SLA — Uptime, Support, and Response Time Commitments

99.5%

Monthly uptime target

Measured against the public agent surfaces (Slack ingress, webhook endpoints, dashboard). Maintenance windows announced 48h ahead and excluded from the calculation.

First operator response

Acknowledged within four business hours (UTC) for any inbound support ticket. 24-hour maximum for any severity, including off-hours.

24h

Security breach notification

If a security incident affecting your data is confirmed, the workspace admin is notified within 24 hours of detection — by Slack DM and email, with the incident record in the dashboard.

30d

GDPR deletion SLA

Article 17 erasure requests complete within 30 days of submission. The deletion is recorded in a hash-chained audit trail preserved indefinitely for forensic verification.

Covered by the SLA

+Slack ingress (commands, events, interactions, OAuth callbacks)
+Public lead-webhook endpoints
+Authenticated dashboard at app.getmavrick.com
+Agent execution (Mavrick responses to @-mentions and scheduled tasks)
+Integration credential reads and tool-gateway proxies

Outside the SLA

–Outages caused by upstream vendor incidents (Slack, Anthropic, OpenAI, Stripe, Pipedream, Modal, Vercel, Supabase) — tracked separately on /status
–Workspace-level rate limits engaged due to per-customer concurrency caps
–Scheduled maintenance windows announced 48 hours in advance

> how we hold the line

The standing commitments behind the numbers.

Incident transparency

Active incidents that affect your workspace surface in your dashboard banner and as a Slack DM to admins. Post-mortems for severity-1 incidents are published on /status within 72 hours.

Compliance posture

SOC 2 in progress (roadmap below). DPA available on request. GDPR-aligned data handling, including subject-access (Art. 15) export and erasure (Art. 17) cron with audit trail.

Concurrency + cost safety

Per-workspace concurrency caps prevent one tenant from degrading another. An anomaly cron alerts our on-call within 15 minutes of catastrophic events or cost spikes.

Audit trail

Every credential decrypt, every API call, every deletion lives in a per-workspace audit_log with a cryptographic hash chain. Customers can verify chain integrity from the dashboard.

> compliance posture

SOC 2 roadmap + evidence trail

SOC 2 Type II report targeted for 2027-Q1 customer review. Every control mapped in the timeline below is LIVE today; the 90-day Type II observation window starts Q4-2026.

DPA available for any workspace that asks — required for any team handling EU resident data.

Trust + sub-processor table →Data Processing Agreement →Security overview →Request SOC 2 evidence →

> soc 2 audit timeline

Path to Type II — quarter by quarter.

Foundation milestones (Q2) are shipped and verifiable from open artifacts. Q3 / Q4 are scheduled and on-calendar. Procurement reviewers can request the full evidence pack at procurement@getmavrick.com.

Q2 2026

Foundation

✓RLS tautology audit complete
✓Supabase Vault credential encryption
✓Hash-chained audit log (migration 074)
✓GDPR Art. 17 + Art. 20 endpoints live
✓Per-workspace cost cap + incident notify
✓Public API + scoped key issuance

Q3 2026

Audit readiness

◔Quarterly access review cron
◔Mandatory 2nd-reviewer on customer PRs
◔Cookie consent + privacy refresh
◔Public status page
◔Customer-facing audit log UI
◔SOC 2 Type I (point-in-time snapshot)

Q4 2026

Type II observation

◔Type II observation window (90 days)
◔Third-party penetration test
◔Multi-region failover (Enterprise tier)
◔SSO via WorkOS (Enterprise tier)

Q1 2027

Report ready

◯SOC 2 Type II report available under NDA

✓ shipped today · ◔ scheduled · ◯ target

Something broken? Open a ticket.

In-product support escalation comes back inside the same Slack thread, with a ticket number you can reference.

Live status →Email support →

Service Level Agreement