Service Level Agreement

§1 · Uptime

Availability commitment by tier

Monthly uptime measured as the percentage of minutes in a calendar month during which the system is reachable and serving requests on the public URL. Measured by independent third-party uptime monitor (UptimeRobot) plus our internal probes. Excludes scheduled maintenance windows declared at least 7 days in advance.

Tier	Monthly uptime target	Max downtime / month	Service credit if missed
Starter	99.5%	~3h 39m	5% of monthly fee for 99.0–99.5%; 10% below 99.0%
Hospital	99.5%	~3h 39m	10% of monthly fee for 99.0–99.5%; 20% below 99.0%
Enterprise / Group	99.9% (negotiable to 99.95% with multi-region)	~43m	Custom remedies negotiated per contract; typically 15–30% of monthly fee

99.95% requires multi-machine high availability + multi-region failover and is Stage 2 capability (unlocked when we move from single-machine bluegreen-equivalent to multi-machine Postgres). Enterprise customers requiring 99.95% today should request the per-hospital server deployment instead — that's a self-managed on-prem deployment with no internet-link dependency.

§2 · Disaster recovery

Recovery Point Objective & Recovery Time Objective

Metric	Target	Achieved today
RPO (data)	< 1 hour	~1 hour (hourly snapshots + tiered local retention + client-side encrypted off-host backup)
RPO (audit chain)	< 5 minutes	~60 seconds (mirror flush cadence to B2 Object Lock)
RTO	< 1 hour	~30 minutes per the documented disaster-recovery runbook
Backup retention (local)	30 days	48h hot + 28d daily + 30d age cap
Backup retention (off-host)	≥ 90 days	90-day hide + 30-day delete (120 days total) on B2
Audit-chain retention	7 years	7 years on B2 Object Lock Compliance mode (cannot be altered or deleted within retention window — even by us)

DR drills

Quarterly disaster-recovery drill exercises the full off-host restore path read-only without touching production: authenticates to both B2 buckets, downloads latest backup, decrypts client-side, extracts, verifies manifest SHA-256 hashes, runs the audit-chunk verifier. Drill output is committed to the governance directory as evidence; available to Enterprise customers on request.

§3 · Response times

Incident response matrix

When a customer reports an issue or our monitoring detects one, the response-time clock starts at the moment we receive notification. Different SLAs apply by severity:

Severity	Definition	Acknowledgement	First fix shipped
Critical (P1)	System unavailable; data loss or active breach in progress; clinical workflow blocked at scale	1 hour, 24×7	7 days
High (P2)	Major feature broken; one tenant affected; clinical safety concern	4 hours, business hours	30 days
Medium (P3)	Bug with workaround; performance degradation; non-blocking display issue	24 hours, business hours	90 days
Low (P4)	Cosmetic; feature request; suggestion	7 days	Best effort; queued for roadmap

Enterprise tier negotiates tighter SLAs per contract (typically: P1 30-min ACK, 24-hour fix; P2 1-hour ACK, 7-day fix). A premium support uplift brings P1/P2 to 24×7 coverage with the Enterprise-tier targets.

§4 · Incident communication

How and when we tell you

Initial notification within the acknowledgement SLA — email to the customer's nominated technical contact + emergency phone for P1. For widespread incidents affecting multiple tenants, we update the public status page.
Updates every 2 hours during a P1 incident, every business day during a P2.
Resolution notification when the incident is closed, including a brief root-cause summary.
Post-incident review (PIR) within 7 days of any Medium-severity-or-above incident — written, shared with affected customers.
Breach notification per the Data Protection Policy: 24 hours to controller of confirmed breach scope; controller-led regulator notification within jurisdictional window (typically 72 hours).

§5 · Maintenance windows

Planned maintenance is predictable

Scheduled maintenance windows are announced at least 7 days in advance via email to your nominated technical contact and on the public status page.

Default window: Sunday 03:00–05:00 Accra time (GMT+0). Outside peak clinical hours across our supported regions.
Frequency: typically once per quarter for major version upgrades; ad-hoc for security patches (with shortened notice if critical).
Duration: typical maintenance is 15–30 minutes; we reserve up to 2 hours per window. Longer windows announced separately.
Scheduled maintenance does not count against uptime SLA — but unplanned outages do, regardless of cause.
Per-hospital server customers control their own maintenance windows; we provide signed binary releases and you choose when to apply.

§6 · Remedies

What happens if we miss

If we miss an uptime commitment in a calendar month, a service credit is automatically issued against your next invoice. Service credits are calculated as a percentage of the monthly subscription fee for that tier — see the table in §1.

Service credit cap

Maximum service credit in any one calendar month: 50% of the monthly subscription fee.
Service credits are not cash refunds; they offset future invoices.
If the system is unavailable for more than 7 consecutive days due to our fault, you may terminate the contract for cause with a full refund of any prepaid period beyond the failure date.

Force majeure

Outages caused by events outside our reasonable control (declared sub-processor outages, regional internet failures, regulatory action, natural disasters affecting our or our sub-processors' facilities) do not count against the uptime SLA. We will still communicate during force-majeure events per §4.

§7 · Measurement and reporting

How uptime is measured

Independent uptime measurement by UptimeRobot, probing the customer-facing URL every 5 minutes from multiple regions. Internal probes complement this with API-endpoint health checks every 60 seconds. Monthly uptime reports available on request for Hospital and Enterprise tier customers; quarterly for Starter tier.

Live component health, active incidents, planned maintenance, and 90-day uptime are public at medicarehis.com/status. Monthly per-customer reports remain available to Hospital and Enterprise customers on request.

Honest caveats

What we are NOT promising

99.99% uptime ("four nines"). Not promised at any tier. Our architecture is single-region single-machine today; four-nines is multi-region multi-machine territory. Enterprise customers needing it should pursue the per-hospital server option or wait for our Stage 2 multi-machine unlock.
Real-time replication to a secondary region. Not in scope today. RPO is achieved via 60-second audit-chain replication + hourly data snapshots, not synchronous streaming.
Zero-downtime upgrades. The "immediate" deploy strategy has a ~10–30 second swap window. We schedule deploys during low-traffic times where possible. Bluegreen (zero-downtime) is Stage 2 capability.
Liability beyond the service credit cap. Our maximum liability for service-availability issues is the service credit cap defined in §6. Liability for breach, data loss, or other forms of damage is governed by the Master Services Agreement, not this SLA.

Companion documents: Procurement evidence pack · Brochure · Security whitepaper · Deployment architecture · Compliance roadmap · Support · Onboarding