Service Commitments and Support Tier Details
CleanStart's service commitments cover image delivery, vulnerability remediation, and customer support. Use this document when signing enterprise contracts, evaluating CleanStart as a critical vendor, setting internal SLAs with your stakeholders, escalating production incidents, or evaluating support tier cost/benefit.
Key Principle: CleanStart commitments apply only to images published to registry.cleanstart.com and clnpkgs.clnstrt.dev. Custom/private images built for specific customers have tailored SLAs per contract.
Image Delivery SLA
Registry Availability Commitment
The target uptime is 99.9% measured monthly. This translates to a maximum of 43 minutes of downtime per month.
The primary registry endpoint registry.cleanstart.com is served over HTTPS with TLS 1.3 support and works with Docker, Podman, containerd, and CRI-O. The registry is geographically redundant across the us-central, eu-west, and ap-southeast regions, and is accelerated by the CloudFlare CDN across 100+ edge locations globally.
The supporting registry clnpkgs.clnstrt.dev is the Alpine package repository; it is served over HTTPS and its APK packages are signed. Its mirrors span multiple CDN endpoints and carry the same 99.9% availability commitment as the primary registry.
CleanStart schedules planned maintenance during low-traffic windows to minimize customer impact, limiting it to a maximum of 4 hours per calendar month. All maintenance is communicated on status.cleanstart.dev so you can plan your deployments accordingly, with typical maintenance windows occurring on Tuesday mornings from 2-4 AM Pacific time.
During maintenance windows, the registry may be temporarily unavailable and push/pull operations may fail. However, images that have been pulled recently remain available from CDN edge locations, and new image pulls from cache may experience a slight latency increase. To mitigate the impact of maintenance windows, maintain a registry mirror in your infrastructure for critical images, allowing deployments to succeed even if registry.cleanstart.com is temporarily unavailable.
Image Update Cadence and Frequency
CleanStart follows a regular release schedule with monthly base releases on the 2nd Tuesday at 12:00 AM UTC, announced with 7 days notice. Security patches for critical CVEs are released within 24 hours of discovery with immediate notification. High CVE security patches are released within 7 days of discovery with 24-hour notification. Bugfix releases are delivered as needed within 30 days, with notification posted in the changelog.
CleanStart supports the current major version with comprehensive updates and the previous major version with critical updates only, providing a rolling support window.
The Python runtime provides a concrete example of this timeline. When Python 3.11 releases in October 2024, it receives full support including patches, bugfixes, and security updates. When Python 3.12 releases in March 2025, python:3.12 receives full support while python:3.11 enters a 12-month limited support window where it receives only security patches and critical bugfixes. When Python 3.13 releases in March 2026, python:3.13 receives full support, python:3.12 receives security patches only, and python:3.11 reaches end-of-life with no further support.
This general rule applies across all runtimes: the current major version receives full support including new features, bugfixes, and security patches. The previous major version receives 12 months of support limited to security patches and critical bugfixes. Older versions reach end-of-life and receive no guaranteed support.
Breaking Changes Policy
Breaking changes are defined as significant modifications that may require application changes to maintain compatibility. These include major version upgrades in the primary component such as Python 3.11 to Python 3.12, base OS changes affecting binary compatibility like Alpine 3.18 to Alpine 3.20, removal of commonly-used packages or utilities that applications depend on, changes in default configuration or behavior, and new minimum system requirements that affect deployment feasibility.
The communication timeline is structured in phases. Announcements are made 6 months before the change via email and changelog notification. A detailed migration guide is published concurrently with the announcement. Pre-release test images become available 4 weeks before the production release for validation. The production release occurs on the announced date. A deprecation period of 12 months follows the production release, during which the old version receives security patches only.
Example: Python 3.11 → 3.12 Transition
The announcement is made on 2025-09-01 with the Python 3.12 launch scheduled for 2026-03, and the migration guide is published simultaneously. Test images python:3.12-rc1 become available on 2026-02-15. The production release python:3.12 replacing python:3.11 occurs on 2026-03-15. From 2026-03-15 to 2027-03-15, python:3.11 receives security patches only. Finally, on 2027-03-16, python:3.11 reaches EOL with no support.
Vulnerability Response SLA
CVE Detection and Disclosure Timelines
CleanStart's vulnerability detection system continuously monitors the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), Open Source Vulnerabilities (OSV), and upstream project security announcements to identify newly discovered vulnerabilities affecting CleanStart images.
SLA Matrix: Detection to Fix
CleanStart maintains different response timelines based on vulnerability severity. Critical vulnerabilities (CVSS 9.0 or higher), which represent exploitable remote code execution with an immediate threat to production, must be fixed within 24 hours, and notification is sent within 1 hour. High severity vulnerabilities (CVSS 7.0 to 8.9) must be fixed within 7 days, and notification is sent within 24 hours. Medium severity vulnerabilities (CVSS 4.0 to 6.9) must be fixed within 30 days, with weekly digest notifications. Low severity vulnerabilities (CVSS below 4.0) must be fixed within 90 days, with monthly digest notifications.
CVE Assessment Process
Vulnerability detection happens automatically within 1 hour of public disclosure. Automated scanning identifies vulnerable components in CleanStart images, and the severity is assessed using CVSS v3.1 scores. The impact is analyzed to determine which published images are affected.
Immediate triage follows within 2 hours. The security team determines whether the vulnerability affects any published images. If not, the vulnerability is documented and closed. If yes, the vulnerability is escalated to the remediation team.
Customer notification follows the SLA timeline specified in the severity classification. Email is sent to all affected customers, an advisory is posted to cleanstart.dev/security, webhook notifications are sent to Enterprise tier customers, and the RSS feed at https://cleanstart.dev/security/feed.xml is updated for other subscription methods.
Remediation begins immediately. The upstream component is patched or a workaround is applied, affected images are rebuilt, and the patch is verified with security scanning tools like Trivy or Grype.
Release and verification conclude the process. The patched image is published with a new build date, the SBOM is updated to reflect the patched component version, the image and attestations are signed, and an independent security scan verifies the patch was successful.
Response SLA Details
Critical Severity (CVSS 9.0+)
The response window is 24 hours from vulnerability discovery. An example timeline: CVE-2025-12345 is disclosed at 2025-03-15 10:00 UTC with CVSS 9.8. CleanStart detection and assessment occurs at 10:30 UTC. At 10:45 UTC, the vulnerability is found to affect 8 published images. At 11:00 UTC, the customer notification email is sent. At 11:15 UTC, the remediation team begins work. By 14:00 UTC, a patch is applied to the build system. At 16:00 UTC, images are rebuilt and scanned. The patched images are published at 16:30 UTC, and verification is complete with customer notification at 17:00 UTC.
All customers from Community through Enterprise receive email notifications. Enterprise tier customers receive webhook notifications. The CleanStart security team is alerted via Slack. CleanSight users see dashboard notifications.
Customers can receive updates via security advisory email, the CleanStart dashboard at status.cleanstart.dev, automated webhooks (Enterprise only), and GitHub releases coordinated with GHSA.
What customers receive is a detailed email notification stating "SECURITY ALERT: Critical CVE affects Python 3.12, Node.js 20, etc." with the vulnerability details CVE-2025-12345: [Vulnerability Title] (CVSS 9.8). The affected images section lists all impacted images including registry.cleanstart.com/cleanstart/python:3.12, registry.cleanstart.com/cleanstart/python:3.11, registry.cleanstart.com/cleanstart/node:20, and others (8 total). Action required is to pull the new image registry.cleanstart.com/cleanstart/python:3.12-build20250315. The remediation status shows patched and published as of 2025-03-15 17:00 UTC. Contact information is provided at security@cleanstart.dev.
High Severity (CVSS 7.0 - 8.9)
The response window is 7 days from vulnerability discovery, with notification within 24 hours. An example timeline: a high severity CVE is discovered on 2025-03-10, and CleanStart detection and triage occurs 1 hour later. Customer notification is provided at 4 hours. Remediation development and testing spans 2025-03-10 to 2025-03-17. Patched images are published by end of day on 2025-03-17.
Medium Severity (CVSS 4.0 - 6.9)
The response window is 30 days with weekly security digest notification (or immediate if combined with other CVEs). A timeline example shows a medium CVE discovered on 2025-03-10. It is included in the weekly security digest on 2025-03-15. Patch application and testing occurs from 2025-03-17 to 2025-04-10. The patched image is published by 2025-04-09, within the 30-day window.
Low Severity (CVSS < 4.0)
The response window is 90 days with monthly security digest or next scheduled release notification. A timeline example shows a low CVE discovered on 2025-03-10. It is included in the monthly digest on 2025-04-01 if still pending. The patched image is published by 2025-06-08, within the 90-day window.
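A consumer-side check of the severity matrix and the timelines above, as an added example that is not CleanStart's own tooling: it maps a CVSS score onto the document's buckets, derives the fix and notification deadlines from the disclosure time, and reports whether each was met, missed, still pending, or overdue. The first sample record reproduces the document's CVE-2025-12345 timeline; the other records, their IDs and scores are constructed for illustration, and the weekly/monthly digest cadences are this example's reading of the medium/low notification windows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Severity matrix as stated in the document: (severity, minimum CVSS, fix window,
# notification window). Medium and Low notifications are digests; the windows used
# here (weekly and monthly) are this example's assumption about that cadence.
SLA_MATRIX = [
    ("Critical", 9.0, timedelta(hours=24), timedelta(hours=1)),
    ("High",     7.0, timedelta(days=7),   timedelta(hours=24)),
    ("Medium",   4.0, timedelta(days=30),  timedelta(days=7)),
    ("Low",      0.0, timedelta(days=90),  timedelta(days=30)),
]


def classify(cvss: float):
    """Map a CVSS v3.1 base score onto the document's severity buckets."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for severity, floor, fix_window, notify_window in SLA_MATRIX:
        if cvss >= floor:
            return severity, fix_window, notify_window
    raise AssertionError("unreachable: the Low bucket has floor 0.0")


@dataclass
class Advisory:
    cve_id: str
    cvss: float
    disclosed: datetime           # public disclosure time (UTC)
    notified: Optional[datetime]  # when the vendor notified you, None if not yet
    patched: Optional[datetime]   # when the patched image was published, None if not yet


def _status(actual: Optional[datetime], deadline: datetime, now: datetime) -> str:
    if actual is not None:
        return "met" if actual <= deadline else "missed"
    return "pending" if now <= deadline else "overdue"


def evaluate(adv: Advisory, now: datetime) -> dict:
    """Compute both deadlines for one advisory and whether each was honoured."""
    severity, fix_window, notify_window = classify(adv.cvss)
    fix_deadline = adv.disclosed + fix_window
    notify_deadline = adv.disclosed + notify_window
    return {
        "cve_id": adv.cve_id,
        "severity": severity,
        "fix_deadline": fix_deadline,
        "fix": _status(adv.patched, fix_deadline, now),
        "notify_deadline": notify_deadline,
        "notification": _status(adv.notified, notify_deadline, now),
    }


# Constructed sample records. The first reproduces the document's Critical timeline;
# the others use placeholder IDs and assumed scores to exercise the remaining buckets.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2025-12345", 9.8,
             datetime(2025, 3, 15, 10, 0, tzinfo=UTC),
             datetime(2025, 3, 15, 11, 0, tzinfo=UTC),
             datetime(2025, 3, 15, 16, 30, tzinfo=UTC)),
    Advisory("EXAMPLE-HIGH-1", 8.1,          # patched one day past the 7-day window
             datetime(2025, 3, 10, 0, 0, tzinfo=UTC),
             datetime(2025, 3, 10, 4, 0, tzinfo=UTC),
             datetime(2025, 3, 18, 0, 0, tzinfo=UTC)),
    Advisory("EXAMPLE-MEDIUM-1", 5.5,        # published on the last day of the window
             datetime(2025, 3, 10, 0, 0, tzinfo=UTC),
             datetime(2025, 3, 15, 0, 0, tzinfo=UTC),
             datetime(2025, 4, 9, 0, 0, tzinfo=UTC)),
    Advisory("EXAMPLE-LOW-1", 3.1,           # still open, inside the 90-day window
             datetime(2025, 3, 10, 0, 0, tzinfo=UTC),
             None, None),
]


def report(now: datetime, advisories=SAMPLE_ADVISORIES) -> dict:
    """Evaluate every advisory, keyed by CVE ID so a single result can be looked up."""
    return {adv.cve_id: evaluate(adv, now) for adv in advisories}


if __name__ == "__main__":
    for cve, r in report(datetime(2025, 3, 22, 0, 0, tzinfo=UTC)).items():
        print(f"{cve:16} {r['severity']:8} fix={r['fix']:8} notification={r['notification']}")
```

Deadlines are compared inclusively (a patch published exactly at the deadline counts as met), and an advisory with no patch yet is reported as pending rather than missed until the window has elapsed, which is the distinction that matters when deciding whether a credit claim under the SLA is justified.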
Vulnerability Notification Channels
Email notifications are opt-in at https://cleanstart.dev/security/subscribe and cover all severity levels. Critical notifications are sent immediately; high notifications are batched into a daily digest when multiple CVEs exist; medium/low notifications are sent as weekly digests.
The RSS feed at https://cleanstart.dev/security/feed.xml includes all severities with automatic detection of new advisories.
Webhook notifications are available to the Enterprise tier only. You configure a webhook destination and receive a JSON payload carrying the event type cve_advisory, the severity level, the CVE ID, the list of affected images, the list of patched images, the patch publication time, and a details URL.
The CleanSight Dashboard is optional and customer-deployed, providing real-time alerts for outdated images in production, automatic recommendations when patches are available, and historical trend analysis.
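A receiver-side handler for the webhook payload described above, as an added example that is not CleanStart's own code: it validates that a payload carries the fields the document lists and is of type cve_advisory, then matches the affected image list against an inventory of what you are running and names the patched image to move each deployment to. The JSON key names, the sample payload and the inventory are constructed assumptions (the document names the fields but not their JSON spelling); image references are compared by repository path and tag, so an image pulled through your own registry mirror still matches.

```python
import json
from typing import List, Optional, Tuple

# Fields the document says a cve_advisory payload carries. The key spellings are
# this example's assumption, not CleanStart's published schema.
REQUIRED_FIELDS = ("event_type", "severity", "cve_id", "affected_images",
                   "patched_images", "patched_at", "details_url")


def parse_advisory(raw: str) -> dict:
    """Parse a webhook body and reject anything that is not a complete cve_advisory."""
    payload = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"advisory payload missing fields: {missing}")
    if payload["event_type"] != "cve_advisory":
        raise ValueError(f"unexpected event type: {payload['event_type']!r}")
    return payload


def split_ref(ref: str) -> Tuple[str, str]:
    """Return (repository path without registry host, tag) for an image reference."""
    if "@" in ref:                       # drop a digest suffix if one is present
        ref = ref.split("@", 1)[0]
    parts = ref.split("/")
    # A leading component containing a dot or a port, or 'localhost', is a registry host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]
    path = "/".join(parts)
    if ":" in parts[-1]:
        repo, tag = path.rsplit(":", 1)
    else:
        repo, tag = path, "latest"
    return repo, tag


def affected_deployments(advisory: dict, inventory: List[Tuple[str, str]]
                         ) -> List[Tuple[str, str, Optional[str]]]:
    """For each (deployment, image) in inventory that matches an affected image,
    return (deployment, current image, recommended patched image or None)."""
    affected = {split_ref(i) for i in advisory["affected_images"]}
    patched = [(split_ref(i), i) for i in advisory["patched_images"]]
    hits = []
    for name, ref in inventory:
        repo, tag = split_ref(ref)
        if (repo, tag) not in affected:
            continue
        # The document's patched tag is the affected tag plus a -buildYYYYMMDD suffix,
        # so match a same-repository tag that equals the affected tag or extends it.
        candidates = [orig for (r, t), orig in patched
                      if r == repo and (t == tag or t.startswith(tag + "-"))]
        hits.append((name, ref, candidates[0] if candidates else None))
    return hits


# Constructed sample payload, modelled on the document's Critical advisory example.
SAMPLE_PAYLOAD = json.dumps({
    "event_type": "cve_advisory",
    "severity": "critical",
    "cve_id": "CVE-2025-12345",
    "affected_images": [
        "registry.cleanstart.com/cleanstart/python:3.12",
        "registry.cleanstart.com/cleanstart/python:3.11",
        "registry.cleanstart.com/cleanstart/node:20",
    ],
    "patched_images": [
        "registry.cleanstart.com/cleanstart/python:3.12-build20250315",
        "registry.cleanstart.com/cleanstart/python:3.11-build20250315",
        "registry.cleanstart.com/cleanstart/node:20-build20250315",
    ],
    "patched_at": "2025-03-15T17:00:00Z",
    "details_url": "https://cleanstart.dev/security",
})

# Constructed inventory: the worker pulls through a private mirror (hostname assumed).
SAMPLE_INVENTORY = [
    ("api",    "registry.cleanstart.com/cleanstart/python:3.12"),
    ("worker", "mirror.internal.example/cleanstart/node:20"),
    ("batch",  "registry.cleanstart.com/cleanstart/go:1.22"),
]


def run_sample() -> List[Tuple[str, str, Optional[str]]]:
    return affected_deployments(parse_advisory(SAMPLE_PAYLOAD), SAMPLE_INVENTORY)


if __name__ == "__main__":
    for name, current, patched in run_sample():
        print(f"{name}: {current} -> {patched or 'no patched image listed'}")
```

Rejecting unknown event types and incomplete payloads up front keeps a mis-routed or malformed message from triggering an image rollout; if you automate the pull of the recommended image, verify its signature and attestation as the document describes before deploying it.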
Support Tiers
Tier Comparison Matrix
The three support tiers differ significantly in features and pricing. The Community tier is free and includes access to all public images, full documentation access, public issue tracking, community forums, and security advisories via RSS. The Professional tier costs $500-1000/mo and includes email support during business hours, a named support contact, quarterly review calls, custom image builds up to 2/month, and up to 10% monthly SLA credits. The Enterprise tier has custom pricing starting at $3000+/mo and includes 24/7 email and phone support, a dedicated support team, monthly review calls plus ad-hoc sessions, unlimited custom builds, and up to 20% monthly SLA credits.
Uptime guarantees are 99.0% for Community, 99.5% for Professional, and 99.9% for Enterprise. Response times for P1 (production down/security) are best-effort for Community, 4 hours during business hours for Professional, and 1 hour 24/7 for Enterprise. Response times for P2 (production degraded) are best-effort for Community, 8 hours (or next business day if reported after hours) for Professional, and 4 hours for Enterprise. Response times for P3-P4 (minor issues) are best-effort for Community, 1 business day for Professional, and 4 hours for Enterprise.
Community Tier (Free)
Community tier is best for learning, development, non-critical workloads, and open source projects. It includes access to all public images from registry.cleanstart.com/cleanstart/*, full access to documentation in the Knowledge Hub, public issue tracking via GitHub Issues, community forums for peer support, and security advisories distributed via RSS feed and optional email subscription.
Support is best-effort, and time to first response may be 1-2 weeks. Responses come from the community and volunteer contributors rather than CleanStart employees. No SLA credits are issued for the Community tier.
The Community tier has significant limitations: there is no guaranteed response time for issues, priority support is not available, and there is no direct contact path with the CleanStart engineering team. If you require guaranteed response times or direct engineering support, upgrade to Professional or Enterprise tier by contacting sales@cleanstart.dev.
Professional Tier
Professional tier is best for small to medium organizations and production systems with adequate change management. It includes all Community features plus email support during business hours from 8 AM to 6 PM PT, Monday through Friday. You receive a named support contact, one designated person at CleanStart who becomes familiar with your organization and serves as your primary technical liaison. The tier includes quarterly review calls of 30 minutes per quarter to discuss your usage patterns, product roadmap, and feedback. Custom image builds are available on a limited basis of 2 per month, subject to security and technical review. Critical bugs receive priority treatment in the development queue. If CleanStart misses SLA commitments, you receive up to 10% of your monthly fee as service credit.
Support contacts include the primary contact at support@cleanstart.dev, and you receive a named contact assigned during onboarding. For escalation, you can contact the support manager directly.
Response time commitments vary by priority. P1 (production down or security issue) requires 4-hour response during business hours. P2 (production degraded or major feature broken) requires 8-hour response or next business day if after hours. P3 (minor issue with workaround) requires 1-2 business day response. P4 (feature request or documentation question) requires 3-5 business day response.
An example support workflow: a customer reports a P1 issue at 2025-03-15 14:00 PT. A support acknowledgment email is received at 14:15 PT. The issue is assigned to named contact Alice Smith at 14:45 PT. Alice provides a root cause analysis and a temporary workaround at 15:30 PT. Engineering begins the permanent fix at 18:00 PT. The patch is ready and tested with the customer by 10:00 PT the next day. The fix is deployed to the production image by 14:00 PT, meeting the 4-hour response requirement.
Cost is $500-1000/month depending on organization size and usage.
Enterprise Tier
Enterprise tier is best for large organizations, mission-critical infrastructure, high-security requirements, and FedRAMP/regulated environments. It includes all Professional features plus comprehensive premium support. You receive 24/7 phone and email support with dedicated infrastructure for your account. A dedicated support engineer serves as a full-time resource for your organization, providing continuity and deep familiarity with your infrastructure. On-call availability is 24/7 for P1 (critical) issues, ensuring response within one hour regardless of time of day. Monthly review calls plus ad-hoc calls as needed keep your success team aligned with your evolving needs. Custom image builds are unlimited subject to CleanStart's project capacity. Private registry hosting assistance helps you set up secure mirrors for air-gapped environments. Comprehensive compliance documentation includes SOC 2 mapping, ISO 27001 certification support, and attestations for your auditors. Direct escalation paths to the VP of Customer Success ensure executive visibility for major issues. Pre-release access allows you to beta test upcoming features. Quarterly performance profiling and recommendations help optimize your image builds and deployments. If CleanStart misses SLA commitments, you receive up to 20% of your monthly fee as service credit.
Support contacts include a dedicated support engineer available via direct phone/email/Slack. The support team provides 24/7 rotational coverage. The VP of Customer Success is available for escalations.
Response time commitments are more stringent. P1 (production down, security issue, revenue impact) requires 1-hour response with 24-hour resolution target or credit. P2 (production degraded, critical feature broken) requires 4-hour response with 48-hour resolution target or credit. P3 (major feature broken with workaround) requires 8-hour response with 1-week resolution target. P4 (feature request or minor issue) requires 1-business-day response with backlog placement.
An example Enterprise support workflow shows a customer discovering a P1 issue on Wednesday night at 2025-03-15 22:00 PT. At 22:05 PT, the emergency phone line auto-answers. At 22:10 PT, dedicated support engineer Alice picks up saying "Hi, I'm Alice, let's fix this right now." The customer describes the issue. At 22:30 PT, a temporary workaround is deployed. By 23:00 PT, an incident bridge is set up with the engineering team. At 01:00 PT on March 16, the root cause is identified (bad deployment in new build). At 04:30 PT, a hotfix is built and tested. At 05:00 PT, the customer pulls the patched image. At 05:15 PT, P1 is resolved and incident declared closed. At 10:00 PT Thursday morning, a post-incident review call is held with executive sponsor.
Custom image builds for Enterprise include the ability to build custom image variants with additional packages or tools, custom base OS or runtime version, private registry hosting, and compliance-specific hardening such as FIPS and FedRAMP.
Cost is custom, typically $3,000-10,000+/month. Contact enterprise@cleanstart.dev for details.
Priority Definitions
P1 - Critical: Production Down
P1 incidents are defined as situations where service is unavailable, revenue is impacted, security is breached, or data loss risk exists. Examples include registry completely unavailable where you can't pull images, published images with Critical CVEs of CVSS 9.0 or higher, images that fail in production with no rollback available, security vulnerabilities disclosed in deployed images, and scenarios with data corruption or loss risk.
The customer impact of P1 incidents is severe: production services are down or severely degraded, revenue loss or customer-facing outages are occurring, potential security or compliance violations are happening, and immediate action is required to restore service.
CleanStart response times vary by support tier. Community tier receives best-effort response that may take hours or days. Professional tier receives response within 4 hours during business hours or 24 hours if reported after business hours. Enterprise tier receives response within 1 hour, 24/7. P1 incidents receive immediate escalation to the engineering team and become the highest priority for all resources.
P2 - High: Production Impacted
P2 incidents are defined as situations where significant functionality is broken or degraded, and a workaround may exist. Examples include images with High CVE (CVSS 7.0-8.9), non-critical functionality broken, performance significantly degraded, intermittent failures, or build pipeline blocked.
Customer impact is moderate: production is affected but not completely down, the operations team must work around the issue, and a workaround is available or can be implemented.
CleanStart response varies by tier: Community provides best-effort response (days to weeks), Professional provides an 8-hour response or next business day if reported after hours, and Enterprise provides a 4-hour response.
The engineering team is involved, and external support coordination may be required.
P3 - Medium: Development Impact
P3 incidents are defined as non-critical issues affecting development or staging, where a workaround exists. Examples include documentation error or gap, image has Medium CVE (CVSS 4.0-6.9), feature not working as documented, non-critical package missing, or build optimization question.
Customer impact is minimal: the development team can work around the issue, there is no production impact, and the fix can be deferred to the next sprint.
CleanStart response varies by tier: Community provides best-effort response (1-2 weeks), Professional provides a 1-2 business day response, and Enterprise provides an 8-hour response.
A support engineer handles the issue and may coordinate with the product team.
P4 - Low: Enhancement Request
P4 incidents are defined as feature requests, general questions, and nice-to-have improvements. Examples include feature request (e.g., "add Python 3.13"), general architectural question, how-to guidance, image optimization ideas, or compliance certification questions.
Customer impact is none: there is no impact on current operations, the request is a nice-to-have improvement, and it can be handled asynchronously.
CleanStart response varies by tier: Community provides best-effort response (weeks to months), Professional provides a 3-5 business day response, and Enterprise provides a 1-2 business day response.
The support team routes the request to product management where applicable.
SLA Measurement and Credits
Monthly SLA Calculation
Uptime SLA is measured as (Total Minutes - Downtime Minutes) / Total Minutes × 100. For example, in March 2025 with 31 days × 24 hours × 60 min = 44,640 minutes total, if downtime due to emergency maintenance is 30 minutes, uptime is (44,640 - 30) / 44,640 × 100 = 99.93%, which exceeds the 99.9% target.
Response time SLA is measured as (ticket first-response time) - (ticket creation time). For example, if a P1 ticket is created at 2025-03-15 10:00 UTC and the first response is sent at 2025-03-15 10:45 UTC, the response time is 45 minutes, which is within the 4-hour Professional SLA.
SLA Credits
If CleanStart misses SLA targets, customers are eligible for service credits. For Professional tier, P1 miss results in 5% of monthly fee, P2 miss results in 3% of monthly fee, and P3 miss results in 1% of monthly fee, capped at 10% per month maximum. For Enterprise tier, P1 miss results in 10% of monthly fee, P2 miss results in 5% of monthly fee, and P3 miss results in 2% of monthly fee, capped at 20% per month maximum.
To claim credits, email billing@cleanstart.dev with your ticket ID, SLA commitment, and evidence of the miss. CleanStart reviews and issues credit within 5 business days.
An example calculation shows a monthly fee of $1,000, with 1 incident of P1 SLA miss. The credit is 5% × $1,000 = $50, applied to the next month's invoice.
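The three calculations in this section (monthly uptime, first-response time, and capped SLA credits) carried through in code, as an added example that is not CleanStart's own billing logic. The percentages and caps are the ones the document states for the Professional and Enterprise tiers; the uptime target defaults to the 99.9% figure used in the document's own worked example, and the credit table carries no P4 entry because the document assigns P4 misses no credit.

```python
import calendar
from datetime import datetime, timezone
from typing import Iterable, Tuple

UPTIME_TARGET = 99.9  # the monthly target used in the document's worked example

# Credit percentages per missed priority and the monthly cap, as stated in the document.
# Values are whole percentage points to keep the arithmetic exact.
CREDIT_TABLE = {
    "Professional": {"P1": 5,  "P2": 3, "P3": 1, "cap": 10},
    "Enterprise":   {"P1": 10, "P2": 5, "P3": 2, "cap": 20},
}


def minutes_in_month(year: int, month: int) -> int:
    """Total minutes in a calendar month (days x 24 x 60)."""
    days = calendar.monthrange(year, month)[1]
    return days * 24 * 60


def uptime_percent(year: int, month: int, downtime_minutes: float) -> float:
    """(Total Minutes - Downtime Minutes) / Total Minutes x 100."""
    total = minutes_in_month(year, month)
    if not 0 <= downtime_minutes <= total:
        raise ValueError(f"downtime must be between 0 and {total} minutes")
    return (total - downtime_minutes) / total * 100


def uptime_met(year: int, month: int, downtime_minutes: float,
               target: float = UPTIME_TARGET) -> bool:
    return uptime_percent(year, month, downtime_minutes) >= target


def response_minutes(created: datetime, first_response: datetime) -> float:
    """(Ticket response time) - (Ticket created time), in minutes."""
    if first_response < created:
        raise ValueError("first response cannot precede ticket creation")
    return (first_response - created).total_seconds() / 60


def response_met(created: datetime, first_response: datetime, sla_hours: float) -> bool:
    return response_minutes(created, first_response) <= sla_hours * 60


def monthly_credit(tier: str, missed_priorities: Iterable[str],
                   monthly_fee: float) -> Tuple[int, float]:
    """Sum the credit for every missed ticket in the month, apply the tier cap,
    and return (credit percent, credit amount). Priorities without a credit
    entry (P4) contribute nothing."""
    table = CREDIT_TABLE[tier]
    raw = sum(table.get(p, 0) for p in missed_priorities)
    pct = min(raw, table["cap"])
    return pct, round(monthly_fee * pct / 100, 2)


if __name__ == "__main__":
    utc = timezone.utc
    # The document's March 2025 example: 44,640 minutes, 30 minutes of downtime.
    print(f"uptime: {uptime_percent(2025, 3, 30):.2f}% met={uptime_met(2025, 3, 30)}")
    # The document's P1 example: created 10:00 UTC, first response 10:45 UTC.
    created = datetime(2025, 3, 15, 10, 0, tzinfo=utc)
    answered = datetime(2025, 3, 15, 10, 45, tzinfo=utc)
    print(f"response: {response_minutes(created, answered):.0f} min "
          f"met={response_met(created, answered, 4)}")
    # The document's credit example, then a constructed month where the cap applies.
    print("one P1 miss:", monthly_credit("Professional", ["P1"], 1000.0))
    print("two P1 + one P2:", monthly_credit("Professional", ["P1", "P1", "P2"], 1000.0))
```

The cap is applied to the summed percentage before it is converted to money, which is the reading of "capped at 10% per month maximum" that matters when several tickets miss in the same month: two P1 misses and a P2 miss on the Professional tier add up to 13% but pay out 10%.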
Exclusions and Limitations
Not Covered by SLA
The following are NOT covered by CleanStart SLAs:
Customer application bugs are not covered, including issues in your application code, incorrect usage of image, or missing dependencies.
Third-party tool integration issues are not covered, such as Kubernetes version incompatibility, Docker/container runtime bugs, or CI/CD pipeline misconfiguration.
Custom Dockerfile issues are not covered, including errors when extending CleanStart images, custom build problems, or application-specific configurations.
Customer infrastructure is not covered, including your registry outages, your network issues, or your Kubernetes cluster problems.
Force majeure is not covered, including AWS/GCP outages affecting CleanStart infrastructure, DNS provider failures, or carrier/ISP issues beyond CleanStart control.
Customer-caused issues are not covered, including accidental image deletion, credential compromise (requires customer remediation), or misconfigured network policies.
Unsupported configurations are not covered, including EOL versions past the 12-month support window, images pulled from unauthorized mirrors, or custom/private builds covered by separate SLA.
Customer Responsibilities
For SLA targets to apply, customers must: pull from supported versions, using the official registries (registry.cleanstart.com or clnpkgs.clnstrt.dev) and images within the 12-month support window; maintain current credentials, providing a valid API key for authentication and notifying CleanStart of credential changes; subscribe to notifications, opting in to security advisories via email or RSS and monitoring the status page for maintenance windows; and report issues promptly, creating support tickets for problems, providing reproduction steps and logs, and responding to support questions within 24 hours.
What to Read Next
For Procurement/Legal
vendor-risk-assessment.md: Full vendor evaluation guide. master-service-agreement.md: Contractual terms and conditions.
For Support Teams
defect-reporting-lifecycle.md: How to report and escalate bugs. incident-response-playbook.md: How to respond to production incidents.
For Operations Teams
acceptance-testing-guide.md: Consumer-side validation procedures. registry-mirror-setup.md: Configure private registry for high availability.
Document Version: 1.0 Last Updated: 2025-03-22 Next Review: 2025-09-22 Owner: Customer Success and Support Teams
Contact: Sales: sales@cleanstart.dev, Support: support@cleanstart.dev, Enterprise: enterprise@cleanstart.dev, and Security: security@cleanstart.dev.
