Free Service Level Agreement Template

SERVICE LEVEL AGREEMENT

SLA  ·  England And Wales

This Service Level Agreement (this "Agreement") is made on 2026-05-01 between Nexus IT Solutions Ltd (Company No. 09876543) of 15 Tech Park, Manchester, M1 2AB (the "Service Provider") and BrightPath Retail Ltd (Company No. 05123456) of 80 High Street, London, EC1A 1BB (the "Client"). The parties agree as follows.

"Services" means the services described in Clause 2 and any Schedule. "Service Hours" means the hours during which the Services are made available as set out in Clause 3. "Incident" means any event that causes, or is reasonably likely to cause, an interruption to or reduction in the quality of the Services. "Critical Incident" means an Incident that causes complete failure of the Services, severe degradation of a core function, or loss of access by a majority of users. "High Incident" means an Incident that causes material degradation affecting normal business operations but with a workaround available. "Normal Incident" means any other non-critical Incident affecting ancillary functionality. "Response Time" means the elapsed time between notification of an Incident by the Client and acknowledgement, triage and commencement of remediation by the Service Provider (and does not mean resolution). "Uptime" means the percentage of the Service Hours in a calendar month during which the Services are available, excluding pre-approved Scheduled Maintenance and Excluded Events (Clause 8).

The Service Provider shall provide the Client with the following services (the "Services"): Cloud hosting, IT support, managed network monitoring and cybersecurity services for BrightPath's retail estate (25 stores) and head office. The Service Provider shall provide the following key deliverables: 24/7 infrastructure monitoring, incident ticketing via the Nexus portal, weekly backups with 30-day retention, quarterly penetration testing and annual disaster-recovery exercise. The following matters are expressly excluded from the Services: Third-party SaaS failures outside Nexus's control; end-user device hardware replacements; bespoke development beyond standard configuration. The Service Provider shall perform the Services with reasonable care and skill, as required by the term implied under section 13 of the Supply of Goods and Services Act 1982, and within a reasonable time where no time is fixed, as required by section 14 of that Act.

The Services shall be made available during the following Service Hours: 24 hours a day, 7 days a week, including public holidays. Outside the Service Hours, the Service Provider shall use reasonable endeavours to respond to Critical Incidents within the Response Times set out in Clause 4. Scheduled Maintenance shall be carried out at times agreed between the parties or, failing agreement, outside the Service Hours on no less than 48 hours' written notice to the Client.

The Service Provider shall target the following Response Times, measured from the time an Incident is reported by the Client through the Service Provider's designated channels:

(a) Critical Incident: acknowledgement and commencement of remediation within 1 hour(s);
(b) High Incident: acknowledgement and commencement of remediation within 4 hour(s);
(c) Normal Incident: acknowledgement and commencement of remediation within 8 business hour(s).

The Service Provider further guarantees minimum monthly Uptime of 99.9%, calculated in accordance with Clause 5, excluding pre-approved Scheduled Maintenance and Excluded Events under Clause 8.

Uptime and Response Time shall be measured using Pingdom and New Relic monitoring with five-minute polling intervals, cross-referenced against the Nexus incident management system. Uptime is calculated as ((Total Service Hours in the month − Downtime) ÷ Total Service Hours in the month) × 100, where Downtime excludes Scheduled Maintenance and Excluded Events. The Service Provider shall retain Incident logs, availability data and measurement records for a minimum of twelve (12) months and make them available to the Client on reasonable written request.

Where the Service Provider fails to meet a service level set out in Clause 4 in a given calendar month, the Client shall be entitled to a service credit calculated as follows: 5% of the monthly Service Fees for the first 0.1% shortfall below the guaranteed Uptime, rising by a further 5% for each additional 0.1% shortfall, up to a maximum of 50% of the monthly Service Fees. Service credits shall be applied against the Service Fees invoice for the month immediately following the month in which they accrued and, if the Agreement has been terminated, shall be paid to the Client within 30 days. The parties acknowledge that service credits: (a) are a genuine and proportionate pre-estimate of the loss likely to be suffered by the Client and protect the Client's legitimate interest in timely performance, and accordingly are not a penalty applying the principles in Cavendish Square Holding BV v Talal El Makdessi [2015] UKSC 67; and (b) are the Client's sole financial remedy for failure to meet the agreed service levels, save in the case of a persistent or material breach (defined as three or more qualifying breaches in any rolling six-month period) in which case the Client's ordinary contractual remedies shall also apply.

The Service Provider shall provide the Client with a written service performance report on a monthly basis. Each report shall include: (a) Uptime statistics for the reporting period; (b) a summary of Incidents (number, severity and duration) and their resolution; (c) Response Time metrics against the targets in Clause 4; (d) details of any Scheduled Maintenance and Excluded Events; (e) service credits accrued (if any); and (f) root-cause analysis of any persistent or material failure.

The Service Provider shall not be liable for failure to meet the service levels where such failure arises from (each an "Excluded Event"): (a) circumstances beyond the Service Provider's reasonable control, including acts of God, war, terrorism, pandemic, civil unrest, failure of third-party telecommunications or cloud infrastructure (except where used by the Service Provider as its own sub-processor), cyber-attack by a third party (excluding any attack facilitated by the Service Provider's negligence), strikes (other than of its own workforce) and governmental acts or orders; (b) pre-approved Scheduled Maintenance windows notified under Clause 3; (c) acts or omissions of the Client, its personnel or third parties under the Client's control; (d) use of the Services contrary to the Documentation or the Service Provider's reasonable written instructions; or (e) failure of equipment, software or networks not supplied, managed or specified by the Service Provider. The affected party shall notify the other without undue delay, shall use reasonable endeavours to mitigate and resume performance, and if the event continues for more than 60 days, either party may terminate on written notice.

The Client shall pay the Service Provider fees of £8,500 (the "Service Fees"), monthly in arrears within 30 days of the date of invoice. All sums are exclusive of VAT, which shall be charged at the rate prescribed by the Value Added Tax Act 1994. Any sum not paid by its due date shall bear interest and fixed-sum compensation under the Late Payment of Commercial Debts (Interest) Act 1998, including statutory interest at 8% above the Bank of England base rate (section 6) and compensation under section 5A. Where the Client disputes any portion of an invoice in good faith, it shall pay the undisputed portion on time and notify the Service Provider of the disputed amount with supporting reasons within 14 days of the invoice date.

UK Late Payment Reform (forthcoming): The parties acknowledge the UK Government's late-payment reform package announced on 24 March 2026, which will (once in force, expected late 2026 / early 2027) cap payment terms imposed by a large business on a smaller supplier at 60 days (reducing to 45 days after further consultation), render the 8% statutory-interest entitlement mandatory and incapable of contractual exclusion, deem invoices accepted if not disputed within 30 days of receipt, and confer enforcement powers on the Small Business Commissioner (including fines for persistent late payers). To the extent any term of this Agreement becomes inconsistent with that statutory regime, the statutory regime shall prevail.

Where an Incident is not resolved within the agreed Response Time or where a persistent or material failure arises, the Client may escalate the matter to Mark Davies, Director of Operations (mark.davies@nexusit.co.uk). If the matter is not resolved within 5 business days of escalation, it shall be referred to senior management of each party (the Service Provider's Head of Service Delivery or equivalent, and the Client's operational sponsor) for a documented review meeting within a further 10 business days.

To the extent the Services involve the processing of personal data (as defined in Article 4(1) of the UK GDPR), the parties shall comply with their obligations under the UK GDPR, the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025 (Commencement No. 6 Regulations SI 2026/82, in force 5 February 2026) and applicable Information Commissioner's Office codes of practice. Where the Service Provider acts as a processor on behalf of the Client, the parties shall enter into (or the Client shall procure the execution of) a data processing agreement meeting the requirements of Article 28 UK GDPR before any processing begins. Each party shall implement appropriate technical and organisational measures in accordance with Article 32 UK GDPR. Personal data shall not be transferred outside the United Kingdom save in accordance with Chapter V of the UK GDPR (including reliance on UK adequacy regulations, the International Data Transfer Agreement or the UK Addendum to the EU SCCs), and any such transfer shall be assessed by reference to the "data protection test" introduced by Schedule 7 of the DUA Act 2025 (whether the recipient regime is materially lower than the UK standard, replacing the previous "essentially equivalent" test). Each party shall notify the other without undue delay, and in any event within 48 hours, of any personal data breach affecting the Services, and shall cooperate in good faith with any investigation or regulatory notification.

Where the Service Provider uses artificial-intelligence or automated tools (including generative-AI products) to process Client personal data, it shall comply with the automated decision-making and profiling regime under Articles 22 to 22D UK GDPR as reformed by section 80 of the Data (Use and Access) Act 2025 (in force 5 February 2026 under SI 2026/82) — in particular, where a "significant decision" is taken based solely or predominantly on automated processing, the Service Provider shall ensure data subjects receive (i) information about the decision, (ii) the right to make representations, (iii) the right to obtain human intervention, and (iv) the right to contest the decision. The Service Provider shall not use Client personal data to train, fine-tune or otherwise improve any AI / ML model offered to third parties without the Client's prior written consent.

Nothing in this Agreement excludes or limits either party's liability for: (a) death or personal injury caused by negligence (section 2(1) Unfair Contract Terms Act 1977); (b) fraud or fraudulent misrepresentation (section 3 Misrepresentation Act 1967); (c) where the Client is a consumer, any liability that cannot be excluded under the Consumer Rights Act 2015; or (d) any other liability which cannot lawfully be excluded or limited. Subject to the foregoing, neither party shall be liable to the other, whether in contract, tort (including negligence), breach of statutory duty or otherwise, for: (i) loss of profits; (ii) loss of sales or business; (iii) loss of agreements or contracts; (iv) loss of anticipated savings; (v) loss of or damage to goodwill; (vi) loss of or corruption of data; or (vii) any indirect or consequential loss. Subject always to the foregoing, the total aggregate liability of the Service Provider to the Client in respect of all claims arising under or in connection with this Agreement shall not exceed the total Service Fees paid by the Client in the twelve (12) months immediately preceding the first event giving rise to liability. The parties acknowledge that these limitations are reasonable for the purposes of section 11 of the Unfair Contract Terms Act 1977 and section 3 of the Misrepresentation Act 1967, having regard to the Service Fees, the availability of insurance and the allocation of risk.

Each party that is a UK-registered company, limited liability partnership, registered overseas entity or other body registered or required to be registered at Companies House warrants that: (a) each of its directors, members (in the case of an LLP) and registrable Persons with Significant Control ("PSCs") has had their identity verified with Companies House (whether directly or via an Authorised Corporate Service Provider) under sections 1110A to 1110F of the Companies Act 2006 as inserted by section 62 of the Economic Crime and Corporate Transparency Act 2023; (b) the identity verification regime commenced on 18 November 2025 (voluntary phase from 8 April 2025) and the 12-month transition for existing directors and PSCs concludes in mid-November 2026 — each party warrants compliance with the timetable applicable to it; (c) the signatory executing this Agreement on its behalf has the authority to do so and, where required by law, has personally completed identity verification under the above regime. A material misstatement under this clause (i) is a material breach of this Agreement, (ii) may constitute an offence under section 1112 Companies Act 2006 (false statement to the registrar) and (iii) may amount to a "relevant offence" for the purposes of section 199 ECCTA 2023.

Each party warrants that, where it constitutes a "large organisation" within the meaning of section 199 of the Economic Crime and Corporate Transparency Act 2023 (meeting at least two of: ≥250 employees, >£36m turnover, >£18m balance sheet), it maintains reasonable fraud-prevention procedures as required by that section (in force 1 September 2025) and that neither it nor, to its knowledge, any "associated person" within the meaning of s.199 has committed a "relevant offence" in connection with this Agreement or the Services. Each party shall promptly notify the other if it becomes aware of any actual or suspected fraud connected with the Services. The Service Provider acknowledges that its directors, employees, agents and subcontractors providing the Services may be "associated persons" of the Service Provider for the purposes of s.199.

The parties acknowledge the UK Government's late-payment reform package announced on 24 March 2026, which is expected to be enacted in late 2026 / early 2027 by primary and secondary legislation amending the Late Payment of Commercial Debts (Interest) Act 1998. The key elements are: (a) a 60-day cap on payment terms imposed by a large business on a smaller supplier (reducing to 45 days following further consultation); any longer term shall be unenforceable; (b) the 8% statutory-interest entitlement (above the Bank of England base rate) becomes mandatory and cannot be excluded or reduced by contract — any such waiver shall be void; (c) invoices undisputed within 30 days of receipt shall be deemed accepted and full payment (with any accrued statutory interest) shall become due; (d) the Small Business Commissioner shall be empowered to investigate poor payment practices, adjudicate disputes and impose substantial fines for persistent late payers. The parties agree to operate this Agreement in good faith with these reforms in view, and to amend any inconsistent provision (in writing, in good faith) once the relevant legislation is in force.

The parties acknowledge that the Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 (introduced to the House of Commons on 12 November 2025, with Royal Assent expected in late 2026 and phased commencement via secondary legislation) will bring Managed Service Providers (MSPs) under direct regulatory oversight of the Information Commission. Where the Service Provider falls within the definition of an MSP (an organisation providing ongoing third-party IT services that connect to client systems), the Service Provider shall, on and from the date the relevant provisions come into force: (a) implement appropriate technical and organisational measures to manage the cybersecurity risks to its network and information systems, comparable to the obligations on "relevant digital service providers" under the Network and Information Systems Regulations 2018; (b) operate the two-stage incident-reporting regime — initial notification within 24 hours and a full report within 72 hours — to the Information Commission and, in parallel, to the National Cyber Security Centre (NCSC) as the designated CSIRT; (c) cooperate with any audit, inspection or investigation by the Information Commission, including provision of information and access to relevant records; and (d) acknowledge that non-compliance may attract penalties of up to £17 million or 4% of global turnover (whichever is higher) for serious breaches, or £10 million or 2% of global turnover as a standard maximum. The Service Provider shall notify the Client of any incident affecting the Services and shall cooperate with the Client's own statutory or regulatory reporting obligations.

This Agreement shall commence on 2026-05-01 and continue until terminated in accordance with this Clause. Either party may terminate for convenience on not less than ninety (90) days' written notice. Either party may terminate with immediate effect by written notice if the other: (a) commits a material breach and (where remediable) fails to remedy within 30 days of written notice; (b) commits persistent breaches (three or more qualifying service-level breaches in any six-month period shall be deemed persistent); or (c) becomes insolvent, enters administration, liquidation or analogous insolvency procedure under the Insolvency Act 1986, or ceases or threatens to cease business. This Agreement shall be reviewed annually on each anniversary of the Effective Date, or upon any material change in the scope of services. Either party may propose amendments to the service levels by providing not less than 30 days' written notice; amendments take effect only when agreed in writing by both parties.

Before commencing court proceedings (other than for urgent injunctive relief or recovery of undisputed debts), the parties shall attempt in good faith to resolve any dispute arising under this Agreement by mediation in accordance with the Centre for Effective Dispute Resolution (CEDR) Model Mediation Procedure. If the dispute is not resolved within 30 days of the start of the mediation, either party may commence proceedings in the courts of England and Wales.

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales. Subject to Clause 14, the parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any such dispute or claim.

Entire agreement: This Agreement (including any Schedule) constitutes the entire agreement between the parties and supersedes all prior negotiations, representations and agreements, save that nothing in this clause limits any liability for fraud or fraudulent misrepresentation.

Variation: No variation of this Agreement is effective unless in writing and signed by or on behalf of both parties.

Waiver: No failure or delay to exercise any right or remedy operates as a waiver, nor does any single or partial exercise prevent any further exercise.

Severance: If any provision is or becomes invalid, illegal or unenforceable, it shall be modified to the minimum extent necessary, with the remainder of this Agreement unaffected.

Assignment: Neither party may assign, transfer or sub-contract any of its rights or obligations without the prior written consent of the other (such consent not to be unreasonably withheld), save that either party may assign to a group company or successor in title.

Third-party rights: A person who is not a party to this Agreement has no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.

Notices: Notices shall be given in writing to the addresses stated in this Agreement and shall be deemed received on delivery by hand, on the next business day if sent by first-class post, or on the next business day following transmission if sent by email.

Counterparts: This Agreement may be executed in counterparts, and delivery of an executed counterpart by email (PDF) or qualified electronic signature is effective.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the date indicated.