Carrier SLA disputes: why evidence wins and screenshots lose

Every TowerCo, every colo operator, every CPO with a credit-bearing SLA has lived through this conversation. The tenant files a dispute. The tenant has screenshots from their own monitoring showing the outage on their side. The operator has dashboards showing the site as available. Both sides are looking at real data. Both sides are convinced the other side’s data is wrong. The dispute closes with a negotiated split that probably doesn’t reflect what actually happened.

Negotiated splits are a structural failure. They mean neither side’s evidence was strong enough to settle the question, which means the next dispute will look the same. The way out is not better negotiation — it’s evidence that is cryptographically dispute-grade. And the gap between a screenshot and dispute-grade evidence is wider than most operators realize.

Two parties with two different monitoring stacks observing the same physical infrastructure will produce two different timelines. This is not a bug. It is the expected behavior of any system where the monitoring is asynchronous, the network paths are different, the counting methodology is different, and the time bases may not be precisely synchronized.

A screenshot from a vendor RMS is a claim about state. A hash-chained event stream is a record of state. SLA disputes are settled on records, not claims.

A TowerCo’s vendor RMS may count a site as “available” as long as the site controller is reachable and the BTS aggregator reports power-good. The carrier-tenant’s NOC may count the same site as “down” if their core network has not received traffic from the cell sectors for 90 seconds. Both definitions are defensible. They’re measuring different things. Neither team is being dishonest.

A screenshot from a vendor RMS console is fundamentally a claim about what the system looked like at a moment in time. There is nothing in the screenshot itself that says: this rendering was generated from a specific set of underlying telemetry events; those events occurred at these specific times; the events have not been altered since they were recorded; the rendering applied this specific methodology.

When a dispute escalates and a third party — a legal team, an arbitrator, an auditor — tries to evaluate the screenshot as evidence, the screenshot answers approximately zero of the relevant questions. What was the underlying data? Was it complete? Could anyone have edited it between the event and the rendering? Did the dashboard apply the same methodology the SLA defines? Most vendor RMS systems cannot answer these questions because they were not designed to.

A dispute-grade event stream has four properties that a screenshot does not. Completeness: every state transition in the system is recorded — utility loss, ATS exercise, BTS power-good, sector RF re-up — at the transition, not as a summary rollup. Tamper-evidence: each event is hash-chained to the previous one and cryptographically signed at write time. INSERT-only persistence: the underlying storage forbids UPDATE and DELETE operations. And methodology-aware rendering: the per-tenant uptime number is computed against the SLA’s defined methodology, not the vendor’s preferred counting.

With dispute-grade evidence, the conversation with the tenant changes shape entirely. The tenant claims 47 minutes of downtime. The operator opens the sealed event stream for that window, applies the SLA methodology, and produces a 4-minute number with the underlying transitions attached. The tenant’s NOC can validate the calculation against their own telemetry, can see where the two stacks diverged — typically in the core network’s reconvergence time, on the tenant’s side of the demarc — and can withdraw the disputed portion.

Operators using sealed evidence streams routinely report that tenant-initiated dispute volume drops over the course of the first year, because the tenant’s NOC learns that the operator’s evidence will hold up. The disputes that remain are real edge cases worth resolving on the merits.

The other consequence of sealed evidence is regulatory. SOC 2, ISO 27001, NIS 2, and the various sectoral standards all increasingly require audit-grade event records with retention horizons measured in years. A screenshot cannot satisfy these requirements. A vendor RMS with monthly rollups cannot satisfy these requirements. A hash-chained sealed event stream can. Building the audit log into the platform from the start is dramatically cheaper than bolting it on later — and the dispute wins are a side-effect of operating, not a separate project.