SorbSecurity Cloud Email Security Service Level Agreement

Last Modified Date: August 1, 2022

1. Standard Terms Applicable to each SLA
A. Definitions
Except as otherwise modified or defined herein, all capitalized terms in this SorbSecurity Cloud Email Security(the “SCES“) Service Level Agreement have the same meanings as set forth in the SorbSecurity SCES End User License Agreement (the “Agreement”). For purposes of this SorbSecurity SCES Service Level Agreement the following definitions will apply.
A.1 “Scheduled Maintenance Window” means the window during which weekly scheduled maintenance of the SorbSecurity SCES Service (“Service”) may be performed. The Scheduled Maintenance Window shall be posted at the SorbSecurity SCES Service support site.
A.2 “Emergency Maintenance” means any time outside of Scheduled Maintenance Window that SorbSecurity is required to apply urgent patches or fixes, or undertake other urgent maintenance activities. If Emergency Maintenance is required, SorbSecurity will provide the expected start time and the planned duration of the Emergency Maintenance and if SorbSecurity expects the Service to be unavailable during the Emergency Maintenance through the SorbSecurity SCES Service support site.

B. Exclusions
Neither Customer nor Channel Partner shall have any remedies under any SLA to the extent any SLA claim is due to:
(i) use of the Service outside the scope described in the Agreement; (ii) Customer equipment and/or third party software, hardware or network infrastructure outside of SorbSecurity’s data center and not under the direct control of SorbSecurity; (iii) failure of Customer and/or Channel Partner to meet the configuration requirements for Customer equipment set forth in the documentation; or (iv) a force majeure event. These SLAs do not apply to any end of life product or software version.

2. Email Security Cloud Service SLAs Overview
A. Filtering System Availability SLA.
A.1 SorbSecurity warrants at least 99.99% System Availability, which is defined as % of total time during which email service connectivity on port 25 is available during each calendar year, excluding Scheduled Maintenance Window and Emergency Maintenance. For purposes of calculating System Availability, only downtime occurrences exceeding 30 seconds will apply.
A.2 Channel Partner and Customer Responsibilities. Channel Partner must ensure that Customer: (a) sets up MX records and outbound entries in accordance with the Getting Started guide; (b) identify the number of impacted users as a subset against the total number of licensed users; (c) if inbound email is impacted provide the time frames of the Service unavailability;
(d) if outbound email is impacted provide copies of impacted email with the original SorbSecurity headers complete and unaltered; and (e) provide ping and trace routes.A.3 Remedy. If the email System Availability is less than 99.99%, and if Customer has fulfilled all of its obligations under the Agreement and this SLA.

B. Email Delivery SLA
B.1 SorbSecurity warrants that the average of Email Delivery (as defined below) times, as measured in minutes over a calendar year, will be one (1) minute or less.
B.2 For purposes of this SLA “Email Delivery” is defined as the elapsed time from when a business email enters the Service network to when it exits the Service network. The Email Delivery average time measurement for a cluster is calculated using simulated or test emails. These test emails are sent at a periodic frequency and the fastest 95% email delivery times are tracked by SorbSecurity to calculate the average.
B.3 This SLA applies only to legitimate business email (e.g. not to non-solicited bulk email) delivered to valid Active User accounts that are contracted for the Service.
B.4 Customer shall not have any remedies under this SLA to the extent any SLA claim hereunder is due to (i) delivery of email to quarantine; (ii) email in deferral queues; or (iii) email loops.
B.5 Remedy. If in any calendar year the Email Delivery SLA is not met and if Customer has fulfilled all of its obligations under the Agreement and this SLA.

C. Malware Filtering SLA
C.1 For purposes of this SLA, the following definitions shall apply:
C.1.1 “Filter” means to detect and block or quarantine all email messages with known malware that:
(i) match an available malware signature generally available from the licensed anti-virus engine vendor; and
(ii) are identifiable by industry standard anti-virus engine heuristics; and
(iii) are propagated through registered attachment types that are recognized by the licensed anti-virus engine.
C.1.2 “Infection” means if an inbound email to an Active User is delivered with a known malware, or if an outbound email from an Active User is processed through the Service with a known malware without being quarantined.
C.1.3 “Malware” means a binary or executable code whose purpose is to gather information from the infected host (such as trojans), change or destroy data on the infected host, use inordinate system resources in the form of memory, disk space, network bandwidth or CPU cycles on the infected host, use the infected host to replicate itself to other hosts, or provide control or access to any of the infected host’s system resources.
C.2 This SLA does not apply to (i) text messages that use fraudulent claims to deceive the Customer and/or Channel Partner and/or prompt the Customer and/or Channel Partner to action (such as phishing); (ii) a binary or executable code installed or run by an end user that gathers information for sales and marketing purposes (such as spyware); (iii) a known malware that has been detected and has been cleaned by other malware scanning products; (iv) an ineffective or inactive malware contained in a bounced email; (v) a malware-infected email that is quarantined by the Service but is subsequently delivered to an end user or administrator by such end user or administrator; (vi) emails containing attachments that are password protected, encrypted or otherwise under an end user’s control; (vii) any action by a Customer end user or administrator that results in deliberate self-infection; or (viii) any Infection occurring within the first thirty (30) minutes of the anti-virus engine vendor’s new general release of a malware’s applicable signature.
C.3 Customer will not be eligible to receive a remedy under this SLA if Customer (i) has not enabled full malware protection for all Active Users for which a Service subscription has been purchased; (ii) does not provide SorbSecurity with conclusive written evidence (including the full known malware attachment for each email experiencing the Infection) that the malware was caused by an email that passed through the Service network; and (iii) emails exceeding the applicable anti-virus engine’s maximum scanning size limit identified in the vendor’s documentation.
C.4 Remedy. If a validated Infection occurs in any calendar year, and if Customer has fulfilled all of its obligations under the Agreement and this SLA.

D. Spam Inbound Effectiveness SLA
D.1 SorbSecurity warrants that the Service will detect 99% of inbound spam in each calendar year.
D.2 This SLA does not apply to false negatives to invalid Active User accounts. Additionally, this SLA applies only to spam messages processed through SorbSecurity’s Services and does not apply to email sent from users or domains that have been safelisted or whitelisted by Customer within the Service.
D.3 SorbSecurity will make a good faith estimation of the spam capture rate based on the regular and prompt submission to the SorbSecurity SCES support center of all false negatives to report spam missed by the Service.
D.4 SorbSecurity will estimate the percentage of spam detected by the Service by dividing the number of spam emails identified by the Service as recorded in the Service report logs by all spam emails sent to Customer. SorbSecurity will estimate all spam emails sent to Customer by adding the number of spam messages (false negatives) missed by the Service and reported to the Service support team to the number of spam emails detected by the Service.
D.5 Remedy. If the Service detects less than 99% of inbound spam in any calendar year, and if Customer has fulfilled all of its obligations under the Agreement and this SLA.

E. False Positive SLA
E.1 SorbSecurity warrants that the ratio of legitimate business email incorrectly identified as spam by the Service to all email processed by the Service for Customer in any calendar year will not be greater than 0.1%.
E.2 SorbSecurity will make a good faith estimation of the false positive ratio based on evidence timely supplied by Customer and/or Channel Partner.
E.3 This SLA does not apply to (i) bulk, personal, or pornographic email; (ii) emails containing a majority of non-English language content; (iii) emails blocked by a customized policies; (iiiii) poor sender reputations; or (iiiii) subscribed news letters or campaigns.
E.4 Remedy. If SorbSecurity does not meet this SLA in any calendar year, and if Customer has fulfilled all of its obligations under the Agreement and this SLA.

SLA Table