SLA Policy - Enterprise SaaS (Connecticut)

ENTERPRISE SERVICE LEVEL AGREEMENT POLICY

State of Connecticut Jurisdiction

Effective Date: [__/__/____]

Provider: [________________________________] ("Provider")

Customer: [________________________________] ("Customer")

SaaS Agreement Reference: [________________________________] (the "Agreement")

TABLE OF CONTENTS

1. Definitions
2. Service Availability Commitment
3. Scheduled Maintenance Windows
4. Severity Classification and Response Times
5. Service Credits
6. Escalation Procedures
7. Performance Monitoring and Reporting
8. Disaster Recovery and Business Continuity
9. Security SLA
10. Data Protection SLA
11. Communication Protocol
12. SLA Review and Amendments
13. Chronic Failure and Termination Rights
14. Connecticut-Specific Provisions
15. Execution Block
    Exhibit A: Uptime Credit Table
    Exhibit B: Escalation Contact Matrix
    Exhibit C: DR Test Schedule

Section 1. DEFINITIONS

1.1 "Availability" means the percentage of time during a calendar month that the Production Environment is operational and accessible:

Availability % = ((Total Minutes in Month - Downtime Minutes) / Total Minutes in Month) x 100

1.2 "Downtime" means any period during which the Production Environment is materially unavailable or materially degraded such that Customer cannot perform core business functions, measured from the earlier of Provider's monitoring detection or Customer's documented report.

1.3 "Scheduled Maintenance" means planned maintenance with advance notice per Section 3.

1.4 "Emergency Maintenance" means unplanned maintenance to address imminent threats to security, integrity, or availability.

1.5 "Availability Percentage" means Availability for a single calendar month for a specific Production Environment.

1.6 "Service Credit" means the monetary credit per Section 5, as a percentage of monthly fees for the affected Service.

1.7 "SLA Exclusions" - unavailability not counted as Downtime:

• (a) Scheduled Maintenance per Section 3;
• (b) Emergency Maintenance (commercially reasonable minimization);
• (c) Customer-caused Downtime including AUP violations;
• (d) Force majeure events per Section 14.10;
• (e) Third-party network, ISP, or DNS failures outside Provider's control;
• (f) Beta, pilot, sandbox, or development environments;
• (g) Preview or experimental features.

1.8 "Severity Levels" means P1-P4 per Section 4.

1.9 "Response Time" means the time from ticket submission to first substantive acknowledgment by qualified technical personnel.

1.10 "Resolution Time" means the time from acknowledgment to restoration of substantially normal operations.

1.11 "Recovery Time Objective (RTO)" means maximum acceptable time to restore Services after disaster.

1.12 "Recovery Point Objective (RPO)" means maximum acceptable data loss measured in time after disaster.

1.13 "Production Environment" means the live, customer-facing service instance.

1.14 "Root Cause Analysis (RCA)" means the formal investigation and report on incident causation.

1.15 "Personal Data" has the meaning assigned under the Connecticut Data Privacy Act (Conn. Gen. Stat. Section 42-515(19)), including information linked or reasonably linkable to an identified or identifiable individual.

1.16 "Consumer" has the meaning assigned under the CTDPA (Conn. Gen. Stat. Section 42-515(8)).

Section 2. SERVICE AVAILABILITY COMMITMENT

2.1 Tiered Uptime Targets.

2.2 Measurement Methodology. Automated monitoring at intervals not exceeding [____] minutes from [____] distributed nodes. Methodology documentation available upon request.

2.3 Monitoring Tools.

• ☐ Real-time synthetic monitoring
• ☐ Application Performance Monitoring (APM)
• ☐ Infrastructure health checks
• ☐ API endpoint response tracking
• ☐ Customer-accessible status page

2.4 Calculation Period. Calendar month, 12:00:00 AM to 11:59:59 PM Eastern Time.

2.5 Disputed Measurements. Customer may submit alternative data within [____] business days. Good-faith resolution; unresolved disputes determined by mutually selected independent auditor (costs shared equally).

Section 3. SCHEDULED MAINTENANCE WINDOWS

3.1 Standard Window. [________________________________] (e.g., Sundays, 2:00 AM to 6:00 AM Eastern Time).

3.2 Advance Notice. No fewer than [____] business days, including: (a) date/time; (b) duration; (c) work description; (d) impact assessment; (e) rollback plan.

3.3 Extended Maintenance. Exceeding [____] hours or outside standard window requires Customer's written approval (not unreasonably withheld), requested [____] business days in advance.

3.4 Monthly Cap. Not to exceed [____] hours per month. Excess counted as Downtime.

3.5 Emergency Maintenance. Without advance notice when necessary. Provider shall: (a) notify Customer as soon as practicable; (b) update every [____] minutes; (c) deliver post-incident summary within [____] business hours.

Section 4. SEVERITY CLASSIFICATION AND RESPONSE TIMES

4.1 Definitions.

4.2 Response and Resolution Targets.

4.3 Automatic Escalation. Failure triggers escalation per Section 6.

4.4 Reclassification. P1/P2 evaluated within [____] minutes; P3/P4 within [____] business hours.

4.5 24/7 Support. Round-the-clock for P1/P2, including Connecticut state and federal holidays.

Section 5. SERVICE CREDITS

5.1 Formula. Service Credit = Credit Percentage x Monthly Fee for Affected Service.

5.2 Credit Tiers.

5.3 Credit Cap. Aggregate monthly credits not to exceed [____]% of monthly fees.

5.4 Request Process.

• (a) Written request within [____] days (e.g., 30) after the affected month;
• (b) Include dates, times, impact, documentation;
• (c) Provider validates within [____] business days (e.g., 15);
• (d) Credits applied to next invoice or refunded.

5.5 Sole Remedy. Except for Section 13, Service Credits are sole remedy for Availability failures. Nothing herein limits rights under the Connecticut Unfair Trade Practices Act (Conn. Gen. Stat. Section 42-110a et seq.) or the Connecticut Data Privacy Act.

Section 6. ESCALATION PROCEDURES

6.1 Matrix.

6.2 Customer-Initiated. Via Exhibit B contacts. Acknowledgment: [____] min business hours, [____] min after hours.

6.3 Documentation. Timestamp, reason, personnel, actions, outcome for each escalation.

Section 7. PERFORMANCE MONITORING AND REPORTING

7.1 Monthly Reports. Within [____] business days of month-end: Availability, Downtime itemization, incident counts, Response/Resolution means, maintenance hours, credits, trend analysis.

7.2 Dashboard.

• ☐ System status
• ☐ Historical uptime for [____] months
• ☐ Active incidents
• ☐ Maintenance calendar
• ☐ API metrics

7.3 Root Cause Analysis. P1/P2: RCA within [____] business days including timeline, cause, impact, corrective actions, preventive measures, lessons learned.

7.4 Quarterly Reviews. Performance, trends, capacity, improvements.

Section 8. DISASTER RECOVERY AND BUSINESS CONTINUITY

8.1 RTO/RPO Targets.

8.2 DR Testing. No fewer than [____] per year; [____] days' advance notice; Customer observation; results within [____] business days.

8.3 Geographic Redundancy. Minimum [____] regions separated by [____] miles. Locations: [________________________________].

8.4 BCP. Documented plan covering personnel, facilities, technology, communications. Available for Customer review.

8.5 Connecticut-Specific Considerations. Provider's DR plan shall address risks relevant to the New England region:

• (a) Nor'easter storms and severe winter weather causing power outages and transportation disruptions;
• (b) Hurricane and tropical storm risk during Atlantic hurricane season;
• (c) Coastal flooding affecting Connecticut's Long Island Sound shoreline facilities;
• (d) Regional power grid vulnerabilities in the ISO New England grid;
• (e) Extreme cold weather impacts on data center cooling and power infrastructure.

Section 9. SECURITY SLA

9.1 Vulnerability Patching.

• (a) Critical (CVSS 9.0-10.0): [____] hours (e.g., 24);
• (b) High (CVSS 7.0-8.9): [____] days (e.g., 7);
• (c) Medium (CVSS 4.0-6.9): [____] days (e.g., 30);
• (d) Low (CVSS 0.1-3.9): [____] days (e.g., 90).

9.2 Incident Response. Notify Customer within [____] hours; updates every [____] hours; post-incident report within [____] business days.

9.3 Penetration Testing. No fewer than [____] per year. Executive summaries available upon request.

9.4 Certifications.

• ☐ SOC 2 Type II
• ☐ ISO 27001
• ☐ [________________________________]

Section 10. DATA PROTECTION SLA

10.1 Backup Frequency.

• (a) Full: [____] (e.g., daily);
• (b) Incremental: [____] (e.g., every 4 hours);
• (c) Transaction logs: [____] (e.g., every 15 minutes).

10.2 Retention.

• (a) Daily: [____] days (e.g., 30);
• (b) Weekly: [____] weeks (e.g., 12);
• (c) Monthly: [____] months (e.g., 12);
• (d) Annual: [____] years (e.g., 7).

10.3 Recovery Testing. No fewer than [____] per year.

10.4 Encryption.

• (a) At rest: AES-256;
• (b) In transit: TLS 1.2+;
• (c) Backups: Same as at-rest.

10.5 Connecticut Data Breach Notification Compliance. In the event of a breach of security (as defined in Conn. Gen. Stat. Section 36a-701b), Provider shall:

• (a) Notify Customer within [____] hours of confirming a breach affecting personal information of Connecticut residents;
• (b) Cooperate with Customer's obligation to provide notice to affected Connecticut residents and the Connecticut Attorney General within sixty (60) days of breach discovery, as required by Conn. Gen. Stat. Section 36a-701b(b);
• (c) Provider acknowledges that the Connecticut Attorney General actively enforces the sixty-day notification deadline and has issued warning letters to organizations failing to comply (more than 1,830 breach notifications received and 63 warning letters issued for delayed notifications in recent enforcement actions);
• (d) Assist Customer in providing the written notification in the format prescribed by Connecticut law, including the nature of the breach, types of information compromised, and steps taken;
• (e) Bear reasonable costs of notification if the breach resulted from Provider's security failures.

10.6 Connecticut Data Privacy Act (CTDPA) Compliance. To the extent Provider acts as a "processor" under the CTDPA (Conn. Gen. Stat. Section 42-515 et seq.):

• (a) Provider shall process Personal Data solely in accordance with Customer's documented instructions;
• (b) Provider shall assist Customer in fulfilling obligations regarding consumer rights requests, including the right to access, correct, delete, obtain a copy of, and opt out of processing;
• (c) Provider shall assist Customer in conducting data protection assessments required by the CTDPA;
• (d) Provider shall implement appropriate technical and organizational security measures;
• (e) Provider shall engage sub-processors only with Customer's prior notice and opportunity to object;
• (f) Provider shall make available all information necessary to demonstrate compliance with CTDPA processor obligations;
• (g) Provider shall allow and cooperate with reasonable audits and inspections by Customer or Customer's designee;
• (h) Provider acknowledges that the CTDPA is enforced exclusively by the Connecticut Attorney General, and that the cure period has been progressively narrowed in enforcement practice;
• (i) Provider and Customer shall enter into a data processing agreement that meets the requirements of Conn. Gen. Stat. Section 42-518, which shall be incorporated by reference into this SLA Policy.

10.7 Sensitive Data Protections. Under the CTDPA, processing of "sensitive data" (including precise geolocation, racial or ethnic origin, religious beliefs, health data, biometric data, and data concerning minors) requires affirmative consumer consent. Provider shall implement technical safeguards to ensure that sensitive data processed through the Services receives enhanced protection, including:

• (a) Access controls limiting sensitive data access to authorized personnel only;
• (b) Enhanced encryption or pseudonymization measures;
• (c) Separate audit logging for sensitive data access and processing events.

Section 11. COMMUNICATION PROTOCOL

11.1 Status Page. Publicly accessible at: [________________________________].

11.2 Notification Methods.

• ☐ Email to designated contacts: [________________________________]
• ☐ Status page updates
• ☐ SMS/text for P1
• ☐ In-application notifications
• ☐ Phone for P1 incidents

11.3 Timing.

• (a) P1: Within [____] minutes;
• (b) P2: Within [____] minutes;
• (c) P3/P4: Within [____] hours;
• (d) Maintenance: Per Section 3.2.

11.4 Post-Incident Reports. P1/P2: Written within [____] business days.

Section 12. SLA REVIEW AND AMENDMENTS

12.1 Quarterly Reviews. Within [____] business days of quarter-end.

12.2 Annual Review. Within [____] days of Effective Date anniversary.

12.3 Continuous Improvement. Recurring remediation, improvements, forecasts, enhancements.

12.4 Amendments. Written agreement required. No unilateral reduction during the term.

Section 13. CHRONIC FAILURE AND TERMINATION RIGHTS

13.1 Chronic Failure. Occurs when:

• (a) Availability < [____]% in [____] of [____] consecutive months (e.g., < 99.0% in 2 of 3);
• (b) P1 Resolution missed [____]+ times in [____] months (e.g., 3 in 6); or
• (c) Availability < [____]% in any single month (e.g., < 95.0%).

13.2 Termination. [____] days' notice (e.g., 30), no early termination fees.

13.3 Refund. (Remaining Months / Total Months) x Prepaid Fees + Accrued Credits.

13.4 Transition Assistance. [____] days (e.g., 90) at no charge.

13.5 Survival. Sections 5, 10, 13.3, and 13.4 survive.

Section 14. CONNECTICUT-SPECIFIC PROVISIONS

14.1 Governing Law. This SLA Policy shall be governed by the laws of the State of Connecticut, without regard to conflict of laws principles.

14.2 Venue. Exclusive jurisdiction in the state courts of [________________________________] Judicial District, Connecticut, or the United States District Court for the District of Connecticut. Each party consents to personal jurisdiction.

14.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY CONNECTICUT LAW, EACH PARTY KNOWINGLY, VOLUNTARILY, AND INTENTIONALLY WAIVES ANY RIGHT TO TRIAL BY JURY IN ANY ACTION ARISING UNDER THIS SLA POLICY.

14.4 Unfair Trade Practices. Nothing herein limits rights under the Connecticut Unfair Trade Practices Act (CUTPA) (Conn. Gen. Stat. Section 42-110a et seq.). CUTPA provides a broad private right of action for unfair or deceptive acts, and the parties acknowledge its applicability to technology services.

14.5 Trade Secrets. Protected under the Connecticut Uniform Trade Secrets Act (Conn. Gen. Stat. Section 35-50 et seq.).

14.6 Electronic Signatures. Valid under Connecticut UETA (Conn. Gen. Stat. Section 1-266 et seq.).

14.7 CTDPA Processor Relationship. This SLA Policy, together with the data processing agreement required by Section 10.6(i), constitutes the written contract between controller (Customer) and processor (Provider) as required by Conn. Gen. Stat. Section 42-518. Provider shall not process Personal Data except as instructed by Customer and as permitted by the CTDPA.

14.8 Connecticut Insurance and Financial Services. If Customer is in the insurance or financial services industry, Provider acknowledges that Connecticut is a major center for insurance and financial services companies. Provider shall cooperate with Customer's compliance obligations under applicable Connecticut Department of Insurance regulations and any cybersecurity requirements imposed on Connecticut-regulated financial institutions.

14.9 Government Customer Provisions. If Customer is a Connecticut state agency:

• (a) This SLA Policy is subject to Connecticut procurement laws and regulations;
• (b) Provider shall comply with all applicable Connecticut Bureau of Enterprise Systems and Technology (BEST) standards;
• (c) Provider shall cooperate with audits by the Connecticut Auditors of Public Accounts;
• (d) Provider shall comply with CT Executive Orders relating to cybersecurity and data protection.

14.10 Force Majeure. Neither party liable for failures caused by events beyond reasonable control: natural disasters (including Nor'easters, hurricanes, blizzards, and coastal flooding), government actions, civil unrest, terrorism, pandemics, power failures (including ISO New England grid events), or telecommunications outages. Prompt notice and commercially reasonable mitigation required.

14.11 Limitation of Liability. Enforced to the maximum extent under Connecticut law. Nothing limits liability for gross negligence, willful misconduct, breach of confidentiality, or CTDPA violations.

Section 15. EXECUTION BLOCK

IN WITNESS WHEREOF, the parties execute this SLA Policy as of the Effective Date.

PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

EXHIBIT A: UPTIME SERVICE CREDIT TABLE

Monthly cap: [____]%.

EXHIBIT B: ESCALATION CONTACT MATRIX

EXHIBIT C: DR TEST SCHEDULE

Results within [____] business days.

Incorporated into the Agreement. Agreement controls in conflict except for Availability, Credits, and Chronic Failure provisions herein.