Service Level Agreement
A service level agreement, or simply SLA, defines the level of service you expect from a vendor, laying out the metrics by which service is measured, as well as remedies or penalties should agreed-on service levels not be achieved. An SLA sets the tone between an API producer and consumer and can be communicated as part of API change management practices.
Also known as: SLA, SLO, SLI, Service Level Objective, Service Level Indicator
Example
Standards
- ISO/IEC 19086-1 — Cloud SLA Framework and Terminology
- ISO/IEC 19086-2 — Metric Model
- ISO/IEC 19086-3 — Core Requirements
- ISO/IEC 19086-4 — Security and PII Protection
- OpenSLO (community)
- IETF RFC 9457 — Problem Details for HTTP APIs
- Google SRE — SLI / SLO / SLA terminology
- schema.org serviceArea
HTTP Headers
| Header | Direction | Spec | Description |
|---|---|---|---|
| Retry-After | response | RFC 9110 §10.2.3 | Hint to the client when service is expected to recover after a degradation. |
| Content-Type | response | RFC 9457 | application/problem+json for SLA-breach error responses. |
Status Codes
- 503 Service Unavailable — RFC 9110 §15.6.4 — Service temporarily unavailable; typically counted against availability SLOs.
- 504 Gateway Timeout — RFC 9110 §15.6.5 — Upstream timeout; commonly part of latency SLO measurement.
- 429 Too Many Requests — RFC 6585 §4 — May indicate the consumer exceeded the tier covered by their SLA.
Media Types
- text/html — SLA documents are typically published as HTML.
- application/yaml — OpenSLO uses YAML manifests.
- application/problem+json — RFC 9457 — Used for structured SLA-breach error responses.
OpenAPI Expression
- info.termsOfService (OpenAPI 3.x) — Frequently points to the SLA or links to it from the terms page.
- info.x-sla (OpenAPI extension (vendor)) — No standard OpenAPI field for SLAs; commonly carried as an extension.
Governance Rules
- info-contact (Spectral built-in) — Customers need an owner to escalate SLA breaches to.
- info-license (Spectral built-in) — License and SLA are commonly cross-referenced in API metadata.
Risk & Compliance
Compliance:
- ISO/IEC 27001 A.15 — supplier relationships and service delivery
- SOC 2 A1.1 — availability commitments
- HIPAA Business Associate Agreements — often reference uptime SLAs
- GDPR Art. 28 — processor agreements typically include service-level terms
- FedRAMP / NIST SP 800-53 SA-9 — external information system services
Security: SLA documents publicly disclose architectural commitments (regions, failover, RTO/RPO). Avoid leaking internal incident-response playbooks; keep credits and remedies precise to avoid ambiguity during incidents.
Tools
- Nobl9 — SLO platform
- Sloth — Prometheus SLO generator (Apache-2.0)
- Pyrra — Open-source SLO (Apache-2.0)
- Datadog SLOs — Observability SLO
- Grafana SLO — Observability SLO
- PagerDuty — Incident response
Suggested Metrics
- availability — Fraction of time the service is up versus the SLA target (e.g. 99.9%).
- latency_p95_ms — 95th-percentile request latency over the measurement window.
- latency_p99_ms — 99th-percentile request latency over the measurement window.
- error_budget_burn_rate — Rate of consumption of the allowed error budget for an SLO.
- mttr_minutes — Mean time to recover from incidents counted against the SLA.
- sla_credit_issued — Dollar value of service credits issued for breaches in the period.
Example Implementations
- AWS — Per-service SLAs with tiered credit percentages by monthly availability.
- Google Cloud — Service-specific SLAs published per product with credit schedules.
- Microsoft Azure — Per-service SLAs aggregated into a single SLA portal.
- Stripe — API uptime SLA published for enterprise customers.
Related Properties
Tags
- Change
- Legal
- Agreements