Indusface

Service Level Agreement

1. Objective

The objective of Indusface is to provide complete protection to all the applications that have subscribed to its solution, by:

  • Finding vulnerabilities in applications through automated application scans
  • Providing Manual Pen Testing to find business logic vulnerabilities in applications
  • Providing Proof of Concepts for vulnerabilities found by scanner, on request
  • Protecting applications against Layer 7 attacks through WAF deployed in-line with the traffic
  • Protection against Layer 7 DDoS attacks
  • Monitoring and updating WAF rules to ensure deployment in log & block mode without false positives

2. Scope of Service Level Agreement

This document describes the standard level of service rendered by Indusface within the framework of Security, including performance criteria, availability of services, action to be taken in cases of a service failure, and response and repair times.

Indusface has the right to change, update, amend or modify this SLA at any time. Such changes will be intimated to the customer.

3. Additional Definitions

For the purpose of this agreement, the following additional definitions apply:

  • False positive in WAF — Blocking of a legitimate request as a malicious request.
  • POC (Proof of Concept) — Proof given to show or validate the existence of a vulnerability found by the scanner in the application.
  • Management of WAF rules — Monitoring of rules to ensure they are working and fine-tuning them to avoid false positives.
  • Layer 7 DDoS event — A surge of traffic for 5 minutes of which 30% of traffic (measured in requests) is marked by Indusface as malicious.
  • Mitigation of DDoS event — When, continuously for one hour, the malicious traffic is less than 10%.
  • Manual Pen Testing — Testing done by security experts using standard ethical hacking techniques to identify vulnerabilities that are difficult to find using automated scanners.
  • Response time — The first response time taken by the Indusface team to respond to an issue or query raised by the customer.
  • WAF configuration — The configuration & rules on the WAF applied by Indusface to ensure protection of the web application.
  • Virtual Patches — WAF rules written by the Indusface team to protect against application vulnerabilities.
  • NI (Network Infrastructure) — The group of Indusface controlled systems (servers, hardware, and associated software) responsible for delivering the Services.
  • Outage event — Any event resulting in complete unavailability of a web application configured for protection, due to WAF configuration applied by Indusface or unavailability of Network Infrastructure.
  • PI (Peripheral Infrastructure) — Indusface's Portal and its APIs.
  • PI Outage — A period when the Indusface PI is unavailable, outside a Scheduled Maintenance window.
  • Scheduled maintenance — Maintenance work performed by Indusface to the WAF configuration or other peripheral components. Indusface will notify the customer by email at least 48 hours before the scheduled maintenance.
  • Application availability — The amount of time, expressed as a percentage, during which the application configured for protection is available over the defined period.
  • PI availability — The amount of time, expressed as a percentage, during which the PI is available to the customer over the defined period.
  • Onboarding support — Support provided by Indusface to understand customer requirements, provide configuration suggestions, and assist with changes needed to onboard a site successfully.
  • Indusface business hours — Monday to Friday, 9am to 6pm.

4. Uptime Commitment

Indusface provides an application availability commitment of 100% and a PI availability commitment of 99.99% per month.

5. Service Level Commitments

  • Proof of Concept (POC) for vulnerabilities found through web application security scanning and requested from the portal, will be delivered within the following timeframes (business hours):
    • Critical Vulnerabilities — Within 24 hours
    • High Vulnerabilities — Within 48 hours
    • Medium Vulnerabilities — Within 72 hours

    POC is not available for vulnerabilities with severity level of Low and Info.

  • Virtual Patches in WAF will be created if the customer requests patching of newly discovered vulnerabilities. Estimated delivery times (business hours):
    • Critical Vulnerabilities — Within 24 hours
    • High Vulnerabilities — Within 48 hours
    • Medium Vulnerabilities — Within 72 hours

    Virtual Patching is not available for vulnerabilities with severity level of Low and Info.

  • WAF rules will be monitored and updated to ensure zero false positives within 14 days of onboarding completion.
  • DDoS event notification: Customers will be notified within 5 minutes of DDoS event detection by Indusface.
  • Manual Pen-Testing will be completed within 4 weeks of request raised by the customer.
    • Though not mandatory, the customer can choose to fix vulnerabilities and request validation of those fixes within 60 days from the report availability date.

6. Software Support Commitment

Once a Customer initiates a support request with Indusface, a support ticket number is generated and tracked by a support technician. A support ticket is assigned a severity number based on the nature of the issue. A support ticket can be assigned to any one of three possible severity levels. In all three cases, an e-mail is sent to the customer informing them about the ticket along with the support ticket number.

Support tickets will be assigned a severity level based on the following guidelines:

Severity 1

Severity 1 is used for technical issues that result in a complete outage. A support technician will respond to the request within 2 hours of the reported problem. For Severity 1 issues, the customer shall initiate contact with Indusface via telephone and indicate the probable category of the incident.

Severity 2

Severity 2 is used for issues where the customer can access the software but one or more significant features of the software are unavailable. For Severity 2 issues, the customer shall initiate contact with Indusface via telephone and indicate the probable category of the incident.

Severity 3

Severity 3 is used for issues that do not prevent the customer from using key features of the software, or where the reported problem is explained along with a workaround in the documentation. Questions or queries on the software functionality and/or reports will also be assigned Severity 3. For Severity 3 issues, the customer may email or telephone Indusface.

7. Response Time Commitment

Indusface commits to the following response times:

  • Severity 1 — 2 hours response time
  • Severity 2 — 4 hours response time
  • Severity 3 — 24 hours response time

8. Support Coverage

Indusface commits to the following support availability:

  • Support via Telephone — 24×7×365
  • Support via Email — 24×7×365

Escalation Support Tel — IN: +91 265 6133083  |  US: +1 866 537 8234

Email — support@indusface.com

Escalation Chain

In case of unresolved concerns or technical issues, follow the escalation chain below. The initial response will arrive within one business day.

Indusface Support Manager — support-manager@indusface.com

9. Penalty Credits

Submission of Claims

To submit a claim for Credits, the customer must open a support ticket with Indusface technical support within seven (7) calendar days (168 hours) after the Outage occurred. The ticket must include detailed descriptions of the Outage, its duration, network traceroutes, the site(s) affected, and any attempts made to resolve the Outage. The ticket must mention the claim for credit.

Review of Claim

Indusface will use all information reasonably available to it to validate claims and make a good faith judgment on whether there was an Outage and if Credits apply.

Exceptions

Credit is not applicable in the case of outage:

  • Due to factors outside Indusface's reasonable control
  • That resulted from Customer's or third-party hardware or software
  • That resulted from actions or inactions of Customer or third parties
  • Caused by Customer's use of the Service after Indusface advised the Customer to modify its use, if the Customer did not modify its use as advised
  • During beta and trial Service (as determined by Indusface)
  • Attributable to the acts or omissions of Customer or Customer's employees, agents, contractors, or vendors, or anyone gaining access to Indusface's Service through Customer's Authorized Users' accounts or equipment

Credit Calculation

On review of a claim, if Indusface accepts it, the customer will receive compensation in the form of credit, calculated as follows:

  • In case of an Uptime commitment not honoured for a particular web application, Indusface commits to pay back for each day of outage 1/365th of payment collected for annual billing and 1/30th for monthly billing.
  • In case of a Service Level commitment not honoured for a particular web application, Indusface commits to pay back for each day of delay 1/365th of payment collected for annual billing and 1/30th for monthly billing.
  • In case of a Software Support commitment not honoured, Indusface commits to pay back for each day of delay 1/365th of payment collected for annual billing and 1/30th for monthly billing.
  • Cumulative penalty cannot exceed 30 days of credit at any point.