Tier 3 · Managed

We run the stack so your team doesn’t have to.

Ongoing operation of a deployed XyDromatics environment. 24×7 monitoring, patch and upgrade management, capacity planning, audit-trail attestation. Defined SLAs with named technical contacts — not a generic helpdesk queue.

SLA tiers

Three coverage levels.

Match the tier to your clinical operations. Most hospitals end up on M2; ambulatory sites on M1; tertiary referral centers and large health systems on M3. Tiers are per-site — a multi-site customer can run different sites at different tiers based on each site’s clinical profile.

Tier M1

Business Hours

Mon–Fri, 8am–6pm Eastern. After-hours best-effort via on-call.

Severity | Response | Resolution target
Sev 1 — clinical-impacting outage | 15 minutes (business hours); 1 hour (after hours) | 4-hour target
Sev 2 — degraded performance | 1 hour (business hours) | 8-hour target
Sev 3 — non-impacting issue | 4 hours (business hours) | 5-business-day target
Sev 4 — request / question | 1 business day | Engagement-dependent

Best fit: Imaging centers and ambulatory sites without 24x7 clinical operations.

Tier M2

24x7 Standard

24x7x365 monitoring. After-hours response covers Sev 1 and Sev 2.

Severity | Response | Resolution target
Sev 1 — clinical-impacting outage | 15 minutes, 24x7 | 4-hour target
Sev 2 — degraded performance | 1 hour, 24x7 | 8-hour target
Sev 3 — non-impacting issue | 4 hours (business hours next-day) | 5-business-day target
Sev 4 — request / question | 1 business day | Engagement-dependent

Best fit: Hospitals and health systems with overnight imaging operations (ED, ICU, after-hours reads).

Tier M3

24x7 Critical

24x7x365 monitoring + on-call engineer + named secondary on standby. Active synthetic monitoring against your environment with proactive alerting.

Severity | Response | Resolution target
Sev 1 — clinical-impacting outage | 5 minutes, 24x7 | 2-hour target
Sev 2 — degraded performance | 30 minutes, 24x7 | 4-hour target
Sev 3 — non-impacting issue | 1 hour, 24x7 | 3-business-day target
Sev 4 — request / question | 4 business hours | Engagement-dependent

Best fit: Tertiary referral centers, trauma centers, and large multi-site health systems where any imaging downtime translates to clinical impact within minutes.

Response times are clock-on-receipt, not ticket-creation. Resolution targets are best-effort within scope; complex cross-system incidents may require coordinated work with your team or third-party vendors. Service-credit schedule is in the Master Services Agreement.

Coverage

What’s included, what’s not.

Explicit about both. The clearer the boundary, the fewer friction points during a real incident — when the question "is this our problem or yours?" needs to be answered in minutes, not relitigated across email.

In scope

Operational monitoring

  • 24x7 health monitoring of XyDromatics services
  • DICOM AE-Title reachability checks
  • Storage utilization + capacity forecasting
  • Database health (PostgreSQL / SQL Server / Oracle catalog backends)
  • Synthetic transaction monitoring (Tier M3)
  • Audit-log integrity verification (hash-chain validation)

Lifecycle management

  • Patch management — minor releases applied during scheduled windows
  • Upgrade management — major releases scheduled and tested with you
  • License renewal coordination
  • DICOM port reconciliation when modality stack changes
  • Certificate renewal (TLS, AE-Title certs where applicable)
  • Backup verification + periodic restore drills

Capacity & performance

  • Quarterly capacity planning report
  • Storage tiering recommendations (hot / warm / cold)
  • Performance baselining and trend analysis
  • Pre-emptive scaling guidance ahead of modality additions

Compliance & audit

  • Audit-trail attestation packages for SOC 2 / 21 CFR Part 11 reviews
  • Documentation refresh coordination with QMS document control
  • Annual security review with you
  • Incident-response runbook maintenance

Communication & reporting

  • Named primary + secondary technical contacts on Synthology side
  • Monthly operations report (uptime, throughput, incidents, capacity)
  • Quarterly business review with usage + capacity reporting
  • Annual security + compliance attestation package
  • Defined escalation path with phone numbers

Out of scope

  • Customer infrastructure (servers, storage, network) — your team or your infrastructure provider
  • Third-party imaging applications (PACS, viewer, reporting) — vendor responsibility
  • EMR / EHR systems — your EMR vendor
  • Modality firmware or modality-side configuration
  • Workstation imaging or radiologist workstation support
  • Custom report development not part of the operational baseline
  • Major version upgrades that require contractual amendment (typically annual cadence)
  • Disaster recovery activation — separate DR engagement, scoped per customer

Items above are typically owned by your team, your infrastructure provider, or another vendor. We’ll coordinate across boundaries during an incident, but we’re not the responsible party.

Operational rhythm

A predictable cadence, not surprise activity.

Managed Services runs on a published schedule so you know what to expect from us and when.

Cadence | Activity
Continuous | Health monitoring + alerting + auto-remediation where defined
Daily | On-call shift handoff with active-incident review
Weekly | Operational status email to your team
Monthly | Operations report + 30-minute review call
Quarterly | Quarterly Business Review (capacity, incidents, roadmap)
Semi-annually | Restore-drill verification
Annually | Security review + compliance attestation + contract renewal

How we actually connect

SynthGateway — the secure tier underneath managed services.

Every promise on this page — proactive monitoring, 5-minute Sev 1 response, recorded engineer-initiated remote sessions — relies on us being able to see + reach your environment fast, on your terms. SynthGateway is the purpose-built communication tier that makes that possible.

It replaces the messy alternative — ad-hoc VPNs, screen-share tools, customer-side firewall openings, vendor-controlled remote-desktop products. Each deployed XyDromatics / Synthology product opens an outbound-only mTLS WebSocket to our gateway server. That connection carries two channels, both default-off, both customer-authorized per signed agreement (DOC-2026-329).

Channel 1 — health_telemetry

Periodic structured health data — system health, disk space, queue depth, error/log telemetry (PHI-scrubbed at the agent). Default-off; customer enables when signing managed-services agreement.

  • System health checks (service state, daemon liveness)
  • Disk space monitoring (per-volume + thresholds)
  • Queue depth (DICOM ingest, HL7, sync, job-runner backlogs)
  • Error + log telemetry (PHI-scrubbed two-layer)

Channel 2 — remote_support

Engineer-initiated interactive sessions — SSH / HTTPS / RDP multiplexed through a sidecar daemon. Recorded end-to-end. Default-off; per-session customer notification.

  • Outbound-only mTLS WebSocket — no inbound firewall openings
  • Every interactive session recorded end-to-end (audit + replay)
  • Engineer roles + per-session approval routing (e.g. PHI-bearing clinical-archive sessions require weekly Privacy Officer sign-off)
  • Revocation takes effect within one heartbeat (≤ 5 min)

Customer-side guarantees. Both channels are default-off; you authorize each one explicitly per signed agreement (DOC-2026-329, Customer Authorization). Either channel can be revoked from your side at any time — revocation propagates fleet-wide within one heartbeat. PHI never crosses the gateway (two-layer scrubber at the agent strips it before transmission). Full controlled-document set: DOC-2026-326 (Service Procedure), DOC-2026-327 (Cybersecurity Threat Model Addendum), DOC-2026-328 (Technical Specification), DOC-2026-331 (Engineer Console UX), DOC-2026-332 (Scaffold Reference). Available under NDA.
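An added illustration, not Synthology code and not taken from the controlled-document set: one way an agent could enforce the default-off and one-heartbeat revocation guarantees described above. The `ChannelGate` class, a heartbeat that carries the authorized channel list, and the fail-closed handling of a stale heartbeat are assumptions; only the channel names and the 5-minute bound come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional

HEARTBEAT_MAX_S = 300  # from the page: revocation within one heartbeat (<= 5 min)
CHANNELS = ("health_telemetry", "remote_support")  # channel names from the page


@dataclass
class ChannelGate:
    """Hypothetical agent-side gate: a channel opens only under a fresh grant."""
    granted: set = field(default_factory=set)   # empty set means default-off
    last_heartbeat: Optional[float] = None      # time of last accepted heartbeat

    def on_heartbeat(self, authorized, now):
        """Replace (never merge) the grant set with what this heartbeat carries."""
        unknown = set(authorized) - set(CHANNELS)
        if unknown:
            # Fail closed on unexpected input instead of keeping old grants.
            self.granted = set()
            raise ValueError(f"unknown channels in heartbeat: {sorted(unknown)}")
        self.granted = set(authorized)
        self.last_heartbeat = now

    def allowed(self, channel, now):
        """True only if the channel is granted and the grant is still fresh."""
        if self.last_heartbeat is None:
            return False  # never authorized
        if now - self.last_heartbeat > HEARTBEAT_MAX_S:
            return False  # assumed lease semantics: stale grant counts as revoked
        return channel in self.granted


def demo():
    """Walk a constructed timeline (seconds) and record each access decision."""
    gate, t0 = ChannelGate(), 1000.0
    out = [gate.allowed("health_telemetry", t0)]              # default-off
    gate.on_heartbeat(["health_telemetry", "remote_support"], t0)
    out.append(gate.allowed("remote_support", t0 + 60))       # granted and fresh
    gate.on_heartbeat(["health_telemetry"], t0 + 300)         # customer revoked one
    out.append(gate.allowed("remote_support", t0 + 301))      # revoked
    out.append(gate.allowed("health_telemetry", t0 + 301))    # still granted
    out.append(gate.allowed("health_telemetry", t0 + 601))    # heartbeat went stale
    return out


if __name__ == "__main__":
    print(demo())
```

Treating the grant as a lease that expires with the heartbeat is what keeps the revocation bound true even when the gateway is unreachable; an agent that cached grants indefinitely would not meet it.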

Pricing examples

Annual subscription, scaled to deployment.

Pricing is annual subscription tied to the deployed product surface area, modality count, and SLA tier. Multi-year commits (24 / 36 months) carry rate locks and can save 5–15%. Indicative ranges below; real customers are quoted off scope after a discovery conversation.

Deployment shape | SLA tier | Indicative range
Single-site VNA Repository, ~5 PB archive, 8 modalities | Tier M1 (Business Hours) | $4,500 – $7,500 / month
Single-hospital Router + VNA Repository deployment | Tier M2 (24x7 Standard) | $8,000 – $14,000 / month
Multi-site VNA + Router + Migration Engine, 4 hospitals | Tier M2 (24x7 Standard) | $22,000 – $38,000 / month
Tertiary referral center, 9-product XyDromatics deployment | Tier M3 (24x7 Critical) | $45,000 – $75,000 / month

Onboarding (4–6 weeks before the SLA clock starts) is a separately-quoted project. Disaster Recovery activation (DR plan execution under a real-event scenario) is its own scoped engagement, not part of the standing subscription.

Frequently asked

The questions we get most.

Why is Managed Services XyDromatics-only?

Two reasons. First, Managed Services covers the operational lifecycle (patches, upgrades, license reconciliation) of the specific products we ship — we have deep expertise on our own codebase and can't commit to the same depth on a competitor's product where we don't see source. Second, the SLA structure depends on direct access to product engineering for sev-1 escalations. For non-XyDromatics environments, the right service is Professional Services staff augmentation.

How does Managed Services interact with our existing IT team?

We're an extension of your team, not a replacement. Your team still owns infrastructure, network, and the broader imaging stack. We own the operational lifecycle of the XyDromatics products specifically. Most customers run a weekly sync where our named contact joins their imaging-IT standup.

What's the contract length?

Standard contract is 12 months with auto-renewal. Multi-year commits (24 / 36 months) get rate locks and can save 5–15%. 90-day exit clause for cause — we don't lock you in if the service is materially degraded.

Do you take over our existing XyDromatics deployment, or only ones you implemented?

Either. Most Managed Services customers come through our Implementation Services tier, but we also onboard environments deployed by other implementation partners. Onboarding engagement is a 4–6 week scoped project that produces the environment runbook before the SLA clock starts.

What happens during an SLA miss?

Service credits per the SLA terms. Repeated misses inside a rolling 12-month window trigger an escalation to your executive sponsor and an internal RCA on our side. The full SLA terms with response-time definitions and credit schedule are in every Master Services Agreement.

Where does your team work from?

Synthology team members are US-based, primarily East Coast and Mountain time zones. On-call coverage is provided by named Synthology engineers — not by an offshore NOC. The higher SLA tiers carry higher cost partly because we don't subcontract on-call to a generic helpdesk.

How do you handle data access for managed environments?

Least-privilege: Synthology engineers have read-only access by default; write access is granted per-incident with audit logging. Sensitive PHI access is gated by a named-engineer allowlist that you review quarterly. Full access policies are in the Managed Services SOW addendum.

How do you actually connect to our environment? Do we have to open firewall ports or run a VPN?

Neither. SynthGateway is the secure communication tier built specifically for this — outbound-only mTLS WebSocket from each deployed Synthology / XyDromatics product to our gateway server. No inbound firewall openings on your side. Two channels, both default-off, both customer-authorized: health_telemetry (PHI-scrubbed structured health data; enables our 24x7 monitoring) and remote_support (engineer-initiated SSH/HTTPS/RDP sessions, recorded end-to-end; enables fast Sev-1 response). You can revoke either channel from your side at any time; revocation propagates within one heartbeat (≤5 min). See the "How we actually connect" section above for the full architecture, or ask for the controlled-document set (DOC-2026-326..332) under NDA.

Can we transition from Managed back to self-managed later?

Yes. The runbook produced during onboarding is yours, and we provide a 60–90 day knowledge-transfer engagement at exit. No proprietary tooling locks you in — operations run against standard XyDromatics interfaces that any qualified team can operate.

Talk through a Managed engagement.

Tell us about your deployed environment and clinical operations profile. We’ll come back within one business day with a proposed SLA tier and the named technical contact who would own the relationship.