The days of computing in any box, whether a small box or a large
box, are gone. Increasingly, software and the data you need are
processed through a suite of solution-oriented services from
outside the walls of your enterprise. Whether those SaaS solutions
are provided by an ASP; a utility or "on-demand"
computing provider; through an outsourced or shared service
arrangement; via a "hosted solution"; or from the
infamous "cloud", the traditional concepts, commercial
practices, and licensing contract terms are no longer applicable to
computing "out of the box".

The following are eight important contracting differences
between buying or licensing an IT product for your direct use and
retaining another person to provide the same solutions as a

Define the services or solution by setting out detailed
operational, functional, activity specific, accessibility,
compatibility, interoperability, and security specifications and
requirements. You are interested in describing the outcome, not the
products, tools or infrastructure that will be used to deliver that
outcome. In the new paradigm, product specifications are replaced
by "service levels" and outcomes.

Whereas a licensee of software assumes the risk of that
software's possession and proper use (subject to a limited
warranty term), a service provider assumes the entire risk of
acquiring and using all of the tools necessary to perform the
service. Regardless of how your data processing services are
structured, that performance risk transfers to the service provider
based on the provider's agreement to provide and deliver
operational "results" and outcomes.

In order to address the inherent (and vast) differences in
qualitative standards across service jurisdictions outside of
Canada (especially into the cloud), your contract's service
standards should expressly include a duty of care, diligence and
professionalism that is reasonably commensurate with the standards
and practices that such services are performed and delivered in

Since services may be provided from outside your jurisdiction,
consider contract provisions that require: compliance with the laws
you are subject to; the compliance of the service with local
standards (e.g. financial solutions that comply with
Canadian GAAP); export/import control restrictions; the security of
communications; provisions that enhance the contract's
enforcement in the provider's jurisdiction; local support
access and provider's immigration status; and, your own
representations (after due diligence) that you have the right to
process data, or even provide personal or other information, out of
your jurisdiction (due to possible privacy, regulatory or third
party contractual restrictions).

All traditional representations and warranties must now apply
to the performance of the service rather than to any products or to
(now eliminated) license rights. For example, the performance of
the service must not interfere with or breach third party rights
– whether intellectual property, contractual or other

Remote data processing services may require express disaster
recovery and contingency planning obligations. When you used
software in your box within your enterprise, contingency planning
for that use was your responsibility. Under the SaaS paradigm, that
must now be the responsibility (and contractual obligation) of the
service provider. Those obligations should also take into
account all of the remote service infrastructure, including
alternative (back-up) communications systems between you and the

Unlike buying an IT product and assuming the risk of that
product's future obsolescence, the service provider's
ownership and use of that infrastructure entirely shifts the risk
of service quality assurance and continuous improvement to the
service provider's duty to seek and secure infrastructure
innovation, technology improvement, and ongoing infrastructure
competitive "benchmarking". Product improvement
provisions in traditional license agreements are now replaced with
comparative (and competitive) standards for improved operational
performance and ongoing functional innovation.

Since the data and processing infrastructure will be outside
the four walls of your control and influence, the vital issues of
service security, trade secret protection, information
confidentiality, data integrity, compliance with privacy laws and
regulations, and assurance of data segregation and isolation
generally require very specific and detailed contractual
prescriptions and obligations that service providers must adhere to
– always subject to your inspection and audit, which can
be jurisdictionally challenging – especially if the
services are provided in the cloud.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.