Service Level Agreement (SLA)
Template — South Africa

Precisely defines the services covered by the SLA — distinguishing between core services (fully covered by SLA commitments), ancillary services (best-effort, no SLA commitments), and excluded services (explicitly outside the SLA's scope). This section prevents scope disputes by specifying what is and is not covered, the relationship between the SLA and the underlying master service agreement, and the hierarchy of documents in case of conflict. It also addresses multi-service SLAs where different services have different performance targets, and the treatment of new services added during the agreement term.

Defines specific, measurable key performance indicators (KPIs) with quantitative targets. Common metrics include: availability/uptime percentage (99.5%, 99.9%, 99.99%), response time (time from incident report to first response — measured in minutes or hours by severity level), resolution time (time from incident report to full resolution — measured in hours by severity level), throughput (transactions per second, API calls per minute), error rates (percentage of failed requests), latency (millisecond response time for API calls or page loads), backup frequency and recovery time objectives (RTO/RPO), and customer satisfaction scores (CSAT, NPS). Each metric has a defined measurement methodology, data source, and calculation formula to eliminate disputes over whether targets were met.

Establishes a severity classification system that determines the response and resolution time commitments for different types of incidents. Typical classifications include: Severity 1 (Critical — service completely unavailable or major functionality impaired, affecting all users), Severity 2 (Major — significant functionality degraded, workaround may be available, affecting multiple users), Severity 3 (Moderate — minor functionality issue, workaround available, limited impact), and Severity 4 (Low — cosmetic issue, enhancement request, no operational impact). The classification criteria, escalation triggers, and examples for each severity level are defined to prevent disputes over incident categorisation.

Specifies how performance is measured and reported. Addresses: the monitoring tools and systems used (Nagios, Datadog, custom dashboards, third-party monitoring services), the measurement intervals (real-time, hourly, daily), the calculation methodology for each metric (including which events are excluded from calculations — see exclusions), the reporting frequency (monthly reports with additional real-time dashboard access), the report format and content (actual vs target, trend analysis, incident summaries), and the process for the customer to challenge or dispute reported metrics. Transparency in measurement is critical — if the provider controls the measurement tools, the customer should have audit rights or independent verification capability.

Defines the financial remedies when SLA targets are not met. Service credits are structured as genuine pre-estimates of the customer's loss for underperformance — not penalties, which are unenforceable under the Conventional Penalties Act 15 of 1962 unless actual loss is proved. The section specifies: the credit calculation formula for each metric (typically a percentage of the monthly fee based on the magnitude of the shortfall), the maximum credit cap per billing period (typically 20% to 30% of the monthly fee — the provider is not expected to provide services for free), the credit request process and timeline, how credits are applied (offset against future invoices, not cash refunds unless the agreement terminates), and whether credits are the customer's sole and exclusive remedy for SLA breaches or whether they can claim additional damages.

Establishes a structured escalation framework for service issues — ensuring that unresolved incidents are escalated to progressively senior levels of management on both sides. The escalation matrix includes: the escalation triggers (elapsed time without resolution, severity level, business impact), the designated contacts at each escalation level (names, titles, phone numbers, email addresses) for both the provider and the customer, the response time requirement at each level, and the process for escalating to executive management. For critical (Severity 1) incidents, the section specifies real-time communication requirements — conference calls, incident war rooms, and continuous status updates until resolution.

Defines when the service provider may perform scheduled maintenance on its infrastructure, and the impact on SLA calculations. Covers: the standard maintenance window (typically Sunday 02:00-06:00 SAST), the advance notice requirements for scheduled maintenance (48 to 72 hours), the maximum permitted maintenance hours per month, emergency maintenance procedures (shorter notice period with executive approval), and critically — whether downtime during scheduled maintenance windows is excluded from availability calculations. The section also addresses the provider's obligation to minimise the impact of maintenance through rolling upgrades, redundant systems, and non-disruptive deployment practices.

Defines events that do not count against SLA metrics — the circumstances where the provider is excused from meeting performance targets. Common exclusions include: force majeure events (natural disasters, civil unrest, government action — see Section 67 of the CPA for force majeure in consumer agreements), customer-caused incidents (misconfiguration, unauthorised changes, insufficient resources), third-party service failures outside the provider's control (upstream ISP outage, DNS provider failure), pre-approved scheduled maintenance, and periods where the customer was notified of a potential impact but chose not to take recommended action. Exclusions must be narrowly drafted to prevent abuse — a provider who excludes too many events effectively guts the SLA.

Where the service provider processes personal information on behalf of the customer, this section establishes the POPIA compliance framework required by Sections 20-21. Addresses: the processing purposes and limitations, the security measures the provider must implement (aligned with POPIA Section 19 — encryption, access controls, regular assessments), data breach notification obligations (POPIA Section 22 requires notification "as soon as reasonably possible"), data location and cross-border transfer restrictions, data return and destruction upon termination, and the provider's obligation to assist the customer with data subject requests. This section can reference a separate data processing agreement if the POPIA provisions are extensive.

Defines the service provider's disaster recovery and business continuity commitments — the Recovery Time Objective (RTO, the maximum acceptable time to restore service after a disaster), the Recovery Point Objective (RPO, the maximum acceptable data loss measured in time — e.g., "last 4 hours" means up to 4 hours of data may be lost), backup frequency and testing procedures, geographic redundancy (whether backups are maintained in a separate data centre or region), the disaster recovery testing schedule (typically bi-annually with customer participation), and the communication procedures during a disaster event.

Establishes the process for reviewing and evolving the SLA over time. Covers: the review frequency (quarterly operational reviews, annual strategic reviews), performance trending analysis (identifying systemic issues rather than isolated incidents), the process for adjusting KPI targets (both tightening and relaxing, by mutual agreement), the introduction of new metrics as the service matures, benchmarking against industry standards, and the continuous improvement commitments that the provider makes — such as conducting root cause analysis for every Severity 1 incident and implementing preventive measures.

Defines the customer's right to terminate the underlying service agreement if the SLA is persistently breached — going beyond the credit remedy for individual failures. Typical triggers include: maximum credits reached in consecutive months (e.g., credits at the cap for 3 consecutive months), a specified number of Severity 1 incidents within a rolling period, or a consistent pattern of underperformance that demonstrates the provider cannot meet the committed service levels. The section specifies the termination notice period, whether termination fees are waived for SLA-driven termination, and the provider's obligations during the transition to a replacement provider.

Establishes that the SLA and the underlying service agreement are governed by the laws of the Republic of South Africa. For SLA-specific disputes (measurement methodology, credit calculations, exclusion applicability), the section provides for expedited technical review by designated senior technical representatives from both parties. For broader disputes, the process escalates from negotiation to mediation under AFSA rules to binding arbitration. Arbitration is preferred for technology disputes because arbitrators with technical expertise can be appointed, proceedings are confidential, and resolution is typically faster than litigation.