CloFix WAF
Service Level Agreement
This SLA defines the uptime commitments, response time targets, incident severity classification, service credit policy, and exclusions that govern all CloFix WAF support plans.
The following terms have the meanings set out below throughout this Agreement.
This SLA applies to all Customers with an active paid support subscription (Standard or Enterprise) and, where explicitly noted, to Free Tier users. The terms become effective on the date a Customer's subscription is activated and remain in force until the subscription is terminated or superseded by a written amendment.
Free Tier users receive support on a best-effort basis only. Response times, uptime credits, and service credit provisions in this SLA do not apply to the Free Tier unless separately agreed in writing.
CloFix commits to the following minimum monthly uptime percentages for the core WAF proxy and admin dashboard, measured per calendar month.
Uptime is measured continuously using CloFix's internal health-check probes and validated by a mutually agreed third-party monitoring service where applicable. Measurement intervals are 60 seconds. Three consecutive failed checks constitute confirmed downtime.
Enterprise 24/7 commitment: Enterprise plans include 24/7 monitoring and proactive alerting. CloFix will initiate incident response without waiting for Customer notification when our systems detect a P1 or P2 condition.
All incidents are classified at intake using the following severity matrix. CloFix reserves the right to reclassify a ticket after initial investigation; the Customer will be notified of any reclassification.
| Severity | Definition | Examples | Business impact |
|---|---|---|---|
| P1 - Critical | Complete service unavailability or active security breach affecting production traffic. | WAF proxy down, all traffic blocked, active DDoS bypass, firewall rule engine failure | Severe / revenue-impacting |
| P2 - High | Major feature degradation significantly impacting security posture or operations. | CRS rules not enforcing, DDoS detection offline, dashboard inaccessible, alert pipeline broken | High / operations impacted |
| P3 - Medium | Partial degradation or non-critical feature failure with a viable workaround available. | Log export delays, WASM module errors on non-critical paths, reporting anomalies, UI display bugs | Moderate / workaround available |
| P4 - Low | General questions, documentation requests, feature suggestions, cosmetic issues. | How-to queries, configuration guidance, minor UI polish, billing enquiries | Minimal / informational |
The following targets apply per support tier. Response time is the time to first substantive engineer reply. Target resolution is the goal for full resolution or accepted workaround - not a hard guarantee, as complex issues may require extended investigation.
Response time targets:

| Severity | Free Tier | Standard | Enterprise |
|---|---|---|---|
| P1 - Critical | Best effort | < 6 hours | < 15 minutes (24/7) |
| P2 - High | Best effort | < 6 hours | < 1 hour (24/7) |
| P3 - Medium | Best effort | < 12 hours | < 4 hours |
| P4 - Low | Best effort | < 48 hours | < 24 hours |

Target resolution times:

| Severity | Free Tier | Standard | Enterprise |
|---|---|---|---|
| P1 - Critical | No target | < 8 hours | < 2 hours |
| P2 - High | No target | < 24 hours | < 8 hours |
| P3 - Medium | No target | < 72 hours | < 24 hours |
| P4 - Low | No target | Next release cycle | < 72 hours |

Standard plan response times apply during Business Hours only (09:00–22:00 BST, Sun–Thu). Enterprise P1 and P2 response targets apply 24 hours a day, 7 days a week, including public holidays.
CloFix follows a structured incident lifecycle to ensure consistent, transparent handling of all reported issues.
1. Detection & logging - Incident detected via Customer report, automated monitoring, or internal alert. Ticket created with timestamp and assigned severity.
2. Acknowledgement - Engineer confirms receipt, validates severity classification, and assigns ownership. Response time SLA clock starts at ticket creation, not acknowledgement.
3. Investigation & triage - Root cause analysis begins. Customer receives status update within 30 minutes of acknowledgement for P1/P2.
4. Mitigation - Interim workaround or hotfix deployed to restore service. Customer notified immediately upon mitigation.
5. Resolution & verification - Permanent fix implemented and verified. Customer confirms restoration before ticket is closed.
6. Post-incident review (PIR) - For P1 incidents on Enterprise plans, a written Root Cause Analysis (RCA) report is delivered within 5 business days of resolution.
- If a P1 incident is not resolved within 2 hours on Enterprise, the incident is automatically escalated to CloFix senior engineering leadership.
- Customers may request manual escalation at any time by contacting their dedicated account manager or emailing escalate@clofix.com.
When CloFix fails to meet the uptime commitments in §3 for Standard or Enterprise plan Customers, the Customer is entitled to a Service Credit calculated as a percentage of their monthly subscription fee for the affected calendar month.
- Claims must be submitted within 15 calendar days of the end of the affected month by emailing sla-claims@clofix.com with subject line "SLA Credit Claim - [Account ID] - [Month/Year]".
- CloFix will review and respond to credit claims within 10 business days.
- Approved credits are applied to the Customer's next invoice. Credits are non-transferable and have no cash value.
- Total credits in any calendar month shall not exceed 50% of the monthly fee for that month.
- Service credits are the Customer's sole and exclusive remedy for SLA breaches.
The uptime commitment and service credit provisions in this SLA do not apply to downtime or degradation caused by any of the following Excluded Events.
- CloFix will provide a minimum of 48 hours' advance notice for planned maintenance affecting Service availability, published via the CloFix status page and emailed to the Customer's registered technical contact.
- Standard maintenance windows are scheduled between 01:00–05:00 BST on Fridays to minimise disruption. CloFix will endeavour to complete all maintenance within these windows.
- Emergency security patches may be deployed with as little as 30 minutes' notice where a critical vulnerability requires immediate remediation. Such events are still excluded from downtime calculations.
- Enterprise Customers may request maintenance window adjustments, subject to CloFix engineering availability, by providing at least 5 business days' notice.
- Actual downtime during a notified maintenance window shall not count toward the Monthly Uptime % calculation.
- Real-time status page - Live service status and incident updates are published at status.clofix.com.
- Monthly uptime report - Standard and Enterprise Customers receive a monthly uptime summary report by the 5th of the following month.
- Quarterly business review (Enterprise) - Dedicated account managers conduct quarterly reviews covering SLA performance, security posture, and roadmap alignment.
- Incident post-mortems (Enterprise P1) - Written RCA delivered within 5 business days; includes root cause, timeline, remediation steps, and preventive measures.
- Custom dashboards (Enterprise) - Access to a shared monitoring dashboard showing real-time WAF health metrics, request throughput, and block rates.
To ensure CloFix can meet its SLA commitments, Customers must:
- Maintain at least one designated Technical Contact who is reachable during incidents and authorised to make operational decisions.
- Report incidents promptly via the official support channels - email, WhatsApp, or the support portal - rather than through unofficial channels such as personal messaging.
- Provide reasonable cooperation during incident investigation, including relevant log samples, reproduction steps, and configuration details when requested.
- Keep the CloFix WAF software within two major versions of the current release. CloFix does not guarantee SLA coverage for installations more than two versions behind the current release.
- Ensure subscription invoices are settled within the agreed payment terms. SLA credits cannot be claimed on accounts with outstanding payments.
- Notify CloFix of any significant changes to protected infrastructure (e.g. new domains, major traffic increases, architecture changes) that may affect WAF performance.
- CloFix reserves the right to amend this SLA at any time. Customers will receive at least 30 days' written notice of material changes via email to their registered account address.
- Continued use of the Service after the effective date of an amendment constitutes acceptance of the revised SLA.
- Customers who do not accept an amendment may terminate their subscription within the 30-day notice period without penalty by notifying CloFix in writing.
- This SLA is reviewed at minimum annually. The most current version is always available at clofix.com/sla.
- Enterprise Customers may negotiate custom SLA terms. Any custom terms must be agreed in a signed written addendum that explicitly supersedes the relevant clauses of this document.
This Agreement is governed by and construed in accordance with the laws of the People's Republic of Bangladesh. Any dispute arising out of or in connection with this Agreement that cannot be resolved by good-faith negotiation shall be referred to the courts of competent jurisdiction in Dhaka, Bangladesh.
Before initiating formal legal proceedings, the parties agree to engage in at least 30 days of good-faith mediation. Either party may invoke this mediation clause by written notice to the other.
This SLA does not limit, exclude, or supersede any rights the Customer may have under applicable consumer protection legislation in Bangladesh or any other applicable jurisdiction.
