Service Level Agreement (SLA)
Effective Date: February 23, 2026
This Service Level Agreement ("SLA") defines the operational commitments, support scope, and responsibilities for Oriphim's AI validation infrastructure. It applies to all active clients under a Master Service Agreement with Oriphim Labs LLC ("Oriphim", "we", "our").
1. Service Availability
Uptime Commitment
99.5% monthly uptime (measured in UTC, excluding scheduled maintenance)
- Measurement: Uptime is the share of validation API requests that receive an application-level response (HTTP 200, 400 or 424) rather than an infrastructure failure (HTTP 5xx); 400 and 424 count as delivered outcomes, not downtime
- Scheduled Maintenance: Announced 72 hours in advance, capped at 6 hours per month
- Unscheduled Downtime: Emergency maintenance announced immediately via email and status updates
Downtime Credits
If uptime falls below 99.5% in a calendar month:
| Uptime Achieved | Service Credit |
|---|---|
| 99.0% – 99.5% | 10% monthly fee |
| 98.0% – 99.0% | 25% monthly fee |
| < 98.0% | 50% monthly fee |
Credit Redemption: Applied to next invoice upon client request within 30 days of incident; no cash refunds.
2. Performance Targets
Validation Latency (p95)
- Standard Validations (/v2/validate): 50-200ms
- Async Validations (/v3/intent): <10ms acknowledgment, 50-200ms background processing
- Health Checks (/v2/health): <100ms
- Agent Rollback (/v3/rewind/{agent_id}): <200ms
Measurement: Time from API request receipt to validation outcome delivery, measured at application layer.
Throughput Limits (Per Tier)
| Tier | Requests/Second | Burst Capacity | Concurrent Validations |
|---|---|---|---|
| Standard | 50 req/s | 100 req/s (30s) | 10 |
| Professional | 200 req/s | 400 req/s (60s) | 50 |
| Enterprise | Custom | Custom | Custom |
Rate Limit Handling: HTTP 429 responses when the tier limit is exceeded; requests are rejected, not queued, so the client implements its own retry and backoff logic.
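The retry logic the SLA leaves to the client, written out as an added example (this is not Oriphim's code, and the Retry-After header, the response tuple shape and the scripted endpoint are assumptions made for the example). It retries only 429 and 5xx, returns 400 and 424 unchanged because section 1 counts them as delivered outcomes, honours a Retry-After hint when one is present and otherwise backs off exponentially with jitter so that many clients do not retry in lockstep:

```python
import random
import time
from typing import Any, Callable, Dict, List, Tuple

# Constructed response shape for the example: (HTTP status, headers, decoded body).
Response = Tuple[int, Dict[str, str], Any]

# Statuses the SLA counts as delivered validation outcomes (section 1).
# 400 and 424 describe the request itself, so retrying them changes nothing.
TERMINAL_STATUSES = {200, 400, 424}


class RetriesExhausted(Exception):
    """Raised when the call is still throttled or failing after max_attempts."""


def call_with_backoff(
    send: Callable[[], Response],
    *,
    max_attempts: int = 5,
    base_delay: float = 0.5,
    max_delay: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Callable[[], float] = random.random,
) -> Tuple[int, Any, int]:
    """Call send() until a non-retryable status arrives; return (status, body, attempts).

    Retried: 429 (rate limit) and 5xx (infrastructure failure). Everything else
    is returned as-is. Use only for idempotent calls such as /v2/validate; a
    re-sent non-idempotent request may be applied twice.
    """
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status in TERMINAL_STATUSES or not (status == 429 or 500 <= status < 600):
            return status, body, attempt
        if attempt == max_attempts:
            raise RetriesExhausted(f"gave up after {attempt} attempts, last status {status}")
        retry_after = headers.get("Retry-After")  # assumed to be seconds if present
        if retry_after is not None:
            wait = float(retry_after)
        else:
            wait = min(max_delay, delay) * (0.5 + rng())  # jitter in [0.5x, 1.5x)
        sleep(wait)
        delay *= 2
    raise RetriesExhausted("unreachable")  # loop always returns or raises


def scripted_endpoint(responses: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for the API: hands out the scripted responses in order."""
    queue = list(responses)

    def send() -> Response:
        return queue.pop(0)

    return send


def demo() -> Dict[str, Any]:
    """Run the backoff loop against constructed responses and record every wait."""
    waits: List[float] = []
    send = scripted_endpoint([
        (429, {"Retry-After": "1"}, None),  # throttled, server says how long to wait
        (429, {}, None),                    # throttled, no hint: local backoff applies
        (503, {}, None),                    # transient infrastructure failure
        (200, {}, {"indicator": "GREEN", "confidence": 0.97}),
    ])
    status, body, attempts = call_with_backoff(send, sleep=waits.append, rng=lambda: 0.5)
    # A 424 is a delivered outcome under section 1 and must come back on the first try.
    dep_status, _, dep_attempts = call_with_backoff(
        scripted_endpoint([(424, {}, {"error": "dependency failed"})]), sleep=waits.append)
    return {"status": status, "body": body, "attempts": attempts, "waits": waits,
            "not_retried_status": dep_status, "not_retried_attempts": dep_attempts}


def demo_exhausted(max_attempts: int = 3) -> bool:
    """True if a permanently throttled endpoint is reported rather than retried forever."""
    send = scripted_endpoint([(429, {}, None)] * max_attempts)
    try:
        call_with_backoff(send, max_attempts=max_attempts, sleep=lambda s: None)
    except RetriesExhausted:
        return True
    return False
```

With the fixed jitter used in demo(), the three waits are 1.0s (from Retry-After), 1.0s and 2.0s before the fourth attempt succeeds. Keep max_attempts small on the hot path: at 50 req/s on the Standard tier a burst that exceeds the 30-second burst window will keep returning 429 until the client actually slows down, and unbounded retries only prolong the throttling.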
3. Deployment Models
Cloud-Hosted API (Primary)
- Single-Region Availability: US-East-1 (additional regions available for Enterprise tier)
- Horizontal Scaling: Automatic load balancing across multiple instances
- TLS 1.2+ Encryption: All data in transit
- Infrastructure: FastAPI + Uvicorn on containerized deployment
- Database: SQLite for Standard/Professional; PostgreSQL recommended for Enterprise
Self-Hosted Deployment
Client Responsibility: Infrastructure uptime, network security, resource allocation, backups
Oriphim Provides:
- Python package installation (pip install -e .)
- FastAPI application code
- SQLite schema initialization
- Documentation and integration examples
- Update Cadence: Security patches via GitHub releases; feature updates quarterly
- Support: Limited to application configuration and API integration—not underlying OS/infrastructure
Hybrid Deployment (Enterprise Only)
- Validation Engine: On-premises Python deployment (client VPC/data center)
- Audit Logging: Local SQLite or client-managed PostgreSQL
- Compliance PDF Export: Generated on-premises, no cloud transmission required
- Support: Custom integration assistance included in Enterprise tier
4. Security Commitments
Authentication & Access
- API Authentication: Request-level validation via headers only; there is no API key or per-client credential system in v1.0, so any party that can reach the endpoint can submit requests
- Self-Hosted Security: Client manages access control to the deployment endpoint
- Network Security: For production use, deploy behind a VPN or firewall so that network placement, not the application, decides who can call the API
- Future Roadmap: API key authentication planned for Q2 2026
Data Handling
- Minimal PII Storage: Validation requests are stored in local SQLite (agent_id, samples, metrics); the samples field is stored as submitted, so clients should avoid including PII in it
- Audit Log Storage: SQLite with hash-chained integrity verification
- Log Retention: Client-configurable (default: unlimited for self-hosted; 12 months for cloud)
- Client Isolation: Not applicable for self-hosted; cloud deployments use dedicated instances per client
Vulnerability Management
- Security Updates: Published via GitHub releases with CVE details
- CVE Response: Critical vulnerabilities patched within 72 hours (self-hosted and hybrid clients are responsible for applying the released update)
- Incident Notification: Security breaches disclosed immediately via email and GitHub advisory
- Dependency Management: Regular updates to FastAPI, Pydantic, and sentence-transformers
5. Support & Escalation
Response Time Commitments
| Priority | Definition | Response Time | Resolution Target | Channels |
|---|---|---|---|---|
| P1 – Critical | API crashes, database corruption, total validation failure | 4 business hours | 2 business days | Email, GitHub Issues |
| P2 – Major | Degraded latency (>500ms p95), incorrect validation logic | 1 business day | 5 business days | Email, GitHub Issues |
| P3 – Minor | Non-critical bugs, documentation errors, feature gaps | 2 business days | 10 business days | Email, GitHub Issues |
| P4 – Enhancement | Feature requests, integration questions, optimization requests | 3 business days | Best effort | Email, GitHub Discussions |
Support Tiers
Standard Tier ($10-20k/mo):
- Email support (business hours: 9 AM – 6 PM ET, Mon–Fri)
- GitHub issue tracking
- Access to documentation and demo materials
- Monthly validation analytics report (self-service via /v2/health)
Professional Tier ($30-40k/mo):
- All Standard features
- Slack channel access with engineering team
- Extended support hours (8 AM – 8 PM ET, Mon–Fri)
- Quarterly integration review calls
- Custom constraint configuration assistance
Enterprise Tier ($50k+/mo):
- All Professional features
- Dedicated Slack channel with priority response
- Named technical account manager
- Custom validation rule development and tuning
- Monthly executive reports with compliance analytics
- On-call support for P1 incidents (4-hour response, 24/7)
6. Change Management
Version Control
- Semantic Versioning: MAJOR.MINOR.PATCH (e.g., v1.0.0, current release)
- Backward Compatibility: API endpoints maintain compatibility within MAJOR version
- Version Pinning: Clients self-host and control update cadence; cloud clients notified 30 days before MAJOR updates
Update Notifications
- Security Patches: Immediate notification via email + GitHub security advisory
- Feature Releases: 14-day advance notice via email with changelog (GitHub releases)
- Deprecations: 90-day notice before endpoint or feature removal
Testing Environments
- Local Testing: Clients run uvicorn app.main:app --reload for development testing
- Demo Environment: /demo folder includes mock exchange and agent examples
- Staging Recommendation: Deploy a separate instance with test data before production rollout
7. Monitoring & Transparency
Health Monitoring
/v2/health Endpoint: Real-time system health metrics
- Uptime request count
- Recent divergence average
- Violation rate
- Drift detection status
- GREEN/YELLOW/RED indicator
Client Responsibility: Monitor endpoint via external service (e.g., Datadog, Prometheus)
Analytics & Reporting
Built-in visibility via API responses:
- Validation Outcomes: Each response includes indicator (GREEN/YELLOW/RED)
- Confidence Scoring: Per-request confidence assessment (0.0-1.0)
- Drift Alerts: Behavioral anomaly detection in /v2/health
- Audit Trail: SQLite database query access for historical analysis
Incident Post-Mortems
For P1/P2 incidents affecting cloud-hosted clients:
- Root cause analysis within 10 business days
- GitHub issue with detailed timeline and corrective actions
- Transparent disclosure (unless security-sensitive)
8. Proof of Concept (POC) Terms
POC Scope (30-Day Duration)
No SLA Enforcement: Performance and uptime targets are best-effort during POC
POC Success Criteria
Mutually defined before POC start. Example metrics:
- "Block ≥3 constraint violations that current system would miss"
- "Detect ≥5 hallucination attempts via divergence scoring"
- "Demonstrate <200ms rollback capability"
POC to Production Migration
Zero-downtime upgrade—validation rules and audit logs preserved. Self-hosted: Same deployment, upgrade support tier.
9. Limitations & Exclusions
SLA Does Not Cover:
- Client Infrastructure: Server outages, network failures, insufficient CPU/memory allocation
- Misconfiguration: Incorrect constraint thresholds, improperly formatted API requests
- Third-Party Dependencies: OpenAI API failures (for live LLM demos), market data provider outages
- Force Majeure: Natural disasters, acts of war, government-mandated service disruptions
10. Compliance & Legal
Regulatory Alignment (Startup Reality)
- SOC 2 Type II: Not currently certified. Roadmap for 2027 pending customer demand and funding
- GDPR/CCPA Compliance:
- Minimal data collection by design (no customer PII required)
- Audit logs client-controlled (self-hosted) or isolated per client (cloud)
- Data deletion requests honored within 30 days
- Financial Regulations:
- Hash-chained audit trails designed to support FINRA/SEC record-keeping requirements
- Cryptographic event integrity verification (SHA-256)
- Compliance PDF export via /v3/compliance/export
- Note: Oriphim provides audit tooling; regulatory interpretation is client responsibility
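What a SHA-256 hash-chained audit trail (sections 4 and 10) does and does not guarantee, as an added example: this is not Oriphim's audit-log code, and the entry layout (seq, prev_hash, payload, hash), the genesis value and the sample events are assumptions made for the illustration. Each entry's hash covers its own fields plus the previous entry's hash, so editing or deleting an old entry breaks every link after it. The example also shows the two gaps a reviewer should check for: tail truncation, and an attacker with write access simply recomputing the hashes forward. Both pass verification unless the latest hash is anchored somewhere the log writer cannot modify:

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # assumed anchor value for the first entry's prev_hash


def _canonical(record: Dict[str, Any]) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the
    # digest, or a re-serialised log would fail verification for no reason.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _digest(entry: Dict[str, Any]) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_event(chain: List[Dict[str, Any]], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Append payload as a new entry whose hash covers its fields and the previous hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"seq": len(chain), "prev_hash": prev_hash, "payload": payload}
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_position). expected_head is an externally stored copy of
    the latest hash; without it, truncation and forward re-hashing go unnoticed."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i          # gap, reorder or broken link
        if _digest(entry) != entry.get("hash"):
            return False, i          # entry contents changed after hashing
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)     # chain is internally consistent but not the one we anchored
    return True, None


def rehash_from(chain: List[Dict[str, Any]], start: int) -> None:
    """What an attacker with write access does after editing entry `start`: relink forward."""
    prev_hash = chain[start - 1]["hash"] if start else GENESIS_HASH
    for entry in chain[start:]:
        entry["prev_hash"] = prev_hash
        entry["hash"] = _digest(entry)
        prev_hash = entry["hash"]


# Constructed sample events; field names follow the response fields this SLA names.
SAMPLE_EVENTS = [
    {"agent_id": "agent-17", "endpoint": "/v2/validate", "indicator": "GREEN", "confidence": 0.97},
    {"agent_id": "agent-17", "endpoint": "/v2/validate", "indicator": "RED", "confidence": 0.31},
    {"agent_id": "agent-17", "endpoint": "/v3/rewind/agent-17", "indicator": "YELLOW", "confidence": 0.80},
]


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Build a chain, then check it, an edited copy, a deleted entry, a truncated tail
    and a forward-rehashed edit, with and without an external head anchor."""
    chain: List[Dict[str, Any]] = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    head = chain[-1]["hash"]  # the value to store outside the writer's reach

    edited = copy.deepcopy(chain)
    edited[1]["payload"]["indicator"] = "GREEN"   # hide a RED outcome
    deleted = copy.deepcopy(chain)
    del deleted[1]                                # drop the RED outcome entirely
    truncated = chain[:-1]                        # drop the newest entry
    rehashed = copy.deepcopy(edited)
    rehash_from(rehashed, 1)                      # attacker recomputes hashes forward

    return {
        "intact": verify_chain(chain, expected_head=head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_unanchored": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, expected_head=head),
        "rehashed_unanchored": verify_chain(rehashed),
        "rehashed_anchored": verify_chain(rehashed, expected_head=head),
    }
```

The practical consequence for a FINRA/SEC-style record: the chain itself only proves that nobody changed the log without also holding write access to it. To make that claim stronger, publish the head hash periodically to a store the application cannot write (a separate database, a signed timestamp, a WORM bucket) and verify against it, which is what the expected_head argument stands in for here.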
SLA Enforcement
This SLA applies only to clients with active, paid contracts under a Master Service Agreement. Oriphim reserves the right to update this SLA with 30 days' written notice to Professional/Enterprise clients; Standard tier may be updated with 14 days' notice.
Dispute Resolution
SLA credit disputes submitted via email within 30 days of incident. Oriphim responds within 10 business days. If unresolved, binding arbitration per MSA terms applies.
11. Contact & Escalation
Technical Support: [email protected]
Sales & Onboarding: [email protected]
Documentation: GitHub Repository: https://github.com/oriphim/oriphim-infra
12. SLA Review Cadence
- Quarterly: Performance metrics review with Professional/Enterprise clients (self-service reports via /v2/health and audit logs)
- Annually: SLA terms renegotiation aligned with MSA renewal
- Ad-Hoc: Post-major incident (P1/P2) or upon client request
Last Updated: February 23, 2026
Version: 3.0 (Production-Ready Self-Hosted + Cloud Hybrid)
© 2026 Oriphim Labs LLC. All rights reserved.