Support Services & SLAs

Last Updated: January 24, 2025
Version 3.1

Blackwell Security, Inc. (“Blackwell”) | Support Services

1. Service Level Agreements:

This Service Level Agreement applies to the Blackwell Security Essentials and Advanced Managed Healthcare Detection and Response (MHXDR) offerings.

Definitions:

  1. “Scheduled Downtime” means the total amount of time during any calendar month, measured in minutes, during which Customer is not able to access Blackwell Pulse due to planned system maintenance performed by Blackwell. Blackwell will provide Customer with reasonable prior notice of such Scheduled Downtime.
  2. “Total Monthly Time” means the total minutes in the relevant calendar month less Scheduled Downtime. For any partial calendar month during which Customer subscribes to the Service, availability will be calculated based on the entire calendar month, not just the portion for which Customer subscribed.
  3. “Unscheduled Downtime” means the total amount of time during any calendar month, measured in minutes, during which the Customer is not able to access the features and functions of Blackwell Pulse including e-mail notifications, other than Scheduled Downtime, as defined above. Unscheduled Downtime shall not include any period during which Blackwell Pulse is unavailable as a result of (i) non-compliance by Customer with any provision of this SLA; (ii) incompatibility of Customer’s equipment or software with the Blackwell Service; (iii) actions or inactions of Customer or third parties; (iv) account suspension or termination due to Customer’s breach of the Terms; (v) acts or omissions of Customer or Customer’s employees, agents, contractors, or vendors, or anyone gaining access to Blackwell Pulse by means of Customer’s passwords or equipment; (vi) performance of Customer’s systems or the Internet; (vii) any systemic Internet failures; (viii) network unavailability or Customer’s bandwidth limitations; (ix) any free, proof-of-concept, beta, design/founding partner, or unpaid trial services; or (x) Scheduled Downtime.
  4. “Blackwell Pulse Availability” means, with respect to any particular calendar month, the difference between Total Monthly Time and Unscheduled Downtime, divided by the Total Monthly Time. Blackwell Pulse Availability for any particular calendar month is determined as follows:

Blackwell Pulse Availability = (Total Monthly Time - Unscheduled Downtime) / Total Monthly Time

Performance and Remedy for Breach:

  1. Blackwell Pulse Availability. Blackwell will undertake commercially reasonable measures to ensure that Blackwell Pulse Availability equals or exceeds ninety-nine point nine-five percent (99.95%) during each calendar month.
  2. Credits Against Fees: In the event Blackwell Pulse does not meet or exceed the 99.95% Blackwell Pulse Availability SLA, Customer will be entitled to credits against its next invoice as set forth in this table.

Blackwell Pulse Availability    Credit as a Percentage of One Month of Service
99.95%-100%                     0% of the Monthly Fee
99.00%-99.94%                   2% of the Monthly Fee
95.00%-98.99%                   5% of the Monthly Fee
Less than 95%                   10% of the Monthly Fee

  3. Customer’s rights to Service Credits are Customer’s sole and exclusive remedy with respect to any Unscheduled Downtime, and the maximum amount of Service Credits that Blackwell will issue to Customer for Unscheduled Downtime in a single calendar month will not exceed 10% of the Monthly Fee.
  4. Service Credits: to receive a Credit, Customer must provide written notice to Blackwell seeking the Credit within five (5) days following the end of the calendar month in which the Blackwell Pulse Availability SLA was not met, providing a reasonable amount of detail, including the date and time of the Unscheduled Downtime, to support the claim. If Customer fails to request any Service Credits to which Customer is entitled, Blackwell will have no obligation to issue such Service Credits to Customer.

2. Overage Terms:

If Customer exceeds contracted capacity included in an applicable Order Form by 5%, then Customer will need to upgrade to the next quantity or Service tier within 30 days to get back into compliance.

  1. GB/Day is measured against the daily average over the course of each month.
  2. Assets and user counts include all assets and users seen over the course of each month.
  3. For Managed Add-Ons, capacity is limited to the quantity referenced in the Order Form for each respective defined Unit of Measure.

3. On-Demand Services:

On-Demand Services will be performed at a rate of $350/hour unless specifically agreed to in an applicable Order Form. Examples of On-Demand Services include, but are not limited to:

  1. Additional Blackwell Declared Security Incident coverage beyond the included capacity within each Service Offering.
  2. Blackwell support for manual investigations of activity identified by the Customer outside of Blackwell Pulse, or Blackwell support for Customer-requested security investigations.
  3. Extended Red/Blue Team exercise participation.
  4. Advisory Services.

4. Service Descriptions

4.1 MHXDR Essentials Service

4.1.1 Unify

Blackwell will ingest data from Included Sources for each respective Service. Included Sources means the class of supported technologies connected with each Blackwell Service Offering as outlined and defined here. Customers must have active subscriptions to these technologies, and vendors must support the integration. In its sole discretion, Blackwell may add, remove, and change the Included Sources across its Offerings from time to time. If changes occur on the vendor side, Blackwell reserves the right to address these changes as deemed appropriate. Specific products referenced below are for example only, and the current list of Supported Products for each Included Source can be found on Blackwell’s Supported Product List.

  1. On-Premise IT Infrastructure: On-premise infrastructure, network, and operating system logs. May be collected via connection to an existing customer-owned and managed SIEM or directly collected via a Blackwell collector or agent.
  2. Identity Platform: Standard on-premise and cloud identity providers (AD, AAD, Google, LDAP, etc.), centralized identity management providers (Okta, Imprivata, SailPoint, etc.), multifactor authentication providers, and privileged access management providers.
  3. Network Data: Security events and packet data from network and IPS/IDS solutions such as Palo Alto, Cisco, Fortinet, etc.
  4. Endpoint Protection: Event and alert data from Endpoint Protection and Next-Gen AV solutions, such as CrowdStrike, SentinelOne, Cortex XDR, FortiEDR, etc.
  5. Productivity: Events and alerts from Microsoft M365 or Google Workspace productivity suites, dependent upon the level of licensing procured and deployed by customer IT teams.
  6. Email Phishing Response: Client-identified phishing investigation, containment, and cleanup submitted to the Blackwell Phishing inbox. Does not include integration with an enterprise email security solution.
  7. Infrastructure Vulnerability: Traditional network-based vulnerability scans, web application scans, or continuous agent-based vulnerability data are ingested to identify emerging or new zero-day threats and to enrich organizational context for threat detections.
  8. Cloud Infrastructure: Security logs and alerts from major cloud providers, such as AWS CloudTrail or CloudWatch logs, Azure security logging and auditing or Azure Monitor, and Google Cloud Logging.
  9. Cloud Security Posture Management: CSPM, or the examination of cloud configurations against Center for Internet Security (CIS) Benchmarks for potential vulnerabilities or exploitable misconfigurations. This includes identification and notification only; it does not include remediation or policy enforcement.
  10. Clinical Apps Authentication Logging: Ingestion of a limited set of Clinical Application logs, which typically includes the authentication security logging provided by EHR application vendors and other clinical applications. Typically, this covers authentication logging of local and privileged accounts and does not include all clinical application audit logs.

4.1.2 Analyze

  1. Threat Detection: Detect threats using alert-level and application-level data ingested (from offering-level included sources) combined with signature, rule, and UEBA analytics.
  2. Advanced Threat Detection: Detect threats using alert-level, application-level data, and raw data ingested from Client security solutions combined with advanced analytics, behavioral-based detection, machine learning, anomaly detection, and more.
  3. Threat Intelligence Enrichment: Provide signature-based automated threat intelligence sources and enrichment to enhance threat detection.
  4. Cloud Security Posture Management: Discover assets in cloud environments (AWS, GCP, and Azure), evaluate cloud workloads against security guidelines defined by the Center for Internet Security (CIS) for misconfigurations, and then scan active workloads for vulnerabilities weekly. When the scan runs, a snapshot of all cloud workloads in a region is taken using the snapshot APIs of the cloud service provider. These are then analyzed for vulnerabilities.
  5. Security Control Asset Coverage: Asset mapping and monitoring to identify assets and provide clear security control coverage details. Identify security control coverage gaps for resolution to enhance security posture.
  6. MITRE ATT&CK Coverage: Attack surface mapping and monitoring to identify vulnerabilities or misconfigurations within the supported environment. Provide prescriptive recommendations to reduce client risk exposure to identified gaps and develop tailored plans to enhance coverage across the MITRE ATT&CK framework.
  7. Phishing Triage: Automated phishing email triage. Analyze email and attachments for indicators of compromise.

4.1.3 Response & Remediation

  1. Response Ops: Create a record to track investigation efforts with an appropriate priority based on data from the original system that identified a threat combined with enrichment data from related security systems to contextualize the threat.
  2. Escalate to Client: Blackwell will deliver standardized recommendations that are supported by known healthcare industry best practices. Client is responsible to implement recommendations.
  3. Security Incident Management Essentials: Blackwell will provide a supporting role during a declared security incident, including simulated security incidents (also known as tabletop exercises). That role includes guidance only; requests related to forensic efforts will be supported, but not led, by Blackwell. Blackwell will not draft any statements, incident reports, or similar documents for the client.
  4. Dashboards and Reporting: Blackwell will provide client with access to the Pulse portal.

4.2 MHXDR Advanced Service

4.2.1 Unify

Blackwell will ingest data from Included Sources for each respective Service. Included Sources means the class of supported technologies connected with each Blackwell Service Offering as outlined and defined here. Customers must have active subscriptions to these technologies, and vendors must support the integration. In its sole discretion, Blackwell may add, remove, and change the Included Sources across its Offerings from time to time. If changes occur on the vendor side, Blackwell reserves the right to address these changes as deemed appropriate. Specific products referenced below are for example only, and the current list of Supported Products for each Included Source can be found on Blackwell’s Supported Product List.

  1. On-Premise IT Infrastructure: On-premise infrastructure, network, and operating system logs. May be collected via connection to an existing customer-owned and managed SIEM or directly collected via a Blackwell collector or agent.
  2. Identity Platform: Standard on-premise and cloud identity providers (AD, AAD, Google, LDAP, etc.), centralized identity management providers (Okta, Imprivata, SailPoint, etc.), multifactor authentication providers, and privileged access management providers.
  3. Network Data: Security events and packet data from network and IPS/IDS solutions such as Palo Alto, Cisco, Fortinet, etc.
  4. Endpoint Protection: Event and alert data from Endpoint Protection and Next-Gen AV solutions, such as CrowdStrike, SentinelOne, Cortex XDR, FortiEDR, etc.
  5. Productivity: Events and alerts from Microsoft M365 or Google Workspace productivity suites, dependent upon the level of licensing procured and deployed by customer IT teams.
  6. Email Phishing Response: Client-identified phishing investigation, containment, and cleanup submitted to the Blackwell Phishing inbox. Does not include integration with an enterprise email security solution.
  7. Cloud Infrastructure: Security logs and alerts from major cloud providers, such as AWS CloudTrail or CloudWatch logs, Azure security logging and auditing or Azure Monitor, and Google Cloud Logging.
  8. Cloud Security Posture Management: CSPM, or the examination of cloud configurations against Center for Internet Security (CIS) Benchmarks for potential vulnerabilities or exploitable misconfigurations. This includes identification and notification only; it does not include remediation or policy enforcement.
  9. Infrastructure Vulnerability: Traditional network-based vulnerability scans, web application scans, or continuous agent-based vulnerability data are ingested to identify emerging or new zero-day threats and to enrich organizational context for threat detections.
  10. Email Flow and Authentication Logs: Email Flow Logs track the movement of emails, including sender and recipient information, timestamps, email subjects, status codes, attachment details, and spam actions. Authentication Logs record system access attempts, capturing user information, timestamps, IP addresses, authentication methods, success or failure statuses, device details, and error messages.
  11. Data Security: Commonly referred to as Data Loss Prevention and/or Data Security Posture Management tools. Ingestion contains alerts only; all metadata will remain within the DLP solution to prevent incidental PHI exposure.
  12. SaaS Applications: To the extent made available by the SaaS application vendor via an API connection, Identity Logs and Security Alerts are included. Complete application logs (i.e., observability or application performance logs) are not included.
  13. Healthcare/Medical Connected Device Security: Passive security solutions for identifying Connected Medical Devices and vulnerabilities, such as Claroty/Medigate, Palo Alto, Cynerio, Phosphorus, and others.
  14. Clinical Apps Authentication and Audit Logging: Ingestion of a custom set of Clinical Application logs, including root and privileged administrator authentication security logging provided by EHR application vendors and other clinical applications. Typically, this includes authentication logging of local and privileged accounts and may include limited clinical application audit logs related to improper access or data exporting and reporting.

4.2.2 Analyze

  1. Threat Detection: Detect threats using alert-level and application-level data ingested (from offering-level included sources) combined with signature, rule, and UEBA analytics.
  2. Advanced Threat Detection: Detect threats using alert-level, application-level data, and raw data ingested from Client security solutions combined with advanced analytics, behavioral-based detection, machine learning, anomaly detection, and more.
  3. Client Threat Profiling: Identify elements of a client’s organizational profile that are relevant to their cyber security threat profile, map those elements to assets within the client’s environment, and use the resulting data to enrich threat intelligence findings.
  4. Threat Intelligence Enrichment: Leverage signature-based automated threat intelligence and Blackwell-curated threat intelligence sources to enrich and enhance threat detection.
  5. Dedicated Threat Intelligence Enrichment: Leverage customer dedicated threat intelligence sources to enhance threat detection. Customer is required to provide active dedicated threat intelligence feed subscription, and grant necessary access roles to Blackwell Security.
  6. Dark Web Monitoring: Leverage Blackwell curated dark web monitoring sources to enhance threat detection and preventative actions.
  7. Threat Hunting: Combines curated intelligence with contextual, risk-aware approaches to identify threats and prioritize response. When a threat is detected across any customer, Blackwell hunts for it across the client’s environment. Threat hunts operate both proactively and reactively to look for relevant behaviors and indicators of compromise from significant cybersecurity events or zero-day vulnerabilities. Threat hunting effectiveness is contingent upon the variety and depth of data sources supplied by the client.
  8. Cloud Security Posture Management: Discover assets in cloud environments (AWS, GCP, and Azure), evaluate cloud workloads against security guidelines defined by the Center for Internet Security (CIS) for misconfigurations, and then scan active workloads for vulnerabilities weekly. When the scan runs, a snapshot of all cloud workloads in a region is taken using the snapshot APIs of the cloud service provider. These are then analyzed for vulnerabilities.
  9. Security Control Asset Coverage: Asset mapping and monitoring to identify assets and provide clear security control coverage details. Identify security control coverage gaps for resolution to enhance security posture.
  10. MITRE ATT&CK Coverage: Attack surface mapping and monitoring to identify vulnerabilities or misconfigurations within the supported environment. Provide prescriptive recommendations to reduce client risk exposure to identified gaps and develop tailored plans to enhance coverage across the MITRE ATT&CK framework.
  11. Improper PHI Handling: Identification of PHI or potential PHI to correctly prioritize response escalation, contain, and remove PHI from non-clinical systems.
  12. Phishing Triage: Automated phishing email triage. Analyze email and attachments for indicators of compromise, including isolated malware payload detonation.

4.2.3 Response & Remediation

  1. Response Ops: Create a ticket to track investigation efforts with an appropriate priority based on data from the original system that identified a threat combined with enrichment data from related security systems to contextualize the threat.
  2. Automated Containment: Blackwell will automate asset and user containment and will notify client of automated actions. Client is required to provide and implement an active Endpoint Protection subscription, and/or an Identity Security subscription, and must configure correct roles and access to permit Blackwell Security actions.
  3. Escalate to Client: Blackwell will notify client of recommended corrective actions customized to the client provided risk priorities. Client is responsible to implement corrective actions for environments that are out of the scope of Blackwell services.
  4. Security Incident Management Advanced: Blackwell will integrate its best practices with the customer-provided incident management process by providing a supporting role during a declared security incident, including simulated security incidents (also known as tabletop exercises). Requests related to forensic efforts will be supported, but not led, by Blackwell. Blackwell will draft incident reports with client assistance. Client must declare a formal incident and will be responsible for providing their incident management process and collaborating with the Blackwell team to ensure accurate and comprehensive incident documentation. Client owns risk management and the incident management process, including the scheduling of meetings and assignment of an incident commander.
  5. Dashboards and Reporting: Blackwell will provide client with access to the Pulse portal.