The Aegix platform includes three client applications: Aegix One (parent and student safety communications and check-in), Aegix AIM (on-site staff and emergency responder incident management, mapping, and coordination), and Aegix SMS (SIS integrations, reunification management, visitor management, and on-site administration). This SLA covers all platform services, integrations, and client applications.
Effective January 1, 2025
1. AGREEMENT OVERVIEW
This Service Level Agreement ("SLA") is entered into between Aegix Global, LLC, a Utah limited liability company ("Provider"), and an organization that subscribes to the Aegix platform (the "Authorized Customer" or "Customer") to define the terms of service delivery, performance standards, and support for the Aegix platform.
Parties and Purpose
Provider: Aegix Global, LLC, 94 Lone Hollow Dr., Sandy, UT 84092
Customer: Subscribing organization. Examples include K-12 Local Education Agencies and charter networks; colleges and universities; federal, state, local, tribal, and military government agencies; hospitals, clinics, and health systems; corporate, religious, summer-camp, sports, and entertainment-venue site operators; and other organizations operating physical sites that require real-time safety communication and incident management.
Service: Cloud-hosted SaaS delivery of the Aegix platform for safety communication, incident management, indoor and outdoor mapping, push-notification delivery, reunification, visitor management, and (where the Authorized Customer has enabled it) Digital 911 Routing to certified public-safety dispatch providers.
Governance: This SLA operates in conjunction with the applicable Student Data Privacy Agreement (DPA) and the executed Master Subscription Agreement (../customer-portal/master-subscription-agreement.md)
Effective Date and Renewal
Effective Date: This SLA is effective upon the date of execution by both parties
Renewal: This SLA renews automatically on an annual basis unless terminated in writing at least 60 days prior to the renewal date
2. SERVICE DESCRIPTION
The Aegix platform is a cloud-native safety and incident-management platform delivered as a Software-as-a-Service (SaaS) solution. The Service includes:
Safety communication system for emergency alerts, incident notifications, and two-way messaging across the Authorized Customer's site or sites
Incident management workflow for documenting, tracking, and responding to safety incidents
Indoor and outdoor mapping integration for location-aware safety responses
Push notification capabilities via certified delivery infrastructure
Reunification, visitor-management, and on-site administrative functions appropriate to the Authorized Customer's sector
Web and mobile applications accessible via modern browsers and iOS / Android platforms
Data processing in compliance with applicable privacy laws, including (where the Authorized Customer's sector triggers them) FERPA, COPPA, the SDPC v3 16-state Data Privacy Agreement framework for K-12, FedRAMP-environment controls for government, and the BAA-on-request HIPAA pathway for healthcare
3. SERVICE AVAILABILITY & UPTIME
Uptime Commitment
Provider commits to 99.9% uptime availability measured on a calendar month basis, excluding scheduled maintenance windows and force majeure events.
Critical safety features (emergency alerts, incident reporting) are targeted at 99.99% availability during the Authorized Customer's Operating Hours to ensure reliability when safety needs are greatest.
Operating Hours Definition
"Operating Hours" are defined by sector. The default for K-12 and higher-education Authorized Customers is 6:00 AM to 8:00 PM local time, Monday through Friday, during the Authorized Customer's published academic calendar (excluding scheduled closures, holidays, and summer breaks). For healthcare Authorized Customers, Operating Hours are 24 hours per day, every day. For government Authorized Customers, Operating Hours follow the Authorized Customer's published business hours unless the Order Form specifies otherwise (e.g., 24/7 for emergency-services agencies). For corporate, religious, summer-camp, sports, entertainment-venue, and other site-operating Authorized Customers, Operating Hours are as specified in the Order Form, defaulting to the Authorized Customer's published site hours. References elsewhere in this SLA to "School Hours" are deemed to mean "Operating Hours" as defined here for non-K-12 / non-higher-education Authorized Customers.
Uptime Calculation
Uptime is calculated using the following formula:
((Total Minutes in Month – Downtime Minutes) / Total Minutes in Month) × 100
Downtime is measured from the moment Provider becomes aware of an outage affecting 5% or more of Customer’s user base until full service restoration and verification.
Individual user connectivity issues, browser caching, and local network problems are not counted as Provider downtime.
Scheduled Maintenance
Standard Maintenance Windows: Weekends (Saturday–Sunday) or after 10:00 PM local time, with 72-hour advance written notice
Emergency Maintenance: Critical security patches and urgent infrastructure repairs may occur anytime with best-effort advance notice (minimum 4-hour notice when possible)
Maintenance Exclusion: Scheduled maintenance windows are excluded from uptime calculations
4. SERVICE CREDIT SCHEDULE
If monthly uptime falls below 99.9%, Customer is eligible for service credits applied to the next billing cycle. Credits are the sole and exclusive remedy for downtime.
| Monthly Uptime | Service Credit |
| 99.0% – 99.9% | 5% of monthly service fees |
| 95.0% – 99.0% | 10% of monthly service fees |
| Below 95.0% | 25% of monthly service fees |
Credit Claim Process
Credits must be requested in writing within 30 days of the month in which the outage occurred
Provider will validate uptime calculations using system logs and monitoring data
Credits are applied automatically to the next month’s invoice within 10 business days of verification
Credits do not apply during scheduled maintenance, force majeure events, or Customer-side connectivity issues
5. INCIDENT RESPONSE & SUPPORT TIERS
Provider operates a 24/7/365 support program with tiered response based on incident severity. All incidents reported during the Authorized Customer's Operating Hours receive prioritized handling.
| Priority | Definition | Response Time | Support Hours |
| P1 Critical | Safety system outage or confirmed data breach | 1 hour | 24/7 (continuous work) |
| P2 High | Major feature degradation or suspected unauthorized access | 4 hours | 24/7 during academic year; Business hours off-season |
| P3 Medium | Minor feature issue or non-critical bug | 8 hours | Business hours; Next-business-day resolution target |
| P4 Low | Cosmetic issues or feature requests | Next business day | Business hours |
Support Channels
Email Support: support@aegix.global (standard inquiries and P3/P4 tickets)
Web Portal: Self-service ticketing at aegix.global/support
Emergency Phone Line: Dedicated P1 hotline available during 24/7 support windows
6. DATA SECURITY COMMITMENTS
Provider implements a comprehensive, defense-in-depth security architecture aligned with NIST SP 800-53 Rev 5 and industry best practices appropriate to the Authorized Customer's sector — K-12, higher education, government, healthcare, or other regulated environments.
Encryption
Data at Rest: AES-256 encryption for all stored student and operational data
Data in Transit: TLS 1.2 or higher for all network communications
Cloud Infrastructure
Primary Infrastructure: AWS with multi-AZ deployment across US regions
AWS Security Services: GuardDuty (threat detection), CloudTrail (audit logging), Security Hub (security posture), CloudWatch (monitoring), Inspector (vulnerability assessment), KMS (encryption key management)
Network Security: VPC isolation, WAF protection, DDoS mitigation (Shield Standard), CloudFront CDN with WAF rules
Secondary Services: GCP used exclusively for outdoor mapping and push notification delivery
Compliance and Audits
NIST Alignment: Controls aligned with NIST SP 800-53 Rev 5
Penetration Testing: Annual third-party penetration testing and vulnerability assessments
SOC 2 Type II: Audit in progress; results will be provided to Customers upon completion
Data Residency: All data resides in United States AWS regions; no international transfers without explicit DPA amendment
Logical Isolation: Multi-tenant architecture with role-based access controls (RBAC) and database-level data isolation
Backup and Redundancy
Automated Backups: Daily automated backups with 30-day retention
Point-in-Time Recovery: Capability to restore data to any point within the last 30 days
Multi-AZ Replication: AWS multi-AZ replication for automatic failover and redundancy
7. SECTOR-SPECIFIC REGULATORY COMPLIANCE
Provider has implemented policies and technical controls to comply with the universal privacy posture described in the Aegix Privacy Policy (CPRA, VCDPA, CPA, CTDPA, TDPSA, OCPA, and analogous state comprehensive privacy laws), and with sector-specific obligations triggered by the type of organization the Authorized Customer is. Data processing is limited to the purposes contracted in the Order Form and the executed sector-specific addendum (SDPA, BAA, or other), and to security, fraud-prevention, and legal-compliance purposes.
Universal Restrictions (apply to all Authorized Customers)
No Sale: Customer Data is never sold to third parties
No Commercial Use: Customer Data is not used for commercial purposes, behavioral profiling, or market research outside the contracted Service
No Targeted Advertising: Customer Data is not used for targeted advertising or marketing
Limited Processing: Data processing is strictly limited to the contracted purposes
Subprocessor governance: All subprocessors with access to Customer Data are listed in the Subprocessor List and bound by contract to obligations equivalent to those in this SLA
K-12 and youth-serving Authorized Customers
FERPA (20 U.S.C. § 1232g): Provider operates as a "school official" with legitimate educational interest; no disclosure of student records without Authorized Customer authorization
COPPA (15 U.S.C. § 6501–6506): Parental consent for children under 13 is managed through the Authorized Customer; Provider does not collect independent consent
16-State SDPC v3 Coverage: Student data is protected under all applicable state Student Data Privacy Agreements where the Authorized Customer operates, including MA, ME, CO, IL, IA, MO, NE, NH, NJ, NY, OH, RI, TN, VT, VA, and WA
NY Education Law § 2-d & 8 NYCRR Part 121: Compliance with NY student data governance requirements where the Authorized Customer operates schools subject to NY § 2-d
State-Specific Requirements: Timely notification, data destruction timelines, and breach remediation per applicable state student-data-privacy law
DPA Governance: All Student Data processing is governed by the applicable Student Data Privacy Agreement executed between Provider and the K-12 Authorized Customer
Higher-education Authorized Customers
FERPA: Applies to higher-education student records; Provider operates as a "school official" with legitimate educational interest when processing student records on behalf of a higher-education Authorized Customer that has so designated Provider in writing
State student-data-privacy laws may apply where the Authorized Customer's enrollment includes minors
Government Authorized Customers (federal, state, local, tribal, military)
FedRAMP environment: Provider's cloud infrastructure operates within Amazon Web Services environments authorized at the FedRAMP Moderate impact level; the Aegix Service itself is not FedRAMP-authorized as of the Effective Date. Government Authorized Customers requiring full FedRAMP Moderate or High Service-level authorization should engage Provider on roadmap and scope
FISMA: Provider's security controls are aligned with NIST SP 800-53 Rev 5 in accordance with FISMA expectations for the Moderate impact level
CJIS: Where the Authorized Customer is a law-enforcement agency or operates within a CJIS-regulated workflow, Provider will reasonably cooperate with CJIS-driven configuration and access-control needs
FOIA / public-records cooperation: Provider will reasonably assist Government Authorized Customers with FOIA-driven data-export requests, subject to the executed contract
Healthcare Authorized Customers
HIPAA / PHI: The Service is not designed to process PHI as a primary record system and is not HIPAA-authorized in its default configuration. Healthcare Authorized Customers must not transmit PHI through the Service unless and until a Business Associate Agreement ("BAA") is executed between Provider and the Authorized Customer. Provider will execute a BAA on request from a covered entity or business associate
State health-privacy laws (CMIA, MHMD, analogous regimes) — applicability determined per Authorized Customer
Other Site-Operating Authorized Customers (corporate, religious, summer-camp, sports / entertainment venue, etc.)
The universal posture above applies in full
Sector-specific obligations are the responsibility of the Authorized Customer to identify and configure for; Provider will reasonably assist with technical configuration as part of the executed contract
Where the Authorized Customer enrolls minors (e.g., a summer camp serving children under 13, a youth sports program), the K-12 / youth-serving provisions above apply by analogy
8. DATA BREACH NOTIFICATION
In the event of a confirmed or suspected security breach involving Customer Data, Provider will notify Customer immediately and provide comprehensive support for breach remediation. Specific notification timelines depend on the Authorized Customer's sector and applicable law.
Notification Timeline
Standard Notification (all Authorized Customers): Within 72 hours of discovery of the breach
Virginia Expedited: Within 24 hours where Virginia state law applies
K-12 Authorized Customers — NY Education Law § 2-d: Notification within 60 calendar days with Customer-approved remediation plan, subject to law-enforcement-delay provisions
Healthcare Authorized Customers under executed BAA: HIPAA Breach Notification Rule timelines apply (without unreasonable delay, no later than 60 days from discovery)
Government Authorized Customers: Agency-specific timelines per the executed contract; for federal agencies, FISMA / OMB M-22-01 incident-reporting cooperation is the default
Post-Incident Report: Detailed technical report within 30 days of resolution
Notification Content
Nature of the breach and data affected
Number of individuals and records involved
Remediation steps taken and in progress
Contact information for Provider's privacy and security team
Cooperation Plan: Provider’s commitment to assisting Customer with notification to parents/guardians
9. BACKUP & DISASTER RECOVERY
Provider maintains a comprehensive backup and disaster recovery program to minimize data loss and ensure rapid service restoration in the event of infrastructure failure.
Recovery Objectives
| Metric | Non-Critical Services | Critical Services |
| RPO (Recovery Point Objective) | 1 hour | 1 hour |
| RTO (Recovery Time Objective) | 24 hours | 4 hours |
Backup and Testing
Backup Frequency: Automated daily backups
Retention: 30-day backup retention with incremental snapshots
Disaster Recovery Testing: Annual DR testing with documented results
Transparency: Test results and DR plan are available to Customer upon request
10. CHANGE MANAGEMENT
Material Service Changes: 30-day advance written notice via email to designated Customer contact
Data Processing Changes: Changes affecting Customer Data processing require amendment of the executed sector-specific addendum (SDPA / BAA / DPA / equivalent) and Customer acknowledgment
Security Patches: Emergency security patches are exempt from advance notice but will be communicated as soon as practicable
Feature Deprecation: Deprecated features will have at least 180 days' notice with migration guidance
11. TERMINATION & DATA HANDLING
Data Export
Format: Customer data is available for export in standard, non-proprietary formats (CSV, JSON)
Timeline: Available within 30 days of written request
Data Destruction
Timelines: Destruction timelines comply with applicable state law requirements:
NY: 90 calendar days
IL, CO: 30 calendar days
Other states: Per applicable DPA
Methods: NIST SP 800-88 Rev 1 compliant destruction methods, including cryptographic erasure
Certification: Written certification of destruction provided upon completion
12. SERVICE REPORTING
Monthly Uptime Reports: Available upon request with detailed availability metrics
Quarterly Security Summaries: Overview of security assessments, penetration test results, and remediation status
Annual Compliance Attestation: Documentation of compliance with applicable sector-specific privacy laws (FERPA, COPPA, and state student-data-privacy laws for K-12 Authorized Customers; FedRAMP / FISMA posture for government Authorized Customers; HIPAA posture-on-BAA for healthcare Authorized Customers; CPRA and analogous comprehensive state privacy laws for all)
Incident Reports: Detailed reports for any P1/P2 incidents within 5 business days
13. ESCALATION PROCEDURES
Provider operates a multi-level escalation process to ensure rapid resolution of critical incidents.
| Level | Role | Trigger | Action |
| 1 | Support Team | Initial incident report | Triage, diagnose, attempt resolution |
| 2 | Engineering Lead | Unresolved P1/P2 after 4 hours | Engineering assessment and remediation |
| 3 | CPTO | Unresolved P1 after 8 hours | Executive oversight and resource allocation |
| 4 | CEO | Critical incident unresolved 24+ hours | Strategic decision-making and external coordination |
Data Privacy Concerns
For data protection and privacy concerns, Customer may contact Provider’s designated Privacy Officer at privacy@aegix.global
14. LIMITATIONS & EXCLUSIONS
This SLA does not apply to, and service credits are not available for, downtime or performance issues caused by:
Customer’s internet connectivity, network, or firewall issues
Customer-modified integrations, customizations, or unsupported configurations
Third-party service outages (including Apple Push Notification Service, Google Cloud Messaging, or other external vendors)
Force majeure events (natural disasters, war, public health emergencies, government actions)
Scheduled maintenance windows with proper notice
Customer's misuse or violation of the Acceptable Use Policy, End User License Agreement, or Master Subscription Agreement
Remedy Limitations
Service credits are the sole and exclusive remedy for any service availability or performance issues. In no event shall Provider be liable for indirect, incidental, or consequential damages.
15. AGREEMENT SIGNATURES
This Service Level Agreement is executed by and between the parties as of the date last signed below.
AEGIX GLOBAL, LLC
By: _____________________________________________
Name: _____________________________________________
Title: _____________________________________________
Date: _____________________________________________
LOCAL EDUCATION AGENCY (CUSTOMER)
By: _____________________________________________
Name: _____________________________________________
Title: _____________________________________________
Organization: _____________________________________________
Date: _____________________________________________
Appendix: Vendor Compliance Documentation References
The following vendor documentation provides supporting evidence for the compliance claims and technical controls referenced in this document. These resources should be reviewed periodically to ensure alignment with current vendor certifications and capabilities.
Amazon Web Services (AWS)
AWS Compliance Programs: https://aws.amazon.com/compliance/programs/
AWS SOC Reports FAQ: https://aws.amazon.com/compliance/soc-faqs/
AWS ISO 27001 FAQ: https://aws.amazon.com/compliance/iso-27001-faqs/
AWS Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/
AWS Artifact: https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html
AWS FERPA Compliance: https://aws.amazon.com/compliance/ferpa/
Cloud Management Platform (DuploCloud)
DuploCloud Security and Compliance: https://docs.duplocloud.com/docs/automation-platform/security-and-compliance
DuploCloud SOC 2 Compliance: https://duplocloud.com/solutions/security-and-compliance/soc-2/
Note: AWS compliance reports (SOC 2 Type II, ISO 27001) are available for download through AWS Artifact in the AWS Management Console. Contact the CPTO for access credentials.