Section 7: Support & Maintenance

Once the platform is live, the vendor’s long-term commitment to customer service, system reliability, and regular maintenance becomes critical. This section of the RFP asks vendors to detail the level of support they offer, including service availability, update cycles, incident response, and business continuity plans. These details are essential to ensure the platform performs reliably and securely long after implementation.

‍

Customer and Technical Support

Vendors must outline the support services offered to ensure smooth daily operations and fast issue resolution. This includes both technical and general user support, with clear SLAs and escalation procedures.

• Available support channels (e.g., phone, chat, email)
  
  
• Defined hours of operation for standard and critical support
  
  
• SLA-driven maximum response times for critical, urgent, and non-urgent issues
  
  
• Clear escalation paths for unresolved tickets or outages
  
  
• Clarification of vendor access to client data and authentication procedures
  
  
• Optional premium support offerings (e.g., 24/7 support or US-based teams)
  
  

“Critical issues, such as system outages or security breaches, are responded to within one hour, 24/7. A dedicated emergency support line is available.”

‍

Software Release Cycle and Maintenance

Vendors must describe how the platform is updated and maintained over time, including transparency into release schedules and upgrade processes.

• Schedule and frequency of platform updates (major, minor, patches)
  
  
• Notification timelines and communication channels for upcoming changes
  
  
• Support duration for older versions of the platform
  
  
• QA testing before rollout of any releases or hotfixes
  
  

“Customers are notified two weeks in advance of major releases, with release notes and rollback plans provided.”

‍

Quality Assurance (QA) Related to CRM Releases

Nonprofit platforms often rely on integrations with tools like Salesforce, so compatibility with third-party systems is vital. Vendors must ensure timely QA testing against CRM updates.

• Regression testing procedures for upcoming Salesforce releases
  
  
• Specific QA processes to verify CRM integration stability
  
  
• CRM platform certifications, partnerships, or sandbox testing protocols
  
  

“We test all Salesforce-integrated features against new Nonprofit Cloud releases in a sandbox environment prior to public rollout.”

‍

Timely Updates and Patches

Vendors must commit to quickly resolving bugs and vulnerabilities after launch. The RFP should confirm expectations around patch turnaround.

• Timeframes for addressing security issues or performance regressions
  
  
• Ability to roll out emergency patches
  
  
• Communication plan for informing clients of patch availability
  
  

“Security vulnerabilities are triaged and patched within 72 hours. Clients are notified of the fix with validation steps.”

‍

Service Level Agreement (SLA)

A formal SLA protects the nonprofit from excessive downtime or slow response. Vendors should include an SLA that details platform availability and remediation procedures.

• Minimum uptime percentage (e.g., 99.9% monthly availability)
  
  
• Allowable planned maintenance windows (e.g., 1% of monthly uptime)
  
  
• Compensation or response if uptime drops below agreed levels
  
  
• Process for real-time outage communication and root cause analysis
  
  

“Our SLA guarantees 99.95% uptime, with planned maintenance restricted to midnight–4 a.m. local time. Downtime events are communicated within 30 minutes.”

‍

Disaster Recovery and Business Continuity

Vendors must demonstrate that they can sustain service during unexpected failures. This includes technical redundancy and formal disaster recovery protocols.

• Redundancy infrastructure (e.g., multi-region cloud hosting)
  
  
• Backup intervals and recovery time objectives (RTO/RPO)
  
  
• Business continuity plans for catastrophic failures
  
  

“Data backups occur hourly with a recovery time objective (RTO) of 2 hours. Our infrastructure supports automatic failover across regions.”

‍

Incident Response

The platform must include procedures for identifying, reporting, and resolving security incidents.

• Timeline for disclosing breaches or unauthorized access
  
  
• Documentation of internal incident response policies
  
  
• Notification commitment (e.g., within 72 hours of a confirmed breach)
  
  

“We notify clients within 48 hours of any confirmed unauthorized access to donor data, including full disclosure of remediation steps.”

‍

Training and Documentation

Ongoing access to updated materials helps internal teams stay informed and self-sufficient. Vendors should provide high-quality support content for staff beyond the go-live date.

• Comprehensive documentation (user/admin guides, API references)
  
  
• Access to knowledge bases or online learning resources
  
  
• Options for refresher training, webinars, or annual support reviews
  
  

“Each client receives a custom training portal with onboarding videos, admin how-tos, and quarterly update webinars.”