Service Level Agreement

Effective date: June 2026 · Version 1.0

This SLA covers the availability, performance, support, and security commitments for Yona's e-invoicing platform services, including invoice lifecycle management, payment collection, billing and subscription management, API Gateway and authentication services, webhook event delivery, and a sandbox environment for integration testing.

This SLA applies to the production environment only. Sandbox environments are provided on a best-effort basis.

1. Service Availability

1.1 Uptime Commitment

Metric | Target
Monthly uptime | 99.9%
Maximum scheduled downtime per month | 45 minutes
Scheduled maintenance window | Sundays 02:00–04:00 WAT (with 48-hour advance notice)

Uptime is measured as the percentage of minutes in a calendar month during which the API Gateway returns successful health check responses, excluding scheduled maintenance.

1.2 Uptime Calculation

Uptime % = ((Total minutes in month − Downtime minutes) / Total minutes in month) × 100

1.3 Service Credits

Monthly Uptime | Credit (% of monthly invoice)
99.0% – 99.9% | 10%
95.0% – 99.0% | 25%
Below 95.0% | 50%

Service credits must be requested within 30 days of the affected month. Credits are applied to future invoices and do not exceed 50% of the monthly service fee.

2. Performance

2.1 API Response Times

Metric | Target
P50 (median) response time | < 200ms
P95 response time | < 500ms
P99 response time | < 1,500ms

Measured at the API Gateway for standard CRUD operations (invoice create, read, list). Excludes PDF generation (async, typically < 5s), tax authority submission (dependent on external NRS API), and payment provider calls (dependent on Paga/Paystack/Stripe APIs).

2.2 Webhook Delivery

Metric | Target
First delivery attempt | Within 30 seconds of event
Retry policy | Exponential backoff, up to 5 retries over 24 hours
Delivery success rate (recipient reachable) | > 99%

2.3 Event Processing

Metric | Target
Invoice creation to tax authority submission | < 10 seconds
Payment webhook receipt to invoice reconciliation | < 30 seconds
Credit deduction processing | < 5 seconds

3. Support

3.1 Support Channels

Channel | Availability
Email support | Monday–Friday, 09:00–18:00 WAT
In-app support / chat | Monday–Friday, 09:00–18:00 WAT
Critical incident hotline | 24/7 (P1 incidents only)
API status page | 24/7 (automated)

3.2 Incident Severity and Response Times

Priority | Definition | Response Time | Resolution Target
P1 — Critical | Service completely unavailable; all customers affected; data loss risk | 30 minutes | 4 hours
P2 — High | Major feature degraded; significant subset of customers affected | 2 hours | 8 hours
P3 — Medium | Non-critical feature impaired; workaround available | 8 business hours | 3 business days
P4 — Low | Minor issue, cosmetic, or feature request | 2 business days | Best effort

Response time = time from incident report to acknowledgment with assigned owner. Resolution target = time from acknowledgment to service restoration or workaround deployment. Root cause analysis for P1/P2 incidents delivered within 5 business days.

3.3 Escalation Path

Escalation Level | Timeframe | Contact
Level 1 — Support Engineer | Immediate | Support channel
Level 2 — Engineering Lead | After 2 hours (P1) / 4 hours (P2) | Internal escalation
Level 3 — CTO / Management | After 4 hours (P1) / 8 hours (P2) | Direct communication

4. Data Security and Privacy

4.1 Encryption

Layer | Standard
Data in transit | TLS 1.3 enforced on all API endpoints
Data at rest (database) | AES-256 (AWS RDS encryption)
Data at rest (application-level) | AES-256-GCM (sensitive credentials), AES-256-CFB (invoice downloads)
Passwords | bcrypt one-way hashing
Invoice signing | RSA-2048 / ECDSA digital signatures
Webhook signatures | HMAC-SHA256 (outbound), HMAC-SHA512 / SHA-512 (inbound provider verification)

4.2 Access Control

  • JWT-based authentication with configurable token expiry
  • API key authentication with mode-specific keys (sk_test_ / sk_live_)
  • Role-based permissions on all endpoints
  • TOTP-based two-factor authentication (enforced for admin users)
  • Trusted device management with 30-day inactivity expiration
  • Rate limiting on all public endpoints

4.3 Environment Isolation

  • Sandbox and production environments are fully isolated (separate databases, separate API keys, separate webhook delivery)
  • Sandbox data never crosses into production
  • API mode is immutable on API keys and propagated through all service layers

4.4 Data Retention and Deletion

  • Customer data retained for the duration of the service agreement plus any regulatory retention period
  • Data deletion upon written request, completed within 30 days, with confirmation
  • Audit logs retained for 12 months minimum

4.5 Compliance

Standard | Status
ISO 27001:2022 | Certified
NDPR (Nigeria Data Protection Regulation) | Compliant
AWS infrastructure certifications | SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS (inherited)

5. Change Management

5.1 Planned Maintenance

  • Scheduled maintenance communicated 48 hours in advance via email and status page
  • Maintenance windows: Sundays 02:00–04:00 WAT (preferred)
  • Maximum scheduled downtime: 45 minutes per month

5.2 API Versioning

  • API is versioned (e.g., /v1/)
  • Breaking changes introduced only in new major versions
  • Minimum 90 days deprecation notice before retiring an API version
  • Non-breaking additions (new optional fields, new endpoints) deployed without version bump

5.3 Emergency Changes

  • Emergency patches (security vulnerabilities, critical bugs) may be deployed outside maintenance windows
  • Customers notified within 1 hour of emergency deployment
  • Post-incident report within 5 business days

6. Disaster Recovery and Business Continuity

Metric | Target
Recovery Point Objective (RPO) | < 1 hour (database point-in-time recovery)
Recovery Time Objective (RTO) | < 4 hours
Database backups | Automated daily snapshots with 30-day retention (AWS RDS)
Infrastructure | Multi-AZ Kubernetes deployment for high availability
Message durability | RabbitMQ durable queues with dead-letter exchange; no message loss on service restart

7. Reporting

7.1 Availability Reports

  • Monthly uptime report provided to Customer upon request
  • Incident post-mortems for P1/P2 incidents delivered within 5 business days

7.2 Security Reports

  • Annual security review summary available upon request
  • Penetration testing conducted periodically; summary findings shared under NDA

8. Exclusions

This SLA does not apply to:

  • Sandbox environments — provided on a best-effort basis
  • Third-party dependencies — downtime or degradation of Paga, Paystack, Stripe, Nigeria Revenue Service (NRS), or other external APIs
  • Force majeure — natural disasters, government actions, internet backbone failures
  • Customer-caused issues — misconfigured webhooks, invalid API usage, exceeded rate limits
  • Scheduled maintenance — within the announced maintenance window

9. Term and Review

  • This SLA is effective for the duration of the service agreement
  • Reviewed annually or upon material changes to the service architecture
  • Amendments communicated 30 days in advance

Contact

Elyonar Technologies Ltd

Legal: legal@elyonar.ng

Support: support@elyonar.ng

Website: elyonar.ng