Operations

SLA, BCP, DR, Incident Response, Architecture.

Procurement-grade operational documents. Honest, factual, written for the security questionnaire reviewer. Last reviewed June 2026.

Service Level Agreement

Uptime, response, and credits.

Uptime target: 99.5% per calendar month (Pro+ tiers)
Uptime target — Enterprise: 99.9% per calendar month, with credits
Maintenance window: Sunday 06:00–10:00 UTC; advance notice for any window over 30 minutes
Critical incident response: within 1 hour, 24×7 (Enterprise); within 1 business day (Pro)
High-priority response: within 4 business hours (Enterprise); 1 business day (Pro)
Service credits: Enterprise: 10% credit if monthly uptime <99.9%, 25% credit if <99.0%, 50% credit if <95.0%. Credit applied to next month's invoice.
Status page: Vercel + Supabase status feeds aggregate at gettaktly.com/status (in progress)

What we measure: HTTP availability of the public app surface plus authenticated workspace surface. Maintenance windows are excluded from uptime calculation. Force majeure (carrier outage, certificate authority failure, regional cloud outage) is excluded.

What we don’t measure: degraded LLM-assist performance from the underlying model provider (OpenAI). LLM-assist is best-effort and not part of the uptime SLA.

Business Continuity Plan

What keeps the business running.

Taktly is operated by a single founder backed by managed cloud providers (Supabase for data, Vercel for compute, Stripe for billing, Resend for email). The BCP focuses on the two failure modes that actually break a SaaS this size: founder unavailability and provider outage.

Founder availability

Vernon Lee is the named operator. Email and phone are documented in the customer MSA at signing.
A continuity contact (named at MSA signing) holds emergency access credentials and a runbook covering provider login, billing, customer notification, and known-issue resolution.
Customer data exports (per-project JSON; full org export at Enterprise tier) are available within 24 hours of request even if the founder is unavailable.

Provider continuity

Supabase: SOC 2 Type II, point-in-time recovery (7-day default; 30-day Enterprise), automated daily backups, managed Postgres replication.
Vercel: SOC 2 Type II, ISO 27001, global edge network with automatic failover; us-east-1 primary.
Stripe / Resend: SOC 2-attested; non-blocking for customer workspace operations (billing + email are async).

Communication

Status posted to gettaktly.com/status during any incident affecting customer access.
Direct email notification to all org admins for incidents lasting longer than 30 minutes.
Post-incident review (root cause + remediation) shared with enterprise customers within 5 business days.

Disaster Recovery

RTO 4 hours · RPO 1 hour.

RTO (Recovery Time Objective): 4 hours from incident declaration
RPO (Recovery Point Objective): 1 hour maximum data loss in worst-case provider failure
Backup frequency: continuous WAL archive + daily snapshot (Supabase managed)
Backup retention: 7 days standard, 30 days Enterprise
Backup encryption: AES-256 at rest, TLS 1.2+ in transit
Restore testing: quarterly full-stack restore drill into a staging environment

Recovery procedure summary

1. Incident declared by founder or continuity contact (severity 1 or 2).
2. Status page updated; all org admins notified within 30 minutes.
3. Provider escalation opened (Supabase Pro support ticket; Vercel Enterprise support if applicable).
4. If provider-level outage persists past 2 hours, restore from latest point-in-time snapshot to a parallel project, swap DNS, validate smoke tests, restore service.
5. Post-incident review within 5 business days; runbook updated.

Incident Response Plan

Detect, contain, eradicate, recover, learn.

Taktly follows a NIST 800-61-aligned incident response lifecycle. Severity classification determines escalation path and customer notification timeline.

Severity classification

Sev 1 — Critical: confirmed data breach, prolonged outage (>1h), customer data integrity loss. Founder + continuity contact paged immediately.
Sev 2 — High: suspected breach under investigation, partial outage, authentication compromise. Founder paged within 30 minutes.
Sev 3 — Medium: performance degradation, single-tenant issue, security finding under investigation. Acknowledged within 4 business hours.
Sev 4 — Low: cosmetic, non-impacting findings. Acknowledged within 1 business day.

Customer notification timelines

Personal data breach (Sev 1): affected customers notified within 72 hours of confirmed breach (GDPR Article 33 alignment).
Service outage (Sev 1/2): status page updated within 30 minutes; org admins emailed for incidents over 30 minutes.
Security finding (Sev 3/4): included in monthly security update for Enterprise customers.

Lifecycle

1. Detection: Vercel + Supabase alerts, customer reports to security@gettaktly.com, monthly access audit.
2. Containment: revoke compromised credentials, rotate keys, block IP ranges if applicable, isolate impacted tables via RLS-tightening.
3. Eradication: root-cause analysis, patch deployment, regression testing.
4. Recovery: phased traffic restoration with monitoring; full restore confirmation within RTO.
5. Lessons learned: post-incident review document shared with Enterprise customers; runbook updated.

Reach security

security@gettaktly.com — monitored daily. PGP key available on request for sensitive disclosures. Responsible disclosure honored; we do not pursue legal action against good-faith researchers.

Architecture

What runs where.

Taktly is a SaaS in which each organization is its own tenant, running on managed cloud infrastructure. Tenant isolation is enforced at the application layer (organization membership + Postgres Row-Level Security policies): every customer's data is logically isolated within a shared database and is never co-mingled at the row level.

Stack

Application: Next.js 16 on Vercel (us-east-1 primary, global edge cache)
Database: Postgres on Supabase (us-east-1)
Authentication: Supabase Auth (email/password today; SAML 2.0 SSO + SCIM 2.0 on Enterprise roadmap)
File storage: Supabase Storage (S3-compatible, AES-256 at rest)
Background jobs: Vercel Functions + Supabase Edge Functions (us-east-1)
LLM-assist: OpenAI API, single-shot, no retention, never used to train any model
Email: Resend (transactional only)
Billing: Stripe (PCI-DSS Level 1)
Monitoring + logs: Vercel Analytics, Supabase Logs, application-level audit trail in automation_events table

Network + isolation

All HTTP traffic terminates at Vercel TLS 1.2+ (HSTS enabled, modern cipher suites only).
Database access requires Postgres role + JWT verification; no public direct database connection allowed.
Per-org data isolation enforced by Postgres Row-Level Security policies tied to auth.uid() + org_members membership.
Service-role keys live only in Vercel server environment; never exposed to the browser.
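As an added illustration of the per-org isolation described above (example SQL, not Taktly's own schema or policies), the following shows an org_members table, a projects table keyed by org_id, and Postgres RLS policies that use Supabase's auth.uid() so a caller can only read or write rows belonging to organizations they are a member of. Column names and the is_org_member helper are assumptions; auth.uid(), the authenticated role and auth.users are Supabase built-ins.

```sql
-- Added example (not Taktly's schema). Assumes Supabase's auth.uid() and the
-- built-in "authenticated" role; table and column names are illustrative.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  role    text not null check (role in ('admin', 'member')),
  primary key (org_id, user_id)
);

create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null
);

-- RLS is off by default; without ENABLE no policy applies at all. FORCE also
-- applies the policies to the table owner (roles with BYPASSRLS, such as
-- Supabase's service_role, still bypass RLS, hence keeping that key server-side).
alter table projects enable row level security;
alter table projects force row level security;
alter table org_members enable row level security;

-- Membership check reused by every policy. SECURITY DEFINER lets it read
-- org_members as the function owner, so the caller's own RLS on that table
-- does not hide the rows the check needs.
create or replace function is_org_member(p_org uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from org_members
    where org_id = p_org and user_id = auth.uid()
  );
$$;

-- A user sees only their own membership rows.
create policy org_members_select on org_members
  for select to authenticated using (user_id = auth.uid());

-- Reads and writes on projects are scoped to the caller's organizations.
-- WITH CHECK stops an insert or update from moving a row into another org.
create policy projects_select on projects
  for select to authenticated using (is_org_member(org_id));

create policy projects_insert on projects
  for insert to authenticated with check (is_org_member(org_id));

create policy projects_update on projects
  for update to authenticated
  using (is_org_member(org_id)) with check (is_org_member(org_id));
```

A quick restore-drill style check is to run `select count(*) from projects` with a JWT for a user who belongs to no organization and confirm it returns 0; a non-zero count means a table was left without ENABLE ROW LEVEL SECURITY or a policy is too broad.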

Data flow

Where customer data goes.

Customer data inputs

Project text (problem statement, cause analysis, CAPA, etc.) → Supabase Postgres (us-east-1), encrypted at rest.
File uploads (charts, evidence) → Supabase Storage, per-project, RLS-scoped.
Authentication credentials → Supabase Auth; passwords bcrypt-hashed; Taktly never sees plaintext.

LLM processing path

Customer text sent to OpenAI for sharpening / weak-work detection / chart insight is single-shot: sent for one inference, not retained by Taktly, and never used to train any model.
Per OpenAI’s API agreement, prompts and completions are retained for abuse monitoring for up to 30 days then deleted, and excluded from training.
Enterprise customers can request a configuration that disables LLM-assist entirely if their data classification policy requires it.

Outbound notifications

Email notifications (project updates, approvals, support replies) → Resend.
Billing events → Stripe (no project content; only billing identifiers + amounts).

Logs

Application audit trail (classification, escalation, weak-work flags, exports, approvals) → automation_events table within the customer’s organization scope.
Infrastructure logs (Vercel access logs, Supabase query logs) → 30-day retention, accessible to Vernon for incident investigation only.

Data flow diagram (text-form)

Browser (TLS 1.2+)
   │
   ▼
Vercel Edge ──────► Vercel Functions (us-east-1)
                          │
                          ├──► Supabase Postgres (us-east-1) [AES-256, RLS]
                          ├──► Supabase Storage (us-east-1) [AES-256, RLS]
                          ├──► OpenAI API (single-shot, no training)
                          ├──► Resend (transactional email)
                          └──► Stripe (billing only)

All boundaries: TLS 1.2+ | All data at rest: AES-256 | All access: JWT + RLS

Need pre-filled SIG Lite, HECVAT, or CAIQ Full? Request the procurement package.