Creating an SLA for Employee Onboarding Completion

Use this article to understand and configure the onboarding grace period that determines when compliance tests begin evaluating new personnel.

⚠️ Select your experience

The steps depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.


Instructions for the New Experience ⬇️

A service level agreement (SLA) defines the amount of time employees or contractors have to complete required onboarding steps before related compliance tests may begin to fail.

Drata uses SLAs to provide a grace period so new personnel can complete required tasks without immediately impacting your compliance results.

During the SLA window:

  • Personnel are monitored in Drata

  • Tasks and reminders appear

  • Compliance tests remain in a passing state

Once the SLA period ends, incomplete requirements may begin affecting compliance tests and control readiness.

Why this matters

Onboarding tasks are rarely completed on the first day. SLAs help you:

  • Avoid immediate compliance failures for new hires

  • Give personnel reasonable time to complete required actions

  • Align onboarding timelines with audit expectations

Auditors generally expect onboarding requirements to be completed within a defined timeframe.


Policies that include SLA monitoring

Some Drata policy templates include SLA monitoring by default, such as:

  • Information Security Policy

  • System Access Control Policy

  • Vulnerability Management Policy

These policies help ensure key onboarding, access, and vulnerability management requirements are completed within expected timeframes.

Configure an SLA

💡 SLA (grace period) for policy acknowledgements

The grace period you configure in the Information Security Policy for policy acceptance applies to all policy acknowledgements.

When you set a grace period in this policy, it becomes the single control point for acknowledgements. The same grace period is automatically applied to any published policies that are distributed to personnel.

  1. Navigate to Governance → Policies.

  2. Ensure you are on the Active tab on the Policies page.

  3. Search for and open the Information Security Policy.

  4. In the Overview tab, select Edit in the Details section.

  5. Scroll to the Service level agreements section.

  6. Enter the timeframe allowed for personnel to complete required steps.

  7. Select Save.

The updated SLA applies going forward.

To view other policies with SLA:

  1. Navigate to Governance → Policies.

  2. Open a policy that shows Monitored by Drata in the SLA column.

    • Policies that show "None" in that column do not have an SLA that Drata is monitoring.

    • You can sort the SLA column if desired.

What happens after you update this setting

After you update and save an SLA in Drata, a few things happen behind the scenes:

  1. New grace window is applied

    • For onboarding (Information Security Policy), the updated SLA sets the grace period starting from each employee's HRIS start date. During this time, onboarding-related compliance tests will not fail. Once the grace period ends, incomplete onboarding tasks may begin impacting compliance results.

    • For offboarding (System Access Control Policy), access removal for terminated employees is evaluated against the updated SLA timeframe (for example, 24 hours instead of 3 days).

  2. Vulnerability due dates are recalculated

    • For policies tied to vulnerability management, Drata updates remediation timelines automatically.

    • On the Vulnerabilities page, Drata recalculates the SLA Due Date for open findings and reflects the updated deadlines in the table.

    • Notification timing also adjusts based on the warning period you've configured.

  3. Monitoring tests start using the new thresholds

    • Compliance tests tied to onboarding, offboarding, or vulnerability SLAs will begin using the updated timeframe during the next monitoring cycle.

  4. Policy cannot be archived

    • Policies with an active SLA display Monitored by Drata in the SLA column. Because these policies are tied to ongoing compliance monitoring, they may not be eligible for archiving while SLA enforcement is active.


Instructions for the Classic Experience ⬇️

Establishing a Service Level Agreement (SLA) for employee onboarding ensures that new personnel are integrated seamlessly into your organization's culture of security and compliance. Drata enables automated provisioning of employee and contractor accounts, allowing access through G Suite or Office 365 upon account activation. This ensures that new personnel are equipped to begin their compliance journey from day one.

This includes a standard grace period (e.g., 14 days) during which compliance tests will not penalize new hires who are still completing their onboarding requirements.

While the ideal scenario involves completing all onboarding steps—including background checks and security training—before granting access to critical systems or customer data, we understand that not all onboarding processes are completed on the first day. To balance operational flexibility with compliance needs, you can define an SLA specifying the allowable timeframe for onboarding completion in your organization's Information Security Policy.

Why Set an SLA for Onboarding?

Your employees and contractors serve as the first line of defense against external threats and risks. Ensuring timely completion of onboarding tasks—such as background checks, policy acknowledgments, and security training—is essential for maintaining a secure and compliant workplace.

During this period, employees are monitored but not penalized for compliance test metrics, ensuring that they are given ample time to complete necessary requirements.

By setting an SLA, you define the acceptable timeframe for completing onboarding steps before it impacts control tests and compliance metrics.

Before diving in

You must have an admin or information security lead role to update the SLA for employee onboarding.

Here's how

  1. Navigate to the Policy Center and select the 'Information Security Policy'.

  2. Select the edit icon for Policy details.

  3. Scroll down to the SLA section. Expand this section and specify the number of days new employees have to complete their onboarding in Drata before your employee onboarding control test is impacted.

  4. Save your changes.
