Document Version: 1.0
Effective Date: 2026-03-22
Last Updated: 2026-03-22
1. Overview and Commitments
CleanStart provides container image hardening and supply chain security services. This SLA defines our service availability, remediation guarantees, and support commitments.
Core SLA Commitments
CleanStart's core service commitments establish clear expectations for infrastructure reliability and security patching. Infrastructure uptime is committed to 99.95% monthly measured through external monitoring while excluding planned maintenance windows. Critical CVE remediation must be completed within 7 days with patches released, tested, and ready for customer deployment. High-severity CVEs require remediation within 14 days following the same process. Medium-severity CVEs allow 30 days for remediation, with the patch released but customer deployment at the team's discretion. Support response times vary by tier and are detailed in Section 5. Planned maintenance is limited to less than 4 hours per month and requires 72 hours advance notice.
2. Infrastructure Availability and Uptime Guarantee
2.1 Uptime SLA: 99.95%
Definition: Service availability measured as percentage of minutes where CleanStart API endpoints respond with success (HTTP 2xx or 3xx) to synthetic health checks.
Uptime measurement relies on synthetic health checks deployed from 5 geographically distributed monitoring points, ensuring no single regional outage can trigger false SLA calculations. Checks execute every 60 seconds, and the response time threshold is 500ms. Success requires >99.95% of all checks within a calendar month. Uptime calculations exclude planned maintenance, customer network issues, and DDoS attacks.
Monthly Uptime Target: 99.95% = 21.6 minutes downtime allowed per month. 99.90% = 43.2 minutes downtime allowed per month.
Calculation:
Monthly Uptime % = (Total Seconds - Downtime Seconds) / Total Seconds × 100
Monitoring: Public status page at status.cleanstart.com with real-time uptime reporting
2.2 Service Credits for SLA Shortfalls
If CleanStart fails to meet uptime SLA, customer receives service credit:
| Monthly Uptime | Service Credit |
|---|---|
| 99.90% to <99.95% | 10% of monthly bill |
| 99.0% to <99.90% | 25% of monthly bill |
| 98.0% to <99.0% | 50% of monthly bill |
| <98.0% | 100% of monthly bill |
How to Claim:
- Incident must be documented in CleanStart status page or confirmed via support ticket
- Customer submits credit request within 30 days of incident
- CleanStart issues credit as account credit (next billing cycle) within 15 days of approval
- Total credits per year capped at 12 months' billing (customer cannot be "paid" more than their annual contract)
Exclusions (no credit): Customer-caused downtime (misconfigured credentials, deleted resources). Force majeure (earthquake, war, government action). Customer's network or ISP issues. DDoS attacks (unless CleanStart's DDoS protection was disabled).
2.3 Excluded Incidents
The following are excluded from uptime calculations and do not trigger service credits:
- Planned Maintenance Windows: Up to 4 hours monthly, typically 2am-6am US Eastern. Notice: 72 hours in advance via status page. No service credit if announced in advance.
- Force Majeure: Acts of God, natural disasters, war, government action. Justification required; customer notification within 4 hours.
- DDoS Attacks: If attack overwhelms infrastructure and DDoS protection is enabled: No credit. If attack overwhelms and DDoS protection disabled by customer: No credit. CleanStart will notify customer and work to mitigate.
- Customer Network: Customer's ISP outage, firewall issues, DNS resolution failures. CleanStart provides logs showing successful API processing; failures were in customer's network.
- Third-Party Service Failures: AWS region outage (rare): CleanStart fails over to secondary region if available. If failover takes >4 hours: prorated credit allowed. Subcontractor issues (Okta, GitHub outages): No credit unless CleanStart depends entirely on failed service.
3. Critical CVE Remediation SLA
3.1 7-Day Critical CVE Remediation Guarantee
Definition:
- Critical CVE: CVSS ≥9.0 OR known active exploitation OR vendor advisory indicating supply chain attack risk.
- Remediation: CleanStart releases patched image; customer deployment required.
Timeline:
- Day 0: CVE Disclosed (NVD, vendor advisory, or CISA alert)
- Day 1: CleanStart security team assesses impact on CleanStart images
- Day 1-2: Patch applied to base image, tested in staging
- Day 3-5: Image rebuilt, signed, SBOM + attestation generated, tested in production-like environment
- Day 6-7: Patched image released to customer; notification sent
Scope: Applies to CleanStart-maintained base images (e.g., cleanstart/python, cleanstart/nodejs, cleanstart/go). Does NOT apply to customer's custom application code (customer responsibility). Does NOT apply to dependencies customer adds (customer responsibility for patching).
Measurement: Start: CVE disclosure date (NVD publish date or CleanStart discovery, whichever is later). End: Image released and available in customer registry with signed attestation. Evidence: Release notes, image build timestamp, git commit date.
3.2 High and Medium CVE Remediation
| Severity | CVSS | SLA | Notification |
|---|---|---|---|
| High | 7.0-8.9 | 14 days | Email within 24 hours of discovery |
| Medium | 4.0-6.9 | 30 days | Email within 48 hours of discovery |
| Low | 0-3.9 | Next quarterly release | Monthly security bulletin |
Notice Requirements: Customer receives email notification listing:
- CVE ID and CVSS score
- Affected images/packages
- Remediation timeline
- Recommended action
3.3 SLA Exceptions and Exclusions
Does NOT trigger 7-day SLA:
- Zero-day vulnerabilities (unpatched in upstream projects)
  - Remedy: CleanStart releases workaround or interim patch within 48 hours
  - Full upstream patch applied when available (separate SLA)
- Vulnerabilities in customer's added dependencies
  - Customer responsibility to patch their dependencies
  - CleanStart provides SBOM identifying all packages in image
- Vulnerabilities requiring architectural changes
  - Example: CVE requiring API redesign, not applicable via patch
  - CleanStart communicates remediation plan within 5 business days
- Vulnerabilities deemed "low priority" by security team
  - Explained in release notes; customer can request alternative timeline
SLA Waiver Options: Customer can request extended timeline if:
- Testing window is insufficient
- Business requirement requires staggered deployment
- Written request to security@cleanstart.com before SLA deadline
4. Support Tiers and Response Times
4.1 Support Tier Structure
CleanStart offers three support tiers:
| Tier | Monthly Cost | Response Time | Available Hours | Use Case |
|---|---|---|---|---|
| Standard | Included | 24 hours | Business hours (M-F 8am-6pm ET) | Non-critical issues, documentation, billing |
| Premium | +$500 | 4 hours | Business hours (M-F 8am-6pm ET) | Urgent issues, deployment guidance |
| Enterprise | +$2,000 | 1 hour | 24/7/365 | P1 incidents, security incidents, compliance support |
4.2 Priority Classification
| Priority | Criteria | Example | Response Time |
|---|---|---|---|
| P1 - Critical | Service unavailable; security incident; production data breach risk | CleanStart API down; image signing key compromised; P1 CVE in prod | 1 hour (Enterprise), 2 hours (Premium), 4 hours (Standard) |
| P2 - High | Service degraded; workaround exists; major functionality broken | API response time >5s; image pull failing intermittently | 4 hours (Enterprise), 8 hours (Premium), 24 hours (Standard) |
| P3 - Medium | Minor functionality issue; no workaround; low business impact | Image metadata missing from SBOM; attestation not generating | 24 hours (Enterprise), 48 hours (Premium), 5 days (Standard) |
| P4 - Low | Documentation request; feature question; enhancement request | "How do I export attestations?"; "Can we add feature X?" | No SLA (best effort) |
4.3 Support Response and Resolution
Response vs. Resolution: Response: Ticket acknowledged, issue confirmed, initial troubleshooting started. Resolution: Issue fixed, service restored, or root cause documented.
SLA Examples:
P1 Incident (Enterprise Tier): Response SLA: 1 hour. Investigation SLA: 4 hours (root cause identified). Resolution SLA: 24 hours (fix deployed or workaround provided). Example: Image registry offline
- T+0:00: Support ticket submitted
- T+0:45: Support engineer on call; investigating
- T+3:00: Root cause found (database failover triggered)
- T+8:00: Service restored; customer notification sent
P2 Incident (Premium Tier): Response SLA: 4 hours. Investigation SLA: 8 hours. Resolution SLA: 48 hours. Example: Slow API response (5s instead of 200ms)
- T+0:00: Support ticket submitted
- T+3:45: Support engineer begins investigation
- T+12:00: Root cause identified (caching layer full)
- T+30:00: Fix deployed; performance restored
4.4 Escalation Procedure
Standard Tier: Issue remains unresolved after 24 hours → Escalate to Senior Support Engineer. Senior engineer has 4 hours to provide status or propose escalation to Premium/Enterprise.
Premium Tier: Issue remains unresolved after 48 hours → Escalate to Product Security Team. P1 issues not resolved within 12 hours → Escalate to VP Engineering.
Enterprise Tier: P1 issues: Escalate to VP Engineering immediately if not resolved within 4 hours. CISO notification required for P1 security incidents.
5. Reporting and Transparency Commitments
5.1 Monthly SLA Report
CleanStart provides monthly SLA report to all customers:
Report Contents: Uptime percentage (99.95% or actual %). Service credit eligibility (if applicable). Incident summary (P1/P2 incidents: brief description, impact, resolution). Performance metrics (API response time, image build time, registry availability). Planned maintenance forecast for next 30 days.
Delivery: Email to primary contact by 5th business day of month
Access: Customers can also download report from console anytime
5.2 Public Status Page
CleanStart maintains public status page: status.cleanstart.com
Content:
- Real-time system status (All Green / Some Issues / Major Outage)
- Individual component status:
  - API endpoints
  - Container registry
  - Build service
  - Signing service
  - Monitoring/alerting
- Incident timeline (real-time updates during incidents)
- Planned maintenance calendar (72 hours in advance)
Subscription: Customers can subscribe to status updates (email, Slack, SMS)
5.3 Incident Reporting
Post-Incident Report (PIR): Provided within 10 business days of P1/P2 incident
Report Contents: Timeline: When incident was first detected, when customer was notified, when resolved. Root cause: Technical explanation of what failed. Impact: How many customers affected, duration, what functionality was unavailable. Response: What CleanStart did to mitigate. Prevention: Changes made to prevent recurrence. Lessons learned: Anything we're improving going forward.
Example:
Incident: API Endpoint Timeouts (2026-03-15, 14:30-15:45 UTC)
Timeline:
- 14:30 UTC: Monitoring alert: API response time exceeded 5s threshold
- 14:35 UTC: On-call engineer confirmed issue; incident declared
- 14:40 UTC: Status page updated; customer notifications sent
- 14:50 UTC: Root cause identified: database connection pool exhaustion
- 15:00 UTC: Temporary fix applied: increased connection pool size
- 15:15 UTC: Full fix deployed: database optimization applied
- 15:45 UTC: Issue fully resolved; status page updated
Impact:
- 3 customers experienced intermittent image pull failures
- Duration: 75 minutes
- Affected operations: Image registry pulls, build API calls
Root Cause:
- A new feature introduced database query that scaled poorly with image count
- Under load, database connections exhausted, blocking all queries
- Immediate fix: Increased connection pool to 200 (from 50)
- Long-term fix: Query optimization + connection pooling configuration improvement
Prevention:
- Added load testing to CI/CD pipeline
- Database connection monitoring added to alerting
- Code review process updated to flag database-intensive queries
5.4 Annual Audit Review
CleanStart commits to: Annual SLA Review: Compare actual performance vs. committed SLA. Customer Feedback: Solicit feedback on support quality, response times. Public Annual Report: Publish aggregate statistics (uptime %, incident count, average response time).
6. Data and Infrastructure Guarantees
6.1 Backup and Recovery
Backup Guarantee: All customer data backed up hourly. Backups retained for 30 days (longer retention available). Recovery point objective (RPO): 1 hour (maximum data loss). Recovery time objective (RTO): 4 hours (maximum service restoration time). Tested quarterly: Disaster recovery drill completed every 90 days.
Evidence: Customer can request backup verification; CleanStart will provide: Last backup timestamp. Backup size and integrity checksum. Recovery testing results (from most recent drill).
6.2 Data Residency Guarantee
Default Region: US (aws-us-east-1 or aws-us-west-2)
Customer Choice: At account creation, customer can select: US: US regions only (default). EU: EU regions only (GDPR-compliant). Custom: By special request (minimum annual commitment required).
Data Immutability: Once region selected, container image data never leaves that region without explicit customer authorization.
Subcontractor Locations: AWS data center locations per customer region selection
7. Security Incident SLA
7.1 Security Event Classification
| Severity | Description | Notification SLA |
|---|---|---|
| Critical | CleanStart infrastructure compromised; customer data exposed or at immediate risk | Within 4 hours |
| High | Third-party vendor compromised (AWS, Okta, etc.); CleanStart controls prevent exposure | Within 24 hours |
| Medium | Vulnerability found in CleanStart software; assessed as low risk | Within 5 business days |
| Low | Security issue discovered through responsible disclosure; no customer impact | Monthly security bulletin |
7.2 Notification Process
Critical Security Incident:
- T+0: Internal incident classification; decision to notify customers
- T+4 hours: Initial notification email to primary contact + CISO:
  - Incident description (non-technical summary)
  - Affected systems (which customer data)
  - Immediate actions CleanStart is taking
  - Recommended customer actions
- T+24 hours: Detailed technical briefing (optional, by request)
- T+5 business days: Full root cause analysis + remediation steps
Content of Notification:
Subject: [SECURITY] CleanStart Security Incident Notification

Dear [Customer Name],

We are notifying you of a security incident that may affect your account.

Incident: [Brief description]
Severity: [Critical/High/Medium]
Affected: [Which CleanStart services/data affected]
Timeline: [When discovered, when reported]

What CleanStart is doing:
- [Immediate containment steps]
- [Investigation in progress]
- [Additional safeguards enabled]

What you should do:
- [Recommended immediate actions]
- [Optional: review your access logs]

For more information:
- Security contact: security@cleanstart.com
- Status page: status.cleanstart.com
- Additional briefing: [link to secure portal]

Sincerely,
CleanStart Security Team

8. Escalation and Dispute Resolution
8.1 SLA Dispute Process
If customer disputes SLA compliance:
- Notification (within 30 days of incident): Email to support@cleanstart.com with: Date/time of incident. Evidence of SLA non-compliance. Specific SLA clause allegedly violated.
- Investigation (within 5 business days): CleanStart reviews logs, monitoring data. Provides detailed response explaining SLA status. Offers resolution (credit, extended service, etc.).
- Appeal (if customer disagrees with investigation): Email to escalation@cleanstart.com with additional evidence. VP of Operations investigates within 10 business days. Final decision binding.
8.2 Service Credit Request Process
How to Request Credit:
- Log into console: Account → Billing → SLA Credits
- Or email support@cleanstart.com with: Incident date/time. Evidence of SLA shortfall (screenshot from status page OK). Link to related support ticket (if applicable).
Approval: CleanStart approves or denies within 15 business days; credit applied next billing cycle
9. Contract Terms Related to SLA
9.1 SLA Modifications
CleanStart may modify SLA with 30 days' notice. Modifications apply to new contracts and renewals; existing contracts remain under previous SLA until renewal.
Notice Method: Email to all customer contacts; posted on status page
9.2 Sole Remedy
Service credits are the sole and exclusive remedy for SLA non-compliance. Customer waives right to: Terminate contract for SLA breach. Claim damages beyond service credit. Legal action for SLA-related disputes (except fraud).
Service credits cap at 12 months' billing per calendar year.
10. SLA Support by Product
10.1 Source Intelligence Core API
Availability SLA: 99.95% (same as infrastructure)
Response Time SLA: P50 latency: <200ms. P95 latency: <500ms. P99 latency: <2 seconds.
Measurement: Monthly report includes latency percentiles
Exceeding SLA: If latency SLA breached in a calendar month, customer receives 5% service credit
10.2 CleanStart Image Registry
Availability SLA: 99.95%
Image Pull Performance SLA: <100MB images: <5 seconds pull time. 100MB-500MB images: <15 seconds pull time. >500MB images: <30 seconds pull time.
Measurement: Average pull time per size tier, reported monthly
Exceeding SLA: 5% service credit if performance SLA breached
10.3 Build and Signing Service
Build SLA: Build initiation: <5 minutes after commit. Build completion (avg): <30 minutes (varies by image complexity).
Signing SLA: Image signing: <5 minutes after build completes.
Uptime: 99.9% (lower than API due to compute resource constraints)
11. Glossary
MTTR (Mean Time to Repair): Average time from incident detection to resolution. RPO (Recovery Point Objective): Maximum acceptable data loss (time-based). RTO (Recovery Time Objective): Maximum acceptable service outage duration. Uptime: Percentage of time service is available and responding correctly. SLA (Service Level Agreement): Contractual commitment to service quality. Incident: Any unplanned outage or degradation of service. P1/P2/P3/P4: Priority levels for support tickets and incidents.
12. Contact Information
Support Portal: console.cleanstart.com/support
Email: General support: support@cleanstart.com. Security incidents: security@cleanstart.com (24/7). Compliance/SLA: compliance@cleanstart.com. Escalation: escalation@cleanstart.com.
Status Page: status.cleanstart.com
Phone: +1 (555) 123-4567 (Enterprise tier customers only)
Effective Date: 2026-03-22 Next Review: 2027-03-22 Maintained by: VP of Operations and Product Security Team
