The days of computing in any box, whether a small box or a large box, are gone. Increasingly, the software and data you need are delivered as a suite of solution-oriented services from outside the walls of your enterprise. Whether those SaaS solutions are provided by an ASP; a utility or “on-demand” computing provider; through an outsourced or shared service arrangement; via a “hosted solution”; or from the infamous “cloud”, the traditional concepts, commercial practices, and licensing contract terms are no longer applicable to computing “out of the box”.
The following are eight important contracting differences between buying or licensing an IT product for your direct use and retaining another person to provide the same solutions as a service.
- Define the services or solution by setting out detailed operational, functional, activity specific, accessibility, compatibility, interoperability, and security specifications and requirements. You are interested in describing the outcome, not the products, tools or infrastructure that will be used to deliver that outcome. In the new paradigm, product specifications are replaced by “service levels” and outcomes.
- Whereas a licensee of software assumes the risk of that software's possession and proper use (subject to a limited warranty term), a service provider assumes the entire risk of acquiring and using all of the tools necessary to perform the service. Regardless of how your data processing services are structured, that performance risk transfers to the service provider based on the provider's agreement to provide and deliver operational “results” and outcomes.
- In order to address the inherent (and vast) differences in qualitative standards across service jurisdictions outside of Canada (especially into the cloud), your contract's service standards should expressly include a duty of care, diligence and professionalism that is reasonably commensurate with the standards and practices to which such services are performed and delivered in Canada.
- Since services may be provided from outside your jurisdiction, consider contract provisions that require: compliance with the laws you are subject to; the compliance of the service with local standards (e.g. financial solutions that comply with Canadian GAAP); export/import control restrictions; the security of communications; provisions that enhance the contract's enforcement in the provider's jurisdiction; local support access and provider's immigration status; and your own representations (after due diligence) that you have the right to process data, or even provide personal or other information, out of your jurisdiction (due to possible privacy, regulatory or third party contractual restrictions).
- All traditional representations and warranties must now apply to the performance of the service rather than to any products or to (now eliminated) license rights. For example, the performance of the service must not interfere with or breach third party rights – whether intellectual property, contractual or other rights.
- Remote data processing services may require express disaster recovery and contingency planning obligations. When you used software in your box within your enterprise, contingency planning for that use was your responsibility. Under the SaaS paradigm, that must now be the responsibility (and contractual obligation) of the service provider. Those obligations should also take into account all of the remote service infrastructure, including alternative (back-up) communications systems between you and the provider.
- Unlike buying an IT product and assuming the risk of that product's future obsolescence, the service provider's ownership and use of that infrastructure entirely shifts the risk of service quality assurance and continuous improvement to the service provider's duty to seek and secure infrastructure innovation, technology improvement, and ongoing competitive infrastructure “benchmarking”. Product improvement provisions in traditional license agreements are now replaced with comparative (and competitive) standards for improved operational performance and ongoing functional innovation.
- Since the data and processing infrastructure will be outside the four walls of your control and influence, the vital issues of service security, trade secret protection, information confidentiality, data integrity, compliance with privacy laws and regulations, and assurance of data segregation and isolation generally require very specific and detailed contractual prescriptions and obligations that service providers must adhere to – always subject to your inspection and audit, which can be jurisdictionally challenging – especially if the services are provided in the cloud.
For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.