Sometimes, the transformation of IT to a cloud infrastructure can seem like the Oklahoma land rush: Get there fast, get there first, stake your claim or miss out.
‘Not so fast,’ say the people holding the purse strings, and rightly so. As Michelle Tyde writes in a September 6, 2016, article on the Daily Report, cloud service providers often lack the adaptability of traditional outsourcing services in the types and prices of packages they offer their customers. In their haste to stake a claim to the cost and efficiency benefits of cloud services, many companies fail to consider the unique legal, security, and service-level requirements of their cloud data strategies.
These and other pertinent matters need to be addressed during the provider selection and contract negotiation process, according to Tyde. That starts with an understanding of the differences between the three predominant cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Next comes the decision about which deployment model best serves the organization: public cloud, private cloud, or hybrid cloud.
Once you’ve settled on a service and deployment model, the nitty-gritty of the selection and negotiation process can begin. The two most important considerations for any data service are security and reliability; the vendor’s assurances in these areas are the cornerstones of your cloud operations. Nearly as important but easy to overlook are the potential to be locked into a service, the accessibility of your data resources under any circumstances, and the interoperability of your internal operations with the vendor’s platform.
It isn’t unusual for a cloud service to offer only a standard set of terms and conditions, often a click-wrap agreement that puts the service provider in the driver’s seat. A multi-layered cloud contract will include the terms and conditions as well as an acceptable-use policy, privacy policy, and service-level agreement. Providers selling SaaS on a public cloud are the least likely to negotiate terms because of their use of shared infrastructure, but those offering other types of services are more amenable to negotiating the contract terms.
What terms should you bargain for? Price, obviously, but also the term of the contract, service-level guarantees, limitation of liabilities, termination rights, and the right of the provider to alter service features and policies unilaterally. A common mistake of legal counsel involved in cloud negotiations is to treat the process as they would a software license or technology acquisition. In particular, the negotiations should consider such matters as intellectual property rights, insurance, and force majeure.
One area where customers have a negotiating edge over cloud services is the service-level agreement. The first of the five negotiating tips offered by David Chou in a July 18, 2016, article in CIO is to demand a high level of specificity in the SLA details covering uptime, backup frequency, recovery time, and other important matters. While some services may want to be measured quarterly, businesses in the healthcare, finance, and similar industries will require measures reported monthly or more frequently.
When conducting due diligence of a potential cloud-services partner, verify the company’s financial health and the data-security measures it implements. Source: Paul Armitage, Gowlings, via SlideShare
It’s important to ask the cloud vendor where your data will be stored; if overseas, ask which country’s regulations will be applied to protect the data. Also, specify the data file formats so you’re able to migrate the data easily when the time comes. Many cloud services require a notice of non-renewal within a particular time, so ask whether you can opt out of or otherwise negotiate the termination notice requirement.
Data retention regulations require that many industries retain data for a specified time, but your cloud service’s policy may be to delete your data upon termination of the contract, or within 30 days of the contract’s end. If your organization is subject to data-retention rules, negotiate an extended time for the service to retain and provide access to that data, usually 60 or 90 days. This also gives you sufficient time to ensure your data migrated smoothly to your new service.
Finally, an incentive for both you and the service provider is to add a low renewal rate guarantee into this contract. Even if you can’t get an assurance of a discount on your next agreement, you may be able to avoid a rate increase being applied when you renew.
While service levels are likely to be the primary negotiation point in most contracts for cloud services, it’s nearly impossible to spend too much time going over the details for data security protections, as well as the steps that will be taken in the event of a breach of security. Mike Chapple explains in an August 15, 2016, article on EdTech that the contract proposed by the vendor is likely to protect the vendor’s interests rather than yours. The contract must state clearly the level of security to be maintained, as well as the consequences of the vendor’s failure to meet the contract’s security requirements.
Before you can set security requirements, you have to know the level of risk your organization is facing in terms of the sensitivity of the data and applications to be maintained by the cloud service. The knee-jerk reaction may be to avoid placing any sensitive data in the cloud, but consider that cloud services often provide a higher degree of security than is being used to safeguard your in-house data. The cloud may offer security equivalent to or greater than you’re paying for now, and at a much lower cost.
For example, the Morpheus cloud application management platform sets and performs backups automatically for each database and app stack component you provision with the service. You determine the time and frequency of the backups, and where the backups are stored (in the cloud or on the premises). Access controls can be determined with a high degree of granularity, so just the right people have just the right privileges.
There is nothing simple about IT contract negotiations. Executives do themselves and their organization a disservice by trying to simplify what is an increasingly complicated process. Much of the complexity is the result of rules and regulations specific to various industries, such as finance, healthcare, and telecommunications. Other aspects apply to all companies, such as human resources, data retention, and customer relationship management. Finally, there’s the added complication of dealing with new companies in an entirely new industry, where the ‘rules’ are in constant flux.
In a May 10, 2016, article, CIO’s David Adler lists the five key areas C-level executives must focus on when negotiating a contract for cloud services. The first step is to determine who owns the proprietary and confidential information in the organization. Adler recommends creating an intellectual property checklist for managing and safeguarding your company’s IP assets.
When negotiating price and payment, bargain for a reduced price if you’ll be paying in full at the commencement of the contract term, as is typical for software licenses, or when payment for services will be ‘Net 30.’ It’s almost certain that some of the contract terms will be modified during the term as your needs and other unforeseen circumstances dictate. Be sure the contract includes a mechanism for accommodating the inevitable, unpredictable changes that will occur.
Equally important, according to Adler, is to consider how you’ll be able to get out of the contract if necessary. For example, even if you negotiate immediate unilateral termination in the event of a breach of a material obligation, you’ll still be left holding the bag if you’ve prepaid on the contract. State laws vary widely in whether and how they allow consequential damages resulting from a material breach, as well as in how they provide equitable relief via contract reformation.
Be particularly cautious about the contract’s disclaimers and other attempts by the vendor to limit their liability and to cap any potential liability awards. These clauses are intended to shift the risk entailed in the contract, and courts generally rule that the disclaimers are enforceable. The caps may be a fixed sum, such as the amount paid for the service, or they may apply to the types of damages for which compensation will be available, including personal injury, property damage, or liability for confidentiality violations.
The more ‘what if’ scenarios you consider before you sign on the dotted line, the less likely you’ll be caught unawares when a contract-related problem arises.