
Information Security Service Level Agreements (SLAs)
ℹ️ Information Security Service Level Agreements (SLAs) set out the security measures and assurances the service provider commits to for its customers. They serve as a foundational document for a collaborative and transparent relationship between the service provider and its customers.
These SLAs record the mutual understanding and expectations concerning information security practices and commitments for the security focus areas defined by the service provider below.
Incident Management:
- Incident Processing: In line with information security best practice, any incident categorized as high or critical will be acknowledged and response work (triage and containment) begun within a maximum of 2 hours of detection. This is a response-time commitment, not a time-to-resolution.
- Incident Communication: Customers will be notified of all incidents rated as critical within a maximum of 2 hours of the incident being classified as critical. Thereafter they will receive regular updates on incident response and recovery efforts, communicated exclusively through secure, predefined, and authorized channels.
- Incident Reporting: Quarterly incident reports will be provided to the customer.
Vulnerability Management:
- Continuous Asset Tracking: The service provider will continuously monitor its assets for vulnerabilities using reputable sources, including direct vendor advisories. High or critical severity vulnerabilities will be remediated within a maximum of 1 business day of becoming known to the service provider.
Access and Privilege Management:
- Identity and Privilege Life-Cycle: Quarterly reviews of identity and privilege life-cycles and of privileged account usage will be conducted and documented.
Patch Management:
- Timely Patching: Patches for information systems, software, applications, etc., will be applied within a maximum of 5 business days of their release by the vendor. Patches that remediate a high or critical severity vulnerability are subject to the shorter timeline under Vulnerability Management (1 business day).
Security Reporting:
- Compliance Reporting: Regular reports on compliance status against the agreed security requirements will be provided. Quarterly reports will cover compliance with the AWS CIS Benchmarks and with the service provider's security concepts and policies.
- Availability Reporting: Routine reports on service and resource availability will be provided. Information systems will maintain 99.99% availability for authorized users during authorized times.
Technical Security Reviews and Penetration Testing:
- Penetration Testing: Penetration testing will be conducted at least once a year. Any high or critical findings will be remediated within a maximum of two business days.
- Code Assessments and Reviews: Static and dynamic security testing, together with peer code review, will be carried out as part of the development process. All vulnerabilities rated medium or higher will be resolved before the code is deployed to production.
Internal Audits:
- Annual Audits: Internal audits will be conducted annually, with findings fed into the continual improvement process. All findings will be addressed before the annual information security management meeting.
These SLAs will be reviewed and updated annually to keep pace with the threat landscape, technology changes, and business requirements. Both parties commit to regular communication and collaboration so that emerging security challenges are handled proactively and the effectiveness of security controls is evaluated.