executed during the day (max 6 times per year).

2. Heavy maintenance

Interventions that have a serious impact on the overall service. They are always executed outside business hours and, whenever the expected downtime exceeds 30 minutes, are announced 48 hours in advance.

3. Urgent Maintenance

On rare occasions, our support team might be forced to initiate an intervention without prior notice. Customers will be informed via our status page; status updates will be circulated every 30 minutes.

Service Desk - Support

Paying clients have access to the NextFluent Support Desk to report issues or request assistance. Support tickets can be created via email to hello@nextfluent.com or online via our Helpdesk.

The support desk is manned during Business Hours. Tickets that are created outside Business Hours are handled the next working day unless they are activated via the support hotline (+32 477 06 03 95).

A defect is defined as a recent problem with functionality that was used in the past and fails to work at this moment. The table below contains the response / resolution objectives for defects:

| Level | Description | Response time | Resolution time |
|---|---|---|---|
| Critical | Major outage or downtime, the Application can no longer be used | 0-2h | 4h |
| High | The Application is available, but a certain functionality is not working, users are blocked in their normal operations | 2h | 24h |
| Normal | The Application is available and functionality can be used, but a defect is causing an inconvenience for users. | 4h | 48h or next service update |

Please note that the above response and resolution times are offered on a best-efforts basis and are not to be considered as commitments or guarantees towards the Customer.

Backup

A backup is created every 8 hours; backups are retained for 90 days.

  • RPO: 8h
  • RTO: 2h

Backups are securely stored in a Google Cloud Storage account. This storage uses geo-redundant storage, which maintains multiple copies of data across different geographic locations. Geo-redundant storage helps ensure data durability and availability in case of a catastrophic failure or outage at one of the data centers.

Security Audits – Vulnerability Assessments

We welcome external security audits and assessments, but need to be informed of any operation that is ongoing on our systems. Therefore, any type of security / performance scanning on our infrastructure is prohibited without written approval from NEXTFLUENT.

A vulnerability assessment or security audit can be allowed if:

  • methods are limited to non-destructive only;
  • tests are only performed within the agreed time window;
  • tests are executed on the agreed scope (IPs, machines, domains, ...);
  • test results are shared with NEXTFLUENT's security staff immediately after the assessment;
  • test results are treated as confidential and are never disclosed to third parties;
  • tests are immediately interrupted on NEXTFLUENT's request.

NEXTFLUENT shall under no circumstances be obliged to allow any external security audits and assessments.

Any costs for executing such security audits / vulnerability assessments shall be borne by the Customer.