Cloud computing is not a new phenomenon. However, over the past 18-24 months we have worked with an ever increasing number of businesses investing in cloud computing technologies in order to develop their IT systems. We have seen this cloud evolution spread across a number of sectors, from banking to agriculture, and this trend is set to continue.
Having advised on the successful delivery of numerous cloud computing projects, our technology lawyers have identified areas where organisations procuring cloud services can take an early lead in project negotiations.
What is cloud computing?
In brief, cloud computing is the on-demand provision by a cloud service provider (CSP) of one or more of the following services:
- Software as a Service (SaaS) – the remote hosting and management of software applications (e.g. accounting applications, media player, email) and associated support services.
- Platform as a Service (PaaS) – the remote hosting of applications provided by third parties (for example, Microsoft Azure, Amazon’s AWS, the Salesforce Platform and Google Cloud Platform).
- Infrastructure as a Service (IaaS) – the delivery and management of computing resources (such as storage, back-up and recovery) via the internet.
Streamlining project closure and maximising value
Listed below is a non-exhaustive list of common operational/technical issues that arise in the majority of cloud computing projects. All too often we see these issues being negotiated at the very end of a project where both parties are under pressure to close the deal.
In all likelihood we will be raising these questions when we are brought on-board with a project. Therefore, it is advisable that you and the CSP consider the following points as early on in a project as possible. This will help us to help you hit your project timeframe and augment value.
- Timetable. What milestones are you expecting to be hit and by when?
- Detailed service specification. Do both parties understand and agree what services are in, and what services are out, of scope? Has this been clearly documented in a service specification?
- CSP governance. Have you agreed service levels and service credits, service availability and system/helpdesk response times with the CSP?
- Implementation, configuration and testing. Practically, what implementation, configuration and testing steps will you require? Is this provided for in the service specification?
- Cost transparency. Are the charges for the services clearly defined? Do you have visibility of the cost of any service add-ons that you may require in the future?
- Exit management. Data portability will be key to ensure the effective transition to a new service provider on expiry or termination. Practically, have you considered what exit management services you will require? Is exit management provided for in the service specification?
- Data. To what extent is personal data being shared with the CSP? Where will the CSP be storing that personal data (i.e. inside or outside the UK)? Do you have appropriate notices and consents in place to share such personal data with the CSP? Note, personal data may be shared deliberately or inadvertently with the CSP during the pre-contract proposal/tender/testing stages of a project – the GDPR requires that a contract be in place to deal with this data sharing.
- Cybersecurity. What cybersecurity measures is the CSP offering? Are such measures proportionate to the project risk and do such measures align with your technical requirements?
- New software releases. Will you require access to the CSP’s new releases? Do you have visibility as to what (if any) charges will be due in respect of such new releases? From a technical perspective, will you require the opportunity to test any new releases before they “go live”?
- Avoiding lock-in. If you are heavily reliant on one CSP and that CSP has a major outage, this will likely have serious consequences and may impact upon your operational resilience. Have you considered how to mitigate this risk? One option may be to place a copy of the underlying source code into escrow and ensure that the data shared with the CSP is regularly backed-up. The CSP should also be under an obligation to implement adequate disaster recovery and business continuity plans; such an obligation pays dividends when circumstances, such as the current COVID-19 crisis, arise.
- Regulatory compliance. Depending on the sector in which your business operates, there may be regulatory requirements that you and the CSP will need to comply with. This is particularly poignant in the banking and finance sector where the procurement of cloud computing services may be considered to be a critical outsourcing.
Where the points above are agreed (in whole or in part) with the CSP, it is advisable that the agreed position is documented. This will assist with contract drafting and avoid non-linear negotiations.
As with all technology projects, we can add greater value if we are brought on-board with a cloud computing project at an early stage. We can then ensure that any key legal issues are flagged and closed-off without causing slippage to your project timeframe.
If you are in the early stages of a cloud computing project and require advice, please do get in touch.
Enjoy That? You Might Like These: