Service Level Agreement

Last updated: April 13, 2026 · Phoenix Holdings LLC

1. Introduction

This Service Level Agreement (“SLA”) sets forth the service availability commitments, support standards, and remedial measures that Phoenix Holdings LLC (“Provider,” “we,” “our,” or “us”) extends to all customers (“Customer,” “you,” or “your”) of the Deal Matrix CRM platform (“Service” or “Platform”).

This SLA is incorporated into and subject to the Deal Matrix CRM Terms of Service (“ToS”). This SLA should also be read in conjunction with our Privacy Policy and Data Processing Agreement (“DPA”), each available at dealmatrixcrm.com/legal. In the event of a conflict between this SLA and the ToS, the ToS shall control unless this SLA explicitly states otherwise. In the event of a conflict between this SLA and the DPA with respect to the processing of personal data, the DPA shall prevail.

We may update this SLA from time to time. If we make material changes that reduce our service commitments, we will notify you at least thirty (30) days in advance by email or in-app notification. Continued use of the Service after the effective date of a revised SLA constitutes your acceptance of the updated terms. Material reductions in service commitments shall not apply to your current subscription term until renewal.

2. Definitions

“Availability” means the percentage of time the Service is operational and accessible during a given calendar month, calculated as described in Section 3.

“Core Functionality” means the primary CRM functions of the Platform, including deal and pipeline management, contact management, organization and user authentication, and data storage and retrieval. Ancillary features such as calendar sync, email notifications, PDF generation, CSV/Excel import/export, and AI-assisted field mapping are not Core Functionality for purposes of Downtime calculation.

“Customer Data” has the meaning given to it in the Terms of Service, and generally means all data, content, files, and information that you or your Authorized Users upload, store, transmit, or process through the Service, including deal records, contact information, documents, and organization-level configurations. For the avoidance of doubt, Customer Data does not include account registration information, usage analytics, or aggregated de-identified data.

“Downtime” means any period during which Core Functionality is materially unavailable to a majority of users within your Organization, excluding Scheduled Maintenance and Excused Downtime. For clarity, degradation or unavailability of a non-core ancillary feature does not constitute Downtime, though it may constitute an Incident.

“Scheduled Maintenance” means planned maintenance of which we provide at least seventy-two (72) hours’ advance notice, typically performed between 2:00 AM and 6:00 AM Central Time on weekends.

“Excused Downtime” means unavailability resulting from: (a) Force Majeure events; (b) your acts or omissions, including misconfiguration; (c) your internet connectivity or equipment failures; (d) outages of third-party services beyond our reasonable control, including Supabase, Clerk, Vercel, Cloudflare, Resend, or Google API outages; or (e) actions we take at your express request.

“Incident” means any unplanned interruption or degradation in the quality of the Service, whether or not it constitutes Downtime.

“Service Credit” means a credit applied to your account, calculated as a percentage of your monthly subscription fees for the affected month. If you are on an annual or other non-monthly billing cycle, your monthly subscription fees for purposes of Service Credit calculation shall be determined by dividing the total fees for your current billing cycle by the number of months in that cycle.

“Response Time” means the time between our receipt of a support request and our initial substantive acknowledgment.

“Resolution Time” means the time between our receipt of a support request and the deployment of a fix, workaround, or mitigation that materially restores service.

“Business Hours” means Monday through Friday, 8:00 AM to 6:00 PM Central Time, excluding U.S. federal holidays.

“Sub-processor” means any third-party service provider that processes Customer Data on our behalf in connection with the Service, as identified in our Sub-processor List maintained at dealmatrixcrm.com/legal/sub-processors.

3. Service Availability

3.1 Tiered Uptime Commitment

Our Uptime Commitment varies by subscription plan:

Availability is calculated as:

Availability (%) = [(Total Minutes in Month – Downtime Minutes) / Total Minutes in Month] × 100

3.2 How We Measure Uptime

We monitor Availability using Sentry and supplemental synthetic monitoring at five-minute intervals from geographically distributed checkpoints. A five-minute interval counts as Downtime if Core Functionality returns HTTP 5xx errors or fails to respond to health-check requests for a majority of checkpoint locations during that interval.

3.3 Infrastructure and Sub-processors

The Platform runs on Vercel’s serverless infrastructure with Cloudflare DNS, Supabase PostgreSQL for data storage, Supabase Storage for file storage, and Clerk for authentication. These providers, along with Resend (transactional email), Google APIs (calendar sync), and Sentry (error monitoring), are Sub-processors as defined in our DPA. We maintain a current Sub-processor List at dealmatrixcrm.com/legal/sub-processors and will notify you at least thirty (30) days before adding or replacing a Sub-processor, in accordance with the DPA.

We are responsible for our application code and configuration. We do not guarantee the uptime of underlying Sub-processors, but we use commercially reasonable efforts to select, monitor, and manage them to meet the Uptime Commitment applicable to your plan.

3.4 Scheduled Maintenance

We schedule routine maintenance during low-usage periods (typically weekends, 2:00 AM–6:00 AM Central Time) and provide at least seventy-two (72) hours’ notice. Scheduled Maintenance will not exceed eight (8) hours per calendar month. Emergency maintenance for critical security vulnerabilities or data-integrity risks may occur with shorter notice, but we will use commercially reasonable efforts to provide at least four (4) hours’ advance notice.

4. Service Credits

4.1 Credit Schedule

If we fail to meet the Uptime Commitment applicable to your plan in any calendar month, you are entitled to Service Credits as follows:

4.2 How to Request Credits

To request a Service Credit, email support@dealmatrixcrm.com within sixty (60) days after the end of the month in which the Downtime occurred. Include the dates and times of the claimed Downtime, a description of the impact, and any supporting evidence. We will respond within fifteen (15) business days. We will also proactively notify you via email within ten (10) business days after any month in which Availability falls below your plan’s Uptime Commitment, including the measured Availability percentage.

4.3 Limitations

• Service Credits will not exceed fifty percent (50%) of your monthly subscription fees for the affected month.
• Service Credits are non-transferable and may not be converted to cash or applied to other products.
• Service Credits are your sole and exclusive remedy for our failure to meet the Uptime Commitment, except as otherwise provided in the ToS.
• You are not entitled to Service Credits if your account is in breach of the ToS at the time of the Downtime event.
• Free Trial accounts are not eligible for Service Credits.

5. Support

5.1 Support Channels

• Email: support@dealmatrixcrm.com — Monitored 24/7; responses provided during Business Hours (or 24/7 for Enterprise S1/S2 Incidents).
• In-App Help Center: Self-service documentation, FAQs, and guided troubleshooting, available 24/7.
• Status Page: Real-time system status and incident updates at status.dealmatrixcrm.com.

5.2 Incident Severity and Tiered Response Times

We classify all Incidents by severity. Response and resolution targets vary by plan:

Critical (S1) — Complete outage of Core Functionality; all users unable to access the Platform; confirmed data loss or corruption.

High (S2) — Major feature degradation; authentication failures; database write failures affecting multiple users.

Medium (S3) — Minor feature impairment; slow performance; non-critical integration failures (e.g., calendar sync, PDF generation).

Low (S4) — Cosmetic issues; documentation errors; feature requests.

5.3 Escalation

If an Incident is not resolved within its Resolution Target, escalation occurs automatically:

• First Escalation (1× target exceeded): Engineering Lead assigned; you receive a written status update.
• Second Escalation (2× target exceeded): VP of Engineering or CTO engaged; you receive a dedicated incident manager.
• Third Escalation (3× target exceeded): Executive leadership engaged; you receive a written post-incident report with root cause analysis within five (5) business days of resolution.

6. Data Protection and Security

6.1 Compliance Framework

We process Customer Data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) where applicable. Our processing activities are governed by our Data Processing Agreement (DPA), which is incorporated into and forms part of the ToS. Our Privacy Policy details how we collect, use, and protect information.

6.2 Security Architecture

We implement multi-layered security, including:

• Authentication and Tenant Isolation: Clerk-managed authentication with organization-scoped isolation, custom org-scope helpers (orgWhere, orgValue), and defense-in-depth row-level security (RLS) policies at the database layer.
• Encryption in Transit: All data encrypted via TLS 1.2 or higher, with HSTS, Content Security Policy, and Permissions-Policy headers enforced.
• Encryption at Rest: All Customer Data stored in Supabase PostgreSQL and Supabase Storage is encrypted at rest using AES-256 encryption.
• Input Validation: All API inputs validated via Zod schema validation before processing.
• CSRF Protection: Origin-check-based mutation protection on all state-changing operations.
• Error Monitoring: Real-time error detection and alerting through Sentry.

6.3 Data Backup and Recovery

We maintain the following data protection practices. These are operational targets reflecting our current infrastructure capabilities, not guaranteed commitments subject to Service Credits:

• Automated daily backups of the Supabase PostgreSQL database with point-in-time recovery capability.
• File storage replication (vault documents, logos, valuation files) via Supabase Storage.
• Recovery Point Objective (RPO) target: We target no more than twenty-four (24) hours of data loss in a disaster recovery scenario.
• Recovery Time Objective (RTO) target: We target service restoration within four (4) hours of a declared disaster event.

We will use commercially reasonable efforts to meet these targets and will communicate transparently with affected customers during any disaster recovery event.

6.4 Data Isolation

The Platform uses a multi-tenant architecture with logical data isolation. Your data is scoped to your Clerk Organization and enforced at both the application layer (orgWhere/orgValue helpers in all queries) and the database layer (PostgreSQL RLS policies). We use commercially reasonable technical and organizational measures to prevent cross-tenant data access. In the unlikely event of a data isolation breach, we will promptly notify affected customers in accordance with the breach notification procedures in our DPA and applicable law.

6.5 Data Portability and Deletion

You may export your Customer Data at any time during your subscription using the Platform’s built-in export tools. Export formats include CSV and JSON. Upon termination of your subscription, we will make your Customer Data available for export for a period of thirty (30) days. After the export period, we will delete your Customer Data from our active systems within thirty (30) days. Copies may persist in backup systems for up to ninety (90) additional days before permanent deletion. Upon written request, we will provide written confirmation of deletion. These obligations are described in further detail in Sections 5.6 and 5.7 of the ToS.

6.6 AI-Assisted Features

The Platform includes AI-assisted features, including automated import field mapping, powered by third-party AI providers (currently Anthropic) as identified in our Sub-processor List. When you use AI-assisted features, portions of your Customer Data may be transmitted to and processed by these third-party AI providers for the sole purpose of delivering the requested functionality, in accordance with our DPA.

AI-assisted features are provided on an assistive basis only. Outputs generated by AI features are suggestions and are not guaranteed to be accurate, complete, or suitable for any particular purpose. You are solely responsible for reviewing and validating any AI-generated output before relying on it. AI-assisted features do not constitute professional, legal, financial, or other expert advice. The availability and performance of AI-assisted features are subject to the capabilities and availability of the underlying third-party AI providers and are not subject to the Uptime Commitment or Service Credits.

6.7 Data Residency

Customer Data is stored in Supabase’s cloud infrastructure hosted in the United States. Data may be processed in additional jurisdictions as necessary to provide the Service (e.g., edge computing via Vercel’s global network, authentication via Clerk’s infrastructure). International transfers of personal data are conducted in accordance with the transfer mechanisms described in our DPA and Privacy Policy, including Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework where applicable.

7. Performance Standards

We target the following application performance benchmarks under normal operating conditions:

These targets are measured at the 95th percentile (P95) and are aspirational benchmarks. They are not subject to Service Credits; however, persistent failure to meet them may be addressed during account reviews.

8. Incident Communication

8.1 Notification

We will notify affected customers of Critical (S1) and High (S2) Incidents within the Response Time applicable to your plan via email and status page update. Notifications include a description of the Incident, estimated scope of impact, and estimated time to resolution.

8.2 Ongoing Updates

During active Incidents, we provide status updates at the frequency specified in the severity tables in Section 5.2 for your plan tier. All updates are posted to our status page and delivered by email to your designated contacts.

8.3 Post-Incident Reports

For all S1 and S2 Incidents, we deliver a Root Cause Analysis (RCA) report within five (5) business days of resolution, including a timeline, root cause identification, customer impact assessment, remediation steps, and preventive measures.

8.4 Proactive Availability Reporting

We will proactively notify you via email within ten (10) business days after any month in which measured Availability falls below your plan’s Uptime Commitment. Monthly Availability and performance reports are also available upon request at any time.

9. Your Responsibilities

To help us deliver on these commitments, you agree to:

• Use a current, supported browser (latest two major versions of Chrome, Firefox, Safari, or Edge).
• Maintain reliable internet connectivity sufficient for SaaS application use.
• Safeguard your account credentials and notify us promptly of any suspected unauthorized access.
• Cooperate with us in diagnosing and resolving Incidents, including providing timely access to relevant information when requested.
• Comply with all applicable laws, our Terms of Service, our Privacy Policy, and our Acceptable Use Policy in connection with your use of the Service.
• Observe published API rate limits and usage guidelines. Usage exceeding published rate limits may result in throttling or temporary suspension of API access.
• Designate at least one (1) authorized administrative contact for SLA-related communications.

10. Exclusions

10.1 General Exclusions

This SLA does not apply to Downtime or performance degradation caused by:

• Force Majeure events, including natural disasters, acts of war, terrorism, pandemics, government actions, or other events beyond our reasonable control.
• Outages of third-party Sub-processors, including Vercel, Cloudflare, Supabase, Clerk, Google APIs, Resend, or Sentry, except where the outage results from our misconfiguration.
• Your actions, including misconfigured integrations, API usage exceeding published rate limits, or unauthorized modifications.
• Features designated as “Beta,” “Preview,” or “Experimental.”
• Planned Future Services prior to their Activation Date (see Section 10.2).
• Use of unsupported browsers, operating systems, or network configurations.
• Any period during which your account is suspended for breach of the ToS.
• Free Trial accounts, which are provided “as is” without SLA coverage.

10.2 Planned Future Services — Auto-Activation

The following services are planned for integration but are not yet operational as of the date of this SLA:

Each Planned Future Service automatically becomes subject to this SLA upon its “Activation Date” — the earlier of: (a) the date we announce the service as generally available; or (b) the date it is enabled in production and accessible to you. We will notify you within five (5) business days of each Activation Date.

Before a Planned Future Service’s Activation Date, any issues with that service do not count as Downtime and do not trigger Service Credits.

Services we integrate after the date of this SLA follow the same auto-activation mechanism unless we designate them as “Beta” or “Experimental” at launch.

11. Change Management

We maintain the following practices to ensure reliable, controlled updates to the Platform:

• All code deployments are managed via GitHub with automated deployment to Vercel from the main branch.
• Production deployments pass through a CI/CD pipeline with automated linting (ESLint 9), testing (Vitest with React Testing Library), and validation before release.
• Backward-incompatible API changes are communicated with at least thirty (30) days’ notice.
• Emergency patches for security vulnerabilities or critical bugs may be deployed outside standard windows, with post-deployment notification.

12. Reporting and Review

12.1 Monthly Reports

We make monthly Availability and performance reports available upon request, including uptime percentage, Incidents by severity, and mean time to resolution. For Enterprise plan customers, monthly reports are delivered proactively.

12.2 SLA Review

We review this SLA at least annually or when we make material changes to the Platform’s architecture or infrastructure. You may request a review by providing thirty (30) days’ written notice.

13. Disclaimer of Warranties

Except for the express commitments set forth in this SLA, the Service is provided “as is” and “as available.” To the maximum extent permitted by applicable law, we disclaim all warranties, whether express, implied, statutory, or otherwise, including without limitation any implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We do not warrant that the Service will be uninterrupted, error-free, or free of harmful components, or that any data stored on the Service will not be lost or corrupted.

The foregoing disclaimer shall not apply to the extent prohibited by applicable law, and nothing in this section limits our obligations under the Data Processing Agreement or applicable data protection laws.

14. Indemnification

14.1 Your Indemnification of Us

You agree to indemnify, defend, and hold harmless Phoenix Holdings LLC and its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising from or relating to: (a) your use of the Service in violation of the ToS, this SLA, or applicable law; (b) Customer Data or other content you store, process, or transmit through the Service, including any claim that such data infringes or misappropriates a third party’s intellectual property or privacy rights; or (c) your end users’ use of the Service.

14.2 Our Indemnification of You

We will indemnify, defend, and hold harmless you and your officers, directors, employees, and agents from and against any third-party claim alleging that the Service, as provided by us and used in accordance with the ToS, infringes or misappropriates such third party’s U.S. patent, copyright, or trade secret rights. This obligation does not apply to claims arising from: (a) your modification of the Service; (b) your combination of the Service with products, services, or data not provided by us; (c) your continued use of a version of the Service after we have provided you with a non-infringing alternative; or (d) use of the Service in violation of the ToS.

14.3 Indemnification Procedures

The indemnified party must: (a) provide written notice of any claim within thirty (30) days of becoming aware of such claim; (b) grant the indemnifying party sole control over the defense and settlement of the claim; and (c) provide reasonable cooperation at the indemnifying party’s expense. Failure to provide timely notice shall not relieve the indemnifying party of its obligations except to the extent it is materially prejudiced by such failure. The indemnifying party shall not settle any claim that imposes obligations on the indemnified party without prior written consent.

15. Limitation of Liability

The Service Credits described in Section 4 are your sole and exclusive remedy, and our entire liability, for any failure to meet the service levels in this SLA.

To the maximum extent permitted by applicable law, in no event shall either party’s aggregate liability under this SLA exceed the total fees paid or payable by you for the Service during the twelve (12) months immediately preceding the event giving rise to the claim.

To the maximum extent permitted by applicable law, in no event shall either party be liable for any indirect, incidental, special, consequential, or punitive damages, including without limitation loss of profits, revenue, data, business opportunities, or goodwill, regardless of the theory of liability, even if such party has been advised of the possibility of such damages.

Nothing in this SLA limits liability for: (a) fraud or willful misconduct; (b) gross negligence; (c) breach of confidentiality or data protection obligations under the DPA; (d) either party’s indemnification obligations under Section 14; or (e) liability that cannot be limited under applicable law.

16. Termination Rights and Service Continuity

16.1 Termination for Chronic Underperformance

This SLA remains in effect for the duration of your active subscription. If we fail to meet the Uptime Commitment applicable to your plan for three (3) or more consecutive calendar months, you may terminate your subscription for cause by providing thirty (30) days’ written notice and will receive a pro-rata refund of prepaid, unused fees.

This termination trigger uses consecutive months, meaning a single month in which we meet your Uptime Commitment resets the count. This approach is consistent with industry-standard SaaS agreements and balances accountability with the reality that isolated incidents do not indicate systemic failure.

16.2 Service Discontinuation

If we decide to discontinue the Platform entirely or permanently remove a material feature of Core Functionality, we will provide at least ninety (90) days’ advance written notice to all affected customers. During the notice period, we will:

• Continue to operate the Service at the service levels described in this SLA;
• Make data export tools available so you can retrieve your Customer Data in CSV and/or JSON format;
• Provide reasonable migration assistance upon request, such as guidance on alternative platforms or data formatting.

Upon the effective date of discontinuation, you will receive a pro-rata refund of any prepaid, unused subscription fees. Data retention and deletion following discontinuation will follow the timelines described in Section 6.5 of this SLA, beginning from the effective date of discontinuation.

This Section does not apply to the removal, modification, or replacement of individual ancillary features (such as integrations, UI components, or non-core tools), which are governed by the change management practices in Section 11.

16.3 Survival

Upon termination or expiration of your subscription, this SLA automatically terminates. Sections 4 (Service Credits, to the extent credits have accrued but not yet been applied prior to termination), 6 (Data Protection), 13 (Disclaimer of Warranties), 14 (Indemnification), 15 (Limitation of Liability), 17 (Dispute Resolution), and 18 (General) survive termination.

17. Dispute Resolution

17.1 Informal Resolution

Before initiating any formal dispute resolution, either party shall provide written notice to the other describing the dispute and attempt to resolve it informally within thirty (30) days. Notices to us should be sent to support@dealmatrixcrm.com. Notices to you will be sent to the email address associated with your account.

17.2 Binding Arbitration

If the dispute is not resolved informally within thirty (30) days, it shall be resolved exclusively by binding arbitration administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules then in effect. The arbitration shall be conducted by a single arbitrator selected in accordance with AAA rules. The place of arbitration shall be Cook County, Illinois, or at the mutual agreement of the parties, by videoconference. The arbitrator’s decision shall be final and binding, and judgment upon the award may be entered in any court of competent jurisdiction.

Each party shall bear its own attorneys’ fees and costs in connection with the arbitration, unless the arbitrator determines that a claim or defense was frivolous or brought in bad faith, in which case the arbitrator may award reasonable attorneys’ fees to the other party. The arbitrator shall have the authority to award any relief that a court of competent jurisdiction could award, subject to the limitations set forth in Section 15.

17.3 Class Action and Jury Trial Waiver

You and Phoenix Holdings LLC each agree that any dispute resolution proceedings will be conducted only on an individual basis and not in a class, consolidated, or representative action. You hereby waive any right to participate in a class action lawsuit or class-wide arbitration against Phoenix Holdings LLC.

To the extent permitted by applicable law, both parties waive the right to a trial by jury in any action or proceeding arising out of or relating to this SLA.

17.4 Exceptions to Arbitration

Notwithstanding the foregoing, either party may: (a) seek injunctive or equitable relief in any court of competent jurisdiction to prevent or restrain infringement or misappropriation of intellectual property rights; or (b) bring an individual action in small claims court if the dispute qualifies. Nothing in this section prevents either party from participating in any investigation or proceeding brought by a governmental authority.

18. General Provisions

Entire Agreement. This SLA, together with the ToS, Privacy Policy, DPA, and Acceptable Use Policy, constitutes the complete agreement between you and Phoenix Holdings LLC regarding the subject matter hereof.

Severability. If any provision of this SLA is found invalid or unenforceable, the remaining provisions continue in full force. If the class action waiver in Section 17.3 is found unenforceable, the entirety of Section 17 (Dispute Resolution) shall be null and void, and disputes shall be resolved exclusively in the state or federal courts located in Cook County, Illinois.

Waiver. Our failure to enforce any provision of this SLA does not waive our right to enforce it in the future.

Assignment. You may not assign this SLA without our prior written consent. We may assign this SLA in connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets upon thirty (30) days’ notice to you.

No Third-Party Beneficiaries. This SLA is for the sole benefit of you and Phoenix Holdings LLC. Nothing in this SLA, express or implied, is intended to or shall confer upon any third party (including your end users, employees, or Authorized Users) any rights, benefits, or remedies of any nature whatsoever under or by reason of this SLA.

Notices. Notices under this SLA will be sent to the email address associated with your account. You may send notices to us at support@dealmatrixcrm.com.

Electronic Communications Consent. By accepting this SLA, you consent to receive all notices, disclosures, agreements, and other communications from us electronically, including via email and in-app notifications. You agree that all such electronic communications satisfy any legal requirement that communications be in writing. You are responsible for maintaining a current and valid email address in your account settings, and failure to receive a notice due to an outdated or invalid email address shall not affect the validity of that notice.

Version History. We maintain an archive of prior versions of this SLA. Each version is identified by its “Last Updated” date. In the event of a dispute regarding the terms in effect at a particular time, the version bearing the “Last Updated” date in effect during the applicable period shall control.

Governing Law. This SLA is governed by the laws of the State of Illinois, without regard to conflict of laws principles. Subject to Section 17, any disputes not subject to arbitration shall be resolved exclusively in the state or federal courts located in Cook County, Illinois, and each party consents to the personal jurisdiction of such courts.