Service Level Agreement
Effective: 2026-05-15
This Service Level Agreement ("SLA") sets out Boffy's commitments for service availability, support response, and incident handling. It applies to all paid Boffy plans (Starter, Growth, Enterprise) for customers on a current billing cycle. It supplements but does not replace our Terms of Service.
1. Service availability
Boffy targets a monthly uptime of 99.5% for the production application surfaces:
boffy.io(marketing + signup)/admin(organisation admin)/portal(merchant portal)/api/v1/*(public REST API, on plans that include it)
Availability is measured as the percentage of total minutes in a calendar month during which the listed surfaces return a HTTP 2xx or 3xx response to an automated synthetic check executed at least every five minutes.
2. Service credits
If monthly uptime falls below the target, customers may request a service credit on the affected month's recurring fee:
| Monthly uptime | Credit |
|---|---|
| 99.5% – 99.0% | 10% of monthly fee |
| 98.9% – 95.0% | 25% of monthly fee |
| < 95.0% | 50% of monthly fee |
Credits must be requested in writing within thirty (30) days of the affected month and are applied to the next billing cycle. They are the customer's sole and exclusive remedy for missed uptime targets.
3. Excluded events
Downtime caused by the following does not count against the availability target:
- Scheduled maintenance windows announced at least 24h in advance (currently planned: under 1h per quarter).
- Failures originating in an upstream third-party service we depend on but do not operate — for example Stripe, Brevo (transactional email), AWS / Neon (database), or Vercel (hosting) — where the third party publicly reports an outage of their own.
- Force majeure events (natural disasters, government action, widespread internet outages).
- Customer-caused issues (misconfiguration, abuse, exceeding published rate limits).
- Beta or preview features explicitly labelled as such.
4. Support response targets
Support is provided by email at info@boffy.io during business hours (Monday – Friday, 09:00 – 18:00 Central European Time, excluding German public holidays).
| Severity | Description | First response |
|---|---|---|
| P1 — Critical | Production unavailable; data loss or security incident | 4 business hours |
| P2 — High | Major feature broken; usable workaround unavailable | 1 business day |
| P3 — Normal | Feature degraded with workaround | 3 business days |
| P4 — Low | Cosmetic, documentation, or general question | 5 business days |
Response times are the time from receipt of the support email to a substantive first reply. They are not commitments to resolve the underlying issue within that window.
5. Data protection and continuity
- Backups. Automated point-in-time recovery retains a rolling window of at least 7 days. Off-site logical dumps are taken weekly and verified by an automated restore-drill into a throwaway database.
- Recovery objectives.Recovery Point Objective (RPO): ≤ 1 hour. Recovery Time Objective (RTO): ≤ 4 hours for the production application surfaces listed in §1.
- Encryption at rest. Sensitive secrets (integration credentials, MFA seeds) are stored under AES-256-GCM with a key isolated from session-signing material.
- Encryption in transit. All public endpoints are served over HTTPS with HSTS preload.
- Data location. Customer data is stored in the European Union (Frankfurt, AWS eu-central-1) unless expressly agreed otherwise in a Data Processing Agreement.
6. Incident communications
For confirmed P1 incidents we will notify the primary contact email on the affected organisation account within 30 minutes of confirmation, post status updates at least every 60 minutes until resolution, and publish a post-mortem within 5 business days of resolution.
7. Changes to this SLA
We may amend this SLA from time to time. Material changes affecting the uptime target, service-credit schedule, or response-time commitments will be communicated to active customers by email at least 30 days in advance. The latest version is always available at boffy.io/sla.
Contact: info@boffy.io.