This Service Level Agreement (this “SLA”) outlines the Tag1 Drupal 7 Extended Support Services (“Services”) provided by Tag1 Consulting, Inc. (“Service Provider”) for your Drupal 7 website(s) after the End of Life (“EOL”) of Drupal 7. This SLA is executed by Service Provider and you (“Client”) and supplements the Tag1 D7ES Terms and Conditions (“Agreement”) available at https://d7es.tag1.com/terms, which govern the relationship between Service Provider and Client. In the event of any conflict between this SLA and the Agreement, the Agreement shall prevail.
By clicking “I Agree,” you, Client, confirm that you have read the terms of this SLA, understand them, and agree to be bound by them. So long as you continue to access the Services, this SLA shall be in effect. If you do not agree with the terms of this SLA, you may not access or use the Services.
We reserve the right, at our sole discretion, to modify or replace this SLA at any time. If a revision is material we will make best efforts to provide at least 30 days' notice prior to any new SLA taking effect. What constitutes a material change will be determined at our sole discretion.
1. Service Description and Performance Metrics
The Service Provider regularly reviews and addresses Drupal 7 security vulnerabilities, helping ensure the ongoing security and integrity of the Client's Drupal 7 website by maintaining up-to-date core software, and contrib modules and themes. The Service Provider agrees to adhere to all applicable laws and regulations in the provision of D7ES and commits to following the policies outlined by the Drupal Security Team, and the Drupal Association Certified D7ES Partner Program.
The Services are available for (a) all Drupal 7 modules and themes that are actively or minimally maintained by the Drupal Security Team when Drupal 7 is designated EOL; and (b) patches are only tested and guaranteed to work on the actively maintained versions of PHP documented at https://docs.tag1.com/faqs/#what-are-the-php-requirements-for-tag1-d7es. All updates provided through the Services will be provided under the same open-source license as Drupal (GPLv2+). Service Provider will provide the Services to maintain the continued security and functionality of Drupal 7 through the plans documented at https://d7es.tag1.com/plans.
Service Provider will provide timely security updates. Response times (“Response Times”) are based on the severity of the vulnerability and are determined using the Drupal Security Risk Calculator available here: https://www.drupal.org/drupal-security-team/security-risk-calculator. Service Provider has agreed to work within the constraints of the Drupal Security Team and the Drupal Association Certified D7ES Partner Program. Service Provider is therefore unable to disclose information about upcoming security issues and cannot apply patches or updates to any Client's prior to their official public announcement and release. Best efforts will be made to release security patches on the same day a vulnerability is publicly disclosed. The Response Times for releasing patches for supported modules and themes are as follows, with the response time starting at public disclosure:
2. Service Level Credit
In the event Service Provider fails to meet the agreed-upon Response Time (“Default”), Client will be entitled to the following exclusive remedy: (a) 25% credit on the monthly fee (based on Client’s plan) for each incident where Response Time is exceeded by more than 50% (a “Service Level Credit”). The maximum Service Level Credit that Client may receive will not exceed 50% of the monthly fee paid by Client to Service Provider. A Service Level Credit shall not be payable unless Client requests it within thirty (30) days following the end of the calendar month in which the Default occurred. Service Level Credits shall be applied against the next invoice, or if Client has made final payment to Service Provider for the Term (as defined below) and no further invoices will be issued, Service Provider shall issue a refund to Client equal to the applicable Service Level Credit within thirty (30) days of Client’s request.
Patch Application (Premium Customers): For Premium customers, Service Provider will not only notify Client when patches are available, as outlined in the Response Times above, but also apply them within 48 hours of patch release. This applies to patches for Drupal 7 core, contributed modules, and themes that are part of the Service.
3. Client Responsibilities
To ensure effective support and security management, Client agrees to:
- Report Defaults through designated support channels provided in their service plan.
- Maintain secure and up-to-date backups of all data.
- Perform careful testing of each update provided by the Service in a non-production environment before applying it to production.
- Ensure that all software installations are current and compliant with Service Provider's guidelines.
Module and Update Disclosure: To facilitate effective security management, Client shall:
- Use the D7ES module to monitor installed modules, or
- Regularly provide Service Provider with an up-to-date list of modules, themes, and dependencies on Client's Drupal 7 website. This ensures that Service Provider has accurate information about the installed modules and can provide relevant security updates.
4. Reporting
Service Provider shall, once in any calendar quarter, publish a written report regarding Service Provider’s compliance with the Response Time performance requirements specified above. Client may independently audit the report at its sole cost and expense.
5. Security Vulnerability Process
As part of the Services, Service Provider shall implement a vulnerability management process in accordance with Drupal Security Team standards and the Drupal Association Certified D7ES Partner Program. The process includes:
- Confidentiality measures to protect reported vulnerabilities until a public disclosure is made.
- Review and evaluation of reported and confirmed vulnerabilities in all versions of Drupal, assessing their impact on Drupal 7 core, contributed modules, and themes.
- Creation, review, and testing of security fixes to security issues impacting Drupal 7.
- Public reporting of vulnerabilities in accordance with industry best practices.
Client Communication: Due to the potential impact on modern Drupal installations and the need to protect the broader Drupal community, vulnerability information will not be shared directly with Client until public disclosure is made. This ensures that sensitive information is not inadvertently revealed, which could potentially compromise the security of other Drupal versions and sites.
6. Exclusions
This SLA does not cover issues arising from (a) modules that have been custom-developed or modified by Client; (b) modules that break due to changes in third-party APIs; (c) modules that are under a closed license or are otherwise not open-source; (d) modules that are insecure or unmaintained as of January 5, 2025.