Technology Matters

SaaS, PaaS and the Cloud? Part 2: Top 5 Considerations for Purchasing Hosted Services

Posted in Cloud Computing, Commercial Contracts, Privacy and Security, SaaS, Software, Technology Procurement

You’ve read part 1 of our series, and you’re now armed with the answers to the questions about hosted services and cloud computing that you’ve been too embarrassed to ask. To help you bring it home – virtually – we offer our top 5 considerations when purchasing hosted services for your organization:

  1. Implement processes for agreement to non-negotiable terms. Many lower priced hosted services providers will present terms of use in a “click-through” or “click-wrap” agreement. These “take it or leave it” terms are intended to avoid a costly negotiation over legal language where there is a low profit margin for the services. While the vast majority of click-through terms will be acceptable for the services being purchased, your organization should make sure individuals with purchasing authority are trained to recognize provisions that raise your organization’s risk profile, and to escalate those provisions for legal review. For example, legal and IT security should review all terms relating to privacy and data security. Additionally, users should escalate for legal approval any provision requiring indemnification by your organization, as well as any provision purporting to claim ownership of any of your organization’s data or intellectual property.
  2. Prepare appropriately for implementation. Hosted services often require some work to integrate with your existing systems and to implement use of the hosted product in your organization’s environment. Implementation can be costly and complex, so be sure that fees for use of the product do not begin to accrue before the product has been implemented and you have provided acceptance sign-off. A separate services agreement or implementation exhibit that clearly defines each party’s respective roles and responsibilities with respect to implementation, and that defines specific acceptance criteria, can be key to a successful implementation.
  3. Obtain availability commitments that make sense. Contemplate the appropriate availability of the services with reference to the importance of the product to your organization. Critical systems should be available virtually 100% of the time, with only limited downtime for maintenance that occurs during limited pre-scheduled maintenance windows. Beware of general statements that the services are available on a 24/7/365 basis, with broad exclusions for “scheduled and emergency maintenance”; this language is the equivalent of “our service is up except when it is down”, and provides your organization with essentially no real commitment. Make sure that you have a service level agreement that will permit you to terminate the overall arrangement and get service credits in the event of excessive downtime.
  4. Ensure updates do not impact your business. Many hosted services providers automatically maintain the hosted product and quickly apply patches, fixes, updates and upgrades behind the scenes. For critical systems, consider whether the provider should be required to give you advance notice of any update that would materially change the functionality of the product or affect interoperability with your external systems. It is often beneficial in such cases to have the provider make the update available in a test environment, where you can test functionality and interoperability before the update is deployed. A support agreement that sets forth response times and procedures is also essential to ensuring your expectations are met.
  5. Pay attention to data usage, privacy and security. Last (but certainly not least!), pay close attention to what data your users will input, what data will be generated through use of the service, and how the provider will be storing, protecting and using that data. If you are providing any company confidential information, personally identifiable information (“PII”) or protected health information (“PHI”), ensure that your organization conducts appropriate due diligence to confirm that the provider’s security architecture, controls and procedures meet your organization’s requirements and that data is treated in accordance with applicable laws governing the use of PII and PHI. Also pay close attention to the data that the service provider collects regarding your users’ use of the service; while you might not be concerned with the use of this data to create aggregate statistics about service usage and performance, you should ensure that this data is treated in such a way that it cannot be traced back to you, your users or your customers.