Generic selectors
Exact matches only
Search in title
Search in content
Search in posts
Search in pages
Join Our Email List

DOMA's Service Agreement

Last Updated 11/25/2020

  1. Service Availability

DOMA Technologies guarantees 99.95% application availability of the service over a trailing 365 period. Scheduled maintenance occurs on the last Sunday of the month between the hours of 12AM and 4AM EST. Emergency maintenance is performed as needed, with customer notification. Non-intrusive application, data replication, and backup processes run daily during non-business hours (5PM – 8AM EST). DOMA uses commercially reasonable efforts to promptly install security patches, updates, and service packs.

DOMA application upgrades will occur at DOMA’s discretion upon reasonable notice. Downtime associated with maintenance periods is not factored into overall availability metrics.

  1. Shared Responsibility Model

Security and Compliance is a shared responsibility between DOMA and the customer. This shared model can help reduce the customer’s operational burden as DOMA operates, manages and controls the application and infrastructure tasks (backup, recovery, redundancy, etc.). Customers should carefully consider the integration of our services into their IT environment, and applicable laws and regulations.

DOMA’s applications are deployed as Software as a Service (SaaS). In this model, DOMA manages the entire infrastructure as well as the application provided. The customers are responsible for the following responsibilities:

  • Data Security – All data within the application is customer data and customer managed. Audit logs and reporting tools are available for customer use.
  • Access Management – Access to the application is customer managed. Users, groups, and permissions of users and groups are customer managed and customer defined. Multi-factor Authentication is available for customer use. User activity logs and reporting tools are available for customer use.

In layman’s terms, DOMA will manage and maintain the software – the customer will decide how they want to use the software. DOMA will provide as much, or as little, support in the management of data and data access as the customer needs, but it is ultimately the customer’s responsibility to enforce.

  1. Encryption

DOMA Technologies encrypts all customer data at rest and in transit. DOMA uses encryption algorithms validated by FIPS PUB 140-2, a U.S. government computer security standard used to accredit cryptographic modules. Each customer has uniquely generated encryption keys. DOMA maintains these keys in an encrypted database that is not customer accessible, nor does it reside with customer databases. Transport Layer Security (TLS) v1.2 is used for encryption in transit.

  1. Incident Response

As a Software as a Service (SaaS) provider, DOMA provides services to many customers in multi-tenant and single-tenant environments. As such, DOMA safeguards each customer’s right to confidentiality in the event of an incident. DOMA defines the following allocation of security incident responsibilities and procedures between customer and provider (DOMA):

  • The scope of information security incidents that DOMA will report to the customer is limited to exposure of DOMA owned intellectual property, peer services, and/or customer specific data.
  • DOMA provides Limited Disclosure in the event of a security incident, limiting the exposure level to customers, peer service providers, and partners immediately affected by the detection of an information security incident and the associated responses.
  • DOMA will notify customers of incident within 24 hours of discovery.
  • DOMA Account Management Office (AMO) will contact customer designated points of contact via email accounts on file.
  • Handling of issues relating to information security incidents can be directed to infosec@domaonline.com.

In the event that the customer would like to submit a request for digital evidence or other information from within the cloud computing environment, please direct all requests to infosec@domaonline.com.

 

  1. Disaster Recovery

DOMA has a living, (updated and tested annually), Disaster Recovery Plan. DOMA follows AWS Best Practices and has designed our infrastructure using proven design patterns and architectural options to provide a redundant and resilient infrastructure. All systems are deployed in multiple Availability Zones (“AZ”) and customer data is never located in a single AZ. AZs are clusters of distinct, physically separate data centers within a geographic region. Snapshot and Image based backup and replication processes are used to ensure recovery of operations in the event of a loss of an entire region. DOMA currently provides an RTO (Recovery Time Objective) of 24 hours, and an RPO (Recovery Point Objective) of 4 hours.DOMA supports customer applications within the US-East, and GovCloud (US) Regions.

Amazon Web Services Chart
  1. Location of Data

Customer data stored with Amazon Web Services (AWS) is encrypted prior to storage. DOMA’s architecture employs multiple AWS availability zones (AZ). This constitutes a built-in alternate storage site capability for customer data stored AWS S3. S3 uses multiple availability zones by default. The multiple AWS S3 availability zones provide identical security safeguards. The replication of S3 across Availability Zones constitutes a multi-storage site capability to address typical susceptibility to network, power, and hardware outages and provides immediate recovery time and recovery point. Additional redundancy is provided by cross-region replication for disaster recovery purposes.

Using AWS Backup, snapshots and Amazon Machine Image (AMI) backups are created on a daily (and hourly) basis depending on the criticality of the system. At a minimum, ALL systems have a daily backup created, all backups are encrypted, and all backup data is retained for one calendar year. Backups are randomly restored for verifying integrity of backup data during annual restoration exercises. Snapshots and AMI’s are stored using AWS S3.

The cloud service provider shall provide the specifications of its backup capabilities to the cloud service customer. The specifications shall include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevant; – retention periods for backup data; – procedures for verifying integrity of backup data; – procedures and timescales involved in restoring data from backup; – procedures to test the backup capabilities; – storage location of backups. The cloud service provider shall provide secure and segregated access to backups, such as virtual snapshots, if such service is offered to cloud service customers.

All data backed up by AWS is protected via system and file access control mechanisms including AWS Identity and Access Management (IAM) account access controls and S3 bucket access control policies. Amazon does not have the ability to decrypt DOMA data. All data is maintained by DOMA staff; no third-party vendors handle customer data.

Unless otherwise stated, DOMA systems and timestamps within our applications follow U.S. Eastern Time. Systems use network time protocol (ntp) for clock synchronization provided by Amazon Time Sync Service.

  1. Data Accessibility and Portability

DOMA maintains uploaded documents and data in the original format as added to the DOMA application. Edited images, regardless of original format are converted to industry standard TIF or PDF image format during the document check-in process. Original documents are never deleted or modified, and new versions are created upon any document change. While a customer account is active, customers may request a data export on a one-time or periodic schedule for an additional fee. Exports are provided with document/records in the original format, and metadata provided in a non-proprietary CSV format that should allow portability in most all cases.

  1. Customer Support

For the purposes of this agreement, a support request is defined as a request for support to fix a defect in existing application code or a request for support that involves no modifications to application code.  A request may also involve application availability to a user or group of users.  A support request is necessary to begin a resolution process.

There are three severity levels of support provided under this SLA. An issue’s severity level will be determined exclusively by DOMA.  These levels are defined as follows:

Level 1 – This is support provided by the DOMA Help Desk when it receives a support request. This represents generalist support. If this level of support cannot resolve the problem, the support request is passed to DOMA’s Level 2 support, which is the infrastructure support team.

Level 2 – This is support provided by an infrastructure support or subject matter specialist. This level of support does not perform software code modifications to resolve the problem. Operational issues will be resolved at this level. If resolution requires code modification, the support request is passed to DOMA’s Level 3 support team.

Level 3 – This is support provided by a DOMA application developer. This level of support does perform software code modifications, if required to resolve the problem.

To contact support for DOMA Technologies, customer may send an email to support@domaonline.com detailing the problem and contact information. Contacting support is available via the DX application beacon. Standard support is available during business hours, M-F 8AM – 5PM ET. After hours calls are forwarded to on-call technicians who will respond within the appropriate time frame defined by the service agreement. Premium support is available 24×7. Afterhours calls without premium coverage or any support calls not directly related to DOMA will be charged a $150 per incident charge.

The following chart is an explanation of the support severity levels and response times:

Severity

Description

Guaranteed Response Time

Estimated Correction Time

1

Critical. The program is unusable. Data is corrupted or system hangs during normal operations. The error severely impacts customer operations.

1 hour

Best efforts to resolve the problem within 24 hours.

2

Major. An important function is not available. Data is not corrupted, but the Customer is unable to accomplish tasks. The error severely restricts customer operations.

3 hours

Best efforts to resolve the problem within 2 business days.

3

Minor. The program does not perform the task in a proper, orderly manner. The customer’s productivity is not seriously affected.

8 hours

Best efforts to resolve the problem within 4 business days.

4

Very minor. that is not significant to the Customer’s operations. Irritations to the customer causing. The Customer can circumvent the issue with a slight loss of productivity.

24 hours

Best efforts to resolve the problem within 6 business days.

5

Cosmetic. (Graphical user interface GUI, misspellings, etc.….). No loss of productivity.

48 hours

Best efforts to resolve the problem within 14 business days.

Limitations to Standard Support Offering

The following list requests types (but not limited to) is not covered by Standard Support Offering:

  • Performance improvements and PC tuning
  • Disinfection of malware infected computers
  • On-site support
  • Off-hours support
  • Questions relating to the function or 3rd party applications or operating systems
  • Patching of operating systems, and 3rd party applications, vulnerability patching
  • Best practices of network security configuration
  • Product training and/or assistance with features and functions
  • Product deployment walkthroughs
  • Product health checks and tune-ups

Such requests are available for an additional fee agreed upon by primary contacts of both parties.

  1. Change Management

DOMA has a mature change management program. Application and infrastructure changes go through development and staging environments before being put into a production environment. Changes are documented and must be approved before a major change takes place. A major change is defined as changes that could adversely affect the DOMA service or peer service provider. Once approved, customers will be notified in advance from the DOMA Account Management Office (AMO). Customer notification will include:

  • Categories of changes (any changes affecting information security will be highlighted)
  • Planned date and time of the changes
  • Technical description of the changes to the service and underlying systems
  • Notification of the start and the completion of the changes
  • Notification of When a cloud service provider offers a cloud service that depends on a peer cloud service provider, then the cloud service provider shall inform the cloud service customer of changes caused by the peer cloud service provider.
 

Minor changes, defined as changes that will not cause system downtime, occur only during non-business hours: M – F 8PM – 8AM ET, and weekends. Customers are not notified of minor changes.

The standard maintenance period occurs on the last Sunday of the month from 12AM – 4AM ET. Typical patch management processes occur during this maintenance window.

  1. Dispute Mediation

Metrics reporting against the SLA resolution targets identified in this agreement will focus on the time to resolve tickets by application and severity. This metric will include only the support requests that are referred to DOMA support for resolution. The metrics will be reported via existing standard problem-ticket system reports as available.  Quarterly reports will be available upon request.

Issues that have Severity Levels designated 1 or 2 that do not meet the maximum acceptable resolution time will result in a customer service credit prorated against the monthly application storage charge for the amount of time over the maximum acceptable resolution time.  All requests for compensation must be received within five (5) business days of the incident in question.  The amount of compensation may not exceed the customer’s monthly recurring charge. This SLA does not apply for any month that the customer has been in breach of the Agreement or if the account is in default of payment.

For intellectual property rights complaints, please contact support@domaonline.com.

  1. Exit Strategy

Except in the case of material breach as described in Paragraph 5.2 of the Master Services Agreement, ninety (90) days termination notice must be given prior to canceling DOMA service. Upon cancellation date or termination of agreement, DOMA will remove site access and permanently delete all customer data to include record/document images, record metadata, database, storage locations, as well as all backup and replicated data. Depending on the sensitivity of the customer data, federal laws and regulations, and specific requirements outlined in the customer Master Services Agreement, different methods may be used to delete, clean, purge or destroy data and media containing data. In all cases, when customer accounts are no longer active, all customer data is permanently removed. It is in the customer’s best interest to request a data export prior to the actual cancellation date, typically this is requested at the time of the initial notification to cancel service.

  1. Modification

Notwithstanding any other provision of the Agreement to the contrary, DOMA hereby reserves the right to modify this SLA at any time, at its sole discretion.  DOMA will notify Customer of any modifications to this SLA in writing or via its website.

Work smarter and automate your processes with DOMA’s DX Software. Powered by Amazon Web Services (AWS) our platform makes it easy to create, collaborate, share, automate, and transform the way you manage your data.

Get in Touch

841 Seahawk Circle
Virginia Beach, VA

© DOMA Technologies - All Rights Reserved