Service Level Agreement

TurboStack platform and Managed Services

Standard and Platinum SLA tiers

1. Purpose and legal status

This Service Level Agreement ("SLA") defines the service levels, support scope, responsibilities, limitations and service credit framework for Hosted Power managed TurboStack environments and related Managed Services.

This SLA applies only when referenced in an Order Form, Master Services Agreement, Statement of Work or other written agreement between Hosted Power BV ("Hosted Power") and the customer or partner ("Customer").

Plain-English principle

Hosted Power manages the infrastructure and platform layer. The Customer, reseller, agency or development partner remains responsible for application code, application behaviour, end-user content, customer-managed third-party services and business decisions. Security, performance and availability are shared responsibilities.

Contractual precedence: in the event of a conflict between this SLA and a signed Order Form, Master Services Agreement or specific addendum, the more specific signed document takes precedence.

All targets in this SLA are service targets and do not create a guarantee that incidents, security events, bot traffic, third-party outages or application issues will never occur.

2. Definitions

Term | Meaning
Affected Service | The specific Hosted Power-managed server, node, environment, managed service or platform component impacted by an incident.
Business Hours | Monday to Friday, 09:00 to 17:00 CET/CEST, excluding Belgian public holidays, unless contractually agreed otherwise.
Covered Infrastructure | Infrastructure, nodes, operating systems and managed platform components provisioned, configured or managed by Hosted Power under the applicable agreement.
Emergency Hotline | The telephone channel reserved for qualifying P1 incidents affecting Covered Infrastructure or Managed Services. Non-critical requests may be redirected to support channels.
Incident | An unplanned interruption, degradation or security-related event affecting an Affected Service.
Managed Services | Services explicitly included in the Order Form or agreement, such as monitoring, managed backups, patching, managed platform components, incident handling, TurboShield and agreed support.
Security Event | Suspicious, malicious, abusive or abnormal traffic or activity, including bot traffic, scraping, brute force, credential stuffing, scans, application-layer attacks or DDoS attempts.
Service Credit | A credit on future invoices for the Affected Service, subject to the compensation rules and limitations in this SLA.
Third-party Edge Provider | Any customer-managed or external DNS, CDN, WAF, reverse proxy, DDoS protection or security layer placed in front of Hosted Power infrastructure, including Cloudflare.
TurboShield | Hosted Power managed traffic protection layer designed to reduce the impact of malicious traffic, abusive bots, suspicious request patterns and application-layer pressure.
TurboStack Platform | Platform service containing components including deployment tooling, templates, monitoring integrations and managed runtime components supported by Hosted Power.

3. TurboStack service scope

TurboStack is Hosted Power's managed platform layer for performance-critical digital platforms. It is designed for developers, agencies, e-commerce teams, SaaS platforms and business-critical applications that require speed, stability, scalability and transparency.

TurboStack combines automated platform management with direct access to experienced engineers. It may include managed cloud infrastructure, supported operating systems, webserver and database components, caching, deployment tooling, monitoring, backups, security controls and TurboShield, depending on the selected package and SLA tier.

Covered by default where applicable | Not covered by default unless agreed
Managed cloud infrastructure provisioned or managed by Hosted Power. | Application code, themes, plugins, modules, custom business logic and application bugs.
Supported operating system and managed platform components. | Third-party SaaS platforms, payment providers, external APIs, DNS registrars, marketing tools and mail reputation.
Core monitoring, alerting, incident handling and escalation. | Customer-managed Cloudflare, CDN, WAF, reverse proxy, DNS or firewall rules.
Managed backups and recovery support included in the selected tier. | Major application upgrades, replatforming, code-level performance tuning and custom development.
TurboShield traffic protection as described in this SLA. | Security events caused by customer code, leaked credentials, insecure modules or exposed endpoints.
Infrastructure-level guidance for scaling, performance, deployments and migrations. | End-user communication, commercial loss, lost revenue or business interruption damages beyond service credits.

4. Shared responsibility model

TurboStack is intentionally transparent and co-managed. Hosted Power takes responsibility for the managed platform layer. The Customer or partner remains in control of the application, content, data, users and commercial use of the environment.

Area | Primary owner | Explanation
Infrastructure and platform availability | Hosted Power | Provide, operate and monitor Covered Infrastructure and Managed Services within the agreed scope.
Operating system and managed stack patching | Hosted Power | Apply security and stability updates for supported managed components according to operational risk and SLA tier.
TurboShield rules and infrastructure-level mitigation | Hosted Power | Operate and tune the Hosted Power-managed protection layer within the visibility and control available to Hosted Power.
Application code and application performance | Customer / agency / development partner | Maintain, test and secure code, plugins, themes, modules, queries, queues, cron jobs, endpoints and release processes.
Application-level security vulnerabilities | Customer / agency / development partner | Resolve vulnerabilities, insecure modules, exposed endpoints, form abuse, checkout abuse and business logic abuse in the application.
Customer-managed third-party edge services | Customer / third-party provider | Configure, monitor and support Cloudflare, DNS, CDN, WAF, reverse proxy or DDoS services unless separately managed by Hosted Power.
Traffic peaks and campaigns | Shared | Customer informs Hosted Power in advance; Hosted Power advises and prepares within available time, scope and tier.
Incident communication with end customers | Customer / reseller | Resellers and agencies remain responsible for first-line communication with their own customers unless otherwise agreed.

5. SLA tiers: Standard and Platinum

Hosted Power uses two SLA tiers to keep the offering clear. Standard is the default managed SLA for professional production environments. Platinum is intended for business-critical, campaign-sensitive or revenue-critical platforms where faster triage, broader monitoring, stronger recovery options and more proactive follow-up are required.

The SLA tier does not change ownership of customer code, data or third-party services. Platinum improves priority, visibility, communication, recovery options and operational follow-up. It does not convert application issues, bot traffic or third-party failures into Hosted Power infrastructure downtime.

Capability | Standard SLA | Platinum SLA
Best fit | Production environments where stability, managed support and clear expectations are important. | Business-critical e-commerce, SaaS, B2B portals, campaign-sensitive or high-impact environments.
Incident management | 24/7/365 for P1 incidents on Covered Infrastructure. Non-critical incidents during support hours. | 24/7/365 for P1 incidents with priority escalation and stronger operational follow-up.
Emergency hotline | Available for qualifying P1 incidents only. | Available for qualifying P1 incidents with priority handling.
P1 initial response target | < 30 minutes after detection or valid report. | < 15 minutes after detection or valid report.
P2 initial response target | < 4 business hours. | < 1 business hour.
P3 / P4 response target | Next business day or planned according to support queue. | Same or next business day depending on priority and scope.
Mitigation target | Mitigation starts immediately after triage for P1 incidents. Restoration depends on cause, scope and dependencies. | Priority mitigation with senior escalation for P1 incidents. Restoration depends on cause, scope and dependencies.
Communication cadence | Status updates during active P1 handling when material progress is available. | More frequent P1 updates and clearer stakeholder coordination where required.
Monitoring | Core infrastructure and managed platform checks. | Advanced monitoring options, custom thresholds or synthetic checks where agreed and technically feasible.
TurboShield baseline | Included protection layer with standard rules, rate limiting and support-driven tuning. | Included protection layer with priority tuning, broader traffic review and stronger attack-response coordination.
Bot traffic response | Best-effort investigation and mitigation within Hosted Power visibility and control. | Priority investigation, tuning and post-incident recommendations for severe bot or abuse events.
Cloudflare or third-party edge coordination | Best-effort coordination if the Customer controls the edge layer and provides access/logs. | Best-effort coordination if the Customer controls the edge layer and provides access/logs.
Managed backups | Daily managed backups with 20-day retention unless agreed otherwise. | Daily managed backups with 20-day retention unless agreed otherwise.
Point-in-Time Recovery | Not included by default. Available as add-on where supported. | Included for supported database services where configured and contractually included.
Recovery support | Restore assistance for covered backups during support scope. | Priority recovery assistance and advanced recovery planning where available.
Security patching | Standard patching of supported managed components based on risk and maintenance windows. | Priority security patching for critical vulnerabilities and emergency changes where needed.
Major version upgrades | Limited guidance. Execution only if separately agreed. | Planning support for managed platform components where included. Application upgrades remain excluded unless agreed.
Scaling support | Standard scaling support during agreed support channels. | Priority scaling support, capacity planning and peak-readiness advice where applicable.
Root Cause Analysis | Optional or available as Expert Services. | Included for severe P1 incidents within Hosted Power control and for major managed security events where useful.
Service management meeting | On request or as commercially agreed. | Recommended periodic service review for critical environments.
DevOps assistance | Standard advisory support for infrastructure-level topics. | Advanced advisory support for infrastructure, deployment, scaling and performance topics within scope.
Expert Services | Available separately for audits, migrations, CI/CD optimization and custom configurations. | Available separately, often recommended for complex platforms or roadmap work.

6. Incident priorities and response targets

Incidents are categorized by business impact and by whether the incident affects Covered Infrastructure or Managed Services. Response means that Hosted Power has acknowledged the incident, started triage and engaged the appropriate team or process. Response is not the same as full resolution.

Priority | Definition | Standard response | Platinum response | Channels
P1 Critical | Complete outage or severe degradation of a covered production service under Hosted Power control, causing major business impact. | < 30 min | < 15 min | 24/7 via monitoring, support or emergency hotline.
P2 High | Major degradation, recurring instability, failed critical managed backup, or serious risk to a production service without full outage. | < 4 business hours | < 1 business hour | Business hours via support. Platinum hotline may be used if urgent.
P3 Medium | Non-critical defect, warning, capacity question, configuration request or degraded non-production service. | < 1 business day | < 4 business hours | Support channels.
P4 Low / Request | General question, planned change, advisory request, documentation, commercial or administrative support. | Planned | Planned / prioritized where relevant | Support or account management.

7. Availability, uptime and service credits

Availability is measured monthly for covered production infrastructure and managed platform services under Hosted Power control. The measurement source is Hosted Power monitoring, unless the agreement explicitly defines another measurement source.

Availability item | Standard SLA | Platinum SLA
Monthly infrastructure availability target | 99.99% | 99.99%
Measurement level | Covered Infrastructure and Managed Services under Hosted Power control. | Covered Infrastructure and Managed Services under Hosted Power control.
Measurement source | Hosted Power monitoring at the origin or agreed monitoring path. | Hosted Power monitoring at the origin or agreed monitoring path, potentially extended where agreed.
Public end-user path | Only included if Hosted Power manages the full relevant path or if explicitly agreed. | Only included if Hosted Power manages the full relevant path or if explicitly agreed.

Downtime is excluded from availability calculations where caused by planned maintenance, emergency maintenance, customer or partner actions, application-level issues, third-party services, external network issues, security events not caused by Hosted Power-managed infrastructure failure, force majeure or lack of required customer cooperation.

Service credits may be requested if the applicable monthly availability target is missed for reasons within Hosted Power control. Credits must be requested in writing within 30 calendar days after the end of the affected month and must include reasonable supporting detail.

Downtime band above SLA target | Credit
Up to 2 hours | 30% credit on the monthly recurring fee of the Affected Service.
Up to 4 hours | 60% credit on the monthly recurring fee of the Affected Service.
More than 4 hours | 100% credit on the monthly recurring fee of the Affected Service.

The maximum compensation under this SLA is limited to the monthly recurring fee for the Affected Service. Credits are not cash refunds and do not apply to one-off projects, migrations, audits, development work, Expert Services, pass-through costs or third-party charges.

8. TurboShield and traffic protection

TurboShield is Hosted Power's managed traffic protection layer, designed to reduce the impact of malicious traffic, abusive bots, suspicious request patterns, scraping attempts, brute-force behaviour, vulnerability scanning, spam and application-layer pressure.

TurboShield may include rate limiting, firewall rules, request filtering, bot mitigation rules, IP reputation checks, allow/block lists, custom rules, WAF integrations, monitoring, alerting and manual tuning by Hosted Power engineers. The exact capabilities depend on the environment, selected SLA tier, available traffic visibility and commercial agreement.

Security reality

TurboShield significantly reduces risk and impact, but no bot mitigation, WAF or DDoS protection service can guarantee complete prevention of all malicious, automated or unwanted traffic. Bot mitigation is an ongoing process requiring continuous tuning, monitoring and cooperation between Hosted Power, the Customer and any involved agency or development partner.

8.1 Security events and SLA credits

Traffic caused by malicious actors, abusive bots, scraping, credential stuffing, denial-of-service attempts, vulnerability scanning, spam, application abuse or other hostile traffic does not qualify as SLA downtime unless the unavailability is directly caused by a failure of Hosted Power-managed infrastructure within the agreed SLA scope.

Response targets apply to incident handling, triage and mitigation efforts. They do not guarantee complete removal of all bots, attackers, scrapers, scans or unwanted traffic within a fixed timeframe.

TurboShield topic | Standard SLA | Platinum SLA
Baseline protection | Standard TurboShield rules and managed response for covered environments. | Standard TurboShield rules plus priority tuning and stronger operational follow-up.
Attack investigation | Best-effort review of available logs, metrics and request patterns. | Priority review of available logs, metrics and request patterns.
Rule tuning | Support-driven tuning where safe and technically feasible. | Prioritized tuning and more specific rule recommendations where safe and technically feasible.
False-positive follow-up | Handled as support issue and tuned where appropriate. | Prioritized support and tuning where appropriate.
Post-incident analysis | Optional or Expert Services, unless otherwise agreed. | Included for severe managed security events where analysis is useful and data is available.

8.2 Customer, reseller and agency responsibilities for TurboShield
  • Maintain secure application code, plugins, modules, dependencies, authentication flows, forms, APIs and exposed endpoints.

  • Provide timely access to relevant application logs, webserver logs, Cloudflare logs, deployment history, recent change information and technical contacts when investigating security events.

  • Inform Hosted Power in advance of campaigns, product drops, Black Friday, large mailings, imports, sales periods, expected bot-heavy traffic or other traffic peaks.

  • Avoid customer-managed firewall, DNS, CDN, WAF or application changes that reduce visibility or bypass agreed protections without prior alignment.

  • Accept that emergency mitigations, rate limits, blocks or challenges may temporarily affect legitimate traffic when required to protect the environment.

  • As reseller or agency, coordinate first-line communication with the end customer and avoid presenting application-level, third-party or customer-managed issues as Hosted Power infrastructure failures unless confirmed by Hosted Power.

8.3 Third-party edge providers

Where a third-party CDN, DNS provider, WAF, reverse proxy, DDoS protection or security layer such as Cloudflare is placed in front of the Hosted Power environment and is not fully managed by Hosted Power, Hosted Power cannot guarantee end-to-end public availability, traffic visibility, bot detection accuracy, cache behaviour, SSL/TLS behaviour, DNS behaviour or incident response times for that external layer.

In such cases, SLA measurements apply to the Hosted Power-managed origin infrastructure, provided Hosted Power has a reliable method to monitor the origin directly or through an agreed monitoring path.

The Customer must provide the required access, configuration, allowlisting, headers, logs, API access, origin health endpoints and monitoring exceptions where needed. Without this access or configuration, monitoring, incident analysis and TurboShield effectiveness may be limited.

If Cloudflare or another third-party edge provider blocks, challenges, caches, modifies, rate-limits, redirects, serves errors, terminates TLS incorrectly, masks origin errors, hides client IPs or fails to pass traffic to the origin, this is not considered Hosted Power downtime unless Hosted Power manages that component and the failure is within Hosted Power control.

If Hosted Power separately manages Cloudflare or another third-party edge service for the Customer, the managed configuration is handled under the agreed scope. Provider outages, platform-wide third-party failures, customer changes and limitations of the third-party service remain excluded unless explicitly agreed otherwise.

8.4 False positives and emergency mitigation

TurboShield rules may occasionally challenge, delay or block legitimate traffic, especially during active attacks, aggressive scraping or abnormal traffic patterns. Hosted Power will treat confirmed false positives as a support issue and tune rules where appropriate.

False positives caused by emergency mitigation, customer-approved rules, customer-managed Cloudflare/CDN/WAF settings, incomplete application context, missing logs or urgent protective action do not automatically qualify as SLA downtime.

9. Monitoring, backups and recovery

9.1 Monitoring

Hosted Power continuously monitors covered infrastructure and managed platform components. Monitoring is designed to detect technical failure, capacity risk and abnormal behaviour at the platform level. It does not replace application monitoring, business transaction monitoring, analytics, fraud detection or end-user monitoring unless explicitly agreed.

Core checks may include availability, system health, storage, CPU, memory, managed service processes, backup status and selected platform metrics. Platinum may include extended checks such as custom thresholds, synthetic monitoring or more detailed recommendations where agreed and technically feasible.

9.2 Backups and recovery

Managed backups are provided for covered systems according to the selected SLA tier and technical configuration. Unless contractually agreed otherwise, the default backup retention is 20 days.

Backups reduce risk but do not replace customer-side release discipline, application-level data validation, acceptance testing, export strategies or business continuity planning. Hosted Power does not guarantee that application data, customer-managed storage, third-party SaaS data or external systems are included unless explicitly configured and agreed.

Backup item | Standard SLA | Platinum SLA
Default retention | 20 days unless agreed otherwise. | 20 days unless agreed otherwise.
Frequency | Daily managed backups for covered systems. | Daily managed backups plus PITR for supported database services where configured and included.
Restore support | Restore assistance for covered backups. | Priority restore assistance and advanced recovery planning where applicable.
RPO / RTO | No fixed RPO/RTO unless agreed in writing. | Improved recovery options where technically supported. Fixed RPO/RTO only if agreed in writing.

10. Security, patching and maintenance

10.1 Security baseline
  • SSL/TLS is supported for hosted services to protect data in transit.

  • Supported operating systems and managed platform components receive security patching according to operational risk, support status and selected SLA tier.

  • DDoS mitigation may include rate limiting, load balancing, blackhole routing, provider coordination and TurboShield controls. Advanced third-party DDoS protection or CDN services can be used where separately agreed.

  • WAF capabilities such as ModSecurity, Fortinet FortiWeb or other controls may be available as optional services or add-ons, depending on the environment and agreement.

10.2 Planned maintenance

Routine updates, security patches, firmware updates, reboots and platform maintenance are normally scheduled outside business hours, typically between 22:00 and 04:00 CET/CEST where operationally possible. Hosted Power aims to notify Customers at least two business days in advance for non-standard planned maintenance that may affect availability.

10.3 Emergency maintenance

Hosted Power may perform emergency maintenance without the normal notice period when there is a critical security risk, active abuse, imminent failure, provider requirement or urgent operational need. Hosted Power will communicate as soon as reasonably possible.

10.4 Major upgrades and Expert Services

Major application upgrades, framework upgrades, database engine migrations, architecture redesign, custom performance tuning, CI/CD rebuilds and complex migrations are outside the standard SLA unless explicitly included. Hosted Power may offer these as Expert Services.

11. Customer responsibilities

A strong SLA only works when both sides keep the platform operable. The Customer, reseller, agency and/or development partner remains responsible for decisions and changes at the application and business layer.

  • Maintain, test and secure application code, plugins, modules, themes, dependencies, custom integrations and deployment pipelines.

  • Keep application owners, technical contacts and escalation contacts up to date and reachable during incidents and planned maintenance.

  • Notify Hosted Power of major campaigns, expected traffic peaks, imports, large deployments, unusual jobs, security risks or planned service interruptions at least one business day in advance. For high-impact campaigns, earlier notice is strongly recommended.

  • Avoid unmanaged changes to infrastructure, DNS, access controls, secrets, firewall rules, Cloudflare, CDN, WAF or critical configuration without alignment where such changes can affect availability or monitoring.

  • Provide timely logs, timestamps, URLs, error messages, screenshots, recent change information and business impact information when opening incidents.

  • Validate restored data and confirm business acceptance after recovery actions.

  • Use the correct support channels. The emergency hotline is reserved for qualifying P1 incidents.

  • Ensure that resold services and end-customer expectations reflect the actual Hosted Power SLA scope, exclusions and shared responsibility model.

12. Exclusions and limitations

The following are excluded from SLA availability calculations, response guarantees and service credits unless explicitly agreed otherwise:

  • Application-level bugs, slow queries, memory leaks, plugin conflicts, theme issues, code releases, cron jobs, queues, data corruption or performance issues caused outside Hosted Power control.

  • Customer, agency, reseller, developer or end-user actions, incorrect configuration, access misuse, credential leakage, deleted files, deleted databases or failed deployments.

  • Third-party providers or services, including DNS, registrars, CDN, Cloudflare, payment providers, external APIs, SaaS tools, email reputation, public cloud provider issues outside Hosted Power control or internet backbone issues.

  • Security events, bot traffic, scraping, credential stuffing, spam, denial-of-service attempts, vulnerability scanning, application abuse or hostile traffic, except where downtime is directly caused by failure of Covered Infrastructure under Hosted Power control.

  • Planned maintenance, emergency maintenance, provider-mandated maintenance and urgent protective measures.

  • Force majeure, legal orders, abuse handling, account suspension for breach, non-payment, sanctions, unlawful content or emergency actions needed to protect Hosted Power, other customers or the platform.

  • Services not explicitly included in the Order Form, including major migrations, audits, custom DevOps projects, application upgrades or code-level performance tuning.

Hosted Power's liability under this SLA is limited to the service credits described in Section 7, unless a signed agreement states otherwise.

13. Escalation and contacts

13.1 Per type of escalation

Customer escalation | Support Engineer -> Service Manager -> Operations Manager -> Technical Lead / COO
Internal technical escalation | Operations Engineer -> Technical Lead -> COO / CEO
Internal commercial escalation | Account Manager -> COO -> CEO

13.2 Per type of inquiry

Commercial | hello@hosted-power.com or your account manager
Technical support | support@hosted-power.com
Emergency hotline | BE: +32 53 599 000; NL: +32 85 888 4 555; FR: +33 483 97 97 97
Billing | hello@hosted-power.com