NOTE: I am not an attorney. You should always consult an attorney for any legal advice when entering into a contract. These suggestions are based on my experience as an IT professional negotiating many cloud services contracts.
When you sign up for a cloud application you are relieved of the burden and expense of hosting the application yourself. While that is an obvious benefit, the fact that the vendor is hosting the application and your data presents certain risks. For Biotech and Life Science organizations data is particularly valuable, so ensuring that your data, and timely access to that data, is adequately protected is vital.
Managing Cloud Risk
One aspect of managing the risk of inadequate data protection is through investigation of the vendor’s security, backup, disaster recovery, and operational processes prior to signing on. I’ll post a handy set of questions you can ask cloud vendors to evaluate those factors in a follow-on post. The other way to manage that risk is by ensuring there are certain terms in the contract.
The guiding factor is the criticality of the application and your data. How big an impact would loss of data, or loss of access to the solution and data, have? How sensitive is the data? The more critical and sensitive the data, the more important it is that you have certain contractual terms such as the ones below.
Suggested Contract Terms:
The terms below are business and IT-related. Your attorney will have legal terminology they will look for.
- Data Ownership & Location: The contract should be clear that you own your data. The vendor agrees to maintain its confidentiality and to protect it. Their use of the data is limited to what is required to deliver the services/solution. All copies of your data are removed within some specified period after the termination of services, but the vendor should not dispose of your data without first notifying you and giving you an opportunity to retrieve it. The contract should also specify in which country the data will reside, as different countries have different data privacy laws.
- Breach notification requirements: The vendor should commit to notifying you of a breach within a specific time such as 24 hours (rather than vague wording such as “promptly”). This is especially important when the data includes Personally Identifiable Information (PII) or Personal Health Information (PHI), both of which are subject to regulations that require certain notifications of breach.
- Termination: Under what conditions can you get out of the contract? Preferably you have the right to terminate at any time without cause. How exactly do you terminate? Are there early termination fees? How do you get your data back when you terminate, and how quickly will they deliver it? The contract should specify that they will assist you in transitioning to another vendor or to hosting the solution yourself. Note that the vendor may require that you pay them for providing that migration assistance.
- SLAs: SLAs usually include uptime and tech support response/resolution times (based on incident severity). They may also include solution responsiveness/performance commitments. There should be penalties for not meeting SLAs, and repeated or unresolved failure should allow termination. Because an SLA is a pre-agreed standard of performance that can be objectively measured, SLAs are important for enabling you to terminate for breach of contract.
- Technical Support: How and when can you reach tech support? Who can call tech support? Any user? Or only designated contacts?
- SOC 2: If the solution is hosted in a private data center, the vendor should agree to send you the data center's SOC 2 report annually. The SOC 2 report demonstrates that they have controls in place to mitigate risks to the service they provide.
- Not Withhold Services: Request a general provision prohibiting the vendor from withholding services due to a fee dispute. The return of your data should not be contingent on your payment of all fees owed. If the vendor wants to stop providing services, they must terminate the contract under the termination clause.
- Vendor Financial Condition: Include a provision giving you the right to terminate the agreement in the event of a vendor bankruptcy. If you are not confident of a vendor's financial stability (a small private company, for example), you may require periodic reports on its financial condition, and you want the right to terminate for financial instability.
Signing up for a cloud application is different from purchasing a license for a self-hosted application, and that difference requires a different approach to your contractual arrangement with the vendor. By carefully evaluating the vendor beforehand and ensuring you are contractually protected, you can gain the benefits of cloud computing while mitigating its risks.
GizmoFish is a Boston-based Managed Service Provider dedicated to meeting the unique and evolving needs of clients across all industries. If you need IT assistance that understands the unique characteristics of the Biotech and Life Science industries, you can contact us at 617-965-6800 or provide your contact information below. We keep your business healthy, so that you can keep your customers healthy.