Tech & Sourcing @ Morgan Lewis

Contract Corner

The “shift to the cloud” continues, with analysts making bold predictions regarding the increase of cloud adoption by companies across almost every industry. Cloud solutions offer many cost, innovation, and scalability opportunities. What is often forgotten or considered late in the process, however, is the change in the risk, compliance, and contracting paradigm that arises with the reliance on a third-party cloud provider. If given the time and attention, these changes can be managed and the risks controlled with appropriate diligence and contracting structures.

Below is a high-level checklist of issues to consider when shifting from an on-prem to a hosted solution or offering:

1. Identify functionality and technical requirements.

  • Document, document, document.
    • Check links and referenced materials.
  • Consider whether there are any differences in functionality between the on-prem and hosted solutions and, if there are gaps, the plan for bridging them.
  • Address any customization or configuration requirements, including associated costs and timelines.
  • Understand how the hosted solution will be accessed.
    • Ensure that the customer has the requisite access capability.
    • Consider if there are any end-client installation requirements.

2. Map out transition plan and include cutover and stabilization criteria as well as acceptance testing roles and requirements.

3. Agree on performance commitments and service levels.

  • Consider service levels in addition to availability, including incident resolution and security patching.
  • Include remedies for failed service levels, such as root cause analysis, remediation, and service level credits.

4. Include mechanisms and rights of parties to make and/or require changes.

  • Consider limitations on the right to make (or decline) changes for a one-to-many model.
  • Consider compatibility impacts and client-end downstream changes that may be required due to a vendor change.

5. Describe maintenance and support services, including resolution services, contact center services and configuration services.

  • Consider the right of the customer to releases, additional functionality, and upgrades.

6. Set out pricing.

  • Understand pricing metrics and how they are calculated.
  • Consider whether and when fees may increase, including due to inflation.
    • Should there be any increases during term or at renewal?
    • Should there be a unilateral right to increase?
    • Should there be caps on increases?
  • Add the timing of payments.

7. Consider the location of the following:

  • Servers/hosting environment
  • Secondary and non-production environments
  • Where other services are provided

8. Include what access rights the customer and its users have to the environment and the data.

  • Are there limitations?
  • How is data returned?

9. Address security requirements, including the following:

  • Access and security controls (including passwords)
  • Security incident protocols and responsibilities
  • Background check requirements

10. Ensure third-party access and use rights.

  • Check that potential third parties include contractors, advisors, and outsourcing partners.

11. Address potential corporate events, including the following:

  • Acquisitions
  • Divestitures (including transition service periods and assignment rights)
  • Increase or downturn in business

12. Pay close attention to ownership, rights to use, and retention of data, including data that has been:

  • Submitted
  • Processed
  • Produced
  • Aggregated

13. Address continuity issues, including the following:

  • Impact of force majeure
  • Disaster recovery
  • Vendor right to suspend or cut off services
  • Other termination rights
  • Post-termination assistance

14. Perform appropriate due diligence, including:

  • Financial viability of vendor
  • Insurance coverage

15. Confirm audit rights and requirements, including:

  • Audits by the customer’s internal and external auditors and regulators
  • Documenting audit coverage, including SSAE 18 reports

The above list is in no way exhaustive, but it should serve as a starting point for flagging issues and initiating discussions with the business and IT teams.