Business Warrior Legal Support/SLA

Last updated: January 4, 2024.

Technical Support. Company shall provide support to Customer according to the terms of Company’s Service Level Agreement, which are incorporated herein by reference.

  • Customer is entitled to up to 10 hours of support per month without additional charge. Any additional support will be mutually agreed upon by the parties.
  • Expedited Support. Should Customer desire support on an expedited basis, Company may provide such support for an additional hourly fee. Expedited support typically will be billed at $250/hour. Expedited Support largely relates to Customer requested support. 
  • Maintenance. Company reserves the right to schedule routine system maintenance periods, and shall provide reasonable advance notice of such maintenance periods to Customer. Maintenance-related Core Functionality deployments are made on a bi-weekly sprint schedule, with most production launches occurring overnight (Eastern) on Tuesday and Wednesday and some exceptions on Thursday based on improvements.
  • Company reserves the right to modify, add, or remove features and components of the Core Functionality.
  • Company shall provide reasonable advance written notice and no later than thirty (30) calendar days in advance of implementing any substantial modification, or removal of features and components that may materially impact the Customer and/or Customer experience or functionality of the Core Functionality.
  • In the event of material changes to the Core Functionality that materially affect the Customer's business operations, the Customer reserves the right to cancel this Agreement. The Customer shall provide written notice of their intent to cancel within 30 days from the date of the material changes. The notice must clearly specify the material changes that have occurred and their adverse impact on the Customer's business. Except as expressly modified by the Company, all other terms and conditions of this Agreement shall remain in full force and effect.

Procedures, Protocols and SLA

Company utilizes infrastructure-as-a-service from Amazon Web Services (AWS), one of the world’s premier cloud service providers, and is a trusted technology partner of international brands and government agencies. For a list of AWS Customer case studies, visit the AWS Case Studies Page.

The following is a high-level summary of the Company security and infrastructure framework hosted with AWS. For a comprehensive explanation of the AWS IaaS offering, please view the Intro to Security Processes Whitepaper.

The IT infrastructure that AWS provides to its Customers is designed and managed in alignment with best security practices and a variety of IT security standards, including:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
  • SOC2
  • SOC3
  • FISMA
  • FedRAMP
  • DOD SRG Levels 2 and 4
  • PCI DSS Level 1
  • EU Model Clauses
  • ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
  • ITAR
  • IRAP
  • FIPS 140-2
  • MLPS Level 3
  • MTCS

In addition, the flexibility and control that the AWS platform provides allows Customers to deploy solutions that meet several industry-specific standards, including:

  • HIPAA
  • Cloud Security Alliance (CSA)
  • Motion Picture Association of America (MPAA)

AWS provides a wide range of information regarding its IT control environment to Customers through white papers, reports, certifications, accreditations, and other third-party attestations. More information is available in the Risk and Compliance Whitepaper.

Physical and Environmental Security

  • Fire detection and suppression
  • Power redundancy
  • Climate and temperature controls and monitoring
  • Storage Device Decommissioning

Business Continuity Management

  • N+1 redundancy on core applications
  • Data stored across multiple availability zones with rapid failover capability
  • 24x7/364 incident response (available)
  • Company-wide executive review of security policies
  • Daily incremental backups using EBS point-in-time snapshots with fast recoverability and the ability to mount a volume instantly
  • Comprehensive backups are retained for 30 days
  • Official exhibits are retained for 6 months.
  • If deleted by a user, data can be restored to production within these retention windows for a professional service fee

Network Security

  • Secure Access Points
  • Transmission Protection
  • Amazon Corporate Segregation
  • Fault-tolerant design

AWS Identity and Access Management and Multi-Factor Authentication

Access to the Company cloud management console requires two-factor authentication using a password and a Time-based One-time Password (TOTP) security token. Individual servers are accessed through an SSH connection using a password-encrypted private key. Company servers are networked within an AWS Virtual Private Cloud (VPC), effectively isolating network traffic between servers.

Data Security

All access to the database (including application access) requires authentication. Passwords stored in the database are obfuscated using a one-way cryptographic hash algorithm.

Network Monitoring and Protection against:

  • DDoS Attacks
  • MITM Attacks
  • IP Spoofing
  • Port Scanning
  • Packet Sniffing by other tenants

Company utilizes the following AWS services:

  • Amazon Virtual Private Cloud (VPC)
  • Amazon Elastic Load Balancing (ELB)
  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Relational Database Service (RDS)
  • Amazon Elastic Block Store (EBS)
  • Amazon ElastiCache
  • Amazon CloudWatch
  • Amazon Scalable Cloud Storage (S3)
  • Amazon DNS and Domain registration (Route 53)
  • Amazon Lambda
  • Amazon Auto Scaling*
  • Amazon Simple Notification Services*
  • Amazon Simple Queue Services*

* As needed

AWS services status can be tracked at the AWS Service Health Dashboard.

Product Security

There are two distinct products in the Company Application: the frontend and the backend WebApp, each providing access to authorized users. The frontend is a Customer-facing portal for Customers to log in and view information, while the backend is a role-based system for admin and other backend users to view and perform their roles, such as underwriting and approval.

Authentication

Company incorporates authentication protocols to prevent unauthorized access to the system. Authentication information is always transmitted encrypted using SSL. The authentication token consists of a unique login name and a user-defined password. Passwords are obfuscated from view as the user enters them. Users only have access to the system through the Company Application, which restricts access based on account login and assigned role associations.

Secure Transmission

Once authenticated to the system, all data requests from the application interface are validated with a secure key before data is transmitted. All data is transmitted through encrypted SSL connections.

Service Level Agreement (SLA)

Service Availability

Company employs a wide range of technologies, engineering expertise, and streamlined failover processes to guarantee business continuity. Services such as Core Functionality recovery management, off-site backup, and customizable run-book policies keep data protected and accessible at all times.

Company shall make the Work Product Available, as measured over the course of each calendar month during the Term, at least 99.5% of the time. “Available” means the Services are available and operable for access and use by Customer, Lenders and the Users over the Internet in conformity with the Specifications.

If an Instance is not Available at least 99.5% of the time during a calendar month (not including any scheduled maintenance periods or periods where the Instance is not Available due to factors outside Company’s reasonable control), Customer may request a service credit that may be applied to the following month’s invoice, according to this schedule:

  • If an Instance is Available between 97% and 99.49% of the time, Customer will be entitled to a credit of 10% of their SaaS fee.
  • If an Instance is Available between 95% and 96.99% of the time, Customer will be entitled to a credit of 25% of their SaaS fee.
  • If an Instance is Available less than 95% of the time, Customer will be entitled to a credit of 50% of their SaaS fee.
  • If an Instance is Available less than 90% of the time during a calendar month (not including any scheduled maintenance periods or periods where the Instance is not Available due to factors outside Company’s reasonable control), Customer shall have the right to terminate the Agreement.
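The availability measurement and credit schedule above are easy to get wrong in practice (maintenance windows must be excluded from the denominator, and an outage that overruns a maintenance window only counts for the part outside it). The following is an added example, not part of the SLA or Company’s own tooling, that computes a month’s Availability from constructed outage and maintenance windows and maps the result to the credit tier. It assumes the credit bands are contiguous (so an availability of 99.495% falls in the 10% band) and that maintenance windows do not overlap one another; the dates and windows are constructed sample data.

```python
from datetime import datetime, timedelta

# --- Constructed sample data (illustrative only, not drawn from the SLA) ---
MONTH_START = datetime(2024, 1, 1)
MONTH_END = datetime(2024, 2, 1)  # exclusive end of the calendar month

# Scheduled maintenance windows; the SLA excludes these from the measurement.
# Assumed not to overlap one another.
MAINTENANCE = [
    (datetime(2024, 1, 9, 1), datetime(2024, 1, 9, 3)),
    (datetime(2024, 1, 23, 1), datetime(2024, 1, 23, 3)),
]

# Observed outages, e.g. taken from monitoring alerts (constructed).
OUTAGES = [
    (datetime(2024, 1, 9, 2), datetime(2024, 1, 9, 4)),        # overruns maintenance by 1 h
    (datetime(2024, 1, 15, 10), datetime(2024, 1, 15, 14, 30)),  # 4.5 h unplanned outage
]


def overlap(a, b):
    """Duration shared by two (start, end) windows; zero if they are disjoint."""
    start = max(a[0], b[0])
    end = min(a[1], b[1])
    return max(end - start, timedelta(0))


def counted_downtime(outage, maintenance, period):
    """Outage time inside the period, minus any part that falls in a maintenance window."""
    inside = overlap(outage, period)
    if inside == timedelta(0):
        return timedelta(0)
    clipped = (max(outage[0], period[0]), min(outage[1], period[1]))
    excused = sum((overlap(clipped, m) for m in maintenance), timedelta(0))
    return inside - excused


def availability_percent(period, outages, maintenance):
    """Availability over the period, with scheduled maintenance removed from the denominator."""
    total = period[1] - period[0]
    excluded = sum((overlap(m, period) for m in maintenance), timedelta(0))
    measured = total - excluded
    down = sum((counted_downtime(o, maintenance, period) for o in outages), timedelta(0))
    return 100.0 * (measured - down) / measured


def service_credit_percent(availability):
    """Credit tier from the SLA schedule; bands treated as contiguous (assumption)."""
    if availability >= 99.5:
        return 0
    if availability >= 97.0:
        return 10
    if availability >= 95.0:
        return 25
    return 50


def may_terminate(availability):
    """Below 90% Availability the Customer may terminate under the SLA."""
    return availability < 90.0


def monthly_report(period=(MONTH_START, MONTH_END), outages=OUTAGES, maintenance=MAINTENANCE):
    """Summarise one calendar month: availability, credit tier and termination right."""
    a = availability_percent(period, outages, maintenance)
    return {
        "availability": round(a, 4),
        "credit_percent": service_credit_percent(a),
        "may_terminate": may_terminate(a),
    }


if __name__ == "__main__":
    print(monthly_report())
```

With the constructed data the measured period is 740 hours (744 minus 4 hours of maintenance), counted downtime is 5.5 hours, and Availability comes out at about 99.2568%, which lands in the 10% credit band without triggering the termination right.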

Support and Maintenance Services

Company shall provide to Customer all updates, bug fixes, enhancements, new releases, new versions and other improvements to the Services, including the Company Application, that Company provides at no additional charge to its other similarly situated Customers.

Company will respond to and make reasonable attempts to resolve all support questions or concerns sent to support@businesswarrior.com or phone calls made to (855) 294-2900, according to the priority/severity schedule below (as reasonably classified by Company), Monday to Friday during normal business hours of 8am to 8pm EST. The Company may require Customer to submit “support tickets” via an external or internal platform as provided by the Company. Generally, electronic support requests are not received via Slack, text messaging or other means.

SLA Table

  Priority | Severity  | Definition                                                                          | Response | Resolution Time | Example
  1        | Emergency | Service not available (all users and functions are not available)                   | 1 hour   | 8 hours         | Server down
  2        | Critical  | Significant degradation of services (large number of users or core business process is affected) | 2 hours  | 24 hours        | Could not connect to credit bureau
  3        | Major     | Limited degradation of service; business process can continue with workarounds      | 8 hours  | 48 hours        | Cannot make payment from frontend; CS can take payments
  4        | Normal    | Small service degradation                                                           | 16 hours | 72 hours        | Small number of users cannot access bank transactions
  5        | Low       | Low-impact issues                                                                   | 24 hours | 72 hours        | Some transactions are slow; message not clear
  6        | Request   | General request from Customer                                                       | 2 days   | 72 hours        | How do I…?

Incident Response and Handling Purpose

To ensure that security incidents are addressed appropriately to protect Company Customer resources and data.

Policy

An incident is an event or series of events that comprise a threat to the security (i.e., confidentiality, integrity, availability) of Company’s systems or data. Sources of incidents include (but are not limited to) viruses, worms, and attacks from outside Company.

All security incidents are responded to immediately using a strategy of:

  • Identification – To determine whether one or more events comprise an incident and to assign a severity level to the incident.
  • Containment – To prevent further damage to a targeted system or spread of an attack to other systems.
  • Recovery and Investigation – To eradicate the attack and any resulting damage, return to a normal state of operation, preserve evidence of the attack, and identify exploited vulnerabilities to prevent future attacks.
  • The IT Team responds to any incident and immediately escalates any incident to the Head of Development (HD). If the HD is unavailable, the IT Team brings the incident to the attention of the CEO.

Procedures

Identify

  1. Once an event or series of events is suspected to be an incident, it should be escalated promptly to the IT Team.
  2. The IT Team evaluates the evidence and circumstances, confirms that an incident exists, and escalates the incident to the HD.
  3. The IT Team and HD discuss the incident, and the HD assigns a severity level using the following guidelines:
     a. Level 1: The incident poses an immediate threat to Company’s critical systems.
     b. Level 2: The incident represents an incursion on a non-critical system or is an indication of an impending attack.

     The HD bears responsibility for the severity level assignment. In cases where the severity is unclear or ambiguous, the HD may err on the conservative side and assign it a level 1 severity.

  4. Level 1 incidents should be reported to the CEO immediately so that they may consider any impact to business operations.

The HD, IT Team, or a delegate documents the incident and responses to the incident. Items that should be recorded include:

  • The date and time of the incident
  • How the incident was discovered or reported
  • The apparent target / intent of the incident
  • The apparent source of the incident
  • The severity level of the incident
  • Actions taken to respond to the incident
  • Evidence gathered during the course of the response

Contain

The IT Team monitors the attack by tracking network and system activity and determines a suitable approach to contain the attack. Containment tactics may include blocking an IP address or port at the firewall, disabling a compromised account, stopping a targeted network service, or unplugging a network cable. A Level 1 attack may require a complete and abrupt shutdown of one or more systems. Though this tactic should be used with caution, the HD and IT Team have the authority to apply it during severe situations. Such actions should be discussed and reported to the President as promptly as possible.

Recover and Investigate

The HD oversees the recovery of the affected systems and consults with the IT Team to determine an approach to the recovery.

  1. The IT Team makes every reasonable effort to preserve evidence of the incident. They might preserve logs and any other signs of system activity or produce images of entire systems for investigation. When warranted, they may obtain professional forensic investigation services.
  2. The team investigates any vulnerability that was exploited during the course of the incident and addresses it by appropriate means (e.g., applying patches, changing configurations).
  3. All passwords on affected systems are changed.
  4. The approach to recovery may include restoring damaged files, restoring from backup, or rebuilding a system. Restoration of individual files or system components should only be pursued if the team is highly confident that the attack was contained. If the team opts to restore from backup, the team should be highly confident that backup volumes are not affected by the attack.
  5. Documentation of the incident is completed with all supporting documentation of evidence and the investigation.
  6. Regardless of the approach to recovery, system activity is closely monitored for five business days following recovery with thorough logging and frequent monitoring.
  7. After five days of seamless system operation, the incident may be declared closed at the discretion of the HD. The IT Team finalizes documentation of the incident and the HD signs off on the incident’s closure.

Customer Notification

When required by law, Company will notify affected Customers of an incident within 72 hours through email or other electronic means.
