Part 1 - Setting the scene, service levels and data

The conversation usually goes a little like this when you ask most cloud services providers to amend their terms.

"We're a one to many provider, our pricing is based on having a single offering with a consistent approach to risk"

"We don't control your data, the solution allows you to configure appropriate protections and you are responsible for back-ups"

"We don't even know what sorts of data you use through the solution"

At this point, it's time to do a practical risk assessment to work out which key issues you want to raise for negotiation, having regard to the factors which mitigate the risks associated with the agreement at a top level, such as:

  • the size, reputation and longevity of the supplier;
  • any existing relationship you have with the supplier (and the track-record of that relationship); and
  • the strategic and dollar value of the deal to both you and the supplier.

Once that assessment is complete, the key risk areas usually include issues such as service commitments (including service levels), intellectual property licensing and ownership considerations (including any period of exclusivity), data privacy and data security, governing law, term and termination rights (including auto-renewal), and of course allocation of liability through warranties, indemnities, liability caps and exclusions.

In this 'Part 1' we consider the factors which are relevant to assessing the real risk in relation to two areas which frequently arise in the context of reg tech solutions- the commitment to service provision; and data security and privacy, to help you determine the criticality and priority of any contract amendments during negotiations.

Area of concern Assessing the real risk
Consideration: Note:
Area of concern Assessing the real risk Consideration: Note: Poor (or no) service description, service standards or service level commitments

Solution criticality?

What is the purpose of the solution? E.g. is it customer facing, does it generate revenue, assist with regulatory compliance, drive efficiencies?

What is the impact if it's not available (either short/medium/long-term) - are there manual workarounds and what would implementing them cost?
  • If the reg tech solution assists you in meeting your compliance obligations (and there is no easy manual workaround) then it is likely that you will want greater clarity around exactly how the solution will help you meet those requirements including uptime commitments, technical support during relevant operating hours, and a strong governance framework to address any issues.
  • If the solution isn't business critical (e.g. it drives efficiency but you can satisfy your compliance obligations without it), then you may be willing to live with a service description or service level commitment which is lower than you would require for a business critical solution.

Market alternatives?

Are there real alternate solutions in market you could quickly/easily move to if dissatisfied?

Is the supplier or the solution a key player in the relevant market?
  • The fewer alternatives there are in market, or the trickier it would be to transition to alternatives, the more important it is to get the service standards and levels right.
  • You might be willing to live with poor service descriptions if the Supplier or the solution is a key player in the market. Equally, if you are comfortable with the current functionality of the solution, you may be able to get comfortable with a poor service description.

Contract flexibility?

Do you have the right to terminate for convenience at any time with a partial refund of any upfront fees?

Are you committing to a minimum term, minimum spends or any kind of exclusivity?

Will you require disengagement assistance?
  • If you don't have a right to terminate for convenience, or if you are agreeing to a minimum spend or exclusivity, it will be important to get the service standards and service levels right and to include appropriate rights to terminate and/or suspend the minimum spend and exclusivity commitments if those requirements are not met.
  • Consider what assistance you might need on disengagement and whether a formal plan should be agreed early on during the engagement so exercising your termination rights is actually a practical option.
Data security and privacy

Types of data involved?

What sorts of data will actually be uploaded to, or generated by the solution - in terms of nature, sensitivity and volume? For example, personal information of customers, personal information about employees, confidential information about your business plans?

What is the likelihood that serious harm would occur if data was compromised?
  • The more sensitive the data, and the greater volume of data that will pass through the solution, the more you will want to negotiate additional protections to mitigate against the regulatory and reputational impacts of a data breach/compromise.
  • Also, consider whether you can reduce the risks by:
    • de-identifying or redacting the information so that it is no longer personal information or highly confidential information before uploading or transmitting it to or via the solution; or
    • if the data is not personal or confidential in nature, whether risks around data security can be managed through regular backups.
Supplier location?
  • If the supplier is also located within Australia, or is located externally but will commit to hosting the solution from within Australia, the data risks reduce given the supplier will likely also have obligations under the Privacy Act.
  • If the supplier or the solution are offshore, consider the equivalency of any privacy and data security regimes which operate in those countries (and conflicting data-sovereignty issues, e.g. as a result of the US Patriot Act).
  • Data sovereignty issues are back in focus again after the recent Schrems II decision - click here to read more.

Supplier's security posture

What is the supplier's approach to security - are they compliant with industry standards such as ISO27001, PCI DSS?

How much do they invest in security?

What is their reputation for compliance with their stated security positions?
  • The more comfortable you can get from an operational perspective, the fewer amendments might need to be made to the agreement to reflect the actual level of data security.
  • For example, does the supplier already go through annual testing and certification of its data security arrangements consistent with industry standards? Do they share those certifications and annual testing reports?

Type of cloud solution?

Will you be using a public or private cloud solution?
  • If the solution is available on a public or shared cloud instance, will your data be held so that it is logically separate, with specific security controls to ensure it cannot be accessed by other tenants of the solution?
  • If you are using a private cloud solution, you may have a greater ability to negotiate specific data requirements into the contract.

By considering the real risks of a reg tech solution for you and your business (including whether there are any practical mitigations) you can determine the criticality and priority of contract amendments. Knowing your key negotiation points can streamline the negotiation to matters that really affect you, and ultimately lead to a more satisfactory outcome.

Please get in touch with the Digital and IP team at McCullough Robertson if you have any questions or need any further information.

Thank you to Meena Muthuraman for her contribution to this article.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.