Enterprise SLA Policy for SaaS Services - California
ENTERPRISE SLA POLICY FOR SAAS SERVICES
California Operations Guide
Policy Effective Date: [__/__/____]
Service Provider: [________________________________] ("Provider")
Enterprise Customer: [________________________________] ("Customer")
Master Agreement Reference: [________________________________] (the "Master Agreement")
OVERVIEW AND PURPOSE
This Enterprise SLA Policy establishes the operational service level commitments, performance metrics, remediation procedures, and compliance obligations for the cloud-based software services delivered by Provider to Customer under the Master Agreement. This Policy is designed for enterprise deployments governed by California law and incorporates California-specific regulatory requirements including the California Privacy Rights Act (CPRA), California data breach notification statutes, and California consumer protection laws.
Article I. KEY TERMS AND METRICS
1.1 Service Uptime. The percentage of a calendar month during which the live production platform is fully operational and accessible, calculated as:
Uptime % = ((Total Month Minutes - Outage Minutes) / Total Month Minutes) x 100
1.2 Service Outage. Any period of material unavailability or performance degradation rendering core platform functions inoperable. An outage begins at the earlier of: (a) Provider's automated monitoring detection; or (b) Customer's documented support ticket with substantiating evidence.
1.3 Planned Maintenance. Pre-scheduled system maintenance conducted during designated windows with required advance notice per Article III.
1.4 Urgent Maintenance. Unscheduled maintenance to neutralize imminent security threats or prevent cascading system failures.
1.5 Uptime Percentage. Service Uptime measured across one calendar month for a single production instance.
1.6 Financial Credit. A monetary offset per Article V, expressed as a percentage of monthly platform fees for the impacted service component.
1.7 Excluded Periods. Time not counted toward outage calculations:
- (a) Planned Maintenance within designated windows (Article III);
- (b) Urgent Maintenance with commercially reasonable duration;
- (c) Customer-attributable disruptions (AUP violations, configuration errors, unauthorized modifications);
- (d) Force majeure events (Article XIV);
- (e) Third-party infrastructure failures (ISPs, CDNs, DNS providers) outside Provider's operational control;
- (f) Non-production environments (staging, sandbox, QA, development);
- (g) Preview, beta, or experimental feature sets;
- (h) Customer's failure to implement Provider-recommended architecture or security configurations.
1.8 Issue Priority Levels. P1 (Critical) through P4 (Low) as specified in Article IV.
1.9 Acknowledgment Window. Time from support ticket creation to Provider's first substantive response by a qualified engineer.
1.10 Fix Window. Time from acknowledgment to restoration of normal service operations.
1.11 Disaster Recovery Time (RTO). Maximum tolerable time to restore platform services following a declared disaster.
1.12 Data Recovery Point (RPO). Maximum tolerable data loss window following a disaster, measured in time.
1.13 Live Platform. The production-grade, customer-facing service instance supporting actual business operations.
1.14 Incident Review. A formal post-mortem documenting root cause, timeline, impact, corrective actions, and prevention plan.
1.15 Consumer Personal Information. As defined under the CCPA/CPRA (Cal. Civ. Code Section 1798.140(v)), information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household.
1.16 Service Provider. As defined under the CCPA/CPRA (Cal. Civ. Code Section 1798.140(ag)), a person that processes personal information on behalf of a business pursuant to a written contract.
Article II. UPTIME COMMITMENTS
2.1 Performance Tiers.
| Platform Component | Monthly Uptime Target | Approximate Max Outage (30-day month) |
|---|---|---|
| Core Platform Infrastructure | [____]% (e.g., 99.99%) | ~4.3 min |
| Primary Application Services | [____]% (e.g., 99.95%) | ~21.6 min |
| Supporting Features & Integrations | [____]% (e.g., 99.9%) | ~43.2 min |
2.2 How We Measure. Provider uses automated monitoring performing health checks every [____] minutes from at least [____] geographically distributed points of presence, including at least one monitoring node within California or the Western United States. Technical documentation on monitoring methodology is available upon Customer request.
2.3 Monitoring Stack.
- ☐ Synthetic transaction monitoring
- ☐ Application performance management (APM) instrumentation
- ☐ Infrastructure telemetry (CPU, memory, disk, network)
- ☐ API latency and error rate tracking
- ☐ Public-facing status dashboard with historical data
2.4 Measurement Window. Calendar month, 12:00:00 AM to 11:59:59 PM Pacific Time.
2.5 Challenging a Measurement. Customer may dispute Provider's uptime calculations by submitting independent monitoring data within [____] business days of the monthly report. Parties will work collaboratively to reconcile differences. If unresolved within [____] business days, an independent technical auditor (mutually agreed, costs split evenly) will make a binding determination.
Article III. MAINTENANCE OPERATIONS
3.1 Regular Maintenance Window. [________________________________] (e.g., Sundays, 2:00 AM to 6:00 AM Pacific Time).
3.2 Notice Requirements. Provider will give Customer at least [____] business days' advance written notice including: (a) maintenance date/time in Pacific Time; (b) estimated duration; (c) scope of work; (d) anticipated customer impact; (e) contingency/rollback approach.
3.3 Major Maintenance. Work exceeding [____] hours or falling outside the regular window requires Customer's advance written consent (not unreasonably withheld), with at least [____] business days' notice.
3.4 Monthly Maintenance Budget. Total planned maintenance shall not exceed [____] hours per month. Time beyond this budget counts as outage time.
3.5 Urgent Maintenance. When immediate action is required, Provider will: (a) notify Customer as soon as possible; (b) provide status updates every [____] minutes; (c) deliver a written post-action summary within [____] business hours.
Article IV. ISSUE CLASSIFICATION AND RESPONSE STANDARDS
4.1 Priority Definitions.
| Priority | What It Means | Business Effect |
|---|---|---|
| P1 - Platform Down | Production is completely offline or a critical business workflow is broken | Full operational stoppage; all users blocked; no fallback |
| P2 - Major Degradation | Core feature substantially impaired; no practical workaround | Significant operational disruption; large user population affected |
| P3 - Moderate Impact | Non-critical feature impaired; workaround exists | Partial operational impact; limited user group or feature scope |
| P4 - Minor / Enhancement | Cosmetic issue, minor bug, or feature request | No material operational impact |
4.2 Response Benchmarks.
| Priority | First Response | Update Cadence | Target Fix |
|---|---|---|---|
| P1 | [____] min (e.g., 15) | Every [____] min (e.g., 30) | [____] hrs (e.g., 4) |
| P2 | [____] hrs (e.g., 1) | Every [____] hrs (e.g., 2) | [____] hrs (e.g., 8) |
| P3 | [____] hrs (e.g., 4) | Every [____] hrs (e.g., 8) | [____] biz days (e.g., 3) |
| P4 | [____] biz days (e.g., 1) | On material updates | [____] biz days (e.g., 10) |
4.3 Auto-Escalation. Missed benchmarks trigger the escalation ladder in Article VI.
4.4 Re-Prioritization. Either party may request priority reassignment with documented justification. P1/P2 re-evaluation within [____] minutes; P3/P4 within [____] business hours.
4.5 Always-On Coverage. Provider maintains 24/7/365 support staffing for P1 and P2 issues, including California state holidays.
Article V. FINANCIAL CREDITS
5.1 How Credits Are Calculated.
Credit Amount = Credit Rate x Monthly Platform Fee for Affected Component
5.2 Credit Schedule.
| Monthly Uptime Achieved | Credit Rate |
|---|---|
| < [____]% to >= [____]% (e.g., < 99.9% to >= 99.5%) | [____]% (e.g., 5%) |
| < [____]% to >= [____]% (e.g., < 99.5% to >= 99.0%) | [____]% (e.g., 10%) |
| < [____]% to >= [____]% (e.g., < 99.0% to >= 95.0%) | [____]% (e.g., 20%) |
| < [____]% (e.g., < 95.0%) | [____]% (e.g., 30%) |
5.3 Monthly Cap. Total credits in any month shall not exceed [____]% of the affected component's monthly fee. Credits do not roll over between months.
5.4 How to Request Credits.
- (a) Submit a written request within [____] days (e.g., 30) after the affected month;
- (b) Include outage dates/times (in Pacific Time), business impact description, and supporting evidence;
- (c) Provider will validate and respond within [____] business days (e.g., 15);
- (d) Approved credits apply to the next invoice or, at Customer's choice, are refunded.
5.5 Credits as Remedy. Except for chronic failure termination rights (Article XIII), financial credits are the exclusive contractual remedy for uptime shortfalls. This does not limit Customer's statutory rights under California law, including rights under the Consumer Legal Remedies Act (Cal. Civ. Code Section 1750 et seq.) or the Unfair Competition Law (Cal. Bus. & Prof. Code Section 17200 et seq.).
Article VI. ESCALATION FRAMEWORK
6.1 Escalation Ladder.
| Stage | When It Triggers | Who Gets Involved | Timing |
|---|---|---|---|
| Stage 1 - Front Line | Ticket opened | Support Engineer | Immediately |
| Stage 2 - Specialist | Stage 1 cannot resolve within benchmark; P1/P2 stalling | Senior Engineer / Tech Lead | [____] min after Stage 1 |
| Stage 3 - Leadership | Stage 2 cannot resolve within [____] hrs; P1 beyond fix target | Engineering Director / VP | [____] hrs after Stage 2 |
| Stage 4 - Executive | Stage 3 cannot resolve within [____] hrs; pattern of failures | CTO / CEO / Customer Exec Sponsor | [____] hrs after Stage 3 |
6.2 Customer-Triggered Escalation. Customer may invoke any escalation stage directly via the contacts in Exhibit B. Provider acknowledges within [____] minutes during business hours, [____] minutes after hours.
6.3 Tracking. Every escalation is logged with: timestamp, trigger reason, personnel engaged, actions taken, and outcome.
Article VII. PERFORMANCE VISIBILITY
7.1 Monthly Performance Packet. Delivered within [____] business days of month-end. Contents:
- (a) Uptime percentage per platform tier;
- (b) Outage minutes broken down by incident;
- (c) Incident count by priority;
- (d) Average acknowledgment and fix times;
- (e) Maintenance hours consumed;
- (f) Credits earned;
- (g) Trend comparison (current month vs. trailing [____] months).
7.2 Live Operations Dashboard.
- ☐ Real-time service health indicators
- ☐ Rolling uptime history for [____] months
- ☐ Open incident tracker
- ☐ Upcoming maintenance schedule
- ☐ API performance metrics
7.3 Post-Mortems. P1/P2 incidents receive a written Incident Review within [____] business days, covering: chronological timeline, root cause, blast radius, immediate fixes, long-term prevention, and lessons learned.
7.4 Quarterly Strategy Sessions. Jointly review performance, spot trends, plan capacity, and align on improvement priorities.
Article VIII. DISASTER RECOVERY AND CONTINUITY
8.1 Recovery Targets.
| Tier | Disaster Recovery Time (RTO) | Data Recovery Point (RPO) |
|---|---|---|
| Core Infrastructure | [____] hrs (e.g., 1) | [____] hrs (e.g., 1) |
| Application Services | [____] hrs (e.g., 4) | [____] hrs (e.g., 4) |
| Supporting Services | [____] hrs (e.g., 8) | [____] hrs (e.g., 8) |
8.2 DR Drills. At least [____] per year; [____] business days' advance notice; Customer observation available; written results within [____] business days.
8.3 Multi-Region Deployment. Provider operates from a minimum of [____] geographically separated regions at least [____] miles apart. Locations: [________________________________].
8.4 Continuity Plan. Documented business continuity program covering personnel, facilities, technology, and communications. Available for Customer review.
8.5 California-Specific Hazard Planning. Provider's disaster recovery program shall address hazards particularly relevant to California infrastructure:
- (a) Seismic Events: California sits atop major fault systems (San Andreas, Hayward, San Jacinto). Provider shall ensure data center facilities meet or exceed California Building Code seismic standards and shall maintain failover to non-seismically-active regions;
- (b) Wildfires: Provider shall plan for wildfire events that may cause evacuations, power shutoffs (Public Safety Power Shutoffs / PSPS by utilities), and air quality impacts affecting personnel and cooling systems;
- (c) Public Safety Power Shutoffs (PSPS): California utilities may proactively de-energize lines during fire weather. Provider shall maintain sufficient backup power capacity (generators and UPS) to sustain operations through extended PSPS events of up to [____] hours;
- (d) Mudslides and Flooding: Post-fire terrain and atmospheric river events create landslide and flood risks. DR plans shall account for facility access disruptions;
- (e) Drought-Related Impacts: Extended drought may affect water-cooled data center operations. Provider shall disclose cooling infrastructure type and water dependency;
- (f) Rolling Blackouts: During extreme heat events, the California Independent System Operator (CAISO) may order rotating outages. Provider shall maintain grid-independent power capability for critical infrastructure.
Article IX. SECURITY COMMITMENTS
9.1 Patch Management.
- (a) Critical (CVSS 9.0-10.0): [____] hours (e.g., 24);
- (b) High (CVSS 7.0-8.9): [____] days (e.g., 7);
- (c) Medium (CVSS 4.0-6.9): [____] days (e.g., 30);
- (d) Low (CVSS 0.1-3.9): [____] days (e.g., 90).
9.2 Security Incident Protocol. Provider will: (a) alert Customer within [____] hours (e.g., 24) of confirming an incident affecting Customer data; (b) provide ongoing updates every [____] hours; (c) deliver a comprehensive incident report within [____] business days.
9.3 External Penetration Testing. Conducted by independent third parties at least [____] per year. Executive-level results summaries shared with Customer on request.
9.4 Compliance Certifications.
- ☐ SOC 2 Type II
- ☐ ISO 27001
- ☐ CCPA/CPRA Compliance Attestation
- ☐ [________________________________]
Article X. DATA PROTECTION COMMITMENTS
10.1 Backup Cadence.
- (a) Full backups: [____] (e.g., daily);
- (b) Incremental backups: [____] (e.g., every 4 hours);
- (c) Transaction logs: [____] (e.g., every 15 minutes).
10.2 Retention Windows.
- (a) Daily backups: [____] days (e.g., 30);
- (b) Weekly backups: [____] weeks (e.g., 12);
- (c) Monthly backups: [____] months (e.g., 12);
- (d) Annual backups: [____] years (e.g., 7).
10.3 Recovery Validation. Restore tests conducted at least [____] per year to verify backup integrity. Results documented and available.
10.4 Encryption Baseline.
- (a) At rest: AES-256;
- (b) In transit: TLS 1.2+;
- (c) Backups: Encrypted to the at-rest standard.
10.5 California Breach Notification (Cal. Civ. Code Section 1798.82). Upon a breach of security involving personal information of California residents:
- (a) Provider shall notify Customer within [____] hours of breach confirmation;
- (b) Provider shall cooperate with Customer's obligation to notify affected California residents within thirty (30) calendar days of discovery (effective January 1, 2026, per SB 446);
- (c) If more than five hundred (500) California residents are affected, Provider shall assist Customer in notifying the California Attorney General within fifteen (15) days of consumer notification;
- (d) Notifications must follow the prescribed format under Cal. Civ. Code Section 1798.82(d): plain language, titled "Notice of Data Breach," with specific required headings ("What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," "For More Information");
- (e) Provider shall provide all information Customer needs for compliant notification, including breach timeline, data elements compromised, and affected individual count;
- (f) Provider shall bear reasonable notification costs where the breach resulted from Provider's security failures.
10.6 CCPA/CPRA Compliance. To the extent Provider acts as a "service provider" under the CCPA/CPRA:
- (a) Provider shall process personal information solely for the business purposes specified in the Master Agreement;
- (b) Provider shall not sell or share (as defined in the CPRA) personal information received from Customer;
- (c) Provider shall not retain, use, or disclose personal information outside the direct business relationship with Customer;
- (d) Provider shall assist Customer in responding to verifiable consumer requests (access, deletion, correction, portability, opt-out of sale/sharing);
- (e) Provider shall implement reasonable security procedures and practices as required by Cal. Civ. Code Section 1798.81.5;
- (f) Provider shall notify Customer if it determines it can no longer meet its CCPA/CPRA obligations;
- (g) Provider shall allow Customer to take reasonable steps to stop and remediate unauthorized use of personal information;
- (h) Provider shall certify in writing, upon Customer's request, that it understands and will comply with its service provider obligations;
- (i) The Master Agreement or a separate data processing addendum shall satisfy the written contract requirements of Cal. Civ. Code Section 1798.100(d).
10.7 California Age-Appropriate Design Code. If the Services may be accessed by users under the age of eighteen (18), Provider shall cooperate with Customer's compliance obligations under the California Age-Appropriate Design Code Act (Cal. Civ. Code Section 1798.99.28 et seq.), including default high-privacy settings for minor users.
Article XI. STATUS COMMUNICATION
11.1 Status Page. Publicly available at: [________________________________].
11.2 Alert Channels.
- ☐ Email to designated contacts: [________________________________]
- ☐ Status page updates
- ☐ SMS alerts for P1 events
- ☐ In-application banners
- ☐ Voice call for P1 events to designated emergency contact
11.3 Alert Timing. P1: [____] min; P2: [____] min; P3/P4: [____] hrs; Maintenance: per Article III.
11.4 Post-Event Summaries. P1/P2: Written stakeholder summary within [____] business days.
Article XII. POLICY GOVERNANCE
12.1 Quarterly Check-Ins. Within [____] business days of each quarter-end.
12.2 Annual Policy Review. Comprehensive evaluation of all targets within [____] days of the Effective Date anniversary.
12.3 Improvement Cadence. Provider presents: recurring issue fixes, platform improvements, capacity forecasts, proposed SLA upgrades.
12.4 Policy Changes. Require mutual written agreement. Provider cannot unilaterally weaken any commitment during the current term. Provider shall propose updates as needed to maintain compliance with evolving California regulatory requirements.
Article XIII. PERSISTENT FAILURES AND EXIT RIGHTS
13.1 What Constitutes Persistent Failure.
- (a) Uptime below [____]% in [____] of [____] consecutive months (e.g., < 99.0% in 2 of 3);
- (b) P1 resolution targets missed [____]+ times in [____] months (e.g., 3 in 6); or
- (c) Uptime below [____]% in any single month (e.g., < 95.0%).
13.2 Customer's Exit Right. Upon persistent failure, Customer may terminate on [____] days' written notice without early termination charges.
13.3 Financial Reconciliation. Provider refunds: (Remaining Months / Total Months) x Prepaid Fees + Accrued Credits.
13.4 Migration Support. Provider assists with transition for [____] days (e.g., 90) at no charge, including data export in standard formats and reasonable cooperation with replacement providers.
13.5 Surviving Obligations. Articles V and X and Sections 13.3 and 13.4 survive termination.
Article XIV. CALIFORNIA LEGAL FRAMEWORK
14.1 Governing Law. This Policy is governed by California law, without regard to conflict of laws rules.
14.2 Venue. Exclusive jurisdiction in [________________________________] County, California (e.g., San Francisco County, Los Angeles County, Santa Clara County), in the state or federal courts located therein.
14.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY CALIFORNIA LAW, EACH PARTY KNOWINGLY, VOLUNTARILY, AND INTENTIONALLY WAIVES ANY RIGHT TO TRIAL BY JURY. Provider acknowledges that California courts may scrutinize jury waiver provisions; this provision has been negotiated and is conspicuously placed.
14.4 Consumer Protection. This Policy does not limit Customer's rights under: the Unfair Competition Law (Cal. Bus. & Prof. Code Section 17200 et seq.), the Consumer Legal Remedies Act (Cal. Civ. Code Section 1750 et seq.), or the False Advertising Law (Cal. Bus. & Prof. Code Section 17500 et seq.).
14.5 Trade Secrets. Protected under the California Uniform Trade Secrets Act (Cal. Civ. Code Section 3426 et seq.).
14.6 Electronic Signatures. Valid under the California UETA (Cal. Civ. Code Section 1633.1 et seq.).
14.7 California Government Customers. If Customer is a California state or local government entity:
- (a) Subject to the California Department of Technology (CDT) standards;
- (b) Provider must comply with the California State Administrative Manual (SAM) information security requirements;
- (c) Provider shall cooperate with audits by the California State Auditor;
- (d) This Policy is subject to the provisions of the California Public Contract Code.
14.8 Force Majeure. Neither party liable for failures beyond reasonable control, including: earthquakes, wildfires, mudslides, Public Safety Power Shutoffs (PSPS), government-ordered evacuations, pandemics, civil unrest, terrorism, power grid failures (including CAISO rotating outages), and telecommunications disruptions. Prompt notice and commercially reasonable mitigation required.
14.9 Liability Parameters. Enforced to the maximum extent under California law. Nothing limits liability for: gross negligence, willful misconduct, CCPA/CPRA violations, or breach of confidentiality.
Article XV. SIGNATURES
By signing, both parties agree to this Enterprise SLA Policy as of the Effective Date.
PROVIDER:
Signature: [________________________________]
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
CUSTOMER:
Signature: [________________________________]
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
EXHIBIT A: CREDIT SCHEDULE
| Monthly Uptime | Credit Rate | Example ($10,000/mo) |
|---|---|---|
| >= target | 0% | $0 |
| 99.5% to < 99.9% | [____]% | $[____] |
| 99.0% to < 99.5% | [____]% | $[____] |
| 95.0% to < 99.0% | [____]% | $[____] |
| Below 95.0% | [____]% | $[____] |
Monthly cap: [____]%.
EXHIBIT B: ESCALATION DIRECTORY
| Stage | Provider Contact | Role | Phone | | Coverage |
|---|---|---|---|---|---|
| 1 | [________________] | [________________] | [________________] | [________________] | 24/7 (P1/P2) |
| 2 | [________________] | [________________] | [________________] | [________________] | 24/7 (P1/P2) |
| 3 | [________________] | [________________] | [________________] | [________________] | Business + On-Call |
| 4 | [________________] | [________________] | [________________] | [________________] | As Needed |
| Level | Customer Contact | Role | Phone | |
|---|---|---|---|---|
| Primary | [________________] | [________________] | [________________] | [________________] |
| Backup | [________________] | [________________] | [________________] | [________________] |
| Executive | [________________] | [________________] | [________________] | [________________] |
EXHIBIT C: DR DRILL CALENDAR
| Drill Type | How Often | Next Date | Who Participates |
|---|---|---|---|
| Tabletop Walkthrough | [____]/year | [__/__/____] | DR Team + Customer (opt.) |
| Partial Failover | [____]/year | [__/__/____] | Engineering |
| Full Regional Failover | [____]/year | [__/__/____] | Engineering + Customer (opt.) |
| Backup Recovery Validation | [____]/year | [__/__/____] | DBA Team |
| Seismic Scenario Exercise | [____]/year | [__/__/____] | Facilities + Engineering |
| PSPS Power Scenario | [____]/year | [__/__/____] | Facilities + Engineering |
| Communication Chain Test | [____]/year | [__/__/____] | Both Parties |
Results documentation within [____] business days.
This Policy is part of and governed by the Master Agreement. Where they conflict, the Master Agreement controls -- except for uptime commitments, financial credits, and persistent failure exit rights stated here.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: March 2026