Software as a Service Agreements

Transcription

1 A Better Partnership Software as a Service Agreements Janet Knaus, Nate Steed and Ken Coleman 2013 Warner Norcross & Judd LLP. All rights reserved. WNJ.com

2 2013 Warner Norcross & Judd LLP. All rights reserved. Page 2

3 Distinct Delivery Models 1. Infrastructure as a Service (IaaS) 2. Platform as a Service (PaaS) 3. Software as a Service (SaaS) 2013 Warner Norcross & Judd LLP. All rights reserved. Page 3

4 Software as a Service (SaaS) Business application delivered over the Internet in which users interact with the application through a web browser. Vendor provides the business application in a complete, ready-to-run state, with the application residing on computing infrastructure that is either owned or managed by the SaaS vendor or outsourced to a third-party vendor in a hosted or IaaS model Warner Norcross & Judd LLP. All rights reserved. Page 4

5 Key Considerations 1. Data Type of data (e.g., PHI, PII, PCI, highly sensitive corporate) Geographic location of the owners of the data and the data itself 2. Nature of the business application(s) (e.g., mission critical) 2013 Warner Norcross & Judd LLP. All rights reserved. Page 5

6 Pre-Contracting Due Diligence Mechanisms include questionnaires, requests for proposals, interviews, reference checks and review of any public filings. One of the goals is to identify gaps in your requirements and the ability of the provider to meet those requirements Warner Norcross & Judd LLP. All rights reserved. Page 6

7 Pre-Contracting Due Diligence The process should elicit information about the provider regarding: its history of compliance its insurance coverage and claims history the financial condition of the provider its security infrastructure, including the policies and procedures it has in place to ensure the administrative, technical, and physical security of the data it handles the location of the data its use of subcontractors its existing service levels and capacity to increase those levels its disaster recovery and business continuity processes 2013 Warner Norcross & Judd LLP. All rights reserved. Page 7

8 Contract Structure Click-through agreements Referenced terms posted on website. Concerns: Unilateral amendments No notices of changes 2013 Warner Norcross & Judd LLP. All rights reserved. Page 8

9 Key Contract Issues 1. Data processing and storage 2. Security 3. Service level agreements (SLAs) 2013 Warner Norcross & Judd LLP. All rights reserved. Page 9

10 Data Processing and Storage 1. Data conversion 2. Ownership 3. Use of data by the provider 4. Location 5. ediscovery 6. Data transition 2013 Warner Norcross & Judd LLP. All rights reserved. Page 10

11 Data Conversion Determine whether: Your data from legacy systems can be directly imported into the provider's software; data conversion is needed; and if needed, data conversion will be done at the provider's or your cost. When checking the provider's references, ask about other customers' data migration experiences. Consider a test run to determine the ease or difficulty of the provider's mapping scheme Warner Norcross & Judd LLP. All rights reserved. Page 11

12 Ownership of Data The contract should clearly affirm your ownership of data that will reside on the provider's system. Depending on the nature of your data and how it is processed, you might need to negotiate language to affirm your ownership of the results of any processing of its data that occurs on the provider's system Warner Norcross & Judd LLP. All rights reserved. Page 12

13 Provider's Use of Customer Information Require that the provider to maintain the confidentiality of your information and expressly prohibit the provider from using for any other purpose except in its performance of the agreement. Specify which, if any, uses of your data are permitted (e.g., aggregated, de-identified data to provide customers within an industry with data trending and analysis) Warner Norcross & Judd LLP. All rights reserved. Page 13

14 Location of Data List all locations and service providers that store, process, transmit or access your data. Require prior consent before the data can be moved outside of specific pre-defined countries Warner Norcross & Judd LLP. All rights reserved. Page 14

15 E-Discovery Central Question: Do you have sufficient contractual rights from the provider to meet obligations to which you yourself are subject? 2013 Warner Norcross & Judd LLP. All rights reserved. Page 15

16 ediscovery You should try to include the following types of clauses in order to mitigate your e-discovery risks: Ownership of data. Right to export data and method of doing so. Storage and export of data (including corresponding metadata) in specified form. Accessibility of data on-demand and by counsel and e- discovery vendors as designated by the business. Establishment of time periods the provider will keep data before deleting it pursuant to the business s and/or provider s retention schedules Warner Norcross & Judd LLP. All rights reserved. Page 16

17 ediscovery Suspension of auto-delete settings and retention schedules when litigation is reasonably anticipated. Limitation (or at least identification) of physical locations where data may be stored. Implementation of specified security measures to protect against unauthorized third-party access. Notification of any data breaches. Notification of any requests for data by third-parties in advance of any production so that the business can oppose or take action to limit the disclosure of data Warner Norcross & Judd LLP. All rights reserved. Page 17

18 Data Transition Include the right to access data during the term and upon termination or expiration of the agreement: Include the timeframe within which the provider needs to provide access and/or return data. Identify the appropriate data format. Data provided in a proprietary or otherwise inaccessible format will be of little or no use Warner Norcross & Judd LLP. All rights reserved. Page 18

19 Data Transition Require the provider to destroy all remaining customer information on the provider's servers at termination Warner Norcross & Judd LLP. All rights reserved. Page 19

20 Security 1. Policies 2. Audits and certifications 3. Breaches 2013 Warner Norcross & Judd LLP. All rights reserved. Page 20

21 Security Policies Have a data security professional review the provider's security policies. If acceptable, incorporate the provider's hardware, software and data security policies in the agreement. Verify the provider's data security capabilities through a third party's physical visit or an industryapproved audit process Warner Norcross & Judd LLP. All rights reserved. Page 21

22 Security Audits and Certifications There is no common standard for cloud computing certifications Most commonly used SSAE 16 SOC 2 (replaced SAS70) Other currently used cloud computing certifications include: 1. Systrust issued by the AICPA 2. ISO issued by the International Standards Organization 3. Certification under the Federal Information Security Management Act (FISMA) Warner Norcross & Judd LLP. All rights reserved. Page 22

23 Security Breaches Require that if a breach of security or confidentiality occurs necessitating notice to your employees, customers or others under applicable privacy law: you have sole control over the timing, content and method of the notice; and the provider is prohibited from notifying affected customers unless the customer explicitly directs the provider in writing to do so. Require the provider to reimburse you for your out-of-pocket costs and expenses (including remediation costs). Exclude these costs from the disclaimers of certain damages Warner Norcross & Judd LLP. All rights reserved. Page 23

24 Service Leval Agreements (SLAs) Types: 1. Uptime 2. Performance and response time 3. Problem resolution time 4. Infrastructure/security 2013 Warner Norcross & Judd LLP. All rights reserved. Page 24

25 Uptime SLA Requires that the software be available for access and use for a certain percentage of time during specified hours, as measured over an agreed time period. Define the term "unavailability" to include both severe performance degradation and inoperability of any software feature Warner Norcross & Judd LLP. All rights reserved. Page 25

26 Uptime SLA Require prior notice of scheduled downtimes and require that they occur during specified time periods so they align with the times your institution has critical access. Require the provider to proactively detect downtime by constant monitoring of its servers Warner Norcross & Judd LLP. All rights reserved. Page 26

27 Problem Resolution SLA Include a service level escalation matrix designating levels of severity for performance issues, and specifying timetables for the provider to correct or provide an acceptable workaround for those issues. Response time measurements should require the provider to correct (not merely to respond to) a problem within a specified period Warner Norcross & Judd LLP. All rights reserved. Page 27

28 SLA for SLA Failures Typically in the form of a credit. Require that a root cause analysis be performed after any service level failure to determine its cause and prevent future failures. Include the right to terminate for cause for repeated failures Warner Norcross & Judd LLP. All rights reserved. Page 28

29 Disaster Recovery and Business Continuity Compare the provider's data back-up practices and policies, including the frequency of its partial and periodic full backups, to the your back-up requirements. Require the provider to demonstrate and promise that it will provide business continuity by making the software available even during a disaster, power outage or similarly significant event Warner Norcross & Judd LLP. All rights reserved. Page 29

30 Force Majeure With the exception of general and widespread internet or telecommunications failures, exclude disruptions of the provider's telecommunication or internet services from the definition of a force majeure event. Make clear that force majeure events do not relieve the provider of its disaster recovery and business continuity obligations Warner Norcross & Judd LLP. All rights reserved. Page 30

31 Force Majeure Paige, While I realize that the carve out for payment as an exception to force majeure has become common, I see no reason why it should be so. The Russian meteorite from earlier this year caused me to rethink many things, including that specific provision. It seems to me that if our accounts payable department was quite literally struck by a similar calamity, GEIP could understand that our payment may be delayed. Mary is tough, but I m not sure how quickly she could recover from a meteorite, sinkhole, or other similar events. Thanks, Nate 2013 Warner Norcross & Judd LLP. All rights reserved. Page 31

32 A Better Partnership Bring Your Own Device 2013 Warner Norcross & Judd LLP. All rights reserved. WNJ.com

33 Why The Trend? 93% of the world s information is created and stored electronically 247+ billion s are sent each day 70% of the world s population now has a mobile phone 70 million phones are lost every year Every six months SMS traffic volumes increase by at least 37% Apple sold 5 million iphone 5 in three days 2013 Warner Norcross & Judd LLP. All rights reserved. Page 33

34 The Problem Employee dictates a voice memo on iphone containing sensitive sales information. She takes her iphone home and syncs it with home computer to download latest songs. Her son later syncs his ipod to computer, including the playlist Recently Added. Her son is now walking around with sensitive company information on his ipod Warner Norcross & Judd LLP. All rights reserved. Page 34

35 The Problem Employee uses his ipad at the office. He is passed over for a promotion, leaves without incident and then relocates across the country. Your company is then involved in litigation and required to produce documents, some of which are saved in the ipad s GoodReader app Warner Norcross & Judd LLP. All rights reserved. Page 35

36 The Problem 2013 Warner Norcross & Judd LLP. All rights reserved. Page 36

37 Security Company owned device vs. employee owned Applicability of policies to employee devices Company compliance with its own security program Regulatory requirements Protection of trade secrets Incident response 2013 Warner Norcross & Judd LLP. All rights reserved. Page 37

38 Privacy Employees personal communications Employee data Policies and procedures Other employee activities 2013 Warner Norcross & Judd LLP. All rights reserved. Page 38

39 Accessibility Accessibility Audit rights Litigation holds E-Discovery Destruction of confidential information Prohibit bricked or jailbroken devices Overtime pay 2013 Warner Norcross & Judd LLP. All rights reserved. Page 39

40 A Better Partnership Software Audits 2013 Warner Norcross & Judd LLP. All rights reserved. WNJ.com

41 Steady Increase in Audits 2011 Gartner study Of 228 responders, 65% indicated they had been audited by at least one vendor within last 12 months 2013 Warner Norcross & Judd LLP. All rights reserved. Page 41

42 Top Auditing Vendors Adobe Attachmate Autodesk IBM Info Informatica Microsoft Oracle SAP Symantec VMware Source: 2011 Gartner survey 2013 Warner Norcross & Judd LLP. All rights reserved. Page 42

43 No. 1 Auditing Vendor 2013 Warner Norcross & Judd LLP. All rights reserved. Page 43

44 The Audit Notice I am writing to advise you that your enterprise has been selected for a software license review Warner Norcross & Judd LLP. All rights reserved. Page 44

45 The Audit Notice 2013 Warner Norcross & Judd LLP. All rights reserved. Page 45

46 IBM - Primary areas of risk Acquisitions practice is to migrate acquired products to Passport Advantage within months of acquisition 2013 Warner Norcross & Judd LLP. All rights reserved. Page 46

47 Risk - Acquisitions Change in licensing models and process through "blue washing" Blue washing is the term IBM uses when they release updated code and change the licensing metrics for products acquired from other vendors 2013 Warner Norcross & Judd LLP. All rights reserved. Page 47

48 IBM - Primary areas of risk International Passport Advantage Agreement (IPAA) effective July 18, 2011 Major changes: All or nothing subscription and support Full capacity/sub-capacity reporting requirements 2013 Warner Norcross & Judd LLP. All rights reserved. Page 48

49 IPPA Prior Version Changes to the Agreement Terms. IBM may change the terms of this Agreement by giving the Customer Originating Company three months written notice by letter or . Such change applies as of the date IBM specifies in the notice. You agree that you have consented to any such change if you do not notify IBM in writing, prior to the effective date specified in IBM s written notice, that you disagree with the change. IBM may add or withdraw Eligible Products or change an Eligible Product s SVP or point value at any time. Otherwise, for a change to be valid, both the Customer Originating Company and the IBM Originating Company must sign it. Additional or different terms in any order or written communication from you are void Warner Norcross & Judd LLP. All rights reserved. Page 49

50 IBM Primary areas of risk 2-3 year recurring audit cycles Mainframe System z programs added to audit process in Warner Norcross & Judd LLP. All rights reserved. Page 50

51 Microsoft 30,000 audits on small to midsize companies (500-2,000 computers) in Warner Norcross & Judd LLP. All rights reserved. Page 51

52 Microsoft 2 Types of Audits 2 Types of audits: 1. Software Asset Management (SAM) voluntary audit 2. Legal Contract and Compliance Audit (LCC Audit) Serious infractions; and Those who Refuse to participate in the SAM audit 2013 Warner Norcross & Judd LLP. All rights reserved. Page 52

53 Oracle - Primary areas of risk 1. Change in licensing metrics in ordering documents 2. Oracle only recognizes hard-partitioning as method of isolating use of Processor and Named User Plus licenses for the Oracle Database and other Infrastructure licenses 2013 Warner Norcross & Judd LLP. All rights reserved. Page 53

54 Attachmate 2013 Warner Norcross & Judd LLP. All rights reserved. Page 54

55 Attachmate 2013 Warner Norcross & Judd LLP. All rights reserved. Page 55

56 Questions 2013 Warner Norcross & Judd LLP. All rights reserved. Page 56