Service Level Agreement

SWORKSCYBER, LLC d/b/a Rovally

Cybersecurity & Compliance Services

Support Contact Information

support@rovally.com

Emergency Line: Available to contracted clients

This Service Level Agreement supplements the Master Services Agreement between Rovally and Client.

Last Updated: November 2025

1. INTRODUCTION

Summary: This SLA defines how we deliver support, our response times, and what to expect. It applies to all clients with an active Statement of Work.

1.1 Purpose

This Service Level Agreement ("SLA") forms part of the Master Services Agreement (the "Agreement" or "MSA") between SWORKSCYBER, LLC d/b/a Rovally ("Provider" or "Rovally") and the entity identified in the applicable Statement of Work ("Client"). This SLA defines the service levels, support commitments, and operational standards that Provider will maintain in delivering Services to Client.

1.2 Scope

This SLA applies to all Services provided under the Agreement, including but not limited to:

  • Cybersecurity and compliance consulting services
  • Managed security services
  • IT operations and support services
  • Compliance program management
  • Third-party platform management

Specific service levels for individual engagements may be modified or enhanced in the applicable Statement of Work. In the event of conflict between this SLA and an SOW, the SOW shall prevail.

1.3 Effective Date

This SLA is effective as of the effective date of the Agreement and remains in effect for the duration of the Agreement.

2. DEFINITIONS

Summary: Key terms used in this SLA, including how we define business hours, incidents, and different priority levels.

"Business Day" means Monday through Friday, excluding Observed Holidays (as defined in Section 5).

"Business Hours" means 9:00 AM to 6:00 PM Pacific Time on Business Days, unless otherwise specified in the applicable SOW.

"Emergency" means a Critical (P1) incident occurring outside of Business Hours that requires immediate attention to prevent or mitigate significant harm to Client's business operations or security posture.

"Incident" means any unplanned interruption to, or reduction in quality of, a Service, or any event that could potentially affect Service quality.

"Initial Response" means the first substantive communication from Provider acknowledging receipt of the request and providing initial assessment, assignment, or next steps. Automated acknowledgments do not constitute Initial Response.

"Resolution" means the point at which normal service operation is restored, or a workaround is in place that allows Client to continue business operations while a permanent fix is developed.

"Resolution Target" means the target timeframe for achieving Resolution, measured from the time of Initial Response. Resolution Targets are objectives, not guarantees, as resolution times depend on factors including issue complexity, third-party dependencies, and Client responsiveness.

"Service Request" means a request from Client for information, advice, access, or a standard change that is not an Incident.

3. SERVICE AVAILABILITY

Summary: We're available during business hours (9 AM - 6 PM Pacific) on business days. Emergency support is available 24/7/365 for critical security incidents.

3.1 Standard Support Hours

Provider delivers standard support during Business Hours:

  • Days: Monday through Friday (excluding Observed Holidays)
  • Hours: 9:00 AM to 6:00 PM Pacific Time
  • Time Zone: All times referenced in this SLA are Pacific Time (PT), observing Daylight Saving Time as applicable

3.2 Emergency Support

Provider maintains emergency support capability for Critical (P1) incidents:

  • Availability: 24 hours per day, 7 days per week, 365 days per year (including Observed Holidays)
  • Scope: Limited to Critical (P1) security incidents and emergencies as defined in Section 4
  • Access: Via designated emergency contact method provided during onboarding

Non-emergency requests received outside Business Hours will be addressed on the next Business Day.

3.3 Communication Channels

Provider supports the following communication channels for service requests:

Communication Channels Table
| Channel | Use Case | Availability |
| --- | --- | --- |
| Slack (Shared Channel) | Day-to-day requests, questions, quick coordination | Primary channel during Business Hours |
| Email | Formal requests, documentation, non-urgent matters | Monitored during Business Hours |
| Scheduled Meetings | Strategy discussions, project reviews, complex issues | As scheduled during Business Hours |
| Emergency Line | Critical (P1) security incidents only | 24/7/365 |

Note: Specific communication channels and contact information are provided during client onboarding and documented in the applicable SOW or welcome materials.

4. INCIDENT CLASSIFICATION AND RESPONSE

Summary: We classify issues by severity (P1-P4). Critical security incidents get 1-hour response; routine requests get 2 business day response. Resolution times vary by complexity.

4.1 Priority Definitions

Provider classifies incidents and service requests according to the following priority levels:

Priority 1 (P1) — Critical

Definition: A security incident or service failure that has immediate, severe impact on Client's business operations, security posture, or involves active compromise.

Examples:

  • Active security breach or ongoing attack
  • Ransomware or malware infection spreading across systems
  • Complete loss of critical security controls
  • Data breach with confirmed exfiltration
  • Compliance system failure during active audit

Priority 2 (P2) — High

Definition: A significant issue affecting security or operations with major impact, but not involving active compromise or complete service loss.

Examples:

  • Security tool failure (EDR, SIEM not functioning)
  • Suspected security incident under investigation
  • Compliance deadline at risk
  • MDM/device management platform outage
  • Multiple users unable to work due to IT issue

Priority 3 (P3) — Medium

Definition: An issue affecting a single user or limited functionality, with workarounds available, or a proactive request with defined timeline.

Examples:

  • Single user access or device issue
  • Policy update or document revision request
  • New employee onboarding (standard timeline)
  • Security questionnaire response (standard deadline)
  • Compliance evidence collection request

Priority 4 (P4) — Low

Definition: A minor issue, general question, or enhancement request with no immediate operational impact.

Examples:

  • General questions about policies or procedures
  • Documentation requests
  • Enhancement or feature requests
  • Training coordination
  • Scheduled reporting or metrics requests

4.2 Response Time Commitments

Provider commits to the following Initial Response times based on priority classification:

Response Time Commitments Table
| Priority | Initial Response Time | Measurement Period |
| --- | --- | --- |
| P1 — Critical | 1 hour | 24/7/365 (clock hours) |
| P2 — High | 4 Business Hours | Business Hours only |
| P3 — Medium | 1 Business Day | Business Days only |
| P4 — Low | 2 Business Days | Business Days only |

4.3 Resolution Targets

Provider targets the following resolution timeframes. These are objectives based on typical issues and may vary based on complexity, third-party dependencies, and other factors:

Resolution Targets Table
| Priority | Resolution Target | Update Frequency |
| --- | --- | --- |
| P1 — Critical | 4-8 hours | Hourly until contained |
| P2 — High | 1-2 Business Days | Every 4 hours during Business Hours |
| P3 — Medium | 3-5 Business Days | Daily or as agreed |
| P4 — Low | 5-10 Business Days | Weekly or as agreed |

Note: Resolution Targets represent typical timeframes. Complex issues, those requiring third-party vendor involvement, or those dependent on Client action may require extended timelines. Provider will communicate expected timelines during Initial Response.

4.4 Priority Assignment

Client may suggest a priority level when submitting a request. Provider reserves the right to adjust the priority based on actual impact assessment. Provider will notify Client if a priority is adjusted and provide rationale upon request.

4.5 Escalation

If Client believes an issue is not being addressed appropriately, Client may request escalation through the following process:

  1. First Escalation: Contact the assigned consultant or primary point of contact
  2. Second Escalation: Request escalation to Provider management via email to escalations@rovally.com
  3. Executive Escalation: For unresolved critical issues, Client's executive sponsor may contact Provider's executive team

5. OBSERVED HOLIDAYS

Summary: We observe major U.S. holidays when our offices are closed. Emergency support remains available 24/7. Holidays are observed on the actual calendar day they fall, following standard U.S. observation rules.

5.1 Holiday Schedule

Provider observes the following holidays annually ("Observed Holidays"). On Observed Holidays, Provider's offices are closed and standard support is unavailable. Emergency support for Critical (P1) incidents remains available.

Holiday Schedule Table
| Holiday | Observation |
| --- | --- |
| New Year's Day | January 1 (or observed date) |
| Martin Luther King Jr. Day | Third Monday of January |
| Presidents' Day | Third Monday of February |
| Memorial Day | Last Monday of May |
| Juneteenth National Independence Day | June 19 (or observed date) |
| Independence Day | July 4 (or observed date) |
| Labor Day | First Monday of September |
| Thanksgiving Day | Fourth Thursday of November |
| Day After Thanksgiving | Fourth Friday of November |
| Christmas Eve | December 24 (or observed date) |
| Christmas Day | December 25 (or observed date) |
| New Year's Eve | December 31 (or observed date) |

5.2 Holiday Observation Rules

The following rules govern holiday observation:

  • Weekend Observance: When a holiday falls on a Saturday, it is observed on the preceding Friday. When a holiday falls on a Sunday, it is observed on the following Monday.
  • Floating Holidays: Holidays defined by day of week (e.g., "Third Monday of January") are observed on that day each year.
  • Fixed-Date Holidays: Holidays tied to specific dates (e.g., July 4, December 25) follow standard U.S. federal observation practices when they fall on weekends.
  • Calendar Determination: Observed Holiday dates are determined according to the calendar year in which the service is provided, following the observation rules above.

5.3 Holiday Support Coverage

During Observed Holidays:

  • Standard Support: Unavailable. Requests received on Observed Holidays will be addressed on the next Business Day.
  • Emergency Support: Available for Critical (P1) incidents via designated emergency contact.
  • Automated Monitoring: Security monitoring and alerting systems remain active; alerts meeting P1 criteria trigger emergency response.

5.4 Extended Closures

Provider may occasionally observe extended closure periods (such as the week between Christmas and New Year's). Provider will notify Client at least thirty (30) days in advance of any extended closure periods. Emergency support remains available during extended closures.

6. SCHEDULED MAINTENANCE

Summary: We occasionally need to perform maintenance on systems we manage. We'll give you advance notice and schedule it during low-impact times when possible.

6.1 Maintenance Windows

Provider may perform scheduled maintenance on managed systems and platforms. Whenever possible, maintenance is performed during low-impact periods:

  • Preferred Window: Weekends or outside Business Hours
  • Alternative Window: Early morning (before 9:00 AM PT) or evening (after 6:00 PM PT) on Business Days

6.2 Maintenance Notification

Provider will provide advance notice of scheduled maintenance:

  • Standard Maintenance: At least 5 Business Days' notice for planned maintenance that may impact service availability
  • Emergency Maintenance: As much notice as reasonably possible for urgent security patches or critical updates
  • Vendor-Initiated Maintenance: Provider will forward vendor maintenance notifications as received; Provider does not control third-party vendor maintenance schedules

6.3 Third-Party Vendor Maintenance

Managed Third-Party Services (as defined in the MSA) are subject to vendor maintenance schedules. Provider does not control these schedules and is not responsible for service unavailability during vendor-initiated maintenance. Provider will communicate known vendor maintenance windows when notified by vendors.

7. SERVICE-SPECIFIC LEVELS

Summary: Different services have specific SLA details, such as onboarding timelines and questionnaire turnaround. These supplement the general response times above.

7.1 Compliance Program Management

  • Security Questionnaire Responses: 5-10 Business Days for standard questionnaires; expedited turnaround available upon request with advance notice
  • Policy Updates: 3-5 Business Days for standard policy revisions
  • Audit Support: Priority response during active audit periods; specific timelines coordinated with auditor requirements
  • Compliance Platform Updates: Continuous monitoring with issues addressed per standard priority classification

7.2 IT Operations & Help Desk

  • New Employee Onboarding: Completed by start date when the request is submitted 14+ Business Days in advance; best-effort for shorter notice
  • Employee Offboarding: Same-day or next Business Day for planned departures with 5+ Business Days' notice; immediate for terminations
  • Device Provisioning: Dependent on hardware availability and shipping; typically 5-10 Business Days
  • Access Requests: 1-2 Business Days for standard access; same-day for urgent requests with appropriate authorization

7.3 Security Operations

  • Security Alert Triage: Critical alerts triaged within 1 hour; standard alerts within 4 Business Hours
  • Vulnerability Assessment: Critical vulnerabilities assessed and prioritized within 24 hours of discovery
  • Security Tool Configuration: Changes implemented within 1-3 Business Days depending on complexity and testing requirements

8. EXCLUSIONS AND LIMITATIONS

Summary: Some things are outside our control—vendor outages, client-caused issues, etc. This section clarifies what's not covered by our SLA commitments.

8.1 SLA Exclusions

The service levels in this SLA do not apply to:

  • Third-Party Vendor Issues: Outages, performance degradation, or limitations of Managed Third-Party Services that are outside Provider's control
  • Client-Caused Issues: Problems resulting from Client's actions, misconfigurations, or failure to follow Provider recommendations
  • Client-Managed Applications: Software and services that Client procures and manages independently
  • Force Majeure Events: Events beyond reasonable control as defined in the MSA
  • Incomplete Information: Delays caused by Client's failure to provide required information, access, or approvals
  • Out-of-Scope Services: Services not included in the applicable SOW
  • Beta or Preview Features: Features designated as beta, preview, or experimental

8.2 Response Time Exclusions

Response time measurements exclude:

  • Time awaiting Client response or action
  • Time awaiting third-party vendor response
  • Observed Holidays and outside Business Hours (except for P1 incidents)
  • Time required for hardware procurement or shipping

8.3 Client Responsibilities

To enable Provider to meet SLA commitments, Client agrees to:

  • Respond promptly to requests for information or clarification
  • Provide accurate and complete information when submitting requests
  • Designate authorized contacts for approvals and escalations
  • Follow Provider's reasonable recommendations and procedures
  • Maintain current contact information for notifications

9. REMEDIES

Summary: If we consistently miss SLA targets, you can request a service review. Our commitment is to continuously improve, not to provide financial credits—that keeps our pricing lower for everyone.

9.1 SLA Performance Review

If Client believes Provider is consistently failing to meet SLA commitments, Client may request a formal SLA performance review. Provider will:

  • Schedule a review meeting within 10 Business Days of the request
  • Provide documentation of service performance metrics
  • Develop and present a corrective action plan for identified deficiencies
  • Implement agreed-upon improvements within a reasonable timeframe

9.2 Chronic Failure

If Provider fails to meet Initial Response time commitments for more than 20% of requests in any calendar quarter (excluding documented exclusions), and fails to cure such deficiency within 30 days of written notice, Client may terminate the affected Services without penalty by providing 60 days' written notice.

9.3 No Service Credits

This SLA does not provide for service credits or financial remedies for missed service levels. Provider's commitment is to provide high-quality services and to work collaboratively with Client to address any service concerns. The remedies set forth in this Section 9 and the termination rights in the MSA are Client's exclusive remedies for SLA failures.

10. REPORTING AND COMMUNICATION

Summary: We provide regular status updates and meeting cadences. You can request performance reports to see how we're doing against SLA targets.

10.1 Regular Communication

Provider maintains regular communication with Client through:

  • Recurring Meetings: Regular check-in meetings as agreed in the SOW (typically weekly or bi-weekly)
  • Status Updates: Proactive updates on ongoing projects and issues
  • Quarterly Business Reviews: Comprehensive reviews of service delivery, security posture, and compliance status (for applicable engagements)

10.2 Performance Reporting

Upon request, Provider will provide:

  • Summary of requests and response times for the requested period
  • Incident summary and resolution details
  • Project status and milestone tracking
  • Security and compliance status dashboards (where applicable)

11. AMENDMENTS AND MODIFICATIONS

Summary: We may update this SLA periodically. We'll give you 30 days' notice of changes. Continuing to use our services after changes means you accept the updated SLA.

11.1 SLA Updates

Provider may update this SLA from time to time to reflect changes in service offerings, operational capabilities, or industry standards. Provider will notify Client of material changes at least thirty (30) days in advance.

11.2 SOW-Specific Terms

Individual Statements of Work may include service levels that modify or supplement this SLA for specific engagements. In the event of conflict, the SOW shall prevail for the services covered by that SOW.

11.3 Acceptance

Client's continued use of Services following notification of SLA changes constitutes acceptance of the updated SLA. If Client does not accept material changes, Client may terminate the affected Services in accordance with the MSA.

12. GENERAL PROVISIONS

12.1 Relationship to MSA

This SLA is incorporated into and subject to the terms of the MSA. All limitations of liability, disclaimers, and other provisions of the MSA apply to services provided under this SLA.

12.2 Entire Understanding

This SLA, together with the MSA and applicable SOWs, constitutes the complete agreement between the parties regarding service levels and support commitments.

12.3 Severability

If any provision of this SLA is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.