Most enterprise software SLAs look impressive on paper — 99.9% uptime, 4-hour response times, defined recovery objectives. But the fine print renders them commercially meaningless. Understanding how to negotiate SLAs that create genuine accountability — not just marketing commitments — is one of the most undervalued skills in enterprise IT procurement.
This article is part of our IT Contract Negotiation Strategy guide. SLA negotiation interacts directly with liability provisions — the sole remedy trap is one of the most commercially dangerous provisions in enterprise software contracts. For context on how SLA failures relate to your broader contract risk exposure, see our IT negotiation firm rankings for firms that specialise in cloud and SaaS SLA review.
Enterprise software SLAs suffer from three fundamental structural problems that render the headline commitments far less valuable than they appear.
First, the measurement problem: most vendor SLAs measure uptime using the vendor's own monitoring infrastructure. The vendor's infrastructure reports availability from the vendor's point of view — not from your location, network path, or user experience. Network issues, CDN failures, partial service degradation, and geographic outages can all produce real-world unavailability that does not register against the vendor's measurement methodology.
Second, the exclusion problem: vendor SLAs typically exclude large categories of downtime from the uptime calculation. Scheduled maintenance windows (often several hours per month), "emergency maintenance," incidents caused by customer actions, third-party service dependencies, and force majeure events can collectively consume a substantial fraction of real-world downtime without triggering credit obligations.
Third, the sole remedy problem: even when downtime is properly measured and qualifies under the credit schedule, the service credit is typically the sole and exclusive remedy for service failure — eliminating any right to recover actual business losses. For a business-critical SaaS application, a 4-hour outage may produce £50K–£500K in real-world impact. The corresponding service credit may be £5K–£20K.
The SLA "sole remedy" clause is the most commercially dangerous provision that most IT buyers overlook. Ensure your legal review specifically addresses whether service credits are the sole remedy and whether consequential damages exclusions apply to SLA failures specifically.
A comprehensive enterprise software SLA should address eight distinct service dimensions. Many vendor standard SLAs address only two or three.
| SLA Metric | Definition | Why It Matters | Target Position |
|---|---|---|---|
| Availability / Uptime | % of time the service is accessible and functional | Foundation metric — but see exclusions carefully | 99.9% or 99.95% for critical systems |
| Incident Response Time | Time from incident report to first substantive vendor response | Critical during active outages; 4 hours is too slow for P1 | 15–30 min for P1; 4 hrs for P2 |
| Resolution Time | Time from incident report to full service restoration | Vendors rarely commit to resolution times; push hard for P1 | 4 hrs for P1; 24 hrs for P2 |
| RTO (Recovery Time Objective) | Time to restore service after a disaster or major failure | Business continuity planning depends on contractual RTO | 4 hrs for critical, 24 hrs for standard |
| RPO (Recovery Point Objective) | Maximum data loss measured in time after a disaster | Financial and operational data recovery depends on RPO | 1 hr for financial systems; 4 hrs for others |
| Scheduled Maintenance Window | Permitted downtime for vendor maintenance | Excluded from uptime calc; needs to be capped and notified | Max 4 hrs/month, 72-hr advance notice |
| Performance / Latency | Response time thresholds for key transaction types | Degraded performance is not "downtime" without specific metrics | Define p95 response times for key workflows |
| Support Hours | Hours during which support is available for P1/P2 incidents | 24x7 P1 support is critical for global operations | 24x7 for P1; business hours + on-call for P2 |
Understanding what each vendor typically commits to — and what is achievable — is essential for calibrating your negotiating position. The following benchmarks reflect standard vendor positions and achievable outcomes for enterprise customers.
| Vendor / Platform | Standard SLA | Achievable for Enterprise | Key Exclusions |
|---|---|---|---|
| Microsoft 365 | 99.9% | 99.9% (financially backed) | Maintenance windows excluded |
| Azure | 99.9%–99.99% (varies by service) | Tier-specific, financially backed | Multi-region required for highest tiers |
| Salesforce | 99.9% (standard) | 99.99% for enterprise contracts | Broad exclusion categories in standard terms |
| SAP S/4HANA Cloud | 99.7% (standard) | 99.9% achievable for large deals | Extensive scheduled maintenance exclusions |
| Oracle Cloud | 99.9% (OCI SLA) | Financially backed, multi-region available | Customer-caused issues broadly defined |
| ServiceNow | 99.8% (standard) | 99.9% for enterprise agreements | Scheduled maintenance and emergency changes excluded |
| Workday | 99.7% (standard) | 99.9% for large enterprise | Weekend maintenance windows standard |
99.9% uptime = 8.76 hours of permitted downtime per year. 99.95% = 4.38 hours. 99.99% = 52 minutes. The difference between 99.9% and 99.99% is 8 hours of additional permitted annual downtime — highly material for business-critical applications.
Service credit structures determine whether an SLA creates genuine financial accountability or merely symbolic gestures. The following principles distinguish effective from ineffective credit structures.
Standard vendor SLAs often require a formal, customer-initiated credit request within 30 days of the qualifying outage — creating an administrative burden that causes credits to be forfeited. Negotiate for automatic credit issuance: "Vendor shall automatically calculate and apply service credits to the next invoice following any month in which the SLA was not met, without requiring customer to submit a claim."
Vendor standard credit schedules are deliberately modest. A common structure: 10% credit for availability below 99.9%, 25% for below 99.5%, 50% for below 99.0%. For P1 outages in business-critical systems, the following escalating structure better reflects actual business impact:
| Monthly Availability | Vendor Standard Credit | Enterprise Target Credit |
|---|---|---|
| 99.9% – 99.5% | 10% monthly fee | 15% monthly fee |
| 99.5% – 99.0% | 25% monthly fee | 30% monthly fee |
| 99.0% – 95.0% | 50% monthly fee | 50% monthly fee |
| Below 95.0% | 100% monthly fee | 100% + termination right |
Many vendor SLA schedules cap total credits at 30–50% of monthly fees, regardless of how many incidents occur or how severe the downtime. Negotiate to remove this cap, or to increase it to 100% of monthly fees for months with severe outages.
Perhaps the most valuable SLA provision is a termination right triggered by repeated failure: "If Vendor fails to meet the availability SLA in three or more months within any rolling 12-month period, Customer shall have the right to terminate this Agreement upon 30 days' written notice without penalty." This provision transforms the SLA from a credit mechanism into a genuine performance guarantee — which is exactly why vendors resist it.
The "sole remedy" clause deserves particular attention because it fundamentally undermines the commercial value of every other SLA provision. A typical sole remedy clause reads: "Service credits as set out in the Service Level Schedule shall constitute Customer's sole and exclusive remedy for any failure by Vendor to meet the service levels described herein."
This provision, which appears in virtually every vendor-drafted SLA, means that regardless of the actual business impact of a service failure — lost revenue, regulatory penalties, customer compensation, staff overtime, data recovery costs — your maximum recovery is capped at the service credit schedule.
There are three positions to negotiate:
Best outcome: Delete the sole remedy clause entirely, allowing claims for actual damages (subject to the contract's general liability cap) in addition to service credits. Achievable with some vendors for enterprise contracts above £2M annually.
Acceptable outcome: Carve out data loss incidents from the sole remedy clause — meaning that while credits are the sole remedy for availability failures, data loss or corruption events are subject to the full liability provisions of the agreement. This is more commonly achievable because it addresses a specific category of harm that vendors can insure against.
Minimum acceptable: Ensure the sole remedy clause does not extend to willful misconduct, gross negligence, or breach of confidentiality — which should in any case be excluded from limitation of liability provisions but are sometimes inadvertently swept up in sole remedy language.
Your SLA may be creating false confidence about service accountability
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are disaster recovery metrics that define the vendor's commitments in the event of a major platform failure — not a routine service interruption. These provisions are distinct from uptime SLAs and are frequently absent from standard vendor contracts entirely.
RTO defines how long it takes the vendor to restore the service following a major failure. Without a contractual RTO, vendors have no binding obligation to restore service within any defined timeframe — meaning a major data centre incident could result in days of downtime without triggering any contractual remedy.
RPO defines the maximum age of the data that can be recovered following a major failure — in other words, how much data you may lose. An RPO of 24 hours means you could lose up to a day's worth of transactions. For financial or operational systems where real-time data integrity is critical, this is commercially unacceptable.
Target positions for business-critical enterprise applications: RTO ≤ 4 hours, RPO ≤ 1 hour. These positions are achievable with major cloud platform vendors (AWS, Azure, GCP, Oracle Cloud) operating multi-region architectures, and increasingly achievable with SaaS vendors operating on those platforms. On-premise vendors running customer-hosted infrastructure will typically require higher values or leave these commitments to the customer's infrastructure design.
The following model provisions address the most critical SLA elements discussed above.
Specialist IT negotiation advisors know which SLA provisions create genuine accountability and which are designed to appear protective while providing none. Let them review your agreements before you sign.