First-SKU Launch · Format Stub
Book 1 · Ch 12 · Product Boundaries That Hold

SLA Template: Federal-Grade Service Level Agreement

A format specification for NorthAI's first customer SLA. Uptime tiers, response-time matrix, escalation paths, credit schedule, and FedRAMP security incident carve-out. Populated once rate card and customer details are confirmed.

2.1 · First-SKU Launch · artifact id: sla-template-v0.html · 2026-05-28 · v0 · format stub
Format stub · What this is and is not

This artifact is a format specification, not a filled-in contract. The SLA structure below reflects FedRAMP-aware defaults grounded in industry practice for federal SaaS vendors. The content fields marked [CONFIRM WITH TIM AND STEPHANIE] require NorthAI's internal decisions on rate cards, customer deployment environments, and escalation personnel before this template becomes a customer-facing document.

The engagement produces the filled version. This format shows what the engagement delivers. No section below constitutes a commitment by HARBOR Initiative LLC or NorthAI to any service level, pricing term, or legal obligation.

Section 1: Uptime SLA tiers

Federal customers expect uptime commitments expressed as annual availability percentages with corresponding allowed downtime windows. Two tiers are the standard structure for a federal SaaS product at the Level 2 productized service stage.

| Tier | Availability target | Allowed downtime (monthly) | Allowed downtime (annual) | Applicable to | Status |
| --- | --- | --- | --- | --- | --- |
| Standard | 99.9% | 43.8 minutes | 8.76 hours | Base subscription tier (CLIN 0001) | [CONFIRM: Is 99.9% the correct standard floor?] |
| Premium | 99.95% | 21.9 minutes | 4.38 hours | Agencies requiring higher availability SLA (optional upgrade, CLIN 0001 variant or CLIN 0003 T&M) | [CONFIRM: Is 99.95% the right premium ceiling given current infrastructure?] |

Measurement and exclusions

Measurement window: Calendar month. Availability is calculated as: ((Total minutes in month - Downtime minutes) / Total minutes in month) x 100.

Excluded from downtime calculation (standard exclusions):

  • Scheduled maintenance windows (notified 72 hours in advance, occurring between [CONFIRM: maintenance window hours, e.g., 02:00-06:00 ET Saturday])
  • Force majeure events (government-declared emergencies, natural disasters)
  • Downtime caused by customer action, customer equipment failure, or third-party integrations outside NorthAI's authorization boundary
  • FedRAMP-mandated security response actions (see Section 5 security incident carve-out)
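
The measurement rule above, worked through as an added example (not NorthAI's or HARBOR's code). Function names and the June 2026 sample data are constructed, the maintenance window uses the page's placeholder hours, all timestamps are assumed to be in ET, and the credit lookup assumes each Section 4 band's lower bound acts as a threshold.

```python
from datetime import datetime as dt

def merge(intervals):
    """Merge overlapping (start, end) pairs so no minute is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def minutes(start, end):
    return (end - start).total_seconds() / 60

def monthly_availability(month_start, month_end, outages, exclusions):
    """Return (availability %, counted downtime minutes) for one calendar month."""
    def clip(ivs):  # keep only the part of each interval inside the month
        return merge((max(s, month_start), min(e, month_end))
                     for s, e in ivs if e > month_start and s < month_end)
    out, exc = clip(outages), clip(exclusions)
    downtime = sum(minutes(s, e) for s, e in out)
    for s1, e1 in out:            # subtract minutes covered by an exclusion
        for s2, e2 in exc:
            lo, hi = max(s1, s2), min(e1, e2)
            if hi > lo:
                downtime -= minutes(lo, hi)
    total = minutes(month_start, month_end)
    return (total - downtime) / total * 100, downtime

def standard_credit_pct(availability):
    """Section 4 Standard-tier credit. Assumption: each band's lower bound is a
    threshold, so values between printed bands (e.g. 99.895) get the lower band."""
    for floor, credit in ((99.9, 0), (99.0, 10), (95.0, 25), (90.0, 40)):
        if availability >= floor:
            return credit
    return 50

# Constructed sample data for June 2026; all timestamps assumed to be in ET.
JUNE = (dt(2026, 6, 1), dt(2026, 7, 1))
MAINTENANCE = [(dt(2026, 6, 6, 2, 0), dt(2026, 6, 6, 6, 0))]   # notified window
OUTAGES = [
    (dt(2026, 6, 6, 5, 30), dt(2026, 6, 6, 6, 40)),      # 30 min inside maintenance
    (dt(2026, 6, 17, 14, 0), dt(2026, 6, 17, 14, 25)),
    (dt(2026, 6, 17, 14, 20), dt(2026, 6, 17, 14, 35)),  # overlaps previous alert
]

if __name__ == "__main__":
    pct, down = monthly_availability(*JUNE, OUTAGES, MAINTENANCE)
    print(f"{pct:.3f}% available, {down:.0f} min counted, credit {standard_credit_pct(pct)}%")
```

Summing the three raw alerts would count 110 minutes; merging the overlapping alerts and removing the portion inside the maintenance window leaves 75, which is the figure the formula should use.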

Monitoring: Uptime is tracked via [CONFIRM: monitoring tool, e.g., StatusPage, Datadog, AWS CloudWatch]. Status page URL: [CONFIRM URL]. Customers have read access to the status dashboard.

Section 2: Response-time matrix

Four severity levels map to the standard federal IT incident classification framework. Response times below are defaults grounded in common federal SaaS SLAs. Adjust based on NorthAI's current support team capacity and customer tier.

| Severity | Definition | Examples for NorthAI | Initial response (Standard) | Initial response (Premium) | Target resolution | Escalation trigger |
| --- | --- | --- | --- | --- | --- | --- |
| Sev 1 · Critical | Complete service unavailability. Production environment down. No workaround available. Federal mission impact. | Analytics platform unreachable; authentication service down; data ingestion pipeline halted with no bypass | Within 1 hour (24x7) | Within 30 minutes (24x7) | 4 hours (restore service); 24 hours (root cause) | Auto-escalate to Engineering Manager at 1 hour if unresolved. VP Engineering at 2 hours. |
| Sev 2 · High | Major feature degradation. Core functionality impaired but workaround exists. Limited mission impact. | Report generation latency exceeding 5x normal; specific data source connector failing; dashboard rendering incomplete for one or more agencies | Within 4 hours (business hours: 08:00-20:00 ET) | Within 2 hours (business hours) | 24 hours (workaround confirmed); 72 hours (resolution) | Auto-escalate to Engineering Manager at 4 hours if no workaround confirmed. |
| Sev 3 · Medium | Minor feature degradation or non-critical service disruption. Workaround available. No mission impact. | Non-critical report export failing; UI rendering issue in specific browser; integration with optional data source intermittent | Within 1 business day | Within 1 business day | 5 business days | Escalate to TAM at 2 business days if no update provided. |
| Sev 4 · Low | Cosmetic issue, documentation request, general inquiry, or enhancement request. No service impact. | UI label inconsistency; documentation update needed; feature request submission; general configuration question | Within 3 business days | Within 2 business days | Next scheduled release or 30 business days (as appropriate) | No escalation path; tracked in product backlog. |

[CONFIRM WITH TIM AND STEPHANIE: Current support team coverage hours and on-call rotation capacity. 24x7 Sev 1 coverage requires defined on-call rotation. Confirm whether NorthAI can commit to 24x7 response before offering the Standard SLA Sev 1 commitment above.]

Section 3: Escalation paths

Three escalation tiers. Personnel names are placeholders; populate with actual NorthAI team members before customer delivery.

| Tier | Role | Name | Contact | Escalation trigger |
| --- | --- | --- | --- | --- |
| Tier 1 | Technical Account Manager (TAM) | [CONFIRM NAME] | [CONFIRM EMAIL AND PHONE] | First point of contact for all Sev 1-4 issues. Owns ticket through resolution. Escalates to Tier 2 at defined thresholds. |
| Tier 2 | Engineering Manager | [CONFIRM NAME] | [CONFIRM EMAIL AND PHONE] | Sev 1 unresolved at 1 hour; Sev 2 unresolved at 4 hours (no workaround). Owns engineering response and customer communication during active Sev 1/2 incidents. |
| Tier 3 | VP Engineering (or CTO equivalent) | [CONFIRM NAME, Tim Otto?] | [CONFIRM EMAIL AND PHONE] | Sev 1 unresolved at 2 hours; any security incident triggering FedRAMP notification window; customer-escalated executive request. Final technical authority on incident response decisions. |

Federal contracting officer escalation path

Federal customers may also escalate through the Contracting Officer (CO) or Contracting Officer's Representative (COR) named in the task order. NorthAI's escalation path maps to the COR side as follows:

  • Sev 1: COR notified within 2 hours. CO notified at 4 hours if unresolved.
  • Sev 2: COR notified within 24 hours. CO notified at 48 hours if no resolution.
  • Security incidents: CO and COR notified within 1 hour of confirmed incident (pre-FedRAMP notification). FedRAMP notification to follow within 72 hours (see Section 5).

Section 4: Service credit schedule

Service credits are the standard remedy for SLA misses under a federal SaaS contract. Credits apply to the billing period in which the SLA miss occurred. Credits do not cascade to subsequent periods. Credits are the sole remedy for uptime SLA misses; they do not waive or reduce other contractual rights.

| Monthly availability (Standard tier) | Monthly availability (Premium tier) | Credit applied to next invoice |
| --- | --- | --- |
| 99.9% or above | 99.95% or above | 0% (SLA met; no credit) |
| 99.0% to 99.89% | 99.5% to 99.94% | 10% of monthly subscription fee |
| 95.0% to 98.99% | 95.0% to 99.49% | 25% of monthly subscription fee |
| 90.0% to 94.99% | 90.0% to 94.99% | 40% of monthly subscription fee |
| Below 90.0% | Below 90.0% | 50% of monthly subscription fee (maximum credit) |

Credit claim process
  • Customer must submit credit claim within 30 days of the billing period in which the SLA miss occurred.
  • NorthAI provides supporting uptime data from the monitoring system within 5 business days of claim receipt.
  • Credits are applied to the next invoice; no cash refunds unless contract is terminating.
  • Maximum cumulative credit in any 12-month period: 50% of annual contract value. Credits beyond this threshold are not provided; persistent performance issues at this level should trigger contract review under the remediation clause.

[CONFIRM WITH TIM AND STEPHANIE: Is the 50% annual cap acceptable? Does legal counsel need to review the credit structure before customer delivery?]

Section 5: FedRAMP security incident carve-out

Security incidents that trigger FedRAMP notification requirements are subject to a separate timeline and procedure that supersedes the standard SLA response-time matrix in Section 2. This carve-out is not optional for a FedRAMP-authorized product; it reflects the mandatory federal notification framework.

FedRAMP mandatory notification timeline · Supersedes Section 2 for security incidents

| Timeline | Required action | Recipient |
| --- | --- | --- |
| 1 hour | Verbal or written notification of confirmed or suspected security incident to customer COR and CO | Customer Contracting Officer (CO) and Contracting Officer's Representative (COR) |
| 2 hours | Initial incident report (preliminary scope, affected systems, containment steps in progress) | CO, COR, NorthAI compliance lead, NorthAI VP Engineering |
| 72 hours (mandatory) | Formal federal incident notification submitted to FedRAMP Program Management Office, US-CERT, and all customer agencies using the authorized system | FedRAMP PMO, US-CERT, all customer agencies (agency ISSOs) |
| 7 days | Incident summary report: confirmed scope, root cause (if determined), remediation steps taken, current status, POA&M entry for residual risk | All customers, FedRAMP PMO, 3PAO (if assessment update triggered) |
| 30 days | Root cause analysis and final incident report. Updated SSP if boundary was affected. 3PAO notification if significant boundary change occurred. | FedRAMP PMO, all customers, 3PAO, CO/COR |

Critical note: The 72-hour FedRAMP notification window is a regulatory requirement, not an SLA commitment. Failure to notify within 72 hours can result in suspension or revocation of FedRAMP authorization. Standard SLA credits (Section 4) do not apply during a declared security incident. A separate incident remediation process governs customer remedies during and after a security event.

What counts as a security incident under this carve-out
  • Unauthorized access to, or disclosure of, federal data processed by the authorized system
  • Compromise of authentication credentials for federal user accounts
  • Ransomware, malware, or destructive attack on system components within the authorization boundary
  • Data exfiltration or suspected data exfiltration involving federal agency data
  • Breach of the authorization boundary (new data flows, integrations, or data types not documented in the SSP)

Routine technical issues (Sev 1 outages, performance degradation, failed deployments) that do not involve unauthorized data access or boundary compromise are governed by Sections 2-4, not this security incident carve-out.

Inputs needed to finalize this SLA

Tim and Stephanie inputs required before customer delivery
  1. Support coverage hours. Can NorthAI commit to 24x7 Sev 1 response, or is the realistic standard 08:00-20:00 ET with best-effort off-hours? This determines whether the Standard tier Sev 1 response (1 hour, 24x7) is achievable.
  2. Escalation personnel names. TAM, Engineering Manager, and VP Engineering (or CTO) names and contact info for Sections 3 and 5.
  3. Infrastructure uptime baseline. What is the current measured uptime of the NorthAI platform? If AWS GovCloud managed services underpin the product, AWS SLA (99.99%) provides headroom. If any component is below 99.9% measured availability, the Standard tier SLA is not defensible until that component is addressed.
  4. Maintenance window preference. Proposed maintenance window hours for the scheduled downtime exclusion in Section 1.
  5. Legal review. The credit schedule and security incident carve-out language should be reviewed by NorthAI's legal counsel before customer delivery. HARBOR research provides the federal-aware defaults; legal counsel confirms enforceability and contract-specific modifications.
  6. GovCloud status page URL. Monitoring dashboard URL for inclusion in Section 1.