Service Level Agreement

This Service Level Agreement (“SLA”) applies to the paid production use of careos platform under an active order form and is incorporated into the Terms of Service. Capitalised terms not defined here have the meaning given in the Terms of Service.

1. Definitions

• 1.1 “Core API” — the authenticated REST and webhook APIs and the admin console used by Customer administrators and integrations.
• 1.2 “Patient Portal and Mobile Sync” — the patient-facing portal and the mobile sync endpoints.
• 1.3 “Audit Write Path” — the append-only Evidence Ledger ingestion path that guarantees audit capture.
• 1.4 “Monthly Uptime” — total minutes in a calendar month minus Downtime, divided by total minutes, expressed as a percentage.
• 1.5 “Downtime” — sustained unavailability of a Service component, measured by ITLOX monitoring against documented health checks, excluding Exclusions defined in Section 5.
• 1.6 “Incident” — any unplanned event that degrades the Service below agreed commitments.

2. Uptime commitments

• Core API and admin console: 99.95% Monthly Uptime.
• Patient portal and mobile sync: 99.9% Monthly Uptime.
• Audit write path (Evidence Ledger ingestion): 99.95% Monthly Uptime, with a durability objective for accepted writes of at least eleven nines.

3. Recovery objectives

• RPO (Recovery Point Objective): ≤ 15 minutes for the core production database and audit stores.
• RTO (Recovery Time Objective): ≤ 4 hours for the Core API and admin console in a region-level failure.
• Restore testing: quarterly restore exercises with documented evidence available to Customer on request.

4. Incident severity and response

• P1 — Critical: Service unavailable, patient safety or data integrity at risk. Acknowledgement within 15 minutes, continuous work until resolved, first status update within 30 minutes, updates at least hourly. Target mitigation within 4 hours.
• P2 — High: Major functionality impaired for multiple users; no viable workaround. Acknowledgement within 30 minutes during business hours, 1 hour outside. Target mitigation within one business day.
• P3 — Medium: Functionality impaired with workaround available. Acknowledgement within one business day. Target mitigation within five business days.
• P4 — Low: Minor issue or enhancement request. Acknowledgement within two business days. Resolution tracked through the product roadmap.

5. Exclusions

The following are excluded from Downtime calculations and SLA commitments:

• Scheduled maintenance announced at least 48 hours in advance via the status page, during documented maintenance windows;
• Emergency maintenance required to address a security threat;
• Force majeure events, including failures of third-party infrastructure outside ITLOX’s reasonable control;
• Customer-caused issues, including misconfiguration, misuse, and issues arising from Customer-managed integrations or credentials;
• Issues arising from the Customer’s failure to install required updates to supported client libraries or SDKs;
• Beta and preview features explicitly marked as such.

6. Support hours and tiers

• Standard support: business hours in the Customer’s region, Monday to Friday, excluding local public holidays. 24/7 on-call for P1 incidents only.
• Premium support: 24/7 for all severities, with named technical account manager, quarterly service reviews, and participation in the design-partner community.
• Regulatory support: assistance with DSARs, audit evidence and regulatory enquiries in accordance with the Data Processing Agreement.

7. Service credits

If Monthly Uptime for a committed component falls below the applicable target and the Customer is in good standing, ITLOX will issue a service credit as a percentage of the monthly fees attributable to that component, calculated on a sliding scale:

• Below 99.95% and at or above 99.9%: 5% credit;
• Below 99.9% and at or above 99.5%: 10% credit;
• Below 99.5% and at or above 99.0%: 20% credit;
• Below 99.0%: 30% credit, capped at 50% of the monthly fee.

Service credits are the Customer’s sole and exclusive remedy for a failure to meet the uptime commitments, subject to rights of termination for cause under the Terms of Service. Credits must be requested within 30 days of the end of the affected month and will be applied to the next invoice.

8. Change management

• Feature flags: significant behaviour changes are rolled out behind flags with progressive exposure and rollback.
• Canary releases: new versions are deployed to a subset of tenants first, with health and error budgets monitored before wider rollout.
• Rollback: automatic rollback on service level degradation, with a documented recovery path for each change class.
• Customer notice: advance notice of breaking API changes with a minimum 90-day deprecation window, except where security mandates immediate action.

9. Communication

• Status page: real-time component status, historical uptime and incident write-ups at status.careosp.com.
• Email: proactive notifications to Customer administrators for P1 incidents and scheduled maintenance.
• Support portal: ticketing with incident IDs that align with the status page.
• Post-incident reviews: published within 10 business days of a P1 incident, including timeline, impact, root cause and preventive actions.

10. Reporting

ITLOX makes monthly uptime reports available to Premium support Customers by default, and to Standard support Customers on request. Reports include Monthly Uptime for each committed component, incident summaries, and any credits due.

11. Escalation path

• Tier 1: support ticket via the support portal.
• Tier 2: on-call engineer for P1 incidents, reached via the support portal or the emergency number provided to Customer administrators.
• Tier 3: incident commander and engineering leadership, engaged automatically for P1 incidents lasting more than one hour.
• Executive escalation: the named technical account manager (Premium) or escalation@careosp.com.

12. Contact

Support: support@careosp.com
Escalation: escalation@careosp.com
Legal: legal@careosp.com