“We’ll do better next quarter.” That’s what your BGV vendor told you last quarter. And the quarter before that. Your TA lead still has 15% of checks missing the TAT target. Your VP HR still can’t explain the cost overruns. The reason nothing changes? You have a service agreement, not a service level agreement. One has expectations. The other has consequences.
What Belongs in a BGV SLA
TAT Guarantees by Check Type (Not a Single Blanket Number)
Most vendors offer “average TAT of 48 hours.” That’s meaningless. Negotiate separate commitments:
| Check Type | Target TAT | Maximum TAT |
| Identity (Aadhaar/PAN) | 4 hours | 24 hours |
| Criminal database | 24 hours | 48 hours |
| Employment (EPFO) | 4 hours | 24 hours |
| Employment (HR outreach) | 5 business days | 10 business days |
| Education verification | 7 business days | 15 business days |
| Address — digital | 24 hours | 48 hours |
| Address — physical (metro) | 5 business days | 10 business days |
| Address — physical (non-metro) | 7 business days | 15 business days |
The “Maximum TAT” column is your P95 equivalent — the vendor commits that 95%+ of checks complete within this window.
Amber Rate Caps
Set maximum amber rates per quarter, benchmarked against industry best practice:
•Overall amber rate: below 5% (IDfy publicly claims 2-4%; use this as your benchmark)
•Employment verification amber: below 8%
•Education verification amber: below 10%
If the vendor exceeds these caps for two consecutive quarters, it triggers a mandatory remediation plan with monthly reviews.
Data Breach Notification (DPDPA-Aligned)
Under DPDPA, you as the Data Fiduciary must notify the Data Protection Board of breaches “without delay” (Section 8(6)). Your vendor must notify YOU within 24 hours of discovering a breach affecting your candidate data. Not 72 hours. Not “as soon as practicable.” Twenty-four hours. This timeline determines whether you can meet your own legal obligations.
Include: initial notification within 24 hours, detailed incident report within 72 hours, root cause analysis within 15 business days, and remediation confirmation within 30 days.
Uptime and Availability
If your TA team in Bangalore uses the vendor platform daily from 9 AM, downtime matters. Negotiate: 99.5% monthly uptime, scheduled maintenance only during 12 AM – 5 AM IST (not during working hours), and unplanned downtime exceeding 4 hours in any month triggers service credit.
Penalty and Credit Structure (SLAs Without Teeth Are Wishes)
TAT penalties: If more than 10% of checks in a quarter miss the Maximum TAT, the vendor provides a 5% service credit on that quarter’s invoice.
Amber rate penalties: If amber rate exceeds the cap for two consecutive quarters, 10% service credit plus mandatory remediation plan.
Breach notification delay: If notification exceeds 24 hours, 15% credit on the quarter’s invoice plus right to audit the vendor’s security practices.
Nuclear option: If TAT SLAs are missed for three consecutive quarters, you have the right to terminate with 30 days’ notice regardless of contract term.
Sample SLA Clause Language
“Provider commits that 95% of Identity Verification checks shall be completed within 24 hours of initiation, and 95% of Employment Verification (HR Outreach) checks shall be completed within 10 business days. Should Provider fail to meet these targets for more than 10% of checks in any calendar quarter, Client shall receive a service credit equal to 5% of that quarter’s total invoiced amount, applied to the following quarter’s invoice.”
Copy that. Adjust the numbers. Hand it to your vendor.
What Vendors Will Push Back On (And Your Response)
“We can’t control university response times.” Your response: “That’s why we set the education amber cap at 10%, not 0%. We’re building in tolerance. If you can’t hit 10%, your follow-up process needs improvement.”
“Penalty structures aren’t industry standard.” Your response: “If you’re confident in your service quality, penalties should never trigger. This protects us both — it gives you a clear target and gives us recourse.”
“72 hours for breach notification is more realistic.” Your response: “Under DPDPA, we must notify the Board ‘without delay.’ If you take 72 hours, we can’t meet our own legal obligations. This isn’t negotiable.”
SpringVerify’s standard SLAs include TAT guarantees by check type, proactive escalation protocols, and performance dashboards that both parties can monitor in real-time — because a 4.9-star rating across 5,800+ reviews comes from consistently meeting commitments, not just making them.
Key Takeaways:
•Negotiate TAT commitments by check type with both Target and Maximum columns — blanket numbers are meaningless
•Set amber rate caps with quarterly review triggers — use IDfy’s public claims (2-4%) as your benchmark
•Data breach notification must be 24 hours to enable your DPDPA compliance — this is non-negotiable
•Include specific penalty percentages and a nuclear termination clause for sustained underperformance
•Copy the sample SLA clause language, adapt the numbers, and hand it to your vendor tomorrow
