The objective of Indusface is to provide complete website protection to all the websites that have subscribed to its solution, by:
- Finding vulnerabilities in the website through automated application scans
- Providing Manual Pen testing to find business logic vulnerabilities in the website
- Providing Proof of concepts for vulnerabilities found by scanner on request
- Protecting website against Layer 7 attacks through WAF which would be deployed in-line with the traffic
- Protection against Layer 7 DDOS attacks
- Monitoring and updating of rules in the WAF to ensure WAF is deployed in log & block mode without False positives
2. Scope of Service Level Agreement:
This document describes the standard level of service that would be rendered by Indusface within the framework of Security, including performance criteria, availability of services, action to be taken in cases of a service failure and response and repair times.
Indusface has the right to change, update, amend or modify this SLA at any time. Such changes will be intimated to the customer.
3. Additional Definitions:
For the purpose of this agreement, the following additional definitions are required:
- False positive in WAF means blocking of legitimate request as malicious request
- POC (proof of concept) means the proof given to show/validate the existence of the vulnerability found by the scanner in the application
- Management of WAF rules means monitoring of rules to ensure they are working and fine tuning them to avoid false positives.
- A Layer 7 DDOS event is a surge of traffic lasting 5 minutes in which 30% of the traffic, measured in requests, is marked by Indusface as malicious
- A DDOS event is considered mitigated when the malicious traffic has been less than 10% continuously for one hour
- Manual Pen Testing is testing done by security experts using standard ethical hacking techniques to identify vulnerabilities present in the application that are difficult to find using automated scanners
- Response time is the first response time taken by the Indusface team to respond for an issue or query raised by the customer
- Resolution time is the time taken to resolve the issue reported by the customer
- WAF configuration is the configuration & rules on the WAF which is applied by Indusface to ensure protection of the web application
- Virtual Patches are WAF rules written by Indusface team to protect against application vulnerabilities
- “NI” or ‘Network Infrastructure’ shall mean the group of Indusface controlled systems (servers, hardware, and associated software) that are responsible for delivering the Services.
- Outage event is any event resulting in complete unavailability of the web application configured for protection, due to any WAF configuration applied by Indusface or due to any unavailability of Network Infrastructure.
- “PI” or ‘Peripheral Infrastructure’ shall mean Indusface’s Portal and its APIs.
- “PI Outage” shall mean a period when the Indusface PI is unavailable, outside a Scheduled Maintenance window
- Scheduled maintenance means maintenance work performed by Indusface on the WAF configuration or other peripheral components and resources. Indusface will notify the customer through email about the maintenance and the expected time for service restoration at least 48 hours before the scheduled maintenance.
- Website availability – means the amount of time expressed as a percentage during which the website configured for protection will be available over the defined period.
- PI availability – means the amount of time expressed as a percentage during which the PI will be available for the customer over the defined period
- Onboarding support means the support provided by Indusface to understand customer requirement and provide suggestions around configuration required as well as helping them out with changes required to onboard the site successfully.
- Indusface business hours Mon – Fri. 9am to 6pm
4. Uptime Commitment:
Indusface provides website availability commitment of 99.99% per month and PI availability commitment of 99.9% per month
5. Service level Commitments:
- Proof of Concept (POC) for vulnerabilities found through web application security scanning and requested from the portal will be delivered within the following time frames, in business hours:
  - For Critical Vulnerabilities – Within 24 hours
  - For High Vulnerabilities – Within 48 hours
  - For Medium Vulnerabilities – Within 72 hours
  POC is not available for vulnerabilities with severity level of Low and Info.
- Virtual patches in WAF will be created if the customer requests patching of vulnerabilities that are newly discovered. Estimated times of delivery of Virtual Patches, in business hours, are:
  - For Critical Vulnerabilities – Within 24 hours
  - For High Vulnerabilities – Within 48 hours
  - For Medium Vulnerabilities – Within 72 hours
  Virtual Patching is not available for vulnerabilities with severity level of Low and Info.
- WAF rules will be monitored and updated to ensure zero false positives within 14 days of onboarding completion.
- Customers will be notified within 5 minutes of DDOS event detection by Indusface
- DDOS Mitigation will be done within 10 minutes of DDOS event detection
- Manual Pen-Testing will be done within 4 weeks of request raised by the Customer.
- Though not mandatory, customer can also choose to fix those vulnerabilities and request for validation of those fixes within 60 days from the report availability date
6. Software Support Commitment:
Once a Customer initiates a support request with Indusface, a support ticket number is generated and tracked by a support technician. A support ticket is assigned a severity number based on the nature of the issue. A support ticket can be assigned to any one of three possible severity levels. In all three cases, an e-mail is sent to the customer informing them about the ticket along with the support ticket number.
Support tickets will be assigned a severity level based on the following guidelines:
- Severity 1 is used for technical issues, which result in complete outage. A support technician will respond to the request within 2 hours of the reported problem. For Severity 1 issues, customer shall initiate contact with Indusface via telephone and indicate the probable category of the incident.
- Severity 2 is used for issues when a customer can access the software; however, one or more significant features of the software are unavailable. For Severity 2 issues, customer shall initiate contact with Indusface via telephone and indicate the probable category of the incident.
- Severity 3 is used for issues that do not prevent the customer from using key features of the software, or where the reported problem has been explained along with a workaround in the documentation. Questions or queries on the software functionality and/or reports will also be assigned Severity 3. For Severity 3 issues, customer may email or telephone Indusface.
7. Resolution & Response Time Commitment:
Indusface commits to the following resolution and response times:
- Severity 1: 2 hrs response time, 2 days resolution time
- Severity 2: 4 hrs response time, 10 days resolution time
- Severity 3: 24 hrs response time, 24 days resolution time
8. Support Coverage:
Indusface commits to the following support availability:
- Support availability through Telephone – 24*7*365
- Support availability through Email – 24*7*365
Escalation Support Tel – IN: +91 265 6133083; US: +1 866 537 8234
Email – email@example.com
In case of unresolved concerns or technical issues, please follow the chain of escalation as shared below. The initial response will arrive within one business day.
Indusface Support Manager – firstname.lastname@example.org
9. Penalty Credits:
Submission of Claims: To submit a claim for Credits, Customer must open a support ticket with Indusface technical support within seven (7) calendar days (168 hours) after the time in which the Outage occurred and provide detailed descriptions of the Outage, the duration of the Outage, network traceroutes, the site(s) affected and any attempts made by Customer to resolve the Outage. The ticket should mention the claim of credit.
Review of Claim: Indusface will use all information reasonably available to it to validate claims and make a good faith judgment on whether there was an Outage and if Credits apply.
Exceptions: Credit is not applicable in case of an outage:
(a) Due to factors outside Indusface’s reasonable control;
(b) That resulted from Customer’s or third party hardware or software;
(c) That resulted from actions or inactions of Customer or third parties;
(d) Caused by Customer’s use of the Service after Indusface advised Customer to modify its use of the Service, if Customer did not modify its use as advised;
(e) During beta and trial Service (as determined by Indusface); or
(f) Attributable to the acts or omissions of Customer or Customer’s employees, agents, contractors, or vendors, or anyone gaining access to Indusface’s Service by means of Customer’s Authorized Users’ accounts or equipment.
On review of the claim, if Indusface accepts the claim, the customer will be provided compensation in the form of credit. Credit will be calculated as follows:
- In case of Uptime commitment not honoured for a particular web application, Indusface commits to pay back for each day of outage 1/365th of payment collected for the affected web application in case of annual billing and 1/30th of payment collected for the affected web application in case of monthly billing
- In case of service level commitment not honoured for a particular web application, Indusface commits to pay back for each day of delay 1/365th of payment collected for the affected web application in case of annual billing and 1/30th of payment collected for the affected web application in case of monthly billing
- In case of software level commitment not honoured for a particular web application, Indusface commits to pay back for each day of delay 1/365th of payment collected for the affected web application in case of annual billing and 1/30th of payment collected for the affected application in case of monthly billing
- Cumulative penalty at no point can exceed 30 days of credit