Service Level Agreement (SLA)

Document Reference: GRSCIA-SLA-2025-V2.0 Version: 2.0 Effective Date: January 1, 2025 Last Updated: January 4, 2026 Agreement Term: 1 Year (Auto-Renewal) Governing Standard: ADHICS V2 (Abu Dhabi Healthcare Information and Cyber Security Standard)

PARTIES TO THIS AGREEMENT

Service Provider:

GRSCIA, powered and managed by CISOSHARE INSPECTION AUDIT SERVICES - L.L.C - S.P.C Commercial Registration Number: CN-5499111 Address: وسط المدينة, الربينة, 118 : شارع حصة بنت محمد , مبنى, الشيخه شمسه بنت زايد بن سلطان Telephone: +971501123842 Email: info@grscia.ae (hereinafter referred to as "GRSCIA", "Provider", "We", "Us", or "Our")

Customer:

The entity subscribing to GRSCIA services as identified in the applicable subscription agreement or order form. (hereinafter referred to as "Customer", "Client", "You", or "Your")

1. INTRODUCTION AND PURPOSE

1.1 Agreement Overview

This Service Level Agreement ("SLA") establishes the terms, conditions, and commitments governing the provision of GRSCIA's healthcare compliance platform services. This SLA is incorporated into and forms part of your Master Service Agreement, Terms of Use, and any applicable subscription agreement.

1.2 Purpose

This SLA defines:

The scope and description of services provided
Service availability and uptime commitments
Support response times and escalation procedures
Data protection, security, and privacy obligations
Performance metrics and monitoring
Incident response and breach notification procedures
Service credits and remedies for SLA breaches
Customer and Provider responsibilities
Termination, transition, and data portability provisions

1.3 ADHICS Compliance Context

GRSCIA operates as a Healthcare Technology and Services Provider under ADHICS V2 and is committed to implementing controls as per the "Service Provider" control category. This SLA is designed to support our Customers' ADHICS compliance obligations across all applicable control domains.

1.4 Precedence

In the event of any conflict between this SLA and other contractual documents, the order of precedence shall be:

Order Form (specific commercial terms)
Master Service Agreement (MSA)
Data Processing Agreement (DPA) for data protection and processing matters
This Service Level Agreement (SLA) for service-level, support, and operational commitments
Terms of Use
Privacy Policy
Cookie Policy

2. DEFINITIONS AND INTERPRETATIONS

2.1 Service Definitions

Term	Definition
"Availability"	The percentage of time the Service is operational and accessible for normal use during a given measurement period
"Business Hours"	Sunday through Thursday, 9:00 AM to 6:00 PM UAE Standard Time (GST+4), excluding UAE public holidays
"Critical Data"	Any Protected Health Information (PHI), Personally Identifiable Information (PII), or other sensitive data as defined by ADHICS
"Downtime"	Any period during which the Service is unavailable or materially degraded, excluding Scheduled Maintenance and Exclusions
"Incident"	Any event that is not part of the standard operation of the Service and which causes, or may cause, an interruption to, or a reduction in, the quality of the Service
"Monthly Uptime Percentage"	(Total minutes in calendar month - Downtime minutes) / Total minutes in calendar month × 100
"PHI"	Protected Health Information as defined by ADHICS, including demographic, medical, insurance, and other data collected to identify and provide care
"PII"	Personally Identifiable Information including name, Emirates ID, mobile number, email, address, biometric data, and other identifying information
"Platform"	The GRSCIA healthcare compliance management software-as-a-service platform
"Recovery Point Objective (RPO)"	The maximum acceptable amount of data loss measured in time
"Recovery Time Objective (RTO)"	The maximum acceptable time to restore service after a disruption
"Scheduled Maintenance"	Planned maintenance activities announced at least 48 hours in advance
"Security Incident"	Any actual or suspected unauthorized access, use, disclosure, modification, or destruction of data or systems
"Service Credit"	Credit applied to Customer's account as compensation for SLA breaches
"Tenant"	An isolated instance of the Platform provisioned for a specific Customer organization

2.2 ADHICS Domain References

This SLA references the following ADHICS V2 control domains:

HR - Human Resource Security
AC - Access Control
AM - Asset Management
CO - Communications and Operations Management
CS - Cloud Security
DP - Data Privacy and Protection
IM - Incident Management
PE - Physical and Environmental Security
SA - System Acquisition, Development and Maintenance
SC - Information Systems Continuity Management
TP - Third Party Security

3. DESCRIPTION OF SERVICES

3.1 Platform Services

GRSCIA provides a comprehensive healthcare compliance management platform consisting of the following service categories:

3.1.1 Core Compliance Management Services

Service Module	Description	ADHICS Domain
Compliance Assessment	ADHICS control assessment framework with evidence management, reporting periods, snapshots, and audit-ready export packages	All Domains
Policy Management	Policy creation, versioning, approval workflows, acknowledgment tracking, and compliance verification	CO, DP
Document Management	Document lifecycle management including creation, collaborative editing, approval workflows, digital signatures, and UAE Pass integration	CO, DP
Audit Trail & Logging	Tamper-evident audit logging with SHA-256 hashing, activity tracking, and compliance verification	IM, DP

3.1.2 Human Resource Security Services

Service Module	Description	ADHICS Domain
Employee Management	Employee lifecycle management, bulk import, onboarding workflows, and training tracking	HR
Contractor Management	Contractor onboarding, background checks, and access provisioning	HR, AC
Training Management	Training attendance tracking, completion certificates, and compliance reporting	HR
Background Verification	Background check submission, approval workflows, and documentation	HR

3.1.3 Security Operations Services

Service Module	Description	ADHICS Domain
Incident Management	Full incident lifecycle (acknowledge, investigate, contain, eradicate, recover, resolve, post-incident review) with SLA tracking	IM
Violation Tracking	Security violation management with investigation, appeal workflows, and disciplinary tracking	IM, HR
Access Control	Access request management, grant workflows, role-based access control, and asset-level permissions	AC
DoH Notification	Department of Health breach notification tracking and compliance reporting	IM, DP

3.1.4 Asset and Physical Security Services

Service Module	Description	ADHICS Domain
Asset Management	Asset inventory, relationships mapping, maintenance scheduling, disposal workflows, and end-of-life tracking	AM
Physical Security	Secure areas management, visitor logs, physical key management, and access logs	PE
Vendor Management	Vendor directory, contracts management, third-party assessments, and onboarding workflows	TP

3.1.5 AI-Powered Services

Service Module	Description	ADHICS Domain
AI Compliance Assistant	ADHICS knowledge base powered by AI, providing instant answers to compliance questions with requirement references	All Domains
AI Document Processing	AI-powered field extraction, document classification, and identity verification	CO, DP
Compliance Checklist Generation	AI-generated compliance checklists based on facility type and compliance level	All Domains

3.2 Deployment Options

GRSCIA offers two deployment models to accommodate varying Customer requirements:

3.2.1 Cloud Deployment (Multi-Tenant)

Fully managed platform hosted within UAE
Automated provisioning and scaling
Managed database and storage infrastructure
Per-tenant data isolation and encryption
High availability architecture
Automated backups and disaster recovery

3.2.2 BYOD Deployment (Bring Your Own Database)

On-premise agent deployment
Customer-hosted database with data residency control
Encrypted agent communication via mutual TLS (mTLS)
Agent health monitoring and version tracking
Platform-controlled execution plans with cryptographic verification (RSA-SHA256)
Suitable for organizations requiring complete data sovereignty

3.3 Service Exclusions

The following are explicitly excluded from the scope of services:

Custom software development beyond platform capabilities
Hardware procurement or management
Network infrastructure management at Customer premises
Third-party software licensing or support
Legal, audit, or regulatory compliance advice
Physical security implementation at Customer facilities

4. SERVICE AVAILABILITY AND UPTIME COMMITMENTS

4.1 Availability Commitment

GRSCIA commits to maintaining the following availability levels:

Service Tier	Monthly Uptime Target	Maximum Monthly Downtime
Enterprise	99.95%	21.9 minutes
Professional	99.9%	43.8 minutes
Basic	99.5%	219 minutes

4.2 Availability Measurement

4.2.1 Measurement Method

Availability is measured using automated monitoring systems operating from multiple geographic locations within the UAE
Measurements are taken at 1-minute intervals across all critical service endpoints
Availability is calculated based on successful responses to health check requests

4.2.2 Measurement Points

The following service components are included in availability calculations:

Web application endpoints
API gateway
Authentication services
Database services
Document storage services
AI/MCP services

4.2.3 Status Monitoring

Real-time service status: https://status.grscia.ae
Customers may subscribe to automated notifications for service disruptions
Historical availability reports available upon request

4.3 Exclusions from Downtime Calculation

The following events are excluded from Downtime calculations:

4.3.1 Scheduled Maintenance

Scheduled maintenance windows announced at least 48 hours in advance
Maximum scheduled maintenance: 4 hours per calendar month
Preferred maintenance window: Friday 10:00 PM to Saturday 2:00 AM UAE time
Emergency maintenance for critical security patches (notification provided as soon as practicable)

4.3.2 Customer-Caused Issues

Issues arising from Customer's infrastructure, network connectivity, or devices
Misuse or misconfiguration of the Service by Customer or its users
Customer's failure to implement recommended security measures
Actions taken at Customer's request that result in service degradation

4.3.3 External Factors

Force majeure events (natural disasters, war, terrorism, civil unrest, pandemic)
Internet service provider failures outside GRSCIA's control
DDoS attacks specifically targeting Customer's tenant
Government-mandated service restrictions or telecommunications outages
Third-party service failures (payment processors, identity providers, etc.)

4.3.4 Non-Production Environments

Beta, preview, or sandbox features explicitly marked as non-production
Development or testing environments
Features under early access programs

4.4 Data Residency Commitment

In compliance with ADHICS CS 1.2 and UAE Federal Law No. 2 of 2019:

GRSCIA enforces strict UAE residency for the platform database and tenant databases
Backup and disaster-recovery handling for these database layers is operated within UAE-controlled scope
Approved non-database operational exceptions (including MCP and billing processing) are disclosed and contractually governed
Transfer safeguards and sub-processor obligations are governed in detail by the DPA

5. SUPPORT SERVICES

5.1 Support Channels

Channel	Contact Information	Availability
Email Support	info@grscia.ae	24/7 (response times vary by priority)
In-Platform Support	Support ticket system within the Platform	24/7 submission, Business Hours response
Emergency Hotline	+971501123942	P1 Critical incidents only, 24/7/365
Escalations	security@grscia.ae	Business Hours

5.2 Support Hours

Support Type	Hours of Operation
Standard Support	Sunday - Thursday, 9:00 AM - 6:00 PM UAE Time
P1 Critical Support	24 hours, 7 days a week, 365 days a year
Holiday Coverage	P1 Critical issues only during UAE public holidays

5.2.1 Automated SLA Clocks

Support response and resolution timers are calculated automatically by platform policy (plan + priority), with breach computation and owner-portal in-app notices generated by the platform scheduler. Manual edits may add operator notes but do not replace system due-clock computation.

5.3 Incident Priority Classification

Incidents are classified according to ADHICS IM domain requirements and industry best practices:

5.3.1 Priority 1 - Critical (Emergency)

Definition: Complete service outage, data breach, security incident, or condition that renders the Service completely unusable for all users with no workaround available.

Examples:

Platform-wide outage affecting all tenants
Confirmed data breach or security incident involving PHI/PII
Complete loss of access to critical compliance functions
Ransomware or malware infection affecting the Service

Metric	Target
Initial Response	30 minutes
Status Updates	Every 30 minutes
Resolution Target	2 hours
DoH Notification	Near real-time (per ADHICS IM requirements)

5.3.2 Priority 2 - Severe (High)

Definition: Major feature unavailable, significant performance degradation affecting multiple users, or security vulnerability with high exploitation risk.

Examples:

Authentication system failure for a specific tenant
Document management system unavailable
Compliance assessment features non-functional
Significant performance degradation (>5x normal response times)

Metric	Target
Initial Response	1 hour
Status Updates	Every 1 hour
Resolution Target	4 hours
DoH Notification	Within 1 hour of acknowledgment (if applicable)

5.3.3 Priority 3 - Moderate (Medium)

Definition: Feature degradation with workaround available, intermittent issues affecting limited users, or non-critical functionality impaired.

Examples:

Reporting features experiencing delays
Non-critical integrations failing intermittently
UI/UX issues affecting specific browsers
Scheduled jobs delayed but not failing

Metric	Target
Initial Response	4 hours
Status Updates	Every 4 hours
Resolution Target	24 hours
DoH Notification	Within 4 hours (if applicable)

5.3.4 Priority 4 - Low (Normal)

Definition: Minor issues, cosmetic defects, general questions, feature requests, or issues with minimal business impact.

Examples:

Minor UI inconsistencies
Documentation clarifications
Feature enhancement requests
General usage questions

Metric	Target
Initial Response	8 business hours
Status Updates	Every 24 hours
Resolution Target	Best effort (within 5 business days)
DoH Notification	Within 24 hours (if applicable)

5.4 Escalation Procedures

5.4.1 Customer-Initiated Escalation

If response time targets are not met, Customers may escalate:

Escalation Level	Contact	Trigger
Level 1	security@grscia.ae	Response time exceeded by 50%
Level 2	Executive escalation via account manager	Response time exceeded by 100%
Level 3	Written notice to admin@grscia.ae	Repeated SLA failures

5.4.2 Escalation Requirements

When escalating, Customer must provide:

Original ticket/case number
Date and time of original submission
Priority level assigned
Description of impact
All previous communications

5.5 Language Support

Support is available in:

English (Primary)
Arabic (Available upon request)

6. DATA PROTECTION AND SECURITY

6.1 Security Framework

GRSCIA implements security controls aligned with:

ADHICS V2 (Service Provider category)
UAE Information Assurance Regulation (UAE IAR)
ISO/IEC 27001 (alignment in progress)
Industry best practices for healthcare data protection

6.2 Data Classification

Customer data is classified and handled according to the following categories:

Classification	Color	Description	Examples	Handling Requirements
Secret	Red	Information requiring substantial and multilevel protection due to its highly sensitive nature. Disclosure could seriously impact national security, social cohesion, or public order	VIP health information, research and proprietary data, intellectual property	Multilevel access controls, need-to-know basis, full encryption at rest and in transit, enhanced audit logging
Confidential	Orange	Information requiring robust protection. Includes all PII and PHI per ADHICS mandate. Information the entity has a duty of care to hold in safe custody	PHI, PII, medical records, financial information, employee payroll data, audit reports, risk registers, network diagrams, security incident reports	Role-based access control, encryption at rest and in transit, data loss prevention, regular access reviews
Restricted	Blue	Information requiring limited confidentiality protection due to its use in day-to-day operations. Disclosure could have limited adverse impact on the entity	Policies, procedures, SOPs, internal circulars, non-critical project contracts, operational correspondences	Authenticated access, standard protection controls, distribution limited to authorized personnel
Public	Green	Information intended for public domain use with no legal, regulatory, or organizational restrictions on access	Website information, published documentation, marketing materials, news articles	Integrity verification, no confidentiality requirements

6.3 Encryption Standards

6.3.1 Data at Rest

Algorithm: AES-256-GCM
Key Management: Customer-controlled keys where applicable (BYOD), Provider-managed keys with HSM protection (Cloud)
Scope: All PHI, PII, credentials, and sensitive configuration data

6.3.2 Data in Transit

Protocol: TLS 1.3 (minimum TLS 1.2)
Certificate Management: Automated certificate rotation
Agent Communication: Mutual TLS (mTLS) for BYOD deployments

6.3.3 Data in Processing

Memory Protection: Secure memory handling, no persistence of decrypted sensitive data
Log Sanitization: PII/PHI automatically redacted from system logs

6.4 Access Control

6.4.1 Authentication

Multi-factor authentication (MFA) mandatory for all users
Supported methods: TOTP authenticator apps, UAE Pass OAuth2, Email OTP
Session management with configurable timeout policies
Failed login attempt monitoring and lockout

6.4.2 Authorization

Role-based access control (RBAC) with three-tier hierarchy:
- Owner: Full administrative privileges
- Admin: Operational management privileges
- Member: Standard user privileges
Principle of least privilege enforced
Regular access reviews recommended

6.4.3 Audit Logging

All access and actions logged with tamper-evident hashing (SHA-256)
Correlation IDs for request tracing
Log retention: Minimum 2 years (configurable)
Audit logs available for Customer review and export

6.5 Data Segregation

6.5.1 Multi-Tenant Isolation (Cloud Deployment)

Logical tenant isolation at application and database levels
Per-tenant encryption keys
Network-level isolation between tenant workloads
No cross-tenant data access possible

6.5.2 BYOD Isolation

Complete data isolation in Customer-controlled database
Execution plans cryptographically signed and verified
No direct platform access to Customer database

6.6 Vulnerability Management

Activity	Frequency	Description
Vulnerability Scanning	Weekly	Automated scanning of all platform components
Penetration Testing	Annually	Independent third-party assessment
Code Security Review	Per release	Static and dynamic analysis
Dependency Scanning	Continuous	Automated supply chain security
Patch Management	Per severity	Critical: 24h, High: 7 days, Medium: 30 days, Low: 90 days

6.7 Security Certifications and Assessments

Certification/Assessment	Status	Notes
ADHICS V2 Compliance	Active	Service Provider category
ISO 27001	In Progress	Certification targeted
SOC 2 Type II	Planned	Implementation roadmap available
Annual Security Assessment	Active	Independent third-party audit

7. BACKUP AND DISASTER RECOVERY

7.1 Backup Services

7.1.1 Backup Schedule

Data Type	Backup Frequency	Retention Period
Database (Full)	Daily	30 days
Database (Incremental)	Hourly	7 days
Database (Transaction Log)	Continuous	7 days
Document Storage	Real-time replication	30 days versioning
System Configuration	Daily	90 days
Audit Logs	Daily archive	2 years minimum

7.1.2 Backup Security

All backups encrypted using AES-256
Backup encryption keys stored separately from backup data
Backup media integrity verified weekly
Backup restoration tested monthly

7.1.3 Backup Location

Primary backups stored in UAE data center
Secondary backups stored in geographically separate UAE facility
No backup data stored outside UAE

7.2 Recovery Objectives

Metric	Cloud Deployment	BYOD Deployment
Recovery Point Objective (RPO)	1 hour	Customer-defined
Recovery Time Objective (RTO)	4 hours	Customer responsibility

7.3 Disaster Recovery

7.3.1 DR Capabilities

Active-passive disaster recovery configuration
Automated failover for critical infrastructure components
Regular DR testing (quarterly)
Documented DR procedures and runbooks

7.3.2 DR Testing

Full DR test: Annually
Partial DR test: Quarterly
Tabletop exercises: Semi-annually
Test results and reports available upon request

7.4 Customer Responsibilities for Backup

Customers are responsible for:

Exporting and maintaining independent copies of critical data
Testing data exports for completeness and integrity
Maintaining backup copies of custom configurations
BYOD deployments: Implementing their own backup strategy for on-premise databases

8. INCIDENT MANAGEMENT AND BREACH NOTIFICATION

8.1 Incident Response Framework

GRSCIA maintains an incident response capability aligned with ADHICS IM domain requirements:

8.1.1 Incident Response Phases

Detection: Automated monitoring, user reports, security alerts
Acknowledgment: Incident classification and initial response
Investigation: Root cause analysis, scope determination
Containment: Limiting incident impact and spread
Eradication: Removing threat and vulnerabilities
Recovery: Restoring normal operations
Post-Incident Review: Lessons learned, process improvements

8.2 Security Incident Notification

8.2.1 Notification to Customer

Incident Severity	Initial Notification	Updates
P1 Critical	Within 1 hour of detection	Every 30 minutes until resolved
P2 Severe	Within 4 hours of detection	Every 2 hours until resolved
P3 Moderate	Within 24 hours of detection	Daily until resolved
P4 Low	Within 48 hours of detection	As significant updates occur

8.2.2 Notification Content

Security incident notifications shall include:

Nature and scope of the incident
Types of data potentially affected
Actions taken to contain and remediate
Recommended actions for Customer
Contact information for incident response team

8.3 Data Breach Notification (ADHICS DP 1.7 Compliance)

In the event of a confirmed data breach involving PHI or PII:

8.3.1 Notification Timeline

Action	Timeline	Responsibility
Initial breach detection to Customer	Within 24 hours	GRSCIA
Data Breach Form to DoH	Within 72 hours of acknowledgment	Customer (GRSCIA assists)
Affected data subject notification	As determined by risk assessment	Customer (GRSCIA assists)
Full investigation report	Within 30 working days	GRSCIA

8.3.2 GRSCIA Obligations

Immediately notify Customer of any suspected or confirmed breach
Provide full cooperation in breach investigation
Preserve all evidence related to the breach
Provide technical assistance for DoH notifications
Implement immediate containment measures
Provide detailed incident report with root cause analysis

8.3.3 Customer Obligations

Maintain current contact information for breach notifications
Complete and submit required regulatory notifications (DoH, etc.)
Notify affected data subjects where required
Cooperate with GRSCIA in breach investigation
Implement recommended remediation measures

8.4 DoH Security Operations Center (SOC) Notification

For incidents requiring DoH SOC notification per ADHICS requirements:

Priority	Notification Timeline	Update Frequency
P1 Critical	Near real-time	Real-time
P2 Severe	Within 1 hour	Every 1 hour
P3 Moderate	Within 4 hours	Every 4 hours
P4 Low	Within 24 hours	Every 24 hours

9. SERVICE CREDITS

9.1 Credit Eligibility

Service Credits are available when GRSCIA fails to meet the availability commitments specified in Section 4.1.

9.1.1 Credit Calculation

Monthly Uptime Achieved	Service Credit (% of Monthly Fee)
99.9% - 99.0%	10%
99.0% - 97.0%	25%
97.0% - 95.0%	50%
Below 95.0%	100%

9.1.2 Support Response Time Credits

Failure Type	Service Credit
P1 Response > 1 hour	5% of monthly fee
P1 Resolution > 4 hours	10% of monthly fee
P2 Response > 2 hours	2% of monthly fee
P2 Resolution > 8 hours	5% of monthly fee

9.2 Credit Limits

Maximum Service Credit per calendar month: 100% of that month's subscription fee
Service Credits are not cumulative across months
Service Credits cannot be exchanged for cash or other consideration
Service Credits must be applied within 12 months of issuance

9.3 Credit Request Process

9.3.1 Submission Requirements

To claim a Service Credit, Customer must:

Submit a claim in the Owner Portal workspace scope (/admin/workspaces/:slug/sla-claims) within 30 days of the incident
Include: Account name, tenant identifier, dates and times of unavailability, description of impact
Provide any relevant ticket or case numbers

9.3.2 Review and Approval

GRSCIA admin reviewers will adjudicate claims within 10 business days
Approved claims are posted as auditable billing credit transactions
Disputed claims may be escalated per Section 5.4

9.4 Credit Exclusions

Service Credits are not applicable for:

Downtime during Scheduled Maintenance
Exclusions listed in Section 4.3
Customer's failure to meet its obligations under this SLA
Suspension of services due to non-payment or breach
Force majeure events
BYOD deployments where the issue originates in Customer infrastructure

10. CUSTOMER RESPONSIBILITIES

10.1 General Obligations

Customer agrees to:

10.1.1 Account Management

Maintain accurate and current account information
Designate authorized contacts for support and escalations
Promptly notify GRSCIA of any changes to contact information
Manage user access appropriately within the Platform

10.1.2 Security Cooperation

Implement and enforce MFA for all users
Maintain confidentiality of credentials and access tokens
Promptly report any suspected security incidents
Cooperate with security investigations and incident response
Implement security recommendations provided by GRSCIA

10.1.3 Acceptable Use

Use the Service in compliance with applicable laws and regulations
Not attempt to breach, circumvent, or test security controls
Not use the Service to store or transmit malicious code
Not share access credentials with unauthorized parties
Not exceed licensed usage limits or service quotas

10.1.4 Data Management

Ensure accuracy and legality of data uploaded to the Platform
Maintain independent backups of critical data
Classify data appropriately within the Platform
Manage data retention and deletion according to internal policies

10.2 ADHICS Compliance Responsibilities

While GRSCIA provides tools to support compliance, Customer remains responsible for:

Overall ADHICS compliance program management
Policy development and approval (using Platform templates as appropriate)
Control implementation within their organization
Evidence collection and management
Regulatory notifications and communications with DoH
Staff training and awareness programs
Third-party and vendor management
Physical security implementations

10.3 BYOD-Specific Responsibilities

For BYOD deployments, Customer is additionally responsible for:

Database provisioning, maintenance, and security
Network infrastructure and connectivity
Agent host system security and patching
Backup and disaster recovery implementation
Database performance optimization
Storage capacity management

11. PROVIDER RESPONSIBILITIES

11.1 Service Delivery

GRSCIA commits to:

Maintain the Platform in accordance with this SLA
Provide services with reasonable skill and care
Employ qualified personnel for service delivery
Maintain appropriate security certifications and assessments
Continuously improve service quality and security posture

11.2 Support Obligations

GRSCIA shall:

Provide support services as described in Section 5
Maintain documented support procedures
Train support personnel on Platform features and security
Escalate issues appropriately within the organization
Communicate proactively about known issues and resolutions

11.3 Security Obligations

GRSCIA shall:

Implement and maintain security controls per Section 6
Conduct regular security assessments and penetration testing
Apply security patches within defined timeframes
Maintain incident response capabilities per Section 8
Notify Customer of security incidents per defined timelines

11.4 Compliance Support

GRSCIA shall:

Maintain ADHICS Service Provider compliance
Provide audit support and evidence upon reasonable request
Update the Platform to reflect regulatory changes where applicable
Provide compliance reporting features within the Platform

11.5 Data Processing

GRSCIA shall:

Process Customer data only as instructed and for service provision
Not use Customer data for any other purpose
Not share Customer data with unauthorized third parties
Implement appropriate technical and organizational measures for data protection
Return or delete Customer data upon termination per Section 12

12. TERMINATION AND TRANSITION

12.1 Termination Rights

12.1.1 Termination for Convenience

Either party may terminate this Agreement:

At the end of the current term with 30 days' written notice
Immediately upon the other party's material breach (subject to cure period)

12.1.2 Termination for Cause

GRSCIA may terminate immediately if Customer:

Fails to pay undisputed fees within 30 days of due date
Materially breaches security or acceptable use provisions
Uses the Service for illegal purposes
Becomes insolvent or enters bankruptcy proceedings

Customer may terminate immediately if GRSCIA:

Fails to meet availability commitments for 3 consecutive months
Suffers a material security breach affecting Customer data
Materially breaches data protection obligations
Becomes insolvent or enters bankruptcy proceedings

12.2 Transition Assistance

Upon termination or expiration, GRSCIA shall provide:

12.2.1 Data Export

Export requests are submitted in the owner portal workspace scope and are available for 30 days post-termination.
Cloud deployment output: full tenant DB dump, all tenant files accessible in cloud tenant storage, and control-plane lifecycle/billing timing records.
BYOD deployment output: control-plane lifecycle/billing timing records only.
BYOD primary database and document/file bulk extraction remain Customer-managed in Customer infrastructure.

12.2.2 Data Formats

Deployment Mode	Export Scope	Format
Cloud	Full tenant DB dump + all tenant cloud files + lifecycle/billing timing records	ZIP archive containing DB dump + files + CSV/JSON records
BYOD	Control-plane lifecycle/billing timing records only	ZIP archive containing CSV/JSON records

12.2.3 Transition Support

Reasonable cooperation with successor service provider
Knowledge transfer sessions (up to 8 hours, additional available at standard rates)
API access for data migration (30 days post-termination)
Written documentation of data structures and mappings

12.3 Data Deletion

12.3.1 Post-Termination Retention

Data retention obligations and legal hold handling are governed by the DPA and applicable law
This SLA supports transition/export operations during the agreed post-termination window

12.3.2 Secure Deletion

Secure deletion is performed according to DPA requirements and controlled operational procedures
Deletion confirmation or certification is provided where contractually agreed

12.3.3 ADHICS Compliance (TP 2.1)

In accordance with ADHICS third-party requirements, GRSCIA provides reasonable transition cooperation, including standardized export support where applicable.

Knowledge handover provided as appropriate

13. CONFIDENTIALITY

13.1 Confidential Information

Each party agrees to maintain the confidentiality of the other party's Confidential Information, which includes:

Technical information about the Service
Business plans, pricing, and customer lists
Security configurations and procedures
Any information marked as confidential

13.2 Exclusions

Confidential Information does not include information that:

Is or becomes publicly available without breach
Was known to the receiving party prior to disclosure
Is independently developed without use of Confidential Information
Is disclosed with the prior written consent of the disclosing party

13.3 Permitted Disclosures

Confidential Information may be disclosed:

To employees and contractors with need to know, under confidentiality obligations
As required by law or regulation (with advance notice where permitted)
To professional advisors under confidentiality obligations
As authorized in writing by the disclosing party

13.4 Duration

Confidentiality obligations survive termination for a period of 3 years, except for trade secrets which remain confidential indefinitely.

14. AUDIT RIGHTS

14.1 Right to Audit

In accordance with ADHICS TP 2.1 requirements, Customer has the right to:

Request and receive compliance reports and certifications
Review audit logs and security reports
Conduct or commission security assessments (with reasonable notice)
Request evidence of compliance with this SLA

14.2 Audit Process

14.2.1 Request Procedure

Written request at least 30 days in advance
Scope and objectives clearly defined
Audit conducted during business hours
Costs borne by requesting party (unless audit reveals material breach)

14.2.2 GRSCIA Cooperation

GRSCIA shall:

Provide reasonable access to relevant personnel and documentation
Respond to audit inquiries within 10 business days
Address audit findings within agreed timeframes
Not obstruct legitimate audit activities

14.3 Regulatory Audits

GRSCIA shall cooperate with:

Department of Health audits and inspections
ADHICS certification audits (TASNEEF-RINA)
Other regulatory examinations as required by law

15. LIMITATION OF LIABILITY

15.1 Limitation Cap

EXCEPT FOR EXCLUDED CLAIMS (SECTION 15.3), GRSCIA'S TOTAL AGGREGATE LIABILITY UNDER THIS SLA SHALL NOT EXCEED THE GREATER OF:

THE TOTAL FEES PAID BY CUSTOMER IN THE 12 MONTHS PRECEDING THE CLAIM, OR
AED 100,000 (ONE HUNDRED THOUSAND UAE DIRHAMS)

15.2 Exclusion of Damages

NEITHER PARTY SHALL BE LIABLE FOR:

INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES
LOSS OF PROFITS, REVENUE, OR BUSINESS OPPORTUNITIES
LOSS OF DATA (EXCEPT AS PROVIDED FOR DATA BREACH)
REPUTATIONAL HARM
PUNITIVE OR EXEMPLARY DAMAGES

15.3 Excluded Claims

The limitations in Sections 15.1 and 15.2 do not apply to:

Gross negligence or willful misconduct
Breach of confidentiality obligations
Indemnification obligations
Fraud or fraudulent misrepresentation
Liability that cannot be excluded by law

15.4 Sole Remedy

SERVICE CREDITS ARE CUSTOMER'S SOLE AND EXCLUSIVE REMEDY FOR GRSCIA'S FAILURE TO MEET THE SLA COMMITMENTS. ACCEPTANCE OF SERVICE CREDITS CONSTITUTES WAIVER OF ANY OTHER CLAIMS ARISING FROM THE SAME INCIDENT.

16. CHANGES TO THIS SLA

16.1 Modification Process

16.1.1 Material Changes

30 days' advance written notice required
Notice provided via in-app Owner Portal legal notice
Changes effective at next renewal unless Customer objects

16.1.2 Non-Material Changes

Clarifications, corrections, or improvements
Effective upon posting to GRSCIA website
Notification via status page or in-platform announcement

16.2 Customer Rights

If Customer objects to material changes:

Written objection within 30 days of notice
Parties shall negotiate in good faith
Customer may terminate without penalty if agreement cannot be reached
Prior SLA version remains in effect until termination

16.3 Version Control

All SLA versions archived and available upon request
Current version available at: https://grscia.ae/legal/sla
Version number and effective date clearly indicated

17. GOVERNING LAW AND DISPUTE RESOLUTION

17.1 Governing Law

This SLA shall be governed by and construed in accordance with the laws of the United Arab Emirates, without regard to conflict of law principles.

17.2 Jurisdiction

The courts of Abu Dhabi, United Arab Emirates shall have exclusive jurisdiction over any disputes arising from or relating to this SLA.

17.3 Dispute Resolution Process

17.3.1 Informal Resolution

Parties shall first attempt to resolve disputes through good faith negotiation:

Written notice of dispute provided to other party
30-day period for informal resolution
Escalation to senior management if needed

17.3.2 Mediation

If informal resolution fails:

Parties shall submit to non-binding mediation
Mediator selected by mutual agreement
Mediation conducted in Abu Dhabi
Costs shared equally

17.3.3 Litigation

If mediation fails:

Dispute submitted to courts per Section 17.2
Prevailing party entitled to reasonable legal fees

17.4 Service Continuity

During any dispute:

GRSCIA shall continue to provide services (subject to payment)
Customer shall continue to pay undisputed amounts
Neither party shall take unilateral action to disrupt services

18. GENERAL PROVISIONS

18.1 Entire Agreement

This SLA, together with the Master Service Agreement, Terms of Use, Privacy Policy, Cookie Policy, and Data Processing Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof.

18.2 Severability

If any provision of this SLA is found unenforceable, the remaining provisions shall continue in full force and effect.

18.3 Waiver

Failure to enforce any provision shall not constitute a waiver of future enforcement rights.

18.4 Assignment

Neither party may assign this SLA without prior written consent, except to an affiliate or in connection with a merger or acquisition.

18.5 Force Majeure

Neither party shall be liable for delays or failures due to circumstances beyond reasonable control, including natural disasters, war, terrorism, pandemic, government actions, or telecommunications failures.

18.6 Notices

All notices shall be in writing and delivered to:

Email addresses designated in the account
Physical addresses specified in the subscription agreement

Notices are effective upon confirmed delivery.

18.7 Independent Contractors

The parties are independent contractors. Nothing in this SLA creates an employment, agency, partnership, or joint venture relationship.

18.8 Third-Party Rights

This SLA does not confer any rights on third parties except as expressly stated.

18.9 Survival

Sections 6 (Data Protection), 10 (Customer Responsibilities), 12 (Termination), 13 (Confidentiality), 14 (Audit Rights), 15 (Limitation of Liability), 17 (Governing Law), and 18 (General Provisions) survive termination.

19. CONTACT INFORMATION

19.1 Service Provider Contact Details

GRSCIA, powered and managed by CISOSHARE INSPECTION AUDIT SERVICES - L.L.C - S.P.C

Purpose	Contact
General Inquiries	info@grscia.ae
Technical Support	info@grscia.ae
Security Incidents	security@grscia.ae
Escalations	security@grscia.ae
Legal/Compliance	compliance@grscia.ae
Emergency Hotline	+971501123842
Website	https://www.grscia.ae
Status Page	https://status.grscia.ae

19.2 Regulatory Contacts

For ADHICS-related inquiries:

Abu Dhabi Health Information Security Program: aamen@doh.gov.ae
ADHICS Standard Inquiries: adhics@doh.gov.ae
DoH Security Operations Center: soc@doh.gov.ae, +971 2 419 3777

20. ACKNOWLEDGMENT

By accepting this Service Level Agreement, Customer acknowledges that:

Customer has read and understood all terms and conditions herein
Customer agrees to be bound by the obligations set forth in this SLA
Service Credits are Customer's sole remedy for SLA availability breaches
Customer is responsible for its own ADHICS compliance program
Customer will maintain accurate contact information for notifications
Customer will cooperate with security incident response procedures
This SLA is valid for 1 year and auto-renews unless terminated per Section 12

Document Information:

Field	Value
Document Reference	GRSCIA-SLA-2025-V2.0
Version	2.0
Effective Date	January 1, 2025
Last Updated	January 4, 2026
Review Cycle	Annual
Next Review	January 2027
Document Owner	GRSCIA Legal & Compliance
Approval Authority	GRSCIA Management

This Service Level Agreement is designed to meet the requirements of ADHICS V2 Third Party Security (TP) domain and UAE Federal Law No. 2 of 2019 on the Use of ICT in Healthcare.