Service Level Agreement (SLA)

BUSINESS SERVICE LEVEL AGREEMENT

Last updated May 21, 2022

AGREEMENT OVERVIEW

This Agreement represents a Service Level Agreement (“SLA” or “Agreement”) between STRAIN and Customer for the provisioning of services required to support their mobile app and dashboard platform.

This Agreement remains valid until superseded by a revised agreement approved by STRAIN.
This Agreement outlines the parameters of all services covered as they are mutually understood by the Customer and STRAIN. This Agreement does not supersede current processes and procedures unless explicitly stated herein.

1. Business Service Level Agreement (“SLA”). STRAIN (“Company”) commits to providing a level of service for Customers guaranteeing:

1.1 99.99% uptime. Uptime is defined by a response from the client device to the API (“Availability”), measured on a calendar-month basis (the “Availability Commitment”). Availability measures exclude downtime resulting from the following:

-Upgrades: The Customer will receive a notification via email from STRAIN prior to any scheduled upgrade tasks; such tasks will take effect between 6pm and midnight Eastern Time.

-Pre-scheduled maintenance periods: The Customer will receive a notification via email from STRAIN prior to any pre-scheduled maintenance. Maintenance tasks shall be scheduled between 6pm and midnight Eastern Time.

-Emergency maintenance periods: The Customer will receive notifications via email from STRAIN prior to and during the maintenance process. Emergency maintenance periods will involve applying security updates, system patches and/or other repairs to restore all services. Intermittent interruption of individual services may occur.

STRAIN’s availability terms do not apply to any downtime that results from: (i) account suspension or termination due to Customer’s breach of the Agreement; (ii) disengagement of functionality of the STRAIN Service at Customer’s request; (iii) force majeure events or other matters beyond STRAIN’s reasonable control; or (iv) Customer’s or its service provider’s equipment, software or other technology.

1.2 Penalties. If the Service fails to meet the above service level, the Customer will receive a credit equal to the result of the Service Credit calculation in Section 4 of this SLA.

2. Service Management
Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services and related components.

2.1 Service Availability: Coverage parameters specific to the service(s) covered in this Agreement are as follows:

-Customer support hours: 9AM EDT to 9PM EDT Monday – Saturday
-Emails received outside of office hours will be collected; however, no action can be guaranteed until the next working day
-Limited e-mail customer support will be available on the following days:

–Presidents Day (third Monday of February)
–Memorial Day (last Monday of May)
–Independence Day (July 4)
–Labor Day (first Monday of September)
–Thanksgiving Day (fourth Thursday in November)
–Christmas Eve (December 24)
–New Year’s Eve (December 31)

-Remote assistance will be provided in line with the above timescales, dependent on the priority of the support request.
-Calls received out of office hours will be forwarded to a phone answering service
-Live customer support will not be available on the following days:

–Christmas Day (December 25)
–New Year’s Day (January 1)
–Three Kings Day (January 6)

2.2 Support methods. The following channels are covered by this Agreement:

Account representative telephone support
[email protected] monitored email support
Remote assistance using AnyDesk or TeamViewer software

2.3 Service Levels, Rankings, and Priority

Severity Level       Response           Description

1. Outage SaaS       Immediate          Server down
2. Critical High     Within 10 mins.    Risk of downtime
3. Urgent            Within 30 mins.    End-user impacted
4. Important         Within 60 mins.    Potential for performance impact if not addressed
5. Informational     Within 48 hours    Inquiry for information

3. Service Credits.
3.1 The amount and method of calculation of Service Credits is described below in Section 4.

3.2 Service Credits are Customer’s sole and exclusive remedy for any violation of this SLA.

3.3 The total amount of Service Credits awarded in any twelve (12) month period shall not, under any circumstance, exceed one (1) month of a Customer’s cumulative total monthly service fees.

3.4 Service Credits for this SLA will only be calculated against monthly recurring fees associated with the Service.

4. Service Credit Calculation:

4.1 For each Outage Period during a monthly billing period, the Company will provide a Service Credit in an amount calculated as follows:

Service Credit = (Outage Period minutes * Affected Customer Ratio) ÷ Scheduled Availability minutes

5. Security Incident Response

5.1 STRAIN is committed to appropriately protecting all information relating to its members and affiliates, as well as protecting its confidential business information (including information relating to its employees, affiliates, and members). To achieve this goal and to minimize the risk of loss, theft, or compromise of business or patient-related information, appropriate systems, operating procedures, and policies are in effect and are regularly reviewed and updated.

In the event of a privacy/security incident, the goals of the STRAIN Privacy/Incident Response Team are to:

  1. Investigate the incident internally (in cooperation with law enforcement if necessary);
  2. Mitigate potential harm to affected parties;
  3. Minimize adverse impact to parties in an ethically and legally appropriate manner, to include minimizing reduction in operations, reputational harm, and/or financial harm;
  4. Appropriately communicate the incident or loss:
    1. To affected parties in a timely manner (as appropriate or as otherwise may be required by law);
    2. To regulatory agencies, news media, or other entities (as appropriate or required);
    3. To staff (as appropriate or required, especially to leadership);
  5. Provide guidance or assistance in the development of specific corrective actions (including disciplinary actions when appropriate); and
  6. Conduct post-incident reviews, training and education, and provide internal communications in order to minimize potential future incidents.

5.2 A privacy incident is any attempt at, or occurrence of, unauthorized acquisition, exposure, disclosure, use, modification or destruction of sensitive data that compromises the security, confidentiality, or integrity of:

  • Confidential business information (including information relating to its employees, and agents); or
  • Individually identifiable information maintained by STRAIN, its affiliated entities or their agents;
  • And:
    • May violate privacy/security regulations or laws; or
    • May result in the acquirer or another person taking some specific action with the information (e.g. identity theft, extortion, sale of information, internet posting, reporting to the media, etc.).

5.3 Incidents have a timeline that generally contains an Initial Response phase and a Continuing Response phase. Initial Response begins as soon as an incident is discovered or reported and includes time-sensitive first response actions to limit damage while a more organized response is being planned. Continuing Response includes all activities necessary to close an incident case, including investigation, correcting processes, notifying affected individuals, and reporting to regulatory agencies as required by law. Generally, the activities within each phase are ongoing and may occur simultaneously, and there may be some overlap between Immediate Response activities and Continuing Response activities.

Discovery/Reporting

  • Determination that an incident has happened
  • Involvement of Area Management
  • Involvement of IT Department
  • Involvement of legal Department

Immediate Response (0-1 Business Day)

  • Containment
  • Opening of Incident Case Files
  • Escalation

Continuing Response (0-15+ days)

  • Analysis and Planning
  • Investigation
  • Mitigation and Correction
  • Notification
  • Closing of Incident Case File
  • Reporting

5.4 Incidents that should be reported may include, but are not limited to:

    1. Patient Privacy Complaints relating to:
      1. Patient Privacy Rights
      2. Communications
      3. Inappropriate use, access or disclosure of personal identifiable information
    2. Employee-related Privacy Concerns relating to:
      1. Inappropriate use, access or disclosure of personal identifiable information
      2. Inappropriate use, access or disclosure of confidential health information
      3. Inappropriate modification, deletion or destruction of information
    3. Other Concerns relating to:
      1. Loss or deletion of stored data; loss or theft of laptops, handheld devices, portable media storage containing confidential business or individually identifiable information.
    4. Theft or Loss of STRAIN Computer Equipment, including:
      1. Desktop computers,
      2. Laptop computers,
      3. External hard drives
    5. Computer/Network Intrusions, Data Losses, or other Compromises, including:
      1. The unauthorized access, viewing, copying, forwarding, or removal of electronically stored data; or
      2. Any other incidents that result, or may result, in unauthorized acquisition or release of, or any potential compromise of, electronically stored business or patient information.
    6. Data Transmission Incidents, including:
      1. Inadvertent e-mail releases
      2. Unsecured data transmission

5.5 STRAIN’s initial response to an incident can make the difference between a situation that is handled properly and a catastrophe. For instance, if a Security Incident is discovered involving a data breach of a STRAIN system or network, the immediate steps taken to stop unauthorized access and secure data could make a huge difference in the amount of damage inflicted on other parties.

Depending on the nature of an incident, its scale, potential impact, risk to the organization, or other factors, STRAIN staff may respond in a variety of ways to include:

  • Containment
  • Opening of Incident Case Files
  • Analysis and Planning
  • Escalation & Activation of the Incident Response Team

5.6 When a breach is discovered, the management team may determine the need to conduct containment activities to stop additional information from being lost or disclosed, or to reduce the number of persons the information may reach. STRAIN members may, over their areas of responsibility or collaboratively, take steps to have lost, stolen or inappropriately disclosed information returned or destroyed. For instance, the Information Technology Department may shut down particular applications or third-party connections, reconfigure firewalls, change computer access codes, or change physical access codes.

The Help Desk must still be notified of the incident to ensure proper notification, resolution and follow-up by the appropriate team members.

If applicable, staff members closest to the incident will determine the extent of the incident by identifying all information (and systems) affected, and take action to stop the exposure. This may include:

  • Securing or disconnecting affected systems
  • Securing affected records or documentation
  • Halting affected business processes
  • Pausing any processes that may rely on exposed information or that may have given rise to the incident (as necessary to prevent further use, exposure, etc.)

This would most typically occur in instances of electronic system intrusion, exposed physical (e.g. medical) files or records or similar situations.

5.7 STRAIN staff members will document all actions taken regarding an incident. This may be done using incident logs, or systems designated for this purpose. The management team will begin to establish this documentation as soon as possible, at which point the incident response will be considered an open case file.

Generally speaking, the documentation must, at a minimum, be thorough and complete, so that it can be used to fulfill reporting requirements to government agencies and to organizational senior leadership, as well as serve as legal documentation in the case of a future legal or regulatory proceeding. This documentation will include notations of analyses, notification, reporting, communication, meetings, and all other actions.

5.8 As more information is gathered, a responsible staff member will assess each privacy/security incident to determine appropriate handling. For instance, while a minor and low-risk incident may be assigned to and investigated by competent technicians within a department, the department may require that technician to escalate to management any incident that may damage the organization. The manager, in turn, may escalate the incident to the director, VP, or C-level staff member.

5.9 Upon notification of a real or potential privacy/security incident, the designee will perform a preliminary analysis of the facts and assess the situation to determine the nature and extent of the incident. Such analysis may include contacting the individual who reported the problem.

As needed, any or all members of the staff team may be involved in carrying out the activities of the Incident Response Plan. The plan will address the following:

  • Review of initial containment activities
    • Communication regarding containment activities taken thus far
    • Assessing risks to information and systems
    • Determination of additional containment measures
    • Determination of the need to inform law enforcement (for instance, it may be appropriate to notify the FBI in cases of identity theft or hacking) [Approval from Legal is Required unless the workforce member determines a delay could result in harm to the company or to individuals internal or external to the company]
  • Investigation Planning
    • Assignment of and coordination with Investigators
    • Evidence gathering planning
    • Interview planning
  • Communications/Public Relations Planning
    • Assess how an incident and the response to it may affect STRAIN’s reputation and public image.
    • Internal Communications
      • Determine the need to notify all current employees of the incident or employees
      • Determine how employees will be notified (email or mandatory staff meeting)
      • Determine who will communicate to the staff
      • Determine material content of the notification
    • External Communications
      • Determine the need for external communications to covered entity, media (press conference or press release if Covered Entity is required to notify the media), etc.
      • Determine who will represent STRAIN publicly
      • Determine the material content of the Press Conference and/or Press Release
    • Determine the need to post information regarding the incident to the STRAIN website

5.10 Thorough investigation, and documentation of that investigation, is a critical component of incident response. Thorough investigation and documentation must be timely, accurate, and professional, and serves several purposes as listed below.

Purposes of thorough investigation:

  • Shows due diligence in complying with legal and regulatory requirements.
  • Provides management with accurate and detailed information. This is essential to correct processes, contain damage, communicate with staff and with external affected persons, and take other appropriate measures.
  • Promotes fair, just, and more objective outcomes in regard to the handling of workforce members, especially as it pertains to discipline.
  • Reduces the chances for mistakes that may occur due to incomplete or incorrect information.
  • Provides documentation showing the organization’s commitment to protection of the information it holds.
  • Provides documentation that may be used in civil or criminal proceedings even years after an incident occurred.

5.11 STRAIN has a legal and ethical obligation to mitigate (reduce) any harmful effects that result from privacy and security incidents. Though this is only legally required if STRAIN “has actual knowledge of harm,” STRAIN will also take reasonable and appropriate steps to prevent harm from occurring either to individuals or to the STRAIN organization. Actual privacy/security incidents may result in negative outcomes for the affected parties several months or years later – STRAIN must acknowledge and be prepared to handle this risk appropriately.

Examples of Mitigation:

  • Compliance, IT, and others may consult with Risk Management and Legal as necessary to understand full scope of risks and potential damages and ways to mitigate.
  • Staff management may determine need for any legal action to be taken on parties (internal or external) involved in the incident.
  • Staff management may determine need for termination of third party contract.
  • STRAIN may contact third party insurers for services or resources related to any purchased policies (for instance, breach response services provided by a cyber-security policy).

5.12 Closely tied to mitigation, Correction should occur after any privacy or security incident in order to prevent future recurrence and to comply with organizational policy.

Examples of Correction:

  • As appropriate, revise written policies and procedures that may be deficient.
  • Assess informal/unwritten processes and practices and make changes that correct or improve them.
  • Follow human resources policy and disciplinary action guidelines to determine need for disciplinary action on any STRAIN employee involved in the incident.
  • Determine the need for additional staff training.
  • Determine the need for increased security measures.

5.13 Before an incident case file can be closed, STRAIN must have met the goals of incident response. To recap, those goals are to:

  1. Investigate the incident internally (in cooperation with law enforcement if necessary);
  2. Mitigate potential harm to affected parties;
  3. Minimize adverse impact to all parties in an ethically and legally appropriate manner, to include minimizing reduction in operations, reputational harm, and/or financial harm;
  4. Appropriately communicate the incident or loss:
    1. To affected parties in a timely manner (as appropriate or as otherwise may be required by law);
    2. To regulatory agencies, news media, or other entities (as appropriate or required);
    3. To staff (as appropriate or required);
  5. Provide guidance or assistance in the development of specific corrective actions (including disciplinary actions when appropriate); and
  6. Conduct post-incident reviews, training and education, and provide internal communications in order to minimize potential future incidents.

5.14 STRAIN will fulfill all reporting requirements under state and federal law. In the event that a breach involves more than 500 individuals, the Public Relations company will prepare for the fallout that may occur once the covered entity conducts notification of the media.

Additionally, for the purpose of organizational improvement, information from investigation case files may be used to report to staff and management of various levels in the form of trainings, reports, or other means. Identifying information (both of patients and of staff), patient-specific information, and other sensitive information will be redacted as appropriate.


CONTACT US

To resolve a complaint regarding, or to receive further information about, the content of this document, please contact us at:

STRAIN, LLC.
PO Box 367017
San Juan, PR 00936-7017

[email protected]