💡 Still using the classic Drata experience? Refer to Creating an SLA for employee onboarding completion for the original UI.
A service level agreement (SLA) defines the amount of time employees or contractors have to complete required onboarding steps before related compliance tests may begin to fail.
Drata uses SLAs to provide a grace period so new personnel can complete required tasks without immediately impacting your compliance results.
During the SLA window:
Personnel are monitored in Drata
Tasks and reminders appear
Compliance tests remain in a passing state
Once the SLA period ends, incomplete requirements may begin affecting compliance tests and control readiness.
Why this matters
Onboarding tasks are rarely completed on the first day. SLAs help you:
Avoid immediate compliance failures for new hires
Give personnel reasonable time to complete required actions
Align onboarding timelines with audit expectations
Auditors generally expect onboarding requirements to be completed within a defined timeframe.
Policies that include SLA monitoring
Some Drata policy templates include SLA monitoring by default, such as:
Information Security Policy
System Access Control Policy
Vulnerability Management Policy
These policies help ensure key onboarding, access, and vulnerability management requirements are completed within expected timeframes.
Configure an SLA
💡 SLA (grace period) for policy acknowledgements
The grace period you configure in the Information Security Policy for policy acceptance applies to all policy acknowledgements.
When you set a grace period in this policy, it becomes the single control point for acknowledgements. The same grace period is automatically applied to any published policies that are distributed to personnel.
Navigate to Governance → Policies.
Ensure you are on the Active tab on the Policies page.
Search and open the Information Security Policy policy.
In the Overview tab, select Edit in the Details section.
Scroll to the Service level agreements section.
Enter the timeframe allowed for personnel to complete required steps.
Select Save.
The updated SLA applies going forward.
To view other policies with SLA:
Navigate to Governance → Policies.
Open a policy that shows Monitored by Drata in the SLA column.
Policies that show “None” in that column do not have an SLA Drata is monitoring.
You can sort the SLA column if desired.
What happens after you update this setting
After you update and save an SLA in Drata, a few things happen behind the scenes:
New grace window is applied
For onboarding (Information Security Policy), the updated SLA sets the grace period starting from each employee’s HRIS start date. During this time, onboarding-related compliance tests will not fail. Once the grace period ends, incomplete onboarding tasks may begin impacting compliance results.
For offboarding (System Access Control Policy), access removal for terminated employees is evaluated against the updated SLA timeframe (for example, 24 hours instead of 3 days).
Vulnerability due dates are recalculated
For policies tied to vulnerability management, Drata updates remediation timelines automatically.
On the Vulnerabilities page, Drata recalculates the SLA Due Date for open findings and reflects the updated deadlines in the table.
Notification timing also adjusts based on the warning period you’ve configured.
Monitoring tests start using the new thresholds
Compliance tests tied to onboarding, offboarding, or vulnerability SLAs will begin using the updated timeframe during the next monitoring cycle. If the new SLA is shorter or longer than before, some test results may update to reflect whether items are now within or outside the allowed window.
Policy cannot be archived
Policies with an active SLA display Monitored by Drata in the SLA column. Because these policies are tied to ongoing compliance monitoring, they may not be eligible for archiving while SLA enforcement is active.