Service Level Agreement

Your vendor's SLA says 99.9% uptime. What it doesn't say is that scheduled maintenance windows, third-party integration failures, and incidents 'within the customer's environment' don't count toward downtime. Service credits sit at 5% of one month's fee — roughly ₹5,000 on a ₹1 lakh contract — and a single clause makes them your 'sole and exclusive remedy.' That is the standard SLA most IT and SaaS vendors send across. It is written to protect them, not you.

A properly drafted SLA flips that equation. It defines uptime by actual business impact, not server ping times. It sets severity-based response and resolution targets your operations team can enforce. It aligns with India's Digital Personal Data Protection Act 2023 and IT Act Section 43A for data-processing engagements. And it gives you a real exit — not a situation where switching vendors requires rebuilding data pipelines and negotiating terms from zero leverage.

At a Glance

• Who needs it: IT outsourcing, SaaS subscriptions, BPO contracts, managed-services, and cloud hosting — any engagement where service quality affects your revenue, operations, or regulatory compliance posture.
• Governing law: Indian Contract Act 1872; IT Act 2000 Section 43A (data security obligations); DPDP Act 2023 (data-processor duties); Specific Relief (Amendment) Act 2018 (injunctive relief for ongoing breaches).
• Turnaround: 5–10 working days from service map to signature-ready draft; one negotiation round with the counterparty adds 3–5 days depending on responsiveness.
• Uptime tiers: 99.9% (≈8.7 hrs downtime per year) for back-office tools; 99.95% (≈4.4 hrs) for customer-facing systems; 99.99% (≈53 mins) for mission-critical platforms — chosen by business impact, not vendor preference.
• Service credits: Typically 5% / 10% / 25% of monthly fee by severity tier; capped at one to three months' fees per year; sole-remedy clause resisted so termination and indemnity rights are preserved.
• DPDP alignment: Mandatory for any SLA where a vendor processes personal data of Indian users on your behalf — processor instructions, 72-hour breach notification, sub-processor controls, and post-termination data return.
• Format: Standalone SLA or Annexure to a Master Services Agreement, delivered with escalation matrix, governance calendar, and breach-response runbook.

What's New for FY 2026-27

Four developments in 2025-26 have materially changed what an SLA for an Indian business must contain.

• DPDP Act rules expected: The Digital Personal Data Protection Act 2023 rules are expected to be notified in 2025-26. Any SLA covering a data-processing engagement must now include processor instructions, 72-hour breach notification, sub-processor consent, and post-termination data deletion — as enforceable obligations, not aspirational language.
• Cross-border transfer whitelist: The Central Government's whitelist of permitted jurisdictions for cross-border data transfer is expected before end-2025. SLAs should include a compliance review trigger when the whitelist publishes rather than hardcoding permitted jurisdictions today.
• Force majeure jurisprudence tightened: Indian courts — Energy Watchdog v. CERC and Halliburton v. Vedanta — have narrowed force majeure to specifically listed events at an impossibility threshold. Open-ended 'beyond reasonable control' clauses no longer hold; rewrite to list events, require 7-day notice, and cap FM suspension at 30–60 days.
• AI-output SLOs now needed: SaaS and platform agreements increasingly cover AI-generated outputs. SLAs should define accuracy SLOs, AI-output disclaimers, and liability allocation for AI errors — particularly in BFSI, healthcare, and legal-tech deployments.
• IT Act Section 43A remains live: With DPDP enforcement approaching, Section 43A (reasonable security practices) continues to apply in parallel. SLAs for data-processing engagements should reference both statutes to close any coverage gaps between regimes.

Why a Vendor's Standard SLA Is Not Enough

• Measurement-gap clauses: Most vendor SLAs exclude scheduled maintenance, incidents during 'customer configuration changes,' and third-party integration failures from uptime calculations — stripping out the most common failure modes before measurement even begins.
• Credits without real recourse: A sole-and-exclusive-remedy clause means your only option after a major outage is a modest credit. You cannot terminate, cannot claim indemnity for revenue loss, and cannot seek specific performance — even after repeated failures over months.
• Force majeure written for the vendor: Pre-2020 open-ended language has been stretched to cover single-region cloud outages, power cuts, and staffing shortages that any competent vendor should have anticipated and mitigated through basic redundancy planning.
• No exit plan: Without transition-assistance and portability provisions, you negotiate handover terms at the vendor's prices and timeline — after a relationship has already broken down.
• DPDP exposure sits with you: If your vendor processes personal data of Indian users and the SLA doesn't specify processor obligations, you — the data fiduciary — bear the regulatory exposure under the DPDP Act 2023, not the vendor.
• No severity hierarchy: A single response time for all incidents means a P1 outage affecting 10,000 customers and a P4 billing display glitch share the same 48-hour response target.

How It Actually Works

The process runs in six stages, designed so that metrics are calibrated before drafting begins — not reverse-engineered from a vendor template.

Step 1: Service Map and Criticality Brief

We capture services in scope, classify each by business criticality (mission-critical, business-critical, standard), estimate hourly downtime cost, identify sector-specific regulatory obligations (RBI, SEBI, IRDAI, DPDP Act), and document current performance baselines for existing engagements. This brief takes 1–2 days and drives every metric that follows.

Step 2: Metric Design

Uptime tier, severity definitions (P1 through P4), response and resolution targets, throughput or accuracy SLOs for BPO and AI-driven services, reporting cadence, and escalation matrix — all designed with your technology and operations teams, not lifted from a vendor template. For data-processing engagements, breach-notification timelines and sub-processor performance standards are added here. This takes 2–3 days.

Step 3: Drafting the SLA

The full SLA covers: uptime commitments with measurement methodology; severity-based response and resolution targets; service credit schedule and calculation; force majeure with a specific event list, 7-day notice requirement, and 30-day suspension cap; exclusions from availability calculation; change control; DPDP Act processor obligations; and exit, portability, and reverse-transition terms. Delivered as standalone document or Annexure to your MSA. Takes 3–5 days.

Step 4: Negotiation Round

Vendors push back on credit caps, force majeure scope, exclusion lists, and the sole-remedy clause. We support one negotiation round — reviewing counterparty mark-ups, redlining metric definitions, resisting dilution of exit provisions, and calibrating sub-processor obligations to reflect actual data-processing risk. This adds 3–5 days depending on counterparty pace.

Step 5: Execution and MSA Integration

Once agreed, the SLA is stamped (nominal stamp duty applies in most states) and executed by authorised signatories. A hierarchy clause in the MSA confirms the SLA governs service quality while the MSA governs everything else. Effective date, measurement start date, and SLA version number are fixed at execution to prevent later disputes about when obligations began.

Step 6: Governance and Review Setup

An SLA needs a governance structure to function. We deliver a monthly SLA dashboard template, quarterly review calendar, change-control process for mid-term metric revisions, a breach-response runbook for your operations team, and an annual compliance review trigger aligned to DPDP rule notifications and any sector-regulator guidance updates.

A Real Example: SaaS ERP for a Mid-Size Manufacturer

A manufacturer running their ERP on a SaaS platform came to us after their vendor's standard SLA gave them a ₹8,000 credit for a 14-hour P1 outage that cost ₹12 lakh in halted production and delayed customer shipments. Here is what changed in the renegotiated SLA.

• Uptime tier: Moved to 99.95% for the production module; 99.9% retained for reporting and analytics — reflecting the actual business impact of each layer rather than applying a single tier across all services.
• Downtime calculation: Scheduled maintenance windows capped at 4 hours per month, notified 72 hours in advance; all other downtime counted — including third-party payment gateway failures the vendor had previously excluded.
• P1 credits: Increased to 15% of monthly fee per breach (up from 5%); cumulative cap raised to 3 months per year (up from 1 month); sole-remedy clause removed, preserving termination and indemnity rights.
• Persistent breach trigger: Three P1 or P2 breaches in any rolling 6-month period, or any single unresolved P1 exceeding 48 hours, gives the customer termination rights with no cure period.
• Exit provisions: 9-month transition assistance at current contract rates; ERP data returned in SQL dump and CSV within 30 days of termination notice; vendor provides 3 knowledge-transfer days per quarter during transition.

The renegotiated SLA cost nothing extra in contract value. The vendor accepted the changes because the metrics were calibrated to what they could actually deliver — not arbitrarily tightened. That is how a balanced SLA gets built.

What Backs Up Each Commitment

An SLA is only as strong as its monitoring, reporting, and enforcement mechanisms. These are the governance structures that give the metrics teeth.

• Monthly SLA reports: Automated reports from the vendor showing uptime logs, incident counts by severity, response and resolution actuals versus targets, and credit calculations — delivered before the 10th of each month.
• Audit rights: Your right to audit uptime logs and incident records — directly or through a named third-party auditor — at least once a year. For DPDP-covered engagements, this extends to data-processing audit rights under Section 8(2)(f).
• Named escalation matrix: Contacts at P1 through P4 levels on both sides; escalation path from service desk to account manager to CTO within defined time windows — so a critical incident doesn't queue behind routine tickets for hours.
• Change control: Any revision to SLA metrics requires a written change order signed by both parties. Unilateral 'we've updated our terms' emails cannot alter committed metrics or credit schedules mid-contract.
• Breach-response runbook: Step-by-step internal guide for your operations team — how to log an incident, escalate to the vendor, calculate credits owed, and initiate termination procedures when persistent breach thresholds are reached.
• Annual compliance review: Metrics should be reviewed annually as DPDP rules are notified, sector-regulator guidance updates, or your business-criticality classification changes — with a change-control process to implement agreed revisions.

A 72-hour breach notification SLO is not a best practice under the DPDP Act 2023 — it is a statutory obligation. Your SLA with any data-processing vendor must reflect this, or you bear the exposure as the data fiduciary.

Where SLAs Go Wrong

Most SLA disputes trace back to one of these eight drafting failures.

• Availability measured at infrastructure layer: Uptime defined as server ping time does not capture application-layer failures, degraded performance, or partial outages. Define availability at the service-delivery layer — can users complete intended transactions?
• Unlimited force majeure: Open-ended 'beyond reasonable control' language lets vendors invoke FM for events they should have anticipated — single-region cloud failures, power cuts, staffing shortages. List events specifically with a high threshold.
• Credits as the sole remedy: The sole-and-exclusive-remedy clause eliminates your right to terminate, claim indemnity, or seek injunctive relief. This is the most commercially dangerous clause in a standard SLA — resist it on every engagement.
• No severity definitions: Without P1–P4 definitions, severity is whatever the vendor declares at the moment. Define severity by customer impact — users affected, revenue at risk, regulatory exposure — not by technical symptom alone.
• Missing exit provisions: No transition-assistance clause means you negotiate handover terms at the vendor's pricing and timeline, after a relationship has already broken down and they have maximum leverage.
• DPDP obligations absent: Processor instructions, breach notification, sub-processor controls, and data-return requirements are not implied into commercial contracts by law. They must be written in explicitly or they do not exist.
• No measurement start date: SLAs that don't define when measurement begins create disputes about go-live grace periods and the first three months of every engagement — a common source of early-relationship friction.
• Auto-renewal without a performance gate: SLAs that renew automatically without a mandatory performance review allow a deteriorating vendor to remain in contract and in profit indefinitely.

What You Receive at the End

• Signed SLA document — standalone or as an Annexure to your Master Services Agreement
• Service credit schedule with calculation methodology and credit claim process
• Force majeure clause with specific event list, 7-day notice requirement, and 30-day suspension cap
• DPDP Act 2023 processor obligations schedule for any data-processing engagement
• Exit, portability, and reverse-transition provisions with timelines and data-return format
• Escalation matrix template with severity definitions (P1–P4) and named contacts
• Monthly SLA dashboard template and quarterly review calendar
• Breach-response runbook for your operations team
• Change-control template for mid-term metric revisions
• Annual compliance review trigger aligned to DPDP rule notification timeline

How to Get Started

Share your current SLA or vendor agreement, your service scope, and the business-criticality classification for each service. If this is a new engagement with no existing SLA, a brief on services in scope and a rough estimate of hourly downtime cost is sufficient to begin the service map. We start with a 45-minute discovery call to capture any sector-specific regulatory requirements — RBI, SEBI, IRDAI, or DPDP Act obligations — before drafting begins.

Once the discovery brief is finalised, drafting starts immediately. The first draft reaches you in 3–5 working days, followed by a review call to walk through metrics, credits, and exit terms. One negotiation round with the counterparty is included. The final, signature-ready SLA is delivered within the 5–10 working day timeline.