Service level agreement
Legal and Privacy Service level agreement

Service level agreement

Download document

1. Purpose and Scope

This Service Level Agreement (“SLA”) defines the service levels, availability,
support response targets, and operational commitments for the software-as-a-
service (SaaS) platform provided by Keto Software to its customers.
This SLA forms an integral part of the Keto Licensing Agreement (KLA) or Order
Form and applies to all standard licensed Services unless otherwise agreed in
writing.

2. Definitions

Services
The cloud-based software platform provided by Keto, including its modules and APIs.
Downtime
Unplanned, full unavailability of core application functionality due to issues in Keto infrastructure. Excludes Planned Downtime, Customer issues, third-party outages, and force majeure (see GTC).
Planned Downtime
Announced maintenance work, upgrades, or updates. Not considered Downtime.
Uptime
Monthly availability of the Services, measured as a percentage of total time excluding Planned Downtime, Customer issues, third-party outages, and force majeure (see GTC).
Incident
A support-relevant disruption in service quality or accessibility.
Notification Event
Time between the Notification Event and Keto’s initial acknowledgment.
Response Time
The maximum time available for Keto to provide a first response to a Customer Notification calculated on Opening Hours starting from a Notification Event. A ticket is created.
Resolution Time
The maximum time available for Keto to fix the defect, calculated from the moment of Keto’s response to the Customer Notification based upon Keto’s headquarter Opening Hours in Hyvinkää, Finland (EEST only). The Resolution Time is calculated in Opening Hours, except for the Resolution Time for Priority 1, which is calculated in calendar hours for Monday to Friday, excluding weekends and other public holidays.
Priority 1 (P1)
Fatal defect (highest priority). A defect meaning that all Services and/or Software purchased by Customer are substantially unusable, no workaround solution is possible, and the Customer is completely unable to perform any job function within Keto.
Priority 2 (P2)
Critical defect (high priority). A defect meaning that one or more features of the Services and/or the Software purchased by Customer are significantly degraded and have a substantial impact on job users’ usability and performance.
Priority 3 (P3)
Material defect (medium priority). Customers use of the Services and/or Software are materially, but not substantially, impaired, the user experience is impacted, but the job function is not impaired. A workaround solution might be possible and can be conditioned to the package purchased by the Customer.
Priority 4 (P4)
Cosmetic defect (low priority). Customers use of the Service and/or Software is not materially impaired, but there are some small bugs and/or errors that require to be fixed.
RPO (Recovery Point Objective)
Max period for potential data loss in disaster recovery (daily backups; max 24h).
RTO (Recovery Time Objective)
Max time for service recovery after a major disruption (≤24h for P1 defects).

3. Service Availability

Keto targets a monthly uptime of 98.0% for production environments. Uptime Calculation:

The percentage of Uptime (Actual Availability) is calculated as follows:

Availability (%) = (Expected Uptime − Downtime) ÷ Expected Uptime × 100%

Planned downtime, customer-side issues, third-party failures, and force majeure events are excluded from this calculation.

4. Maintenance and Updates

Planned Maintenance will be announced at least 48 hours in advance and typically scheduled outside local business hours.

Keto regularly enhances its platform through performance, security, and feature updates. Standard updates are included in the subscription; custom development or integrations are excluded unless agreed otherwise.

Keto aims to limit Planned Downtime to a maximum of 6 hours per calendar month.
Planned Downtime is not considered Downtime in SLA uptime calculations.

5. Hosting & Security

Hosted on Google Cloud Platform (GCP), with data centres in Hamina (Finland) and London (UK)

Customer data is logically separated and encrypted:

  • In transit: TLS 1.2+
  • At rest: AES-256 encryption

Compliant with ISO/IEC 27001, SOC 2 Type II, and relevant cloud standards

6. Support Services

Support Hours & Contact
Available: Monday–Friday, 08:00–17:00 (local time, excluding holidays)
Contact: [helpdesk@ketosoftware.com]
Support is limited to named admin users; end-user support is not included.

Incident Classification and Target Response Times

SLA Standard

  • Cost: Free
  • Expected Uptime: 98.0 % per month
Support:
  • P1: Response Time 8 h, Resolution Time 24 h
  • P2: Response Time 16 h, Resolution Time 48 h
  • P3: Response Time 36 h, Resolution Time Best Efforts
  • P4: Response Time Best Efforts, Resolution Time Best Efforts

SLA Premium

  • Cost: €9,600* yearly
  • Expected Uptime: 99 % per month
Support:
  • P1: Response Time 4 h, Resolution Time 16 h
  • P2: Response Time 8 h, Resolution Time 36 h
  • P3: Response Time 16 h, Resolution Time Bi-yearly release
  • P4: Response Time 48 h, Resolution Time Best Efforts

7. SLA credits

If monthly uptime falls below 98%, the Customer may request service credits as follows:

  • Credits must be requested in writing within 30 days after the affected month.
  • Credits are applied to future invoices and are not cash refunds.
  • This is the sole and exclusive remedy for service level breaches.

8. Data Backup & Disaster Recovery

Customer data will be backed up and stored outside the hosting data centre. The service backups are generated daily and stored for 30 days. Backups includes all databases and application installation folder (Application and its settings)

In the event of an unrecoverable loss of a data storage device then data availability would be restored with a Recovery Time Objective (RTO) of 48 hours and a Recovery Point Objective (RPO) of 24 hours.

In the event of a long-term data centre failure (disaster recovery situation) then a new platform would be built in an alternative data centre and the service restored with a RTO of 2 weeks and a RPO of 24 hours. Supplier will conduct an annual business continuity and disaster recovery audit to determine whether the appropriate controls are in place to comply with the business continuity and disaster recovery plans. Supplier will  promptly resolve any deficiencies identified by the audit.

9. Vulnerability & Penetration Testing

Customer are permitted to carry out, or contract third parties to perform, vulnerability or penetration testing of Supplier SaaS environments subject to the following conditions,

  1. The Customer should inform their supplier Service Manager of the proposed test at least five working days prior to commencement. Details of the planned tests must be provided.
  2. Supplier will review the test plans. Limits may be imposed by supplier on validation efforts (specifically, potentially invasive validation) to ensure the integrity of the overall production environment and continuity of service to Supplier’s other customers.
  3. The test must be carried out by a competent party and must be performed in accordance with industry best practices and applicable laws.
  4. Physical penetration testing of Supplier’s utilized data centres is not permitted.
  5. The test will not exploit any vulnerability discovered or perform any denials of
    service or brute force attacks.

Critical issues (that pose an immediate risk to Customer systems or data) will be classified as security incidents and resolved as soon as possible with the highest development priority while other issues will be resolved as part of standard service maintenance and updates.

10. Business Continuity

Keto maintains a documented and tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). These include:

  • Incident detection and escalation
  • Failover and data restoration
  • Internal and external communication procedures

11. Updates and Governance

Keto may amend this SLA with 30 days’ notice.
This SLA is governed by the laws and jurisdiction set out in the KLA, Order Form
and GTCs.

The latest version will be published at:
www.ketosoftware.com/legal-and-privacy/