SLA Policy (Enterprise SaaS) — Alabama

SERVICE LEVEL AGREEMENT POLICY — ENTERPRISE SAAS

Alabama Jurisdiction

Effective Date: [__/__/____]

Provider: [________________________________] ("Provider")

Customer: [________________________________] ("Customer")

Master Agreement Reference: [________________________________] (the "SaaS Agreement")

Order Form / SOW Reference: [________________________________]

ALABAMA PRACTICE NOTE: Alabama courts apply common-law contract principles to service agreements. Pre-dispute jury trial waivers are generally enforceable in Alabama commercial contracts between sophisticated parties when the waiver is knowing, voluntary, and conspicuous. Alabama's Data Breach Notification Act of 2018 (Ala. Code § 8-38-1 et seq.) imposes specific security requirements ("reasonable security measures") and notification timelines (45 days). Alabama also requires covered entities to maintain a written record of any good-faith determination that a breach is not reasonably likely to cause substantial harm, retained for at least five years.

TABLE OF CONTENTS

1. Purpose and Scope
2. Definitions
3. Uptime Commitment and Service Levels
4. Measurement Methodology
5. Exclusions from Downtime Calculations
6. Service Credit Structure
7. Credit Claim Process
8. Chronic Failure and Termination Rights
9. Scheduled Maintenance Windows
10. Emergency Maintenance
11. Incident Response and Escalation
12. Change Management
13. Data Security and Breach Notification
14. Order of Precedence
15. Modifications to This SLA
16. Governing Law and Dispute Resolution
17. Alabama-Specific Provisions
18. Signatures

1. PURPOSE AND SCOPE

1.1 This Service Level Agreement Policy ("SLA" or "SLA Policy") is incorporated into and forms part of the SaaS Agreement between Provider and Customer. It defines the performance commitments, measurement standards, remedies, and operational procedures applicable to the hosted services identified in the applicable Order Form(s) (the "Services").

1.2 This SLA applies exclusively to the Production Environment of the Services. Staging, development, sandbox, and beta environments are excluded unless expressly stated in an Order Form.

1.3 Capitalized terms not defined herein shall have the meanings assigned to them in the SaaS Agreement.

2. DEFINITIONS

2.1 "Availability" or "Uptime Percentage" means the percentage of total minutes in a calendar month during which the Production Environment is operational and accessible, calculated as:

Availability (%) = [(Total Minutes in Month − Downtime Minutes) ÷ Total Minutes in Month] × 100

2.2 "Downtime" means any period of five (5) or more consecutive minutes during which the Production Environment is materially unavailable or materially degraded such that Customer's end users cannot perform core business functions. Partial degradation affecting non-critical features does not constitute Downtime unless it renders the Services substantially unusable.

2.3 "Excluded Downtime" means any period of unavailability attributable to the causes identified in Section 5.

2.4 "Measurement Period" means each calendar month during the term of the applicable Order Form.

2.5 "Monthly Fee" means the fees payable by Customer for the affected Service during the Measurement Period in which a Downtime event occurs, as specified in the applicable Order Form.

2.6 "Production Environment" means the live, customer-facing instance of the Services designated as "Production" in the Order Form.

2.7 "Response Time" means the elapsed time between Customer's submission of a support ticket and Provider's initial substantive acknowledgment (not an automated receipt).

2.8 "Resolution Time" means the elapsed time between Provider's acknowledgment of an incident and restoration of the affected Service to normal operating parameters.

2.9 "Scheduled Maintenance" means planned maintenance performed during the maintenance windows defined in Section 9, with advance notice as specified therein.

2.10 "Service Credit" means a credit against future invoices, calculated as a percentage of the Monthly Fee, issued to Customer as the remedy for failure to meet the Uptime Commitment.

3. UPTIME COMMITMENT AND SERVICE LEVELS

3.1 Uptime Target. Provider commits to maintaining a minimum monthly Availability of [____]% (the "Uptime Commitment") for the Production Environment during each Measurement Period.

Drafting Note: Common enterprise targets are 99.9% (~43.8 min/month downtime), 99.95% (~21.9 min/month), or 99.99% (~4.4 min/month). Select a target consistent with Provider's operational capacity and Customer's business criticality requirements.

3.2 Service Level Objectives. In addition to the Uptime Commitment, Provider shall use commercially reasonable efforts to meet the following performance targets:

3.3 Failure to meet the response or resolution targets in Section 3.2 shall not independently trigger Service Credits but shall be documented and factored into periodic service reviews and any chronic-failure analysis under Section 8.

4. MEASUREMENT METHODOLOGY

4.1 Monitoring Tools. Availability shall be measured using Provider's monitoring infrastructure, which shall include synthetic transaction monitoring, server health checks, and endpoint availability tests conducted at intervals of no greater than [____] minutes from geographically distributed monitoring nodes.

4.2 Customer Validation. Customer may deploy its own third-party monitoring tools. If Customer's monitoring data materially differs from Provider's data (by more than [____]%), the parties shall confer in good faith to reconcile the discrepancy. If no resolution is reached within [____] business days, an independent third-party monitor mutually agreed upon shall be engaged, with costs shared equally.

4.3 Reporting. Provider shall make Availability data available to Customer through a real-time status dashboard and shall deliver a monthly Availability report within [____] business days after the close of each Measurement Period. Each report shall include:

• (a) Total Uptime and Downtime minutes;
• (b) Availability percentage;
• (c) Incident log with root-cause summaries;
• (d) Scheduled and emergency maintenance windows utilized;
• (e) Comparison to the prior three (3) Measurement Periods.

5. EXCLUSIONS FROM DOWNTIME CALCULATIONS

The following shall not count as Downtime for purposes of Availability calculations:

• (a) Scheduled Maintenance performed in accordance with Section 9;
• (b) Emergency Maintenance performed in accordance with Section 10;
• (c) Downtime caused by Customer's acts or omissions, including misconfiguration, violations of the Acceptable Use Policy, or unauthorized modifications;
• (d) Failures of Customer's equipment, network connections, or third-party software not provided or controlled by Provider;
• (e) Force majeure events as defined in the SaaS Agreement;
• (f) DNS propagation delays outside Provider's authoritative DNS infrastructure;
• (g) Features or environments designated as "beta," "preview," "experimental," or "unsupported";
• (h) Downtime resulting from Customer's failure to implement Provider-recommended updates, patches, or configuration changes within [____] days of notification;
• (i) Governmental actions, court orders, or regulatory mandates requiring suspension of Services.

6. SERVICE CREDIT STRUCTURE

6.1 Credit Tiers. If Provider fails to meet the Uptime Commitment in any Measurement Period, Customer shall be entitled to Service Credits as follows:

Example (99.9% target):

Monthly Availability	Service Credit
< 99.9% to ≥ 99.5%	5% of Monthly Fee
< 99.5% to ≥ 99.0%	10% of Monthly Fee
< 99.0% to ≥ 95.0%	20% of Monthly Fee
< 95.0%	30% of Monthly Fee

6.2 Credit Cap. Total Service Credits in any single Measurement Period shall not exceed [____]% of the Monthly Fee for the affected Service (typically 30%-100%).

6.3 Application. Service Credits shall be applied to Customer's next invoice following validation. Credits are not redeemable for cash, are non-transferable, and may not be carried forward beyond [____] Measurement Periods.

6.4 Sole and Exclusive Remedy. Service Credits constitute Customer's sole and exclusive monetary remedy for failure to meet the Uptime Commitment, except that:

• (a) Customer retains the right to terminate under Section 8 (Chronic Failure);
• (b) Nothing in this Section limits Customer's remedies for Provider's breach of other obligations under the SaaS Agreement, including data security, confidentiality, or indemnification obligations;
• (c) Service Credits do not limit Provider's liability for willful misconduct, gross negligence, or breach of confidentiality obligations.

7. CREDIT CLAIM PROCESS

7.1 Submission. Customer must submit a Service Credit request in writing (email to [________________________________] or via the support portal) within [30] calendar days after the end of the Measurement Period in which the Availability shortfall occurred.

7.2 Required Information. Each credit request shall include:

• ☐ Measurement Period (month/year)
• ☐ Date(s) and time(s) of claimed Downtime (in Central Time or UTC)
• ☐ Duration of each Downtime event
• ☐ Description of impact on Customer's operations
• ☐ Supporting evidence (screenshots, logs, third-party monitoring data)

7.3 Review and Response. Provider shall review the claim and respond within [15] business days. If Provider disputes the claim, it shall provide its own monitoring data and a written explanation. Unresolved disputes shall be escalated pursuant to Section 16.

7.4 Late Claims. Credit requests submitted after the deadline in Section 7.1 are waived unless Customer demonstrates that timely submission was not reasonably practicable.

8. CHRONIC FAILURE AND TERMINATION RIGHTS

8.1 Chronic Failure Trigger. A "Chronic Failure" occurs if:

• (a) Availability falls below [____]% in any [2] out of [3] consecutive Measurement Periods; or
• (b) Availability falls below [____]% in any single Measurement Period; or
• (c) Provider fails to meet Severity 1 response-time targets more than [____] times in any [____]-month period.

8.2 Termination Right. Upon a Chronic Failure, Customer may terminate the affected Order Form(s) by providing [30] days' prior written notice to Provider. Upon such termination:

• (a) Provider shall refund the pro-rata portion of any prepaid, unused fees for the terminated Services;
• (b) Provider shall cooperate with Customer's data export and transition efforts for a period of [____] days following the effective date of termination (the "Transition Period"), at no additional charge;
• (c) Customer's termination right under this Section is in addition to, and does not limit, any other termination rights under the SaaS Agreement.

8.3 Cure Period. Provider may, within [15] days of receiving Customer's termination notice, present a written remediation plan. If Customer accepts the plan (acceptance not to be unreasonably withheld), the termination shall be suspended for a period of [____] days. If Provider fails to meet the remediation milestones, Customer's termination right shall be immediately reinstated.

9. SCHEDULED MAINTENANCE WINDOWS

9.1 Standard Maintenance Window. Provider shall perform routine maintenance during the following recurring window(s):

• Day(s): [________________________________]
• Time: [________________________________] (Central Time — CT)
• Maximum Duration per Window: [____] hours

9.2 Advance Notice. Provider shall provide at least [____] hours' advance notice for Scheduled Maintenance, delivered via [status page / email / in-app notification].

9.3 Monthly Cap. Total Scheduled Maintenance shall not exceed [____] hours per Measurement Period. Maintenance exceeding this cap shall count as Downtime.

9.4 Customer Preferences. Provider shall use commercially reasonable efforts to accommodate Customer's requests to reschedule maintenance when business-critical operations would be adversely affected.

10. EMERGENCY MAINTENANCE

10.1 Provider may perform unscheduled emergency maintenance to address security vulnerabilities, imminent system failures, or regulatory requirements.

10.2 Provider shall use commercially reasonable efforts to provide advance notice of emergency maintenance. Where advance notice is not practicable, Provider shall notify Customer as soon as reasonably possible after commencement.

10.3 Emergency maintenance shall be excluded from Downtime calculations only if: (a) it is genuinely necessitated by an urgent threat to security or system integrity; and (b) Provider uses commercially reasonable efforts to minimize duration and impact.

10.4 If emergency maintenance exceeds [____] hours in any Measurement Period, the excess shall count as Downtime.

11. INCIDENT RESPONSE AND ESCALATION

11.1 Incident Notification. Provider shall notify Customer of any Severity 1 or Severity 2 incident within [____] minutes of detection via [email / phone / status page / PagerDuty integration].

11.2 Status Updates. During an ongoing Severity 1 incident, Provider shall issue status updates at intervals of no greater than [____] minutes until resolution.

11.3 Post-Incident Review. For each Severity 1 or Severity 2 incident, Provider shall deliver a root-cause analysis ("RCA") report to Customer within [____] business days. The RCA shall include:

• (a) Timeline of events;
• (b) Root cause identification;
• (c) Corrective actions taken;
• (d) Preventive measures to avoid recurrence.

11.4 Escalation Path.

12. CHANGE MANAGEMENT

12.1 Provider shall not implement material changes to the Services' architecture, functionality, or APIs that could adversely affect Customer's use without providing [____] days' advance written notice and, for breaking changes, a migration path and documentation.

12.2 Customer may object to a proposed material change within [____] days of notice. The parties shall confer in good faith to resolve the objection. If no resolution is reached, Customer may elect to remain on the prior version for a period not to exceed [____] days, or exercise termination rights under the SaaS Agreement.

12.3 Non-material changes (bug fixes, security patches, performance optimizations) may be deployed without advance notice but shall be documented in release notes.

13. DATA SECURITY AND BREACH NOTIFICATION

13.1 Security Standards. Provider shall maintain administrative, technical, and physical safeguards consistent with industry standards (e.g., SOC 2 Type II, ISO 27001) and applicable law. Pursuant to Ala. Code § 8-38-2, Provider (as a third-party agent) and Customer (as a covered entity) must each implement and maintain "reasonable security measures" to protect sensitive personally identifying information against a breach of security.

13.2 Alabama Data Breach Notification. In the event of a breach of security involving Customer data that includes sensitive personally identifying information of Alabama residents, Provider shall:

• (a) Notify Customer within [____] hours of confirming the breach (and in no event later than required to enable Customer to comply with the Alabama Data Breach Notification Act of 2018, Ala. Code § 8-38-1 et seq.);
• (b) Cooperate with Customer's investigation and notification obligations;
• (c) Assist Customer in providing required notifications to affected individuals as expeditiously as possible and without unreasonable delay, and in any event within forty-five (45) days of discovery that a breach has occurred and is reasonably likely to cause substantial harm (per Ala. Code § 8-38-5);
• (d) If the breach affects more than 1,000 Alabama residents, assist Customer in notifying the Alabama Attorney General (per Ala. Code § 8-38-8);
• (e) Be aware that failure to provide required notification may result in civil penalties of $5,000 per day of non-disclosure, up to a maximum of $500,000 per breach (per Ala. Code § 8-38-11).

13.3 Good-Faith Determination. If, after a good-faith and prompt investigation, the covered entity determines the breach is not reasonably likely to cause substantial harm, notification to individuals is not required. However, such determination must be documented in writing and maintained for at least five (5) years (per Ala. Code § 8-38-5).

13.4 Cooperation. Provider shall reasonably cooperate with Customer to mitigate harm, preserve forensic evidence, and comply with applicable regulatory requirements.

14. ORDER OF PRECEDENCE

In the event of a conflict among the contract documents, the following order of precedence shall apply (highest priority first):

1. Data Processing Agreement / Business Associate Agreement (if applicable)
2. The SaaS Agreement
3. This SLA Policy
4. The applicable Order Form(s) / SOW(s)
5. Provider's Documentation and Acceptable Use Policy

Notwithstanding the foregoing, this SLA shall control with respect to Availability calculations, Service Credit entitlements, and Chronic Failure termination rights.

15. MODIFICATIONS TO THIS SLA

15.1 Provider may update this SLA prospectively upon [30] days' prior written notice to Customer.

15.2 Any modification that materially reduces Uptime Commitments, increases Exclusions, or reduces Service Credit percentages shall require Customer's written consent. If Customer does not consent, the prior SLA terms shall remain in effect for the balance of the then-current Order Form term.

15.3 Immaterial modifications (e.g., formatting changes, clarifications that do not alter substantive obligations) may take effect upon posting to Provider's website or customer portal.

16. GOVERNING LAW AND DISPUTE RESOLUTION

16.1 Governing Law. This SLA shall be governed by and construed in accordance with the laws of the State of Alabama, without regard to its conflict-of-laws principles. To the extent that any goods are bundled with the Services, the Alabama Uniform Commercial Code (Ala. Code Title 7) shall apply to the goods component.

16.2 Venue. The parties consent to the exclusive jurisdiction and venue of the state and federal courts located in [Jefferson County / Montgomery County / Madison County], Alabama.

16.3 Jury Trial Waiver. TO THE FULLEST EXTENT PERMITTED BY ALABAMA LAW, EACH PARTY KNOWINGLY, VOLUNTARILY, AND INTENTIONALLY WAIVES ANY RIGHT IT MAY HAVE TO A TRIAL BY JURY IN ANY LITIGATION ARISING OUT OF OR RELATING TO THIS SLA OR THE SAAS AGREEMENT. THIS WAIVER APPLIES TO ANY MATTER WHATSOEVER ARISING OUT OF OR RELATED TO THIS SLA, INCLUDING CLAIMS SOUNDING IN CONTRACT, TORT, OR OTHERWISE. EACH PARTY CERTIFIES THAT NO REPRESENTATIVE OF THE OTHER PARTY HAS REPRESENTED, EXPRESSLY OR OTHERWISE, THAT THE OTHER PARTY WOULD NOT, IN THE EVENT OF LITIGATION, SEEK TO ENFORCE THIS WAIVER.

ALABAMA PRACTICE NOTE: Alabama courts generally enforce pre-dispute jury waivers in commercial contracts between sophisticated parties when the waiver is knowing, voluntary, and conspicuous. To maximize enforceability: (1) use bold, all-caps formatting; (2) ensure the waiver is mutual; (3) confirm that both parties had the opportunity to consult counsel; and (4) include a certification that neither party's representative made contrary representations.

16.4 Informal Resolution. Before initiating formal proceedings, the parties shall attempt to resolve any dispute arising under this SLA through good-faith negotiation between designated executives for a period of [30] days.

16.5 Mediation. If informal resolution fails, either party may initiate non-binding mediation before a mediator mutually agreed upon, conducted in [Jefferson County / Montgomery County], Alabama. Mediation costs shall be shared equally.

16.6 Arbitration (Optional). [If the parties elect arbitration, insert the following: "Any dispute not resolved through mediation shall be submitted to binding arbitration administered by [AAA / JAMS] under its Commercial Arbitration Rules, conducted in [Jefferson County / Montgomery County], Alabama, before a single arbitrator with experience in technology contracts. The arbitrator's award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction."]

17. ALABAMA-SPECIFIC PROVISIONS

17.1 Trade Secrets. Any Confidential Information constituting a trade secret shall be protected in accordance with the Alabama Trade Secrets Act, Ala. Code § 8-27-1 et seq. The Act provides for injunctive relief (§ 8-27-3), damages including unjust enrichment (§ 8-27-4), and, for willful and malicious misappropriation, exemplary damages not to exceed twice any damages awarded under the Act, plus reasonable attorney's fees (§ 8-27-4, § 8-27-5).

17.2 Electronic Signatures. This SLA and all related documents may be executed electronically in accordance with the Alabama Uniform Electronic Transactions Act (Ala. Code § 8-1A-1 et seq.). Electronic signatures shall have the same legal effect, validity, and enforceability as manual signatures.

17.3 Deceptive Trade Practices. Nothing in this SLA limits any rights Customer may have under the Alabama Deceptive Trade Practices Act (Ala. Code § 8-19-1 et seq.), to the extent applicable. The Act prohibits unconscionable, false, misleading, or deceptive acts or practices in the conduct of trade or commerce.

17.4 Reasonable Security Measures. Both parties acknowledge their respective obligations to implement and maintain "reasonable security measures" as required by Ala. Code § 8-38-2. Provider represents that its security measures are practicable and appropriate for the nature and scope of the Services.

17.5 Limitation of Liability. The limitations of liability set forth in the SaaS Agreement shall be enforced to the maximum extent permitted under Alabama law. Alabama courts generally uphold contractual limitations of liability in commercial transactions between sophisticated parties, subject to exceptions for fraud, willful misconduct, and gross negligence.

17.6 Statute of Limitations. Written contract claims in Alabama are subject to a six-year statute of limitations (Ala. Code § 6-2-34). SLA-related claims should be identified and preserved within this window.

17.7 Five-Year Record Retention. Where a good-faith determination is made that a data breach is not reasonably likely to cause substantial harm, the written documentation of that determination must be retained for at least five (5) years, per Ala. Code § 8-38-5. Provider shall cooperate with Customer in creating and retaining such documentation.

18. SIGNATURES

By executing below, the parties acknowledge that they have read, understood, and agreed to be bound by this SLA Policy as part of the SaaS Agreement.

PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PRACTICE TIPS FOR ALABAMA PRACTITIONERS

1. Jury Waiver Enforceability. Alabama is among the states that enforce pre-dispute jury waivers in commercial contracts. For maximum enforceability, ensure the waiver is mutual, conspicuous (bold/all-caps), and that both parties had opportunity to consult counsel.

2. "Reasonable Security Measures" Requirement. Alabama's Data Breach Notification Act uniquely requires covered entities and their third-party agents to implement "reasonable security measures" (Ala. Code § 8-38-2). This is a substantive security obligation, not merely a notification requirement. Ensure the SaaS Agreement addresses this explicitly.

3. $5,000/Day Penalty. Alabama imposes a $5,000 per day civil penalty for failure to provide required breach notification, capped at $500,000. Build aggressive internal notification timelines to avoid exposure.

4. Five-Year Record Retention. The requirement to retain written good-faith determinations for five years (Ala. Code § 8-38-5) means Provider and Customer should establish a document-retention protocol for breach investigations, even for incidents that do not trigger notification.

5. Trade Secret Exemplary Damages. Alabama allows up to 2x exemplary damages for willful and malicious trade secret misappropriation (Ala. Code § 8-27-4). Ensure the SaaS Agreement's confidentiality provisions are robust.

6. Six-Year Statute of Limitations. Alabama applies a six-year limitations period to written contracts (Ala. Code § 6-2-34). Claims for SLA credits or chronic failure should be documented and preserved accordingly.

SOURCES AND REFERENCES

• Ala. Code § 8-38-1 et seq. — Alabama Data Breach Notification Act of 2018
• Ala. Code § 8-27-1 et seq. — Alabama Trade Secrets Act
• Ala. Code § 8-1A-1 et seq. — Alabama UETA
• Ala. Code § 8-19-1 et seq. — Alabama Deceptive Trade Practices Act
• Alabama Attorney General — Data Breach Notification
• Perkins Coie — Alabama Breach Notification Chart