BUSINESS SERVICE LEVEL AGREEMENT
Last updated May 21, 2022
This Agreement represents a Service Level Agreement (“SLA” or “Agreement”) between STRAIN and Customer for the provisioning of services required to support their mobile app and dashboard platform.
This Agreement remains valid until superseded by a revised agreement approved by STRAIN.
This Agreement outlines the parameters of all services covered as they are mutually understood by the Customer and STRAIN. This Agreement does not supersede current processes and procedures unless explicitly stated herein.
1. Business Service Level Agreement (“SLA”). STRAIN (“Company”) commits to provide a level of service for Customers guarantying:
1.1 99.99% uptime. Uptime is defined by a response from the client device to the API (“Availability”), measuredly on a calendar monthly basis (the “Availability Commitment”). Availability measures exclude downtime resulting from the following:
-Upgrades: The Customer will receive a notification via email from STRAIN prior to any upgrade scheduled tasks, tasks that will take effect during between 6pm and midnight Eastern Time.
-Pre-scheduled maintenance periods: The Customer will receive a notification via email from STRAIN prior to any pre-scheduled maintenance. Maintenance tasks shall be scheduled between 6pm and midnight Eastern Time.
-Emergency maintenance periods: The Customer will receive notifications via email from STRAIN prior and during the maintenance process. Emergency maintenance periods will involve applying security updates, system patches and or other repairs to bring back all services. Possible intermittence in different services may occur.
STRAIN availability terms does not apply to any downtime that results from: (i) account suspension or termination due to Customer’s breach of the Agreement; (ii) disengagement of functionality of the STRAIN Service due to Customer’s request; (iii) force majeure events or other matters beyond STRAIN’s reasonable control; or (iv) Customer’s or its service provider’s equipment, software or other technology.
1.2 Penalties. If the Service fails to meet the above service level, the Customer will receive a credit equal to the result of the Service Credit calculation in Section 4 of this SLA.
2. Service Management
Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services and related components.
2.1 Service Availability: Coverage parameters specific to the service(s) covered in this Agreement are as follows:
-Customer support hours: 9AM EDT to 9PM EDT Monday – Saturday
-Emails received outside of office hours will be collected, however no action can be guaranteed until the next working day
-Limited E-mail customer support will be available on the following days:
–Presidents Day (third Monday of February)
–Memorial Day (last Monday of May)
–Independence Day (July 4)
–Labor Day (first Monday of September)
–Thanksgiving Day (fourth Thursday in November)
–Christmas Eve (December 24)
–New Year’s Eve (December 31)
-Remote assistance will be provided in-line with the above timescales dependent on the priority of the support request.
-Calls received out of office hours will be forwarded to a phone answering service
-Live customer support will not be available on the following days:
–Christmas Day (December 25)
–New Year’s Day (January 1)
–Three kings Day (January 6)
2.2 Support methods. The following channels are covered by this Agreement:
Account representative telephone support
[email protected] monitored email support
Remote assistance using Anydesk or Team viewer softwares
2.3 Service Levels, Rankings, and Priority
Severity Level Response Description
1. Outage SaaS Immediate Server down
2. Critical High Within 10 mins. Risk downtime
3. Urgent Within 30 mins. End-user impacted
4. Important Within 60 mins. Potential for performance impact if not addressed
5. Informational Within 48 hours Inquiry for information
3. Service Credits.
3.1 The amount and method of calculation of Service Credits is described below in Section 4.
3.2 Service Credits are Customer’s sole and exclusive remedy for any violation of this SLA.
3.3 The total amount of Service Credits awarded in any twelve (12) month period shall not, under any circumstance, exceed one (1) month of a Customer’s cumulative total monthly service fees.
3.4 Service Credits for this SLA will only be calculated against monthly recurring fees associated with the Service.
4. Service Credit Calculation:
4.1 For any and each Outage Period during a monthly billing period the Company will provide as a Service Credit an amount calculated as follows: Service Credit = (Outage Period minutes * Affected Customer Ratio) ÷ Scheduled Availability minutes.
5. Security Incident Response
5.1 STRAIN is committed to appropriately protecting all information relating to its members and affiliates, as well as protecting its confidential business information (including information relating to its employees, affiliates, and members). To achieve this goal and to minimize the risk of loss, theft, or compromise of business or patient-related information, appropriate systems, operating procedures, and policies are in effect and are regularly reviewed and updated.
In the event of a privacy/security incident, the goals of STRAIN Privacy/ Incident Response Team are to:
5.2 A privacy incident is any attempt at, or occurrence of, unauthorized acquisition, exposure, disclosure, use, modification or destruction of sensitive data that compromises the security, confidentiality, or integrity of:
5.3 Incidents have a timeline that generally contains an Initial Response phase and a Continuing Response phase. Initial Response begins as soon as an incident is discovered or reported and includes time-sensitive first response actions to limit damage while a more organized response is being planned. Continuing Response includes all activities that are conducted necessary to close an incident case and include investigation, correcting processes, notifying affected individuals, and reporting to regulatory agencies as required by law. Generally, the activities within each phase are ongoing and may occur simultaneously, and there may be some overlap between Immediate Response activities and Continuing Response Activities.
Immediate Response (0-1 Business Day)
Continuing Response (0-15+ days)
5.4 Incidents that should be reported may include but are not be limited to:
5.5 STRAIN’s initial response to an incident can make the difference between a situation that is handled properly and a catastrophe. For instance, if a Security Incident is discovered involving a data breach of STRAIN system or network, the immediate steps taken to stop unauthorized access and secure data could make a huge difference in the amount of damage that could be inflicted to other parties.
Depending on the nature of an incident, its scale, potential impact, risk to the organization, or other factors, STRAIN staff may respond in a variety of ways to include:
5.6 When a breach is discovered, the management team may determine the need to conduct containment activities to stop additional information from being lost or disclosed, or to reduce the number of persons to whom information may reach. STRAIN members may, over their areas of responsibility or collaboratively, take steps to attempt having lost/stolen/inappropriately disclosed information returned or destroyed. For instance the Information Technology Department may shut down particular applications or third party connections, reconfigure firewalls, change computer access codes, or change physical access codes.
The Help Desk must still be notified of the incident to insure proper notification, resolution and follow up by the appropriate team members.
If applicable, staff members closest to the incident will determine the extent of the incident by identifying all information (and systems) affected, and take action to stop the exposure. This may include:
This would most typically occur in instances of electronic system intrusion, exposed physical (e.g. medical) files or records or similar situations.
5.7 STRAIN staff members will document all actions taken regarding an incident to include all steps taken. This may be done using incident logs, or systems designated for this purpose. Management team will begin to establish this documentation as soon as possible, at which point the incident response will considered an open case file.
Generally speaking, documentation, at a minimum, needs to provide thorough, complete documentation of an incident that can be used to fulfill reporting requirements to government agencies and to organizational senior leadership, as well as serve as legal documentation in the case of a future legal or regulatory proceeding. This documentation will include notations of analyses, notification, reporting, communication, meetings, and all other actions
5.8 As more information is gathered, responsible a staff member will assess each privacy/security incident to determine appropriate handling. For instance, while a minor and low risk incident may be assigned to and investigated by competent technicians within a department, the department may require that technician to escalate to management any incident that may damage the organization. The manager, in turn, may escalate the incident to the director, VP, or C- level staff member.
5.9 Upon notification of a real or potential privacy/security incident, the designee will perform a preliminary analysis of the facts and assess the situation to determine the nature and extent of the incident. Such analysis may include contacting the individual who reported the problem.
As needed, any/all members of the staff team may be involved in carrying out the activities of the Incident Response Plan. The plan will address the following:
5.10 Thorough investigation, and documentation of that investigation, is a critical component of incident response. Thorough investigation and documentation needs to be timely, accurate, and professional, and serves several purposes as listed below.
Purposes of thorough Investigation:
5.11 STRAIN has a legal and ethical obligation to mitigate (reduce) any harmful effects that result from privacy and security incidents. Though this is only legally required if STRAIN “has actual knowledge of harm,” STRAIN will also take reasonable and appropriate steps to prevent harm from occurring either to individuals or to the STRAIN organization. Actual privacy/security incidents may result in negative outcomes for the affected parties several months or years later – STRAIN must acknowledge and be prepared to handle this risk appropriately.
Examples of Mitigation:
5.12 Closely tied to mitigation, Correction should occur after any privacy or security incident in order to prevent future recurrence and to comply with organizational policy.
Examples of Correction:
5.13 Before an incident case file can be closed, STRAIN must have met the goals of incident response. To recap, those goals are to:
5.14 STRAIN will fulfill all reporting requirements under state and federal law. In the event that a breach involves more than 500 individuals, Public Relations company will prepare for fallout that may occur once the covered entity conducts notification of the media.
Additionally, for the purpose of organizational improvement, information from investigation case files may be used to report to staff and management of various levels in the form of trainings, reports, or other means. Identifying information (both of patients and of staff), patient specific information, and other sensitive information will be redacted as appropriate.
In order to resolve a complaint regarding or to receive further information regarding the content of this document, please contact us at:
PO Box 367017
San Juan, PR 00936-7017