Tech & Sourcing @ Morgan Lewis


In Part 1 of this Contract Corner, we discussed the importance of evaluating the types of data to be processed or accessed by a service provider at the beginning of the contracting process and key considerations to address when defining the types of data in the services contract.

This Part 2 highlights issues to consider with respect to the ownership and control of company data.

Retain Ownership and Control of the Data

To help ensure that company data remains “safe” with a service provider, contractual provisions regarding ownership, control, and access to the data should not be overlooked or forgotten. Below we discuss some key concepts to consider.

Ownership: The contract should clearly state that, as between the company and the service provider, all “company data” (as defined) is and shall remain the property of the company and shall be deemed the company’s confidential information. As with other intellectual property, consider adding a present assignment of rights (if any) in such data from the service provider back to the company.

Use Rights: After establishing clear ownership rights, consider what use rights the service provider requires to provide the services under the agreement. Consider the following:

  • Include a provision that, without the company’s approval (in its sole discretion), the company data shall not be used by the service provider other than as necessary for the service provider’s performance under the agreement and solely in connection with providing the services
  • In addition, the contract should expressly restrict the service provider from commercially exploiting the company data and from disclosing, selling, assigning, or otherwise providing the data to third parties without the company’s consent
  • Some service providers may be interested in using a service recipient’s data (or components thereof) in aggregated and de-identified form for the purposes of improving their services. Consider whether your company will allow this right and whether additional restrictions should be added to the contract, including that the service provider shall not reverse engineer, combine, anonymize, de-identify, aggregate, or commingle any company data. If aggregated data use is permitted, be sure to make clear that such data must not permit the identification of the company, its data, or any of its confidential or proprietary information (including employees and customers)

Access and Return: Retaining access to data is critical, both during the term of the agreement and upon expiration or termination. The contract should address the following:

  • Upon the company’s request at any time, the service provider should be obligated (at no charge) to promptly return the company data and/or provide access to the company data, in the format and on the media requested by the company
  • In addition, the service provider should be obligated to erase or destroy all or any part of the company data in its possession upon request by the company
  • The service provider should be responsible for developing and maintaining procedures for the reconstruction of lost company data in its possession or control, and should be obligated to correct or restore any lost, destroyed, or altered data in its possession or control at no charge

Retention: Proper retention of company data is another critical component of data protection. As part of the services, the service provider should be obligated to assist the company in meeting the company’s legal obligations with respect to the retention of data and records in the service provider’s control. Consider whether the service provider must follow the company’s record retention policies or if the service provider’s policies are sufficient for this purpose.

Legal Holds: Building on the general retention obligations of the service provider, consider whether the data at issue could be subject to a legal hold that would require cooperation and assistance from the service provider. If, for instance, certain data will be hosted and backed up by the service provider, then the company may require assistance in complying with litigation holds. Appropriate contract language should be added to set forth the process for notifying the service provider of a legal hold and the service provider’s commitments with respect to any such legal hold, such as preservation of and/or access to the data and the expected time period for the hold.

This post is part of our recurring Contract Corner series. Part 3 will address operational security requirements in services agreements.