DOMA Technologies guarantees 99.95% application availability of the service over a trailing 365 period. Scheduled maintenance occurs on the last Sunday of the month between the hours of 12AM and 4AM EST. Emergency maintenance is performed as needed, with customer notification. Non-intrusive application, data replication, and backup processes run daily during non-business hours (5PM – 8AM EST). DOMA uses commercially reasonable efforts to promptly install security patches, updates, and service packs.
DOMA application upgrades will occur at DOMA’s discretion upon reasonable notice. Downtime associated with maintenance periods is not factored into overall availability metrics.
Security and Compliance is a shared responsibility between DOMA and the customer. This shared model can help reduce the customer’s operational burden as DOMA operates, manages and controls the application and infrastructure tasks (backup, recovery, redundancy, etc.). Customers should carefully consider the integration of our services into their IT environment, and applicable laws and regulations.
DOMA’s applications are deployed as Software as a Service (SaaS). In this model, DOMA manages the entire infrastructure as well as the application provided. The customers are responsible for the following responsibilities:
In layman’s terms, DOMA will manage and maintain the software – the customer will decide how they want to use the software. DOMA will provide as much, or as little, support in the management of data and data access as the customer needs, but it is ultimately the customer’s responsibility to enforce.
DOMA Technologies encrypts all customer data at rest and in transit. DOMA uses encryption algorithms validated by FIPS PUB 140-2, a U.S. government computer security standard used to accredit cryptographic modules. Each customer has uniquely generated encryption keys. DOMA maintains these keys in an encrypted database that is not customer accessible, nor does it reside with customer databases. Transport Layer Security (TLS) v1.2 is used for encryption in transit.
As a Software as a Service (SaaS) provider, DOMA provides services to many customers in multi-tenant and single-tenant environments. As such, DOMA safeguards each customer’s right to confidentiality in the event of an incident. DOMA defines the following allocation of security incident responsibilities and procedures between customer and provider (DOMA):
In the event that the customer would like to submit a request for digital evidence or other information from within the cloud computing environment, please direct all requests to firstname.lastname@example.org.
DOMA has a living, (updated and tested annually), Disaster Recovery Plan. DOMA follows AWS Best Practices and has designed our infrastructure using proven design patterns and architectural options to provide a redundant and resilient infrastructure. All systems are deployed in multiple Availability Zones (“AZ”) and customer data is never located in a single AZ. AZs are clusters of distinct, physically separate data centers within a geographic region. Snapshot and Image based backup and replication processes are used to ensure recovery of operations in the event of a loss of an entire region. DOMA currently provides an RTO (Recovery Time Objective) of 24 hours, and an RPO (Recovery Point Objective) of 4 hours.DOMA supports customer applications within the US-East, and GovCloud (US) Regions.
Customer data stored with Amazon Web Services (AWS) is encrypted prior to storage. DOMA’s architecture employs multiple AWS availability zones (AZ). This constitutes a built-in alternate storage site capability for customer data stored AWS S3. S3 uses multiple availability zones by default. The multiple AWS S3 availability zones provide identical security safeguards. The replication of S3 across Availability Zones constitutes a multi-storage site capability to address typical susceptibility to network, power, and hardware outages and provides immediate recovery time and recovery point. Additional redundancy is provided by cross-region replication for disaster recovery purposes.
Using AWS Backup, snapshots and Amazon Machine Image (AMI) backups are created on a daily (and hourly) basis depending on the criticality of the system. At a minimum, ALL systems have a daily backup created, all backups are encrypted, and all backup data is retained for one calendar year. Backups are randomly restored for verifying integrity of backup data during annual restoration exercises. Snapshots and AMI’s are stored using AWS S3.
The cloud service provider shall provide the specifications of its backup capabilities to the cloud service customer. The specifications shall include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevant; – retention periods for backup data; – procedures for verifying integrity of backup data; – procedures and timescales involved in restoring data from backup; – procedures to test the backup capabilities; – storage location of backups. The cloud service provider shall provide secure and segregated access to backups, such as virtual snapshots, if such service is offered to cloud service customers.
All data backed up by AWS is protected via system and file access control mechanisms including AWS Identity and Access Management (IAM) account access controls and S3 bucket access control policies. Amazon does not have the ability to decrypt DOMA data. All data is maintained by DOMA staff; no third-party vendors handle customer data.
Unless otherwise stated, DOMA systems and timestamps within our applications follow U.S. Eastern Time. Systems use network time protocol (ntp) for clock synchronization provided by Amazon Time Sync Service.
DOMA maintains uploaded documents and data in the original format as added to the DOMA application. Edited images, regardless of original format are converted to industry standard TIF or PDF image format during the document check-in process. Original documents are never deleted or modified, and new versions are created upon any document change. While a customer account is active, customers may request a data export on a one-time or periodic schedule for an additional fee. Exports are provided with document/records in the original format, and metadata provided in a non-proprietary CSV format that should allow portability in most all cases.
For the purposes of this agreement, a support request is defined as a request for support to fix a defect in existing application code or a request for support that involves no modifications to application code. A request may also involve application availability to a user or group of users. A support request is necessary to begin a resolution process.
There are three severity levels of support provided under this SLA. An issue’s severity level will be determined exclusively by DOMA. These levels are defined as follows:
Level 1 – This is support provided by the DOMA Help Desk when it receives a support request. This represents generalist support. If this level of support cannot resolve the problem, the support request is passed to DOMA’s Level 2 support, which is the infrastructure support team.
Level 2 – This is support provided by an infrastructure support or subject matter specialist. This level of support does not perform software code modifications to resolve the problem. Operational issues will be resolved at this level. If resolution requires code modification, the support request is passed to DOMA’s Level 3 support team.
Level 3 – This is support provided by a DOMA application developer. This level of support does perform software code modifications, if required to resolve the problem.
To contact support for DOMA Technologies, customer may send an email to email@example.com detailing the problem and contact information. Contacting support is available via the DX application beacon. Standard support is available during business hours, M-F 8AM – 5PM ET. After hours calls are forwarded to on-call technicians who will respond within the appropriate time frame defined by the service agreement. Premium support is available 24×7. Afterhours calls without premium coverage or any support calls not directly related to DOMA will be charged a $150 per incident charge.
The following chart is an explanation of the support severity levels and response times:
Guaranteed Response Time
Estimated Correction Time
Critical. The program is unusable. Data is corrupted or system hangs during normal operations. The error severely impacts customer operations.
Best efforts to resolve the problem within 24 hours.
Major. An important function is not available. Data is not corrupted, but the Customer is unable to accomplish tasks. The error severely restricts customer operations.
Best efforts to resolve the problem within 2 business days.
Minor. The program does not perform the task in a proper, orderly manner. The customer’s productivity is not seriously affected.
Best efforts to resolve the problem within 4 business days.
Very minor. that is not significant to the Customer’s operations. Irritations to the customer causing. The Customer can circumvent the issue with a slight loss of productivity.
Best efforts to resolve the problem within 6 business days.
Cosmetic. (Graphical user interface GUI, misspellings, etc.….). No loss of productivity.
Best efforts to resolve the problem within 14 business days.
Limitations to Standard Support Offering
The following list requests types (but not limited to) is not covered by Standard Support Offering:
Such requests are available for an additional fee agreed upon by primary contacts of both parties.
DOMA has a mature change management program. Application and infrastructure changes go through development and staging environments before being put into a production environment. Changes are documented and must be approved before a major change takes place. A major change is defined as changes that could adversely affect the DOMA service or peer service provider. Once approved, customers will be notified in advance from the DOMA Account Management Office (AMO). Customer notification will include:
Minor changes, defined as changes that will not cause system downtime, occur only during non-business hours: M – F 8PM – 8AM ET, and weekends. Customers are not notified of minor changes.
The standard maintenance period occurs on the last Sunday of the month from 12AM – 4AM ET. Typical patch management processes occur during this maintenance window.
Metrics reporting against the SLA resolution targets identified in this agreement will focus on the time to resolve tickets by application and severity. This metric will include only the support requests that are referred to DOMA support for resolution. The metrics will be reported via existing standard problem-ticket system reports as available. Quarterly reports will be available upon request.
Issues that have Severity Levels designated 1 or 2 that do not meet the maximum acceptable resolution time will result in a customer service credit prorated against the monthly application storage charge for the amount of time over the maximum acceptable resolution time. All requests for compensation must be received within five (5) business days of the incident in question. The amount of compensation may not exceed the customer’s monthly recurring charge. This SLA does not apply for any month that the customer has been in breach of the Agreement or if the account is in default of payment.
For intellectual property rights complaints, please contact firstname.lastname@example.org.
Except in the case of material breach as described in Paragraph 5.2 of the Master Services Agreement, ninety (90) days termination notice must be given prior to canceling DOMA service. Upon cancellation date or termination of agreement, DOMA will remove site access and permanently delete all customer data to include record/document images, record metadata, database, storage locations, as well as all backup and replicated data. Depending on the sensitivity of the customer data, federal laws and regulations, and specific requirements outlined in the customer Master Services Agreement, different methods may be used to delete, clean, purge or destroy data and media containing data. In all cases, when customer accounts are no longer active, all customer data is permanently removed. It is in the customer’s best interest to request a data export prior to the actual cancellation date, typically this is requested at the time of the initial notification to cancel service.
Notwithstanding any other provision of the Agreement to the contrary, DOMA hereby reserves the right to modify this SLA at any time, at its sole discretion. DOMA will notify Customer of any modifications to this SLA in writing or via its website.