Service Level Agreement
Effective Date: February 2026
Document Version: 2.0
This Service Level Agreement ("SLA") is incorporated by reference into the Terms of Service ("Agreement") between Rymeda, Inc. ("Rymeda," "we," "us") and the customer ("Customer," "you"). This SLA defines the service availability commitments, support response and resolution times, escalation procedures, incident communication, disaster recovery objectives, performance benchmarks, service credit terms, and reporting cadence for the Rymeda platform.
For Customers with an executed Business Associate Agreement ("BAA"), the availability, incident response, and disaster recovery commitments in this SLA apply to all services handling Protected Health Information ("PHI"). In the event of a conflict between this SLA and the BAA, the BAA shall control with respect to PHI-related obligations.
This SLA applies to production services only. Services designated as beta, preview, pilot, or experimental are excluded from all commitments herein unless expressly stated otherwise.
1. Definitions
"Monthly Uptime Percentage"
The total number of minutes in a calendar month minus the total number of minutes of Downtime in that month, divided by the total number of minutes in that month, expressed as a percentage. See Section 3 for the calculation formula.
"Downtime"
A period during which the Rymeda platform is materially unavailable to the Customer, as measured by Rymeda's external monitoring systems. Material unavailability means the Customer is unable to authenticate, access clinical workflows, or perform core platform functions. Downtime does not include Excluded Events (Section 5).
"Scheduled Maintenance"
Planned maintenance windows communicated at least forty-eight (48) hours in advance via email and in-platform notification. Standard maintenance windows are Sunday 2:00 AM – 6:00 AM Pacific Time. Scheduled Maintenance is excluded from Downtime calculations.
"Emergency Maintenance"
Unplanned maintenance required to address security vulnerabilities, data integrity risks, or imminent system failures. Emergency Maintenance may be performed with less than forty-eight (48) hours' notice. If Emergency Maintenance exceeds thirty (30) minutes, the excess time is counted as Downtime.
"Service Credit"
A credit applied to the Customer's account as the sole and exclusive remedy for failure to meet the Monthly Uptime Percentage commitment. Service Credits are applied to future invoices and do not entitle the Customer to a cash refund.
"Severity Level"
The classification assigned to a support incident based on its impact on the Customer's operations, as defined in Section 6. Severity Levels range from P1 (Critical) to P4 (Low).
"Response Time"
The elapsed time between the Customer's initial incident report and Rymeda's first substantive acknowledgment, including assignment of a Severity Level and case number.
"Resolution Time"
The elapsed time between the Customer's initial incident report and the restoration of normal service or implementation of a confirmed workaround. Resolution Time targets are best-effort objectives, not guaranteed commitments.
"Business Hours"
Monday through Friday, 8:00 AM – 6:00 PM Pacific Time, excluding U.S. federal holidays. P1 (Critical) support is available 24/7/365 regardless of Business Hours.
2. Service Availability Commitment
Rymeda commits to a Monthly Uptime Percentage of 99.9% for the production platform, measured on a calendar-month basis. This equates to no more than approximately forty-three (43) minutes and forty-nine (49) seconds of Downtime per month, or approximately eight (8) hours, forty-five (45) minutes, and fifty-six (56) seconds per year.
The 99.9% commitment applies to the following production services:
- Core Platform — Authentication, authorization, dashboard, navigation, and account management.
- Clinical Workflows — Patient records, clinical charts, clinical notes, vital signs, and care plan management.
- AI-Assisted Documentation — Voice note upload, transcription, AI-generated report creation, provider review, and signing workflows.
- ORIS Clinical AI — AI-assisted clinical decision support, task generation, and daily runbooks.
- Billing & Claims — Invoice creation, CPT/ICD-10 code management, and claim submission workflows.
- Marketplace — Product listings, vendor management, and checkout functionality.
- API Services — All documented REST API endpoints available to the Customer.
Availability is monitored continuously using independent, third-party synthetic monitoring. Current platform status is published at our status page with real-time updates and historical uptime data.
3. Uptime Calculation
Monthly Uptime Percentage is calculated using the following formula:
Monthly Uptime % = ((Total Minutes in Month − Downtime Minutes) / Total Minutes in Month) × 100
Measurement methodology:
- Monitoring interval: Health checks every sixty (60) seconds from multiple geographic regions.
- Downtime threshold: Service is considered unavailable when three (3) or more consecutive health checks fail from at least two (2) independent monitoring locations.
- Partial degradation: If the platform is available but materially degraded (e.g., response times exceed ten (10) seconds for sustained periods), Rymeda may, at its discretion, classify such periods as Downtime.
- Excluded time: Scheduled Maintenance, Emergency Maintenance (first thirty minutes), and Excluded Events (Section 5) are subtracted from Total Minutes before calculation.
In the event of a disagreement regarding Downtime measurements, the Customer may request Rymeda's monitoring logs for the disputed period. Rymeda's monitoring data shall be the authoritative source for uptime calculations.
4. Service Credits
If Rymeda fails to meet the 99.9% Monthly Uptime Percentage commitment, the Customer is eligible for Service Credits as follows:
| Monthly Uptime Percentage | Approx. Monthly Downtime | Service Credit |
|---|---|---|
| 99.0% – < 99.9% | 44 min – 7.3 hours | 10% of monthly fees |
| 95.0% – < 99.0% | 7.3 hours – 36.5 hours | 25% of monthly fees |
| Below 95.0% | > 36.5 hours | 50% of monthly fees |
4.1 Credit Request Process
- Service Credits must be requested in writing within thirty (30) days of the end of the calendar month in which the Downtime occurred.
- Requests must be submitted to support@rymeda.com and include the affected dates, times, and a description of the Downtime experienced.
- Rymeda will respond to credit requests within ten (10) business days with a determination and, if approved, the credit amount.
4.2 Credit Limitations
- Maximum Service Credits in any calendar month shall not exceed fifty percent (50%) of the monthly fees for the affected services.
- Service Credits are applied to future invoices and are not transferable, refundable as cash, or combinable with other credits or promotions.
- Service Credits are the Customer's sole and exclusive remedy for Downtime, subject to the limitation of liability in the Terms of Service.
- Customers who are in breach of the Agreement or have past-due invoices at the time of the credit request are not eligible for Service Credits.
- Service Credits are calculated against the base subscription fee and do not include one-time charges, setup fees, or overage charges.
5. Exclusions
The following events ("Excluded Events") are excluded from Downtime calculations and do not qualify for Service Credits:
5.1 Scheduled Maintenance
Planned maintenance windows communicated at least forty-eight (48) hours in advance. Standard window: Sunday 2:00 AM – 6:00 AM Pacific Time. Rymeda will use commercially reasonable efforts to minimize maintenance frequency and duration.
5.2 Force Majeure
Events beyond Rymeda's reasonable control, including but not limited to: natural disasters, acts of war or terrorism, government actions, pandemic or epidemic, power grid failures, telecommunications failures, or internet backbone outages.
5.3 Customer-Caused Issues
Downtime caused by the Customer's systems, networks, software, internet connectivity, misconfiguration, or use of the platform in a manner inconsistent with documentation or the Terms of Service.
5.4 Third-Party Infrastructure Outages
Outages of underlying infrastructure providers (e.g., Amazon Web Services regional outages) that are beyond Rymeda's reasonable control, provided that Rymeda has implemented commercially reasonable redundancy and failover measures. Rymeda will transparently communicate third-party outage impacts and coordinate with infrastructure providers for resolution.
5.5 Third-Party AI Service Degradation
Degradation or unavailability of third-party AI services (OpenAI, Google Gemini) that affect AI-assisted documentation or ORIS functionality, provided the core platform remains operational. See Subprocessor List for third-party service inventory.
5.6 Customer Agreement Breach
Downtime resulting from the Customer's breach of the Agreement, Acceptable Use Policy, or actions that trigger automated security protections (e.g., rate limiting, DDoS mitigation, account suspension).
5.7 Beta & Preview Services
Features, modules, or services explicitly designated as beta, preview, pilot, early access, or experimental. Such services are provided "as-is" without availability commitments.
6. Support Tiers
Rymeda provides tiered support based on incident severity classification. The Severity Level is assigned at initial triage and may be reclassified as the incident is investigated.
| Severity | Description | Response Time | Resolution Target | Availability |
|---|---|---|---|---|
| P1 — Critical | Platform completely unavailable, PHI exposure risk, or security breach in progress. All users affected with no workaround. | 15 minutes | 4 hours | 24/7/365 |
| P2 — High | Major feature or module unavailable or severely degraded. Multiple users affected. No acceptable workaround available. | 1 hour | 8 hours | Business Hours + On-Call |
| P3 — Medium | Feature impaired but functional. Limited user impact. Workaround available or non-critical function affected. | 4 hours | 2 business days | Business Hours |
| P4 — Low | General questions, feature requests, minor cosmetic issues, or documentation inquiries. No operational impact. | 1 business day | Best effort | Business Hours |
PHI-Related Incidents: Any incident involving potential PHI exposure, unauthorized access to clinical data, or breach of security controls is automatically classified as P1 (Critical), regardless of the number of users affected. Such incidents are additionally governed by the breach notification provisions of the Business Associate Agreement and Breach Notification Policy.
6.1 Support Channels
| Channel | Availability | Severity Levels |
|---|---|---|
| support@rymeda.com | All (P1 – P4) | |
| Phone | 24/7 for P1; Business Hours for P2 | P1, P2 only |
| Support Portal | 24/7 self-service ticket submission | All (P1 – P4) |
| In-Platform Chat | Business Hours | P3, P4 |
For P1 (Critical) incidents, Customers should use both email and phone to ensure immediate response. Submitting a P1 via email only may result in longer initial response times outside of Business Hours.
6.2 Severity Reclassification
Rymeda may reclassify an incident's Severity Level as the investigation progresses. Reclassification to a lower severity requires reasonable justification (e.g., workaround identified, scope reduced). The Customer may dispute a reclassification by contacting their account manager or escalating per Section 7.
7. Escalation Path
If a support incident is not being resolved within the target Resolution Time, or if the Customer is unsatisfied with the response, the following escalation path is available:
| Level | Escalation To | Trigger | Expected Response |
|---|---|---|---|
| L1 | Support Engineer | Initial incident report | Per Severity Level SLA |
| L2 | Senior Engineer / Team Lead | Resolution target exceeded, or L1 unable to resolve | Within 1 hour of escalation |
| L3 | Engineering Manager | L2 unable to resolve within 2x original target, or Customer request | Within 30 minutes of escalation |
| L4 | VP of Engineering | L3 unable to resolve, P1 exceeding 8 hours, or systemic issue | Within 15 minutes of escalation |
| L5 | Chief Technology Officer (CTO) | P1 exceeding 12 hours, data breach, or executive intervention requested | Immediate |
Customers may request escalation at any time by contacting their account manager or emailing security@rymeda.com. For P1 incidents involving PHI or security breaches, escalation to L3 or above occurs automatically.
8. Incident Communication
Rymeda is committed to transparent, timely communication during service incidents.
8.1 During Active Incidents
| Severity | Communication Channels | Update Frequency |
|---|---|---|
| P1 | Status page, email, phone (affected Customers) | Every 30 minutes until resolved |
| P2 | Status page, email | Every 2 hours until resolved |
| P3 | Support ticket | Daily until resolved |
| P4 | Support ticket | As needed |
8.2 Post-Incident Reports
For P1 and P2 incidents, Rymeda will provide a written post-incident report ("Post-Mortem") within five (5) business days of incident resolution. The report will include:
- Timeline — Chronological account of the incident from detection to resolution.
- Root Cause Analysis — Technical explanation of the underlying cause.
- Impact Assessment — Scope of affected services, users, and data (including PHI impact determination).
- Remediation Actions — Steps taken to resolve the incident and prevent recurrence.
- Preventive Measures — Systemic improvements to reduce the likelihood of similar incidents.
For incidents involving PHI, post-incident reports are additionally governed by the breach investigation and notification procedures in the Business Associate Agreement and Breach Notification Policy.
9. Disaster Recovery
Rymeda maintains a documented disaster recovery ("DR") plan designed to ensure business continuity and data protection in the event of a catastrophic failure.
9.1 Recovery Objectives
| Metric | Target | Description |
|---|---|---|
| Recovery Point Objective (RPO) | 1 hour | Maximum data loss window. Backups are performed continuously with point-in-time recovery capability. |
| Recovery Time Objective (RTO) | 4 hours | Maximum time to restore service to operational state after a disaster declaration. |
9.2 DR Infrastructure
- Multi-AZ deployment — Production services are deployed across multiple AWS Availability Zones for high availability within a region.
- Automated backups — Database backups with continuous replication and point-in-time recovery. Backup encryption using per-tenant AWS KMS keys (AES-256).
- Object storage redundancy — Clinical documents, voice recordings, and attachments stored in Amazon S3 with 99.999999999% (11 nines) durability.
- Infrastructure as code — All infrastructure is defined as code, enabling rapid re-provisioning in a secondary region if necessary.
- Encrypted backups — All backup data is encrypted at rest (AES-256) and in transit (TLS 1.3), consistent with the Information Security Policy.
9.3 DR Testing
Rymeda conducts disaster recovery exercises at least twice annually, including backup restoration, failover testing, and recovery time validation. Test results and improvement actions are documented and available upon request for Customers with an executed BAA.
10. Performance Metrics
In addition to the availability commitment, Rymeda maintains the following performance benchmarks for the production platform:
| Metric | Target | Measurement |
|---|---|---|
| API Response Time (p95) | < 500ms | 95th percentile latency for all documented REST API endpoints, measured server-side. |
| API Response Time (p99) | < 2,000ms | 99th percentile latency for all documented REST API endpoints. |
| Page Load Time | < 3 seconds | Time to interactive for primary dashboard and clinical workflow pages, measured from the browser. |
| Voice Transcription | < 60 seconds | Time from upload completion to transcript availability for recordings under 10 minutes in length. |
| AI Report Generation | < 90 seconds | Time from generation request to AI-drafted SOAP note availability for provider review. |
| Error Rate | < 0.1% | Percentage of API requests returning 5xx server errors, measured on a rolling 24-hour basis. |
Performance metrics are best-effort objectives and are not subject to Service Credits. Sustained performance degradation below these targets will be treated as a service incident and triaged per the Severity Level framework in Section 6.
Performance targets exclude network latency between the Customer's location and Rymeda's infrastructure, and may vary based on payload size, query complexity, and concurrent usage.
11. Reporting
Rymeda provides regular reports on service availability, performance, and incident history.
11.1 Monthly Reports
All Customers receive monthly uptime reports, including:
- Monthly Uptime Percentage and Downtime minutes.
- Incident summary (count by Severity Level, mean time to resolution).
- Maintenance windows completed.
- Service Credit eligibility determination.
11.2 Quarterly Enterprise Reviews
Enterprise Customers (as defined in the applicable Order Form) are entitled to quarterly business reviews, including:
- Detailed uptime and performance trend analysis.
- Support ticket volume and resolution metrics.
- Platform roadmap preview and upcoming changes.
- Security and compliance posture review.
- Capacity planning and optimization recommendations.
11.3 Real-Time Status
Rymeda maintains a public status page providing real-time service status, historical uptime data, and incident history. Customers may subscribe to status page notifications via email, SMS, or webhook.
12. Scheduled Maintenance
Rymeda performs scheduled maintenance to apply updates, patches, and improvements to the platform.
Standard Maintenance Window
Sunday, 2:00 AM – 6:00 AM Pacific Time. Not all maintenance windows will be used; Rymeda will only perform maintenance when necessary.
Advance Notice
At least forty-eight (48) hours for standard maintenance. At least seventy-two (72) hours for maintenance expected to exceed two (2) hours or involve data migration.
Notification Channels
Email to account administrators and in-platform banner notification. Status page update prior to maintenance commencement.
Emergency Maintenance
Security patches, critical vulnerability remediation, or data integrity issues may require immediate maintenance with abbreviated notice. Rymeda will provide as much advance notice as reasonably practicable and communicate via status page and email.
Zero-Downtime Deployments
Rymeda employs rolling deployment strategies to minimize or eliminate downtime for routine updates. When zero-downtime deployment is not feasible, the maintenance is scheduled within the standard maintenance window.
13. Customer Obligations
To ensure Rymeda can meet its SLA commitments, the Customer agrees to:
- Timely reporting — Report incidents promptly through designated support channels with sufficient detail for triage (affected functionality, reproduction steps, error messages, timestamps).
- Accurate severity classification — Assign an initial Severity Level consistent with the definitions in Section 6. Intentional misclassification to receive faster response may result in reclassification.
- Reasonable cooperation — Provide timely access to diagnostic information, logs, screenshots, and test environments as reasonably requested by Rymeda support.
- Contact information — Maintain current technical contact information for incident notifications and escalations.
- Platform updates — Use supported browser versions and maintain compatibility with Rymeda's documented system requirements.
- Security compliance — Follow security best practices as described in the Information Security Policy, including multi-factor authentication for clinical access.
14. SLA Modifications
Rymeda may update this SLA from time to time. Material changes will be communicated as follows:
- Improvements — Increased availability commitments, faster response times, or expanded coverage take effect immediately upon posting.
- Material reductions — Reductions in availability commitments, increased response times, or removal of support channels will be communicated at least thirty (30) days in advance via email.
- Objection rights — If a material reduction materially impacts the Customer's use of the platform, the Customer may terminate the Agreement without penalty within thirty (30) days of receiving notice.
For Enterprise Customers with custom SLA terms in an executed Order Form, the Order Form terms prevail over this standard SLA to the extent of any conflict.
15. Relationship to Other Agreements
This SLA is subject to and governed by the Terms of Service. In the event of a conflict between this SLA and the Terms of Service, the Terms of Service shall control, except that:
- The Business Associate Agreement controls for PHI-related obligations, including breach notification timelines and security incident handling.
- The Data Processing Agreement controls for personal data processing obligations under GDPR and CCPA/CPRA.
- An executed Order Form or Enterprise Agreement controls for customer-specific SLA terms negotiated therein.
Nothing in this SLA limits Rymeda's obligations under applicable law, including HIPAA, CMIA, or state breach notification statutes. See the Breach Notification Policy for legally mandated notification timelines.
16. Governing Law
This SLA is governed by the laws of the State of Delaware, without regard to conflict of laws principles, except that California law applies where it provides more stringent consumer or healthcare data protection. Disputes are subject to the dispute resolution provisions of the Terms of Service.
Contact
For SLA inquiries, support requests, credit claims, or escalations: