Service Level Agreement

1. Availability

The SaaS mode Nearbound Platform offers an availability rate of 99.9% (ninety-nine dot nine percent) per month, excluding the scheduled maintenance period planned to continuously improve the Nearbound Platform. 

• Once a month  between 9am and 12pm CET for service breaks of less than 1 hour; in this case, Customer will receive a notification at least 3 days in advance informing them of the occurrence of this outage. 
• 4 times a year, for a period of up to 8 hours. In this case, Customer will receive a notification at least 2 weeks in advance informing them of the occurrence of this outage. 

2. Corrective Maintenance

For the purpose of this Article, the following terms have the following signification: 

• "Anomaly" means any malfunction or non-compliance of the Product that prevents the normal functioning of all or part of the Nearbound Platform or that causes an incorrect result or inappropriate treatment while the Nearbound Platform is being used in accordance with the GTC;
• "Blocking Anomaly" means the impossible access the Nearbound Platform;
• "Minor Anomaly" means any Anomaly which does not prevent the full exploitation of the Nearbound Platform in all its functionalities ;
• "Semi-Blocking Anomaly" means any Anomaly allowing the use of only part of the Nearbound Platform.

Reveal takes charge of the corrective and evolutionary maintenance of the Nearbound Platform. 

A support service to deal with Anomalies is available every day from Monday to Friday, at the following email address help@reveal.co or via an in-app chat, as soon as the questions asked relate to the use of the Services.

Reports of Anomalies must be confirmed by email to Reveal without undue delay. The Customer shall provide Reveal with any information or document characterizing the anomaly that may facilitate Reveal's understanding of the issue encountered.

Reveal undertakes to diagnose the Anomaly and implement its correction under the following conditions:

• In the event of a Blocking Anomaly the report is taken into account within a maximum 4 (four) working hours period. Reveal shall endeavor to correct the blocking anomaly within 24 (Twenty four) hours in working days and shall propose a workaround solution. If Reveal fails to resolve the issue in a timely manner the blocked days will be deducted from the licensing fee on a pro rata basis.

• In the event of a Semi-Blocking Anomaly the report is taken into account within a maximum 8 (eight) working hours. Reveal shall make its best effort to correct the anomaly, and shall propose a workaround solution that allows the use of the failing functionalities in question within 5 (five) working days. If Reveal fails to resolve the issue in a timely manner, the blocked days will be deducted up to 50% from the licensing fee on a pro rata basis.

• In the event of a Minor Anomaly the report is taken into account as soon as possible, and Reveal proposes the correction of the Minor Anomaly when a new version of the Nearbound Platform is available.
  ‍

3. Technical support

Reveal’s technical support for the use of the Nearbound Platform includes the following services: 

• Provision by e-mail help@reveal.co or via an in-app chat, of technical advice, assistance and support to the Customer on the use and configuration of the Nearbound Platform every opening day from 03:00 am to 10:00 pm, ET;

• Provision of assistance regarding Nearbound Platform updates.
  ‍

4. Security 

4.1 Technical Measures

(a) Application Security

Reveal uses Sqreen.com to detect and block in real time attacks such as XSS, SQL Injections, Identity Theft etc. We also use Cloudflare to protect our services from Distributed Denial of Service (DDoS) attacks.

(b) Data Encryption in Transit

All HTTP traffic to and from Reveal services is encrypted using TLS with a version greater or equal to 1.2. HSTS is enforced to make sure the browser enforces HTTPS connections.

(c) Databases Security

Databases are hosted within Google Cloud datacenters in Belgium.

All customer data is encrypted at rest using AES-256 encryption, with encryption keys generated by Google Cloud Key Management System.

For the most sensitive data, encryption is applied at the application layer with symmetric encryption keys rotating every 30 days.

Daily backups are operated, which are in the end encrypted as well using AES-256.

(d) Passwords

Passwords are at least 8 characters long for our users, with at least 1 uppercase letter or numerical character.

They are never stored in clear but as a hash using the bcrypt2 algorithm with 11 stretches and a random salt to prevent brute force and rainbow attacks.

‍4.2 Organizational Measures

(a) Employees

Employees follow a security awareness training program on a yearly basis, including detection of social engineering, phishing, password management etc.

They are required to apply a strong password policy and to use a password manager to limit password reuse.

Multi-factor authentication is required whenever possible, including on the tools that Reveal develops to operate the service.

(b) Securing Devices

All devices are managed automatically using Kandji (MDM), and monitored using Vanta. This includes hard drive encryption, anti-malware installation, automatic updates, firewall configuration, password policy an many other controls (aligned to CIS level 2).

(c) Securing Software

Reveal develops applications following security best practices. Every piece of software written is reviewed by expert eyes, and goes through automated security gates before reaching production environments.

(d) Testing Security

Independent third parties are mandated to perform a various range of security tests: 

• Penetration testing (at least annually)
• Phishing attacks (at least annually)

Vulnerability scanning (continuous)

‍