Skip to content 
SLA Hosting often seems clear, but a SLA breakage happens faster than the uptime guarantee promises. I'll show you what uptime web hosting really means, how to assess response time SLA and resolution time, how incident management works and which bonus-malus rules provide you with practical protection.
Key points
I implement the following points in the article and show them with examples and tactics.
- Definition of a hosting SLA: content, measuring points, exceptions
- Causes for SLA violations: Technology, people, third parties
- Receipts through monitoring and clean measurement methods
- Contract with bonus-malus, liability and escalation
- Resilience through architecture, automation and playbooks
What an SLA really regulates in hosting
A SLA defines what services a provider delivers, how outages are measured and what compensation applies. I pay attention to clear definitions of uptime, response time, resolution time, maintenance windows and security standards. Measurement points play a central role: is the measurement carried out at server, network or app level, and in which Time zone? Without clear wording, you won't be able to prove that a breach has occurred. I therefore demand reporting, audit and dashboard access so that I can check key figures at any time.
Common causes of SLA breaches
I see four Main drivers for breaches: Technology, people, attacks and capacity. Hardware defects, firmware bugs or routing problems quickly lead to downtime or severe degradation. Misconfigurations, unclean deployments or inadequate changes are just as reliable sources of trouble. External DDoS or malware incidents can block services, often with liability exclusions in the contract. Unexpected load peaks caused by campaigns or peaks overtax resources if scaling and limits are not set correctly.
SLA, SLO and OLA: cleanly separating terms
I make a clear distinction between SLA (contractual assurance to customers), SLO (internal service target, usually stricter than the SLA) and OLA (agreement between internal teams or with subcontractors). In practice, I formulate SLOs as resilient target values from which a Error budget is derived. If the error budget for a period is used up, I take countermeasures: Release freeze, focus on stabilization and targeted risk reduction. OLAs ensure that the network, database, CDN or DNS make their contributions so that the end-to-end SLA can be achieved at all. This separation prevents me from clarifying questions of guilt in an emergency instead of solving the problem.
Live examples from projects
A large store had a 99,99%-uptime guarantee, but a carrier routing error cut access in several regions. The contract only counted complete outages as a breach, regional degradation did not count - economically painful, formally not a breach. A web agency agreed 30 minutes response time and four hours resolution time for P1. Due to incorrectly configured alarms, the provider only saw the incident after hours and paid a small credit note, while the agency kept the revenue and image. An SME used a second data center; in the event of an outage, the emergency environment ran, but much more slowly and the planned maintenance was excluded from the uptime budget - legally clean, but still frustrating for customers.
Maintenance window and change policy without back doors
I keep maintenance windows lean and clear: planned time periods, advance notice, communication channels and measurable effects. I define strict criteria and a transparent approval process for emergency maintenance. I explicitly exclude blackout periods (e.g. sale phases) from changes. I demand that maintenance is optimized to minimize downtime and degradation (e.g. rolling changes, blue-green) and that it is communicated in my business time zone - not just in the data center zone.
- Lead times: at least 7 days for regular changes, 24 hours for urgent changes
- Limit maximum duration per maintenance and per month
- Impact classes: No-impact, degradation, downtime - each documented
- Contractually fix rollback plan and „no-go“ periods
What an SLA breach costs and what rights you have
A Credit note rarely covers the real damage. Service credits are often 5-25 % of the monthly fee, while lost sales and reputational damage are far higher. I agree special termination rights in the event of repeated or gross violations. Contractual penalties can be useful, but must be commensurate with the level of business risk. I also use QBRs with error analyses and catalogs of measures to ensure that problems are not repeated.
Transparency: status page, communication obligations, RCA deadlines
I define how and when information is provided: initial fault report, update frequency and final report. A status page or dedicated incident communication saves me having to search through support tickets. I oblige the provider to carry out a root cause analysis (RCA) with specific measures and deadlines.
- Initial notification within 15-30 minutes after detection, updates every 30-60 minutes
- Clear timeline: Detection, escalation, mitigation, recovery, close
- RCA within five working days, including root cause tree and prevention plan
- Designation of an owner per measure with due date
Measurability and proof: How to prove violations
I do not rely solely on provider metrics, but use my own metrics. Monitoring on. Synthetic checks from several regions and real user monitoring provide me with evidence if individual routes or regions fail. I document time zones, time sources and measuring points and compare them with contract definitions. I record every deviation with screenshots, logs and incident timelines. This overview helps me to select the right tool: Uptime monitoring tools.
Precise measurement methods: Brownouts instead of black and white
I don't just rate „on/off“, but also Brownouts - noticeable degradation without complete failure. To do this, I use latency thresholds (e.g. P95 < 300 ms) and Apdex-like values that record user satisfaction. I separate the network, server and application levels to avoid misallocations. I calibrate synthetic checks with timeouts, retries and a minimum proportion of error-free samples so that individual packet losses do not count as failures. I compare RUM data with the synthetic measurements to detect regional effects and CDN edge problems. Important: Synchronize time sources (NTP), define time zones and name measurement points in the contract.
Key figures in comparison: uptime, response time, resolution time
I agree on key figures that Risk and business. This includes uptime, response and resolution time per priority as well as performance targets such as P95 latency. I also require time-to-detect and time-to-recover so that the fault clearance remains measurable. Values without a measurement method are of little use, which is why I define measurement points and tolerances. The following table shows typical target values and their practical significance.
| Key figure | Typical target value | Practical effect | Orientation Downtime/month |
|---|---|---|---|
| Uptime guarantee | 99.90-99.99 % | Protects sales and reputation | 99.9 % ≈ 43.8 min; 99.99 % ≈ 4.4 min |
| Response time P0/P1 | 15-30 min | Fast start of fault clearance | Shortened Mean Time to Acknowledge |
| Solution time P0 | 1-4 hrs | Limited business-critical outages | Minimized MTTR |
| Performance P95 | < 300 ms | Better UX, higher conversion | Captured Latency instead of just uptime |
| Security | 2FA, TLS, backups, restore tests | Reduces the consequences of attacks | Faster Recovery |
Error budgets and prioritization in everyday life
I translate target values into a monthly error budget. Example: With 99.95 % uptime, I am entitled to around 21.9 minutes of downtime per month. If half of the budget is used up, I prioritize stabilization over feature development. I anchor this logic contractually as governance: if error budgets are exceeded, a coordinated action plan with additional reviews, increased on-call staffing and, if necessary, a change freeze takes effect. In this way, SLOs do not become deco key figures, but control development and operation.
Architecture resilience against SLA risks
I plan infrastructure in such a way that a Error does not stop business immediately. Multi-AZ or multi-region setups, active/active designs and autoscaling buffer outages and load peaks. Caching, CDN and circuit breakers keep requests flowing when subsystems wobble. Readiness and liveness probes, blue-green and canary deployments significantly reduce deploy risks. Emergency runbooks plus regular recovery tests show whether the concept works in an emergency.
Test culture: game days, chaos engineering and restore drills
I practise faults under controlled conditions: Game Days simulate realistic failures, from database locks and DNS errors to network jitter. Chaos experiments uncover hidden dependencies before they strike during operation. Restore drills with hard targets (RTO, RPO) show whether backups are really any good. I measure how long detection, escalation and recovery take - and adjust runbooks, alarms and limits accordingly. These tests make SLA targets not only achievable, but also verifiable.
Clear delimitation of liability and fair negotiation of bonus malus
I separate Responsibility clean: What lies with the provider, what with me, what with third parties such as CDN or DNS? I define cases of force majeure narrowly and for a limited period of time. I negotiate credits or upgrades for overfulfillment and tangible penalties with automatic credit for underfulfillment. I keep deadlines lean so that I don't only see money after the application. For contract work, I use best practices such as in the SLA optimization in hosting.
Example clauses that have proven their worth
- Automatic credit in case of violation, without application, within 30 days
- Degradations above threshold X (e.g. P95 > 800 ms) count proportionally as a failure
- RCA obligation with measures and deadlines; non-compliance increases the credit
- Credits accumulate for multiple violations per month; no „once per month“ cap
- No crediting of planned maintenance outside approved windows
- Special right of termination in the event of repeated P0 violations or non-compliance with the solution time
- „Credit ≠ Indemnification“: Credit notes do not exclude further claims
Incident management in everyday life: playbooks and escalation
I define clear Priorities P0-P3 and associated response and resolution times. An on-call plan, communication channels and escalation levels ensure that nobody has to improvise. Runbooks guide you step by step through diagnosis, rollback and recovery. After each incident, I record a post-mortem analysis and set measures with the deadline and owner. QBRs help to identify trends and use error budgets sensibly.
Escalation matrix and RACI
I determine who informs, who decides and who acts. A RACI matrix (Responsible, Accountable, Consulted, Informed) prevents idle time and duplication of work. Escalation follows fixed times: e.g. P0 immediately to On-Call, after 15 minutes to Teamlead, after 30 minutes to Management. I designate alternative channels (telephone, messenger) if email systems are affected. This means that the response time can be measured not by the calendar, but by actual availability.
DDoS & external disruptions: Protection without gray areas
I take Third explicitly in the contract: CDN, DNS, payment and email gateways. For DDoS attacks, I agree on protective measures, thresholds and response times instead of blanket exclusions. If a third-party provider fails, I clarify how the main provider coordinates and reports. I also test failover routes and rate limits to reduce the attack load. A helpful overview is provided by the DDoS protection for web hosting.
Third-party management and cascading errors
I require the main provider to coordinate chain incidents: one person responsible, one ticket, one common status. I clarify how external SLAs are incorporated into my end-to-end target and which redundancies make sense (e.g. multi-DNS, secondary payment provider). I record failover tests in writing: trigger criteria, return to normal operation and maximum duration in degradation mode. This allows cascading errors to be decoupled more quickly.
Contract checklist before signing
I check the Measuring method for uptime and performance and guarantee me inspection rights. I clearly define and document exceptions such as maintenance, force majeure and third-party providers. Credits should flow automatically and not be tied to tight application deadlines. I differentiate response and resolution times according to priority and time, including on-call windows. I negotiate backups, RTO, RPO and recovery tests just as bindingly as uptime.
Briefly summarized
I do not blindly rely on a Uptime-figure in the contract. Clear definitions, individual measurement, fair bonus-malus rules and a resilient architecture noticeably reduce the risk. I make response time, resolution time and performance KPIs such as P95 latency measurable and verifiable. I keep operations agile but controlled with incident playbooks, escalation and regular reviews. This allows me to document SLA violations, ensure compensation and reduce downtime in the long term.
