Service Level Agreement

Find The Breach commits to maintaining a monthly uptime percentage of at least 99.9% for the Service ("Uptime Commitment"). Monthly uptime percentage is calculated as follows:

"Downtime" means any period during which the Service is materially unavailable to users, as measured by Find The Breach's monitoring systems. Downtime does not include periods of scheduled maintenance or any exclusions defined in Section 6 of this SLA.

Find The Breach provides tiered support based on the severity of the issue and the customer's subscription plan:

Response times are measured during business hours (Monday through Friday, 8:00 AM to 6:00 PM Pacific Time), except for Critical (P1) issues, which are supported 24 hours a day, 7 days a week, 365 days a year.

Find The Breach commits to the following target completion times for vulnerability scans initiated through the Service:

Scan completion times are measured from scan initiation to results availability. Times may be extended for targets with large attack surfaces (>1,000 endpoints) or during high-demand periods, with notification provided to the User. Scan performance SLAs apply to paid subscription plans only.

Find The Breach performs scheduled maintenance to ensure the continued reliability and security of the Service. The following terms apply:

• Maintenance Window: Scheduled maintenance will occur during the standard maintenance window of Sundays from 2:00 AM to 6:00 AM Pacific Time, unless otherwise communicated.
• Advance Notice: We will provide at least seventy-two (72) hours' advance notice for scheduled maintenance via email and in-app notification. Emergency maintenance required for security purposes may be performed with shorter notice.
• Duration: Scheduled maintenance windows will not exceed four (4) hours per occurrence and will not exceed eight (8) hours total per calendar month.
• Exclusion: Scheduled maintenance periods are excluded from the Uptime Commitment calculation.

Emergency Maintenance

In exceptional circumstances requiring urgent security patches, critical infrastructure fixes, or zero-day vulnerability mitigations, Find The Breach may perform emergency maintenance outside scheduled windows. For emergency maintenance:

• (a) Advance Notice: Find The Breach will provide as much advance notice as reasonably practicable, with a target of at least 1 hour for P1/P2 issues and 4 hours for P3/P4 issues.
• (b) Notification: Notifications will be posted on the status page (/status) and sent via email to affected account administrators.
• (c) Maximum Duration: Emergency maintenance windows shall not exceed 4 hours per incident unless a critical security threat requires extended mitigation.
• (d) SLA Impact: Emergency maintenance exceeding 4 hours in a calendar month will be counted toward downtime calculations for SLA credit purposes.
• (e) Post-Incident Summary: A post-incident summary will be published within 48 hours of emergency maintenance completion.

Disaster Recovery

FindTheBreach maintains a comprehensive disaster recovery plan as described at findthebreach.com/disaster-recovery. Key recovery targets include:

• Recovery Time Objective (RTO): 4 hours for P1 services (scan engine, portal, API), 8 hours for P2 services (reports, scheduled scans, integrations).
• Recovery Point Objective (RPO): 1 hour for database backups (PostgreSQL continuous archiving), 15 minutes for scan queue state.
• Geographic Redundancy: EU-based backup infrastructure with Hetzner Online GmbH data centers in Falkenstein and Nuremberg, Germany.
• DR Plan Testing: Disaster recovery procedures are tested semi-annually. Test results and recovery metrics are available to Enterprise customers upon request.
• Data Durability: Scan results and vulnerability data are retained in accordance with the data retention policy described in the Privacy Policy. Backup verification is performed daily with automated integrity checks.

Find The Breach classifies service incidents according to the following severity levels, which determine response times and escalation procedures:

For DORA-regulated financial sector customers, P1 incidents trigger the 4-hour initial classification notification as specified in the Data Processing Agreement.

In the event of an unplanned service disruption or security incident, Find The Breach will follow these procedures:

• Detection: Automated monitoring systems continuously track service availability, performance, and security metrics. Alerts are escalated to the on-call engineering team immediately upon detection.
• Communication: Affected customers will be notified within thirty (30) minutes of incident confirmation via email and through the Find The Breach status page.
• Updates: Status updates will be provided at least every sixty (60) minutes during an ongoing incident until resolution.
• Post-Incident Report: A root cause analysis (RCA) report will be provided to affected customers within five (5) business days of incident resolution, including a description of the incident, root cause, impact assessment, and corrective actions taken.

If Find The Breach fails to meet the Uptime Commitment in any given calendar month, you may be eligible for service credits as described below:

• Service credits must be requested within thirty (30) days of the end of the month in which the Uptime Commitment was not met.
• Requests must be submitted in writing to contact@findthebreach.com and must include the dates and times of the downtime experienced.
• Service credits are applied to future invoices and are not redeemable for cash.
• The maximum aggregate service credit for any calendar month shall not exceed fifty percent (50%) of the monthly subscription fee for that month.
• Service credits constitute your sole and exclusive remedy for any failure to meet the Uptime Commitment.

The Uptime Commitment and service credits do not apply to any downtime, performance issues, or service disruptions resulting from:

• Scheduled maintenance performed in accordance with Section 3 of this SLA
• Force majeure events, including but not limited to natural disasters, acts of war or terrorism, government actions, pandemics, and widespread internet or telecommunications failures
• Actions or omissions of the customer, including misconfiguration, unauthorized modifications, or use of the Service in a manner not contemplated by the documentation
• Failures of third-party services, platforms, or infrastructure not under Find The Breach's direct control
• Denial-of-service attacks or other malicious activity directed at Find The Breach's infrastructure
• Issues arising from the customer's network, hardware, software, or internet connectivity
• Beta, preview, or experimental features explicitly designated as not covered by this SLA

Find The Breach provides transparency into service performance through the following mechanisms:

• Status Page: A publicly accessible status page is maintained at all times, providing real-time information about service availability, active incidents, and scheduled maintenance.
• Uptime Reports: Monthly uptime reports are available to customers upon request and may be accessed through the customer dashboard for Enterprise plan subscribers.
• Incident History: A historical log of all incidents, including post-incident reports, is maintained and accessible to customers.
• Notifications: Customers may subscribe to real-time notifications for service status changes via email, SMS, or webhook integration.

For questions about this Service Level Agreement or to submit a service credit request, please contact: