Service Level Agreement

1. Scope

This Service Level Agreement ("SLA") is entered into between Longconsole Consulting Limited, trading as Flowpoint ("Provider"), and the Customer. It governs the availability, performance, security, incident response, and data handling commitments for the Flowpoint platform in its capacity as a certified NRS System Integrator (SI).

This SLA applies to the following services:

Real-time B2B invoice certification and NRS MBS submission
B2C invoice reporting within the 24-hour NRS window
Bulk / batch invoice processing and migration
Credit and debit note issuance against certified invoices
Compliance review workflows prior to NRS submission
Webhook notifications, audit logs, and data export
Sandbox and production environments (sandbox excluded from uptime credits)
Out of scope: tax calculation advice, legal interpretation of NRS rules, general ledger accounting, and payment processing.

2. Availability

Flowpoint targets the following uptime commitments measured on a rolling 30-day window:

Uptime is calculated as: (total minutes − unplanned downtime minutes) / total minutes × 100. The following events are excluded from downtime calculations:

Scheduled or announced maintenance windows
Outages caused by the NRS MBS government platform (force majeure on the transmission layer)
Customer-caused outages (malformed payloads, credential revocation, rate-limit exhaustion)
Third-party infrastructure failures outside Flowpoint's reasonable control

Metric	Target
Monthly uptime (rolling 30 days)	≥ 99.9% (≤ 43.2 minutes downtime / month)
Planned maintenance	≤ 4 hours / month, announced ≥ 72 hours in advance
Scheduled maintenance window	01:00 – 05:00 WAT, weekends only
Sandbox environment	Best-effort; not covered by uptime SLA

3. Performance

3.1 API Response Times

All times measured from the Flowpoint edge load balancer under normal operating conditions (≤ 70% capacity).

Operation	p50	p95	p99
API request (/api/v1/*)	200 ms	800 ms	1,500 ms
Invoice submission (end-to-end, excl. NRS MBS)	500 ms	2 s	4 s
Bulk batch processing (per 1,000 invoices)	—	—	≤ 10 min
Webhook delivery to customer endpoint	1 s	5 s	15 s
B2C reporting batch worker cycle	—	—	≤ 15 min

3.2 Infrastructure Capacity

The production API tier is sized for 500 invoice submissions per second (sustained) with burst capacity of 2,000 per second via queue smoothing. Worker concurrency is 15 parallel MBS submissions by default (5 per worker × 3 worker containers), configurable per tenant.

3.3 Rate Limits

Default per-IP rate limits are applied to protect platform stability. Tenant-level quotas are applied on top of IP limits as agreed at onboarding. Requests exceeding limits receive HTTP 429. Clients should implement exponential backoff.

Endpoint group	Limit
Authentication endpoints (/auth/*)	10 requests / minute / IP
API endpoints (/api/v1/*)	120 requests / minute / IP

5. Invoice Lifecycle Commitments

Flowpoint commits to processing invoices through the following states within the timeframes below:

Retry policy on transient MBS failures: immediate → 5 s → 30 s → 2 min → 5 min → 15 min (6 attempts). After 6 attempts, the invoice enters a dead-letter queue and the customer is notified for manual review.

State	Meaning	Flowpoint SLA
DRAFT	IRN generated; UBL payload built and validated locally.	< 2 seconds from submission
PENDING	Validate request sent to NRS MBS; QR code returned.	< 30 seconds (excl. MBS latency)
COMPLETE	Invoice signed (CSID applied) and cleared by NRS MBS.	< 60 seconds end-to-end (excl. MBS latency)
FAILED	MBS validation rejected the invoice.	Error surfaced to customer within 5 seconds
REPORTED (B2C)	B2C invoice reported to NRS within the 24-hour window.	Batch worker runs every 15 minutes; alert raised at 20-hour mark

6. Data Security, Confidentiality and Nigerian Data Residency

6.1 Nigerian Data Residency Commitment

In compliance with the National Regulatory Guideline for Electronic Invoicing in Nigeria (NITDA, 2025) and the Nigeria Data Protection Act 2023, Flowpoint commits that all electronic data is encrypted and stored or backed up on servers or data centres in Nigeria.

Primary processing and storage: a Nigerian-domiciled cloud platform (Lagos region) serving all API, database, worker, and cache workloads. Backup and disaster recovery: nightly encrypted snapshots retained for 7 days on a secondary Nigerian-domiciled data centre facility, with point-in-time recovery.

Transmission of invoice data to NRS MBS is performed exclusively via NITDA-accredited Access Point Providers operating within the Nigerian e-invoicing regulatory framework.

Flowpoint will notify Customers in writing within 5 business days of any material change to data storage or backup arrangements. Customers may request written confirmation of this commitment at any time by emailing [email protected].

Data Category	Primary Storage	Backup / DR
Invoice payloads (JSON / UBL)	Nigerian primary data centre — MySQL cluster	Nigerian DR facility — nightly snapshot
Audit logs (fp_submission_log)	Nigerian primary data centre — MySQL cluster	Nigerian DR facility — nightly snapshot
Invoice PDFs and QR codes	Nigerian-region object storage	Same region — cross-facility replication
NRS API credentials and tokens	Secrets manager — Nigerian primary data centre	HA replica — Nigerian DR facility
Tenant cryptographic keys	Nigerian primary data centre — AES-256 encrypted	Nigerian DR facility — encrypted
User records and access codes	Nigerian primary data centre — MySQL cluster	Nigerian DR facility — nightly snapshot

6.2 Encryption

In transit: TLS 1.3 for all inbound and outbound traffic. HSTS enforced. Mutual TLS available for server-to-server integrations.
At rest: AES-256 for database (MySQL InnoDB tablespace encryption), object storage (S3 SSE), and Redis persistence (encrypted volumes on Nigerian infrastructure).
Tenant cryptographic keys: stored in fp_tenant_keys with a separate KMS key; private keys are never retained server-side.

6.3 Access Controls and Authentication

Multi-factor authentication (TOTP / SMS) enforced for owner and admin roles by default, as required by Section 21(i) of the NITDA e-Invoicing Guideline 2025.
Six built-in RBAC roles: owner, admin, compliance, reviewer, accountant, viewer — with location-scoped access for multi-branch tenants.
SAML 2.0 and OpenID Connect (OIDC) SSO supported (Microsoft Entra ID, Google Workspace, Okta).
Sessions: JWT with 24-hour TTL and server-side revocation table.

6.4 Tenant Isolation

All invoice data, cryptographic keys, mappings, and tokens are scoped by tenant_id. Row-level filters are enforced on every query path. One tenant's data is never accessible to another.

6.5 Compliance Posture

Standard / Regulation	Status
NITDA National e-Invoicing Guideline 2025	Compliant. Data residency restricted to Nigerian data centres per Section 23(vii).
Nigeria Data Protection Act 2023 (NDPA)	Compliant. DPIA completed for invoice data processing. Consent management in place.
ISO/IEC 27001	Controls implemented per Annex A; certification in progress.
OWASP ASVS Level 2	Enforced in CI (Snyk, npm audit, Semgrep SAST).
VAPT (Penetration Testing)	Quarterly with CREST-accredited firm. High/critical issues closed within 14 days.
CBN Data Localisation	All sensitive personal and financial data stored within Nigeria only.

7. Incident Response

Initial response constitutes an acknowledgement with an incident ID and named owner. Customers report incidents via the support channels in Section 8. Flowpoint posts real-time status updates at https://status.flowpoint.ng.

Severity	Definition	Initial Response	Resolution Target
P0 — Critical	Platform fully unavailable; all submissions failing.	≤ 15 minutes	≤ 2 hours
P1 — High	MBS submission failures or database degradation affecting multiple tenants.	≤ 30 minutes	≤ 4 hours
P2 — Medium	Single-tenant impact or non-critical feature degradation.	≤ 2 hours	Next business day
P3 — Low	Cosmetic defects or documentation errors.	≤ 1 business day	Next sprint

8. Support

Channel	Details
In-app chat	Available 08:00–20:00 WAT, Monday–Friday
Email	[email protected] — P2/P3 issues
Phone hotline	Available for P0/P1 only; number provided at onboarding
Status page	https://status.flowpoint.ng — real-time and historical uptime
24/7 on-call	P0/P1 incidents outside business hours via on-call rotation

9. Service Credits

If monthly uptime falls below the 99.9% target, Customers are entitled to service credits applied against the following month's invoice:

Credit requests must be submitted within 30 days of the incident to [email protected] with subject line 'SLA Credit Request — [Month] [Year]'. Credits are not transferable and do not apply to sandbox environments or outages caused by NRS MBS unavailability.

Monthly Uptime	Credit (% of that month's fee)
≥ 99.9%	No credit applicable
99.0% – 99.89%	10%
95.0% – 98.99%	25%
< 95.0%	50%

10. Data Retention and Export

NRS-certified invoice audit records (request payloads, MBS responses, IRN, CSID) are retained for 7 years in line with NRS tax record-keeping guidance.
Customers may export all invoice data (JSON, CSV, UBL XML) at any time via the Flowpoint portal or GET /api/v1/invoices endpoint.
On contract termination, Flowpoint retains data in a read-only, export-accessible form for 60 days before archival. Archived records remain available for the balance of the 7-year period upon written request.
Object storage (PDFs, signed QR codes, NRS audit payloads) is subject to a 7-year lifecycle policy on S3-compatible storage.

11. Subprocessors

Flowpoint engages the following subprocessors. Each is bound by data processing agreements with equivalent security controls. A current and complete subprocessor list is maintained at https://flowpoint.ng/subprocessors. Customers will be notified with 14 days' advance notice of material changes to subprocessors.

Subprocessor	Service	Region
Primary cloud provider	Cloud hosting (API, worker, DB, Redis, cache)	Lagos, Nigeria
DR / backup facility	Disaster recovery, backup snapshots	Lagos, Nigeria
Object storage provider	Object storage: invoice PDFs, QR codes, NRS audit payloads	Lagos, Nigeria
Resend / Amazon SES	Transactional email delivery (email content only; no invoice data)	EU / US (email relay only)
Nigerian SMS Gateway	MFA SMS fallback	Nigeria
Secrets manager	Secrets management and key rotation	Nigerian primary data centre

12. Customer Obligations

The SLA commitments above are contingent on the Customer fulfilling the following obligations:

Maintaining a valid, active TIN registered with NRS throughout the service period.
Keeping cryptographic keys and certificates current; notifying Flowpoint promptly of any key compromise or expiry.
Submitting invoice payloads that conform to the Flowpoint API schema (documented at /api-documentation).
Not exceeding published API rate limits. Burst requirements beyond defaults must be agreed in advance.
Reporting incidents and suspected data breaches to Flowpoint within 24 hours of discovery.
Ensuring that any third-party ERP or accounting software integration (QuickBooks, Odoo, Sage, etc.) is configured to the current Flowpoint connector specification.

13. SLA Changes

Flowpoint may update this SLA with 30 days' written notice to the Customer's registered email address. Changes will not reduce existing commitments for the current calendar quarter. Continued use of the Flowpoint platform after the notice period constitutes acceptance of the revised SLA.

14. Limitation of Liability

Service credits under Section 9 are the Customer's sole and exclusive remedy for availability failures. Flowpoint's total liability under this SLA in any calendar month shall not exceed the fees paid by the Customer for that month. Flowpoint shall not be liable for indirect, consequential, or punitive damages arising from service interruptions.

15. Signatures

By signing below, both parties agree to the terms of this Service Level Agreement. This section is provided for reference when executing a formal agreement.

Party	Authorised Signatory	Name and Title	Date
Flowpoint (Longconsole Consulting Limited)
Customer