Expel Service Level Agreement

This Service Level Agreement applies to the following Expel products:

  • Expel Managed Detection and Response (MDR)
    • Expel MDR for Cloud Control Plane
    • Expel MDR for Cloud Workload
    • Expel MDR for Endpoint and Network
    • Expel MDR for SaaS and Identity
  • Expel Managed Phishing
  • Expel Hunting
  • Expel Vulnerability Prioritization
  1. Definitions. The following capitalized terms will have the definitions set forth below. All other capitalized terms that are not defined herein shall have those meanings accorded to them in Expel’s Terms and Conditions.
    • “Alert” means an alert to be analyzed by Expel that is generated by a Supported Product or by Expel’s own technology.
    • “Covered System” means a computing device (to the extent supported by Expel) that Customer specifies as within the scope of the Expel Service on which a Supported Product is installed.
    • “Event” means an Alert cursorily reviewed by Expel and deemed to be a potential compromise of one or more of Customer’s Covered Systems that subsequently results in creation of either an Investigation or an Incident.
    • “Expel Service” means the SaaS offerings and related services made available by Expel that are designed to help customers manage their security operations, that may include alert analysis, investigations, incident reporting, non-remedial alerts, and access to Expel Workbench™ that allows the customer to review such alerts, investigations and incidents, as ordered pursuant to a Sales Order.
    • “Incident” means a report of confirmed compromise of one or more of Customer’s Covered Systems.
    • “Investigation” means the process executed by Expel to confirm whether possible compromises are false positives or true compromises.
    • “Scheduled Downtime” means the total amount of time during any calendar month, measured in minutes, during which Customer is not able to access Expel Workbench™ due to planned system maintenance performed by Expel. Expel will provide Customer with reasonable prior notice of such Scheduled Downtime.
    • “Supported Product” means any of the supported technologies found here. Expel, in its sole discretion, may add, remove and change the Supported Products from time to time.
    • “Total Monthly Time” means the total minutes in the relevant calendar month less Scheduled Downtime. For any partial calendar month during which Customer subscribes to the Service, availability will be calculated based on the entire calendar month, not just the portion for which Customer subscribed.
    • “Unscheduled Downtime” means the total amount of time during any calendar month, measured in minutes, during which the Customer is not able to access the features and functions of Expel Workbench™, including e-mail notifications of incidents, other than Scheduled Downtime, as defined above. Unscheduled Downtime shall not include any period during which Expel Workbench™ is unavailable as a result of (i) non-compliance by Customer with any provision of this SLA; (ii) incompatibility of Customer’s equipment or software with the Expel Service; (iii) actions or inactions of Customer or third parties; (iv) Customer’s use of the Expel Service after Expel has advised Customer to modify its use of the Expel Service, if Customer did not modify its use as advised; (v) acts or omissions of Customer or Customer’s employees, agents, contractors, or vendors, or anyone gaining access to Expel Workbench™ by means of Customer’s passwords or equipment; (vi) performance of Customer’s systems or the Internet; (vii) any systemic Internet failures; (viii) network unavailability or Customer’s bandwidth limitations; or (ix) Scheduled Downtime.
    • “System Availability” means, with respect to any particular calendar month, the difference between Total Monthly Time and Unscheduled Downtime, divided by the Total Monthly Time. Represented algebraically, System Availability for any particular calendar month is determined as follows:
  2. Scope of Service. During the Term, Expel will provide Customer with the Expel Services described in this Section 2, as set forth on the Sales Order and in accordance with the Expel Terms and Conditions.
    1. Covered Systems. Expel will ingest data from the Customer’s Covered Systems, which are in scope as part of the Services to generate Alerts.
    2. Alert Analysis and Investigations. Expel will analyze Alerts on a 24x7x365 basis for signs of malicious activity. If Expel determines that an Event is indicative of potentially malicious activity, Expel will create an Investigation. If the Investigation results in sufficient evidence of malicious activity, Expel will create an Incident.
    3. Event Notifications. Customer may opt in to receiving Event Notifications from Expel, provided that Customer has the required additional technology to receive such notifications (e.g., Slack and email servers are implemented). Expel will use reasonable efforts to provide Event Notifications after identifying the Event. Event Notifications will include information known to Expel at the time the Event is identified, but may not include impact and severity details customarily determined through an Investigation or Incident report.
    4. Incident Reporting. Upon confirmation of malicious activity by Expel, Expel will publish an Incident to the online user portal and notify (which may include e-mail notification) Customer of the new Incident. At its discretion, Expel may perform an extended investigation, and/or may aggregate and review multiple Alerts from related Covered Systems to determine the extent of activity related to the Incident. Expel analysts may append results from the extended investigation or subsequent Alert analysis to the initial Incident report if Expel determines that additional or subsequent Alerts are related, and in such cases, Expel will not be required to publish a separate Incident for each such related Alert.
    5. Non-Remediable Alerts. Expel has no obligation to notify Customer or generate new Incidents for new Alerts that are directly related to previously published Incidents for which Expel has already provided recommended remediation steps, when Customer has acknowledged the prior Incident but cannot, or chooses not to, remediate the cause of these Alerts.
    6. Expel Workbench™ Access. Alerts, Investigations and Incidents will be provided through Expel Workbench™.
       For Expel Managed Phishing only:
       Support for Forwarded Emails. Customer must ensure that the email fetch feature is enabled. If this feature is not enabled, Email submissions without an .eml file will not be processed or analyzed by Expel. Instructions for enabling this feature can be found in the Expel Help Center. “Email” means each unique email analyzed by Expel that is forwarded by an Authorized User from their inbox. The same email or very similar emails that are submitted either multiple times by the same Authorized User or by multiple Authorized Users are counted as separate Emails for the purposes of this Service Level Agreement.
  3. System Performance
    1. System Availability; Response and Resolution Times: Expel will undertake commercially reasonable measures to ensure that System Availability equals or exceeds ninety-nine point nine five percent (99.95%) during each calendar month (the “Service Standard”). Customer may initiate support tickets through the support portal at https://support.expel.io/.
    2. Unscheduled Downtime: Customer may report Unscheduled Downtime at any time 24 hours a day, 7 days a week, 365 days a year (“24x7x365”) by sending Expel an e-mail to outage@expel.io. Expel will exercise commercially reasonable efforts to respond to reports of Unscheduled Downtime within 15 minutes of each such report.
    3. System Monitoring and Measurement: Expel uses a third party service (“Monitoring Service”) to monitor System Availability on an ongoing basis. Measurements of System Availability will be calculated on a monthly basis for each calendar month during the Term based on the records of such Monitoring Service. Customer acknowledges that the Monitoring Service may become unavailable for reasons outside Expel’s control, and in such an event, Expel will make commercially reasonable efforts to notify Customer promptly in the event such unavailability materially affects Expel’s ability to monitor System Availability.
  4. Customer Networks and Customer Requirements. The Expel Service may only be provided for computer systems and networks leased to or owned by Customer, and under Customer’s control, up to the quantity set forth on the applicable Sales Order. Customer is responsible for maintenance and management of its computer network(s), servers, and software, and any equipment or services related to maintenance and management of the foregoing. Customer is responsible for correctly configuring its systems in accordance with any instructions provided by Expel, as may be necessary for provision of access to the features and functions of the Service.
  5. Remedy for Breach of Section 3.1:
    1. Credits Against Fees: In the event Unscheduled Downtime occurs, Customer will be entitled to credits against its subsequent payment obligations (as set forth in the applicable Sales Order) (“Service Credits”) according to the following table:
      System Availability     *Credit as a Percentage of One Month of Service
      99.95% – 100.00%        0%
      99.00% – 99.94%         10%
      95.00% – 98.99%         25%
      Less than 95.0%         50%

      Notwithstanding the foregoing, System Availability below 94.00% will be deemed a breach by Expel consistent with the termination section of the Expel Terms and Conditions.

      Customer’s rights under this Section 5.1 are Customer’s sole and exclusive remedy with respect to any Unscheduled Downtime or any failure by Expel to meet the Service Standard required by Section 3.1.

    2. Maximum Service Credits: The maximum amount of Service Credits that Expel will issue to Customer for Unscheduled Downtime in a single calendar month will not exceed fifty percent (50%) of the Fees for such month.
    3. Requesting Service Credits: As a condition to Expel’s obligation to provide Service Credits to Customer, Customer must request such Service Credits by sending an e-mail identifying the date and time of the Unscheduled Downtime for which Customer is requesting Service Credits, with sufficient evidence (including description of the incident and duration of the incident) to credit@expel.io within thirty (30) days following such Unscheduled Downtime. If Customer fails to request any Service Credits to which Customer is entitled in accordance with this Section 5.3, Expel will have no obligation to issue such Service Credits to Customer.
  6. Surge. Any Customer requested on-demand services (“Surge”) will be performed at the rate defined on the applicable Sales Order and is subject to Expel’s availability. Examples of these requests may include, but are not limited to:
    • On-demand investigations: A manual investigation is a request for Expel to review and provide feedback on an anomaly identified by the customer that was NOT generated by an alert within the Expel Workbench™ platform;
    • Extended Red/Blue Team exercise participation; and
    • Expel support for customer requested security investigations.