When dealing with cloud agreements there are a number of steps that business customers of cloud solutions should consider when entering into cloud arrangements. Following some of the 10 approaches outlined below, and some of the practical solutions in the next blog in this series, should make it a simpler and hopefully more cost efficient and timely contracting process:
- Manage Internal Expectations: It is important to manage internal business expectations at the outset of a cloud engagement. The nature of many cloud solutions is that the efficiencies and cost savings are derived from the very fact that they offer standardized services to hundreds or even thousands of customers. Because of this standardization certain cloud providers maintain that they cannot change certain terms, particularly those that relate to service levels and pricing. However, this standardization does not necessarily mean that it will be any easier or quicker to negotiate the contract, as compared to any other non-cloud agreement, particularly in highly regulated industries and where sensitive data is involved.
- Risk Spectrum: The approach to contracting will depend on the business requirements, concerns and the importance of the service to the business. The initial goal should be to determine where the particular service and agreement lies on the risk/reward spectrum. For example, the more important the data and service the more contractual protections that will be required, as they will likely not be reflected in the cloud provider's standard cloud agreement. Considering the points in this blog post will assist with this assessment.
- Do your Due-diligence; Service: Do due-diligence to determine if you know how the cloud solution works and if it suits the business's requirements. As the cloud agreement in most software as a service arrangements will deal with hosted data in some form, the fundamental issue will be to understand what types of data there are, how the data is processed, stored, protected, backed-up, accessed, transferred and deleted, where will all this happen, how it will be validated, and when? Developing this understanding will be even more important if such data is sensitive, for example, if it relates to personal information of customers or employees. The complexity of this analysis may not be appreciated by all stakeholders within the business, so it is best to address these questions early and for the parties to align on the key issues of security, privacy, confidentiality and audit as soon as possible, and perhaps before the rest of the negotiations. Requesting a demonstration or performing a pilot of the service is certainly worth considering.
- Do your Due-diligence; Service Provider: Do you know anything about the service provider and its standards of performance? For example, knowing if there have been security issues in the past will enable you to target questions and deal with issues up front. It may also assist with understanding what further assurances or performance guarantees may be required. Performing reference calls with other customers of the cloud provider can be extremely revealing – particularly with highlighting transition issues.
- Validate Your Understanding: Check your understanding and the business requirements against what is in the cloud agreement and supporting documentation. You may find that the cloud agreement consists of pages and pages of closely typed text on duplex paper written in technical language, particularly when considering the service levels and service descriptions. This type of content is not easy to interpret, and will require a detailed comparison against the business requirements. Ultimately you may find that the cloud solution does not actually fulfill all of the business's requirements. The contracting process will become protracted if parties have to address failures to understand the solution later in the negotiation process.
- Lack of Configurability: The cloud solution may not be as configurable as what the business wants, and customizations beyond standard configuration to fill gaps in business requirements may either be impossible or involve additional expense.
- Limitations of the Cloud Solution: What the business had before the cloud solution may not exist or be in a different form after it is implemented, particularly if there is a trade-off between reduced functionality and levels of service for reduced costs. A reduction or change in functionality may not be an issue for a junior employee, but if it takes away functionality from an executive, and he or she is not made aware in advance, there could be an internal issue to manage after implementation.
- Keep the Project Team Informed: It may seem obvious, but make sure that subject matter experts are brought up to speed as early as possible during the contracting process. Doing this too late could lead to internal resentment and material issues being raised late.
- Regulatory Environment: Issues can arise if the business is subject to regulation that is not reflected in the standard cloud agreement. For example, if the client is a federally regulated financial institution, and the outsourcing arrangement is material, then it will fall under the prescriptive regulatory provisions of the Office of the Superintendant of Financial Institutions B-10 Guideline. You may find that a cloud vendor is unwilling to provide you with on premise audit rights or the ability to request audit controls that a regulator or internal policies require. Cross-border data issues may also exist, particularly if you are a public body. Knowing these constraints sooner rather than later will save time. It is therefore important for both parties to fully understand the regulatory environment and resulting contractual requirements.
- Transition: Once you reach agreement it will be necessary to migrate to the cloud solution. This may not be easy, and may in fact require an entirely separate set of terms. Having an eye on transition complexities from day one will enable the parties to address any issues during the negotiation and contracting stage.
In summary, as certain contract terms will simply not be subject to change, it is important that business customers of cloud solutions enter the contracting process having conducted due diligence, and so that they are aware of the limitations of any cloud offering. In particular, dealing with data issues under a cloud model can be very complicated, particularly if there are cross border data transfers, and storage and accessing of data in foreign jurisdictions. In Part II of this blog post series, we consider some practical suggestions for resolving some of the issues.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.