Software as a Service Agreements


A Better Partnership
Software as a Service Agreements
Janet Knaus, Nate Steed and Ken Coleman
2013 Warner Norcross & Judd LLP. All rights reserved. WNJ.com


Distinct Delivery Models
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)

Software as a Service (SaaS)
Business application delivered over the Internet in which users interact with the application through a web browser. The vendor provides the business application in a complete, ready-to-run state, with the application residing on computing infrastructure that is either owned or managed by the SaaS vendor or outsourced to a third-party vendor in a hosted or IaaS model.

Key Considerations
1. Data
   - Type of data (e.g., PHI, PII, PCI, highly sensitive corporate)
   - Geographic location of the owners of the data and the data itself
2. Nature of the business application(s) (e.g., mission critical)

Pre-Contracting Due Diligence
Mechanisms include questionnaires, requests for proposals, interviews, reference checks and review of any public filings. One of the goals is to identify gaps between your requirements and the provider's ability to meet those requirements.

Pre-Contracting Due Diligence
The process should elicit information about the provider regarding:
- its history of compliance
- its insurance coverage and claims history
- the financial condition of the provider
- its security infrastructure, including the policies and procedures it has in place to ensure the administrative, technical, and physical security of the data it handles
- the location of the data
- its use of subcontractors
- its existing service levels and capacity to increase those levels
- its disaster recovery and business continuity processes

Contract Structure
- Click-through agreements
- Referenced terms posted on website
Concerns:
- Unilateral amendments
- No notices of changes

Key Contract Issues
1. Data processing and storage
2. Security
3. Service level agreements (SLAs)

Data Processing and Storage
1. Data conversion
2. Ownership
3. Use of data by the provider
4. Location
5. E-discovery
6. Data transition

Data Conversion
Determine whether:
- your data from legacy systems can be directly imported into the provider's software;
- data conversion is needed; and
- if needed, data conversion will be done at the provider's or your cost.
When checking the provider's references, ask about other customers' data migration experiences. Consider a test run to determine the ease or difficulty of the provider's mapping scheme.

Ownership of Data
The contract should clearly affirm your ownership of data that will reside on the provider's system. Depending on the nature of your data and how it is processed, you might need to negotiate language to affirm your ownership of the results of any processing of your data that occurs on the provider's system.

Provider's Use of Customer Information
Require the provider to maintain the confidentiality of your information and expressly prohibit the provider from using it for any purpose other than its performance of the agreement. Specify which, if any, uses of your data are permitted (e.g., aggregated, de-identified data used to provide customers within an industry with data trending and analysis).

Location of Data
- List all locations and service providers that store, process, transmit or access your data.
- Require prior consent before the data can be moved outside of specific pre-defined countries.

E-Discovery
Central question: Do you have sufficient contractual rights from the provider to meet obligations to which you yourself are subject?

E-Discovery
You should try to include the following types of clauses in order to mitigate your e-discovery risks:
- Ownership of data.
- Right to export data and the method of doing so.
- Storage and export of data (including corresponding metadata) in a specified form.
- Accessibility of data on demand and by counsel and e-discovery vendors as designated by the business.
- Establishment of the time periods the provider will keep data before deleting it pursuant to the business's and/or provider's retention schedules.

E-Discovery
- Suspension of auto-delete settings and retention schedules when litigation is reasonably anticipated.
- Limitation (or at least identification) of the physical locations where data may be stored.
- Implementation of specified security measures to protect against unauthorized third-party access.
- Notification of any data breaches.
- Notification of any requests for data by third parties in advance of any production, so that the business can oppose or take action to limit the disclosure of data.

Data Transition
Include the right to access data during the term and upon termination or expiration of the agreement:
- Include the timeframe within which the provider needs to provide access and/or return data.
- Identify the appropriate data format. Data provided in a proprietary or otherwise inaccessible format will be of little or no use.

Data Transition
Require the provider to destroy all remaining customer information on the provider's servers at termination.

Security
1. Policies
2. Audits and certifications
3. Breaches

Security Policies
- Have a data security professional review the provider's security policies.
- If acceptable, incorporate the provider's hardware, software and data security policies in the agreement.
- Verify the provider's data security capabilities through a third party's physical visit or an industry-approved audit process.

Security Audits and Certifications
- There is no common standard for cloud computing certifications.
- Most commonly used: SSAE 16 SOC 2 (replaced SAS 70).
- Other currently used cloud computing certifications include:
  1. SysTrust, issued by the AICPA
  2. ISO 27001, issued by the International Standards Organization
  3. Certification under the Federal Information Security Management Act (FISMA)

Security Breaches
Require that if a breach of security or confidentiality occurs necessitating notice to your employees, customers or others under applicable privacy law:
- you have sole control over the timing, content and method of the notice; and
- the provider is prohibited from notifying affected customers unless the customer explicitly directs the provider in writing to do so.
Require the provider to reimburse you for your out-of-pocket costs and expenses (including remediation costs). Exclude these costs from the disclaimers of certain damages.

Service Level Agreements (SLAs)
Types:
1. Uptime
2. Performance and response time
3. Problem resolution time
4. Infrastructure/security

Uptime SLA
Requires that the software be available for access and use for a certain percentage of time during specified hours, as measured over an agreed time period. Define the term "unavailability" to include both severe performance degradation and inoperability of any software feature.

Uptime SLA
- Require prior notice of scheduled downtimes, and require that they occur during specified time periods so they align with the times your institution has critical access.
- Require the provider to proactively detect downtime by constant monitoring of its servers.

Problem Resolution SLA
- Include a service level escalation matrix designating levels of severity for performance issues, and specifying timetables for the provider to correct or provide an acceptable workaround for those issues.
- Response time measurements should require the provider to correct (not merely to respond to) a problem within a specified period.

SLA for SLA Failures
- Typically in the form of a credit.
- Require that a root cause analysis be performed after any service level failure to determine its cause and prevent future failures.
- Include the right to terminate for cause for repeated failures.
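The uptime, problem-resolution and SLA-failure slides above describe how availability is measured and what follows when the target is missed. The script below is an added example and is not part of the presentation or the firm's material. It assumes hypothetical contract numbers (a 99.9% target, a 2-second "severe degradation" threshold, a tiered credit schedule, and three consecutive missed periods as the trigger for termination for cause) and uses constructed one-minute monitoring samples. It shows why the contract definitions matter in practice: a slow response or a broken feature counts as unavailability even though the application "answered", and only announced scheduled-downtime windows are carved out of the measurement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical SLA parameters: the slides name the concepts, the numbers are assumed here.
TARGET_AVAILABILITY = 99.9        # required availability (%) over the measurement period
DEGRADATION_THRESHOLD_MS = 2000   # responses slower than this count as "severe degradation"
REPEATED_FAILURE_LIMIT = 3        # consecutive missed periods before termination for cause
# Assumed credit schedule: (availability floor %, credit as % of the period fee), highest floor first.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


@dataclass
class Sample:
    at: datetime
    ok: bool                      # the probe received a response at all
    latency_ms: Optional[int]     # None when the probe failed outright
    feature_broken: bool = False  # a feature check failed even though the app responded


Window = Tuple[datetime, datetime]


def is_unavailable(s: Sample) -> bool:
    """Contract definition of 'unavailability': any inoperable feature or severe degradation,
    not only a complete outage."""
    if not s.ok or s.feature_broken:
        return True
    return s.latency_ms is not None and s.latency_ms > DEGRADATION_THRESHOLD_MS


def in_scheduled_downtime(t: datetime, windows: List[Window]) -> bool:
    return any(start <= t < end for start, end in windows)


def availability_percent(samples: List[Sample], windows: List[Window]) -> float:
    """Availability over the samples, excluding only announced scheduled-downtime windows."""
    measured = [s for s in samples if not in_scheduled_downtime(s.at, windows)]
    if not measured:
        return 100.0
    down = sum(1 for s in measured if is_unavailable(s))
    return 100.0 * (len(measured) - down) / len(measured)


def credit_percent(availability: float) -> int:
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def evaluate_period(samples: List[Sample], windows: List[Window], period_fee: float) -> dict:
    avail = availability_percent(samples, windows)
    met = avail >= TARGET_AVAILABILITY
    pct = credit_percent(avail)
    return {
        "availability": avail,
        "met": met,
        "credit_pct": pct,
        "credit_amount": round(period_fee * pct / 100, 2),
        "rca_required": not met,  # root cause analysis after any service level failure
    }


def termination_for_cause(period_results: List[dict]) -> bool:
    """Repeated failures: REPEATED_FAILURE_LIMIT consecutive periods below target."""
    streak = 0
    for r in period_results:
        streak = 0 if r["met"] else streak + 1
        if streak >= REPEATED_FAILURE_LIMIT:
            return True
    return False


def constructed_day() -> Tuple[List[Sample], List[Window]]:
    """Constructed monitoring data (not real measurements): one probe per minute for 24 hours."""
    start = datetime(2013, 6, 1)
    samples = []
    for m in range(1440):
        t = start + timedelta(minutes=m)
        if 120 <= m < 180:       # 02:00-03:00: announced maintenance, probes fail
            samples.append(Sample(t, False, None))
        elif 600 <= m < 610:     # a 10-minute outage
            samples.append(Sample(t, False, None))
        elif 700 <= m < 705:     # the app answers, but far too slowly
            samples.append(Sample(t, True, 3500))
        elif m == 800:           # one minute in which a feature check fails
            samples.append(Sample(t, True, 150, feature_broken=True))
        else:
            samples.append(Sample(t, True, 150))
    windows = [(start + timedelta(hours=2), start + timedelta(hours=3))]
    return samples, windows


if __name__ == "__main__":
    samples, windows = constructed_day()
    print(evaluate_period(samples, windows, period_fee=10000.0))
    # Without the scheduled-downtime carve-out the same day scores much worse:
    print(evaluate_period(samples, [], period_fee=10000.0))
```

Run as a script, the first line reports the day at roughly 98.84% availability (a missed target and a 25% credit under the assumed schedule); the second shows that, if the contract did not carve out announced maintenance, the same probes would score below 95%. The point for negotiation is that the measurement rules (what counts as "unavailable", what is excluded, and over what period) decide the outcome as much as the headline percentage does.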

Disaster Recovery and Business Continuity
- Compare the provider's data back-up practices and policies, including the frequency of its partial and periodic full backups, to your back-up requirements.
- Require the provider to demonstrate and promise that it will provide business continuity by making the software available even during a disaster, power outage or similarly significant event.

Force Majeure
- With the exception of general and widespread internet or telecommunications failures, exclude disruptions of the provider's telecommunication or internet services from the definition of a force majeure event.
- Make clear that force majeure events do not relieve the provider of its disaster recovery and business continuity obligations.

Force Majeure
Paige,
While I realize that the carve out for payment as an exception to force majeure has become common, I see no reason why it should be so. The Russian meteorite from earlier this year caused me to rethink many things, including that specific provision. It seems to me that if our accounts payable department was quite literally struck by a similar calamity, GEIP could understand that our payment may be delayed. Mary is tough, but I'm not sure how quickly she could recover from a meteorite, sinkhole, or other similar events.
Thanks,
Nate

A Better Partnership
Bring Your Own Device

Why The Trend?
- 93% of the world's information is created and stored electronically
- 247+ billion emails are sent each day
- 70% of the world's population now has a mobile phone
- 70 million phones are lost every year
- Every six months SMS traffic volumes increase by at least 37%
- Apple sold 5 million iPhone 5 devices in three days

The Problem
An employee dictates a voice memo on her iPhone containing sensitive sales information. She takes her iPhone home and syncs it with her home computer to download the latest songs. Her son later syncs his iPod to the computer, including the playlist "Recently Added". Her son is now walking around with sensitive company information on his iPod.

The Problem
An employee uses his iPad at the office. He is passed over for a promotion, leaves without incident and then relocates across the country. Your company is then involved in litigation and required to produce documents, some of which are saved in the iPad's GoodReader app.

The Problem

Security
- Company owned device vs. employee owned
- Applicability of policies to employee devices
- Company compliance with its own security program
- Regulatory requirements
- Protection of trade secrets
- Incident response

Privacy
- Employees' personal communications
- Employee data
- Policies and procedures
- Other employee activities

Accessibility
- Accessibility
- Audit rights
- Litigation holds
- E-Discovery
- Destruction of confidential information
- Prohibit bricked or jailbroken devices
- Overtime pay

A Better Partnership
Software Audits

Steady Increase in Audits
2011 Gartner study: of 228 responders, 65% indicated they had been audited by at least one vendor within the last 12 months.

Top Auditing Vendors
- Adobe
- Attachmate
- Autodesk
- IBM
- Info
- Informatica
- Microsoft
- Oracle
- SAP
- Symantec
- VMware
Source: 2011 Gartner survey

No. 1 Auditing Vendor

The Audit Notice
"I am writing to advise you that your enterprise has been selected for a software license review..."

The Audit Notice

IBM - Primary areas of risk
Acquisitions: practice is to migrate acquired products to Passport Advantage within 12-18 months of acquisition

Risk - Acquisitions
- Change in licensing models and process through "blue washing"
- Blue washing is the term IBM uses when they release updated code and change the licensing metrics for products acquired from other vendors

IBM - Primary areas of risk
International Passport Advantage Agreement (IPAA) effective July 18, 2011
Major changes:
- All or nothing subscription and support
- Full capacity/sub-capacity reporting requirements

IPAA Prior Version
Changes to the Agreement Terms. IBM may change the terms of this Agreement by giving the Customer Originating Company three months written notice by letter or e-mail. Such change applies as of the date IBM specifies in the notice. You agree that you have consented to any such change if you do not notify IBM in writing, prior to the effective date specified in IBM's written notice, that you disagree with the change. IBM may add or withdraw Eligible Products or change an Eligible Product's SVP or point value at any time. Otherwise, for a change to be valid, both the Customer Originating Company and the IBM Originating Company must sign it. Additional or different terms in any order or written communication from you are void.

IBM - Primary areas of risk
- 2-3 year recurring audit cycles
- Mainframe System z programs added to the audit process in 2011

Microsoft
30,000 audits on small to midsize companies (500-2,000 computers) in 2013-2014

Microsoft: 2 Types of Audits
1. Software Asset Management (SAM) voluntary audit
2. Legal Contract and Compliance Audit (LCC Audit)
   - Serious infractions; and
   - Those who refuse to participate in the SAM audit

Oracle - Primary areas of risk
1. Change in licensing metrics in ordering documents
2. Oracle only recognizes hard-partitioning as the method of isolating use of Processor and Named User Plus licenses for the Oracle Database and other Infrastructure licenses

Attachmate

Attachmate

Questions