Taxpoynt logoTaxpoynt
Taxpoynt Docs

Compliance

Service level agreement

Availability targets, incident response, and data security commitments for Taxpoynt SI/AP services.

Version: 2025-12-17
Scope: Taxpoynt System Integrator (SI), Access Point (AP), and Hybrid services provided to taxpayers and integration partners.

This SLA is published for MBS submission and applies to taxpayers using Taxpoynt production SI/AP services. Specific commercial terms (pricing, service credits, and bespoke SLAs) may be finalized per customer agreement.

1) Service scope and environments

  • Production services covered: api.taxpoynt.com (SI/AP APIs), and app.taxpoynt.com (dashboard) where applicable to operations and support.
  • Sandbox services: provided on a best-effort basis for onboarding and testing; sandbox uptime and performance are not covered by the production SLA.
  • Dependencies: Taxpoynt integrates with third parties (e.g., FIRS MBS endpoints, Mono, Odoo, customer ERP/POS systems, webhook endpoints). Availability and response times of third parties are outside Taxpoynt control but are monitored and surfaced through logs/trace IDs and retry/DLQ controls.

2) Availability

  • Target: 99.5% monthly uptime for production SI/AP API availability (excluding scheduled maintenance).
  • Measurement: uptime is measured from external synthetic checks of critical endpoints (e.g., /health and core SI endpoints) and represents minutes of successful responses divided by total minutes in the month, excluding approved maintenance windows.
  • Maintenance windows: up to 2 hours/week, scheduled outside 10:00-18:00 WAT; announced at least 24 hours in advance where feasible.
  • Exclusions: customer-side issues (network, credentials, misconfiguration), third-party outages (FIRS, banks, ERPs, customer webhook hosts), and force majeure.

3) Support, response times, and issue resolution

  • Channels: email/support desk (support@taxpoynt.com). For Sev-1 incidents, an incident bridge may be activated.
  • Support hours: business hours (Mon-Fri, 09:00-18:00 WAT). Sev-1 and Sev-2 incidents are monitored 24x7 in production.
  • Severity definitions (examples):
    • Sev-1: production outage or material data integrity risk; core invoice processing is blocked for most requests.
    • Sev-2: major degradation; intermittent failures, elevated latency/error rate, or widespread callback failures.
    • Sev-3: limited impact; minor defects, documentation issues, or single-tenant non-blocking issues.
  • Response targets (acknowledgement / mitigation):
    • Sev-1: acknowledge within 1 hour; mitigation/workaround within 4 hours where possible.
    • Sev-2: acknowledge within 4 hours; mitigation/workaround within 8 hours where possible.
    • Sev-3: acknowledge within 1 business day; fix scheduled in a planned release.

4) Incident management and communications

  • Taxpoynt provides incident IDs, status updates at least hourly for Sev-1 (and at agreed intervals for Sev-2), and a post-incident report (PIR/RCA) within 3 business days of resolution.
  • Customers may be asked to provide request IDs, trace IDs, sample payloads, and/or webhook logs to accelerate troubleshooting.

5) Data security, privacy, and auditability

  • Data protection: NDPR-aligned handling; tenant-scoped access by organization/environment; encryption in transit (TLS) and at rest (managed storage encryption where applicable).
  • Key management: taxpayer secrets (API keys) are issued per organization/environment; FIRS credentials and cryptographic key material are managed operationally and are never exposed in the UI.
  • Webhook integrity: callbacks can be signed (HMAC) and should be verified by customers.
  • Audit trails: immutable audit logs for configuration changes, invoice processing stages, and callback deliveries/retries.
  • Breach notification: notification without undue delay, aligned to regulatory obligations and contractual terms.

6) Reliability controls and delivery semantics

  • Idempotency: supported for invoice submission and callback invocation to prevent duplicates.
  • Resilience: retries/backoff and circuit breaker patterns are applied around external calls where appropriate; failures surface trace IDs and are retained for investigation.
  • DLQ + replay: failed invoice processing and callback deliveries can be placed in a dead-letter queue (DLQ) with controlled replay to prevent data loss.
  • Connector health: connector registry and health pings surface upstream outages or degraded connectors.
  • Readiness gating: production flows may be blocked until required configuration/credentials/keys are present to prevent unsafe submissions.

7) Backups, retention, and disaster recovery

  • Managed database backups and point-in-time recovery (where supported by the deployed database tier).
  • Documented retention policies for invoice artifacts and logs; restore testing performed periodically.

8) Service credits (optional, contract-bound)

  • If monthly uptime drops below 99.5% due to Taxpoynt-caused incidents, a credit of up to 10% of that month's SI/AP fees may apply, subject to contract terms and notice within 30 days.

9) Customer obligations

  • Maintain accurate taxpayer configuration (TIN/Service ID/business details), secure credentials, and follow onboarding/runbooks.
  • Keep connector credentials and webhook URLs current; allowlist callback endpoints for sandbox testing.
  • Use supported endpoints and payload formats; avoid abusive traffic; provide test data and logs for troubleshooting when requested.

10) Change management

  • Breaking changes are announced at least 14 days ahead in sandbox and via release notes where feasible.
  • New versions roll to sandbox first; production cutovers are coordinated with customers when required.