TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

In April, we shared a LawFlash, Outsourcing and Managed Services Agreements During COVID-19: Our Perspective. With the continued and unprecedented impact of the coronavirus (COVID-19) pandemic on business operations, we thought it would be timely to provide a brief update on five top-of-mind issues that we are addressing with outsourcing and managed services clients.

Remote Working

  • Many outsourcing and managed services agreements include strict requirements on the location of personnel, including the location of certain personnel onsite at a customer site and/or the location of offshore personnel at secure delivery centers with no permitted remote working. These physical location restrictions often are coupled with requirements with respect to the type of technology that can be used when connecting to or accessing the customer’s systems or interacting with end users (such as hardened desktops only, no personal devices), security requirements and detailed connectivity and bandwidth requirements (particularly if there are end user facing activities such as call centers).

There are two primary models by which vendors will make software available to customers: (1) software as a service (SaaS); and (2) on-premise. In a SaaS model, the vendor provides, maintains, and hosts (either itself or through a hosting SaaS vendor) the desired software, and grants the customer access to the software functionality via the internet. In an on-premise model, however, the vendor will deliver the software (either physically or through a file transfer system) for the customer to install on its servers behind the customer’s firewall.

In cloud services, whether it is infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), service availability is often a significant customer concern because the customer is relying on the vendor to provide and manage the infrastructure and related components that are necessary to provide the services. To address this concern, vendors will often provide a Service Level Agreement (SLA) containing a commitment that the service will be available for a percentage of time (e.g., 99.9%) during a certain period (e.g., week, month, or quarter). This is often referred to as an uptime or availability commitment. When reviewing and negotiating an SLA with an uptime commitment, it is important to consider the following issues.

Uptime Percentage

Given the different types of cloud services and how those services are used, there is no standard uptime commitment provided by vendors. Rather, uptime commitments can range from 99.999% to 97% or even lower. It is also not uncommon for vendors to provide different uptime commitments for different parts of the service. Ultimately, a vendor’s uptime commitment will depend on a variety of factors, including the type of service, how a customer will use the service, negotiating leverage, and vendor’s business model.

Open Banking is an initiative mandated by the UK’s Competition and Markets Authority (CMA) in 2017. It is intended to facilitate better competition in the banking sector by mandating protocols that facilitate the secure sharing of customer-related data of the nine largest banks in the United Kingdom (CMA9) with third-party providers (TPPs).

Open Banking is developed and delivered in the United Kingdom by the Open Banking Implementation Entity (OBIE). The OBIE was established by the CMA and is funded by the CMA9. The CMA’s UK Retail Banking Market Investigation Order 2017 (Order), which applies only to the CMA9, requires the CMA9 to provide their customers with the ability to access and share their account data on an ongoing basis with TPPs through the use of specified application programme interfaces (APIs). This complements the reforms under the EU’s Second Payment Directive (as transposed in the United Kingdom primarily by the Payment Services Regulations 2017), which requires all payment account providers to permit open access to payment accounts for authorized TPPs, but which does not specify the means of access or prescribe the scope of access in any detail.

A shrinking in traditional outsourcing deal volumes since the United Kingdom's EU membership referendum vote on June 23, 2016, is being partially attributed to business caution following the “Brexit” decision.

According to consultants ISG, the traditional sourcing market in the UK pre-Brexit referendum had a deal volume of circa $900 million per quarter. However, the UK outsourcing market has only achieved this level of activity in one quarter since the referendum.

Authored by Barbara Murphy Melby, Christopher C. Archer, and Jay Preston

In Part 1 of this Contract Corner on Software as a Service (SaaS) agreements, we discussed ownership and use issues in SaaS transactions where the application is provided and hosted as a dedicated instance with common base software (sometimes with customization or variation) but running as a separate instance in a dedicated environment.

In this Part 2, we will look at ownership and use issues in transactions where the application is provided and hosted in a multitenant environment, with one common application layer and hosting environment that is logically partitioned by customer.

As noted in Part 1, when thinking about ownership and other intellectual rights in SaaS deals, we generally consider the following categories, discussed in more detail below. As with any solution there can be variations and customer-specific needs that drive different requirements.

Authored by Barbara Murphy Melby, Christopher C. Archer, and Jay Preston

In the typical SaaS scenario, the SaaS vendor provides, maintains, and hosts (either itself or through a hosting SaaS vendor) the desired application layer, and grants the customer and its authorized users access to the application functionality via the internet. At a high level, there are two variations of this scenario:

  • The application is provided and hosted as a dedicated instance, with common base software (sometimes with customization or variation) but running as a separate instance in a dedicated environment.
  • The application is provided and hosted in a multitenant environment, with one common application layer and hosting environment that is logically partitioned by the customer.

In this Contract Corner series, we will look at ownership issues in SaaS solutions in two parts, with different perspectives based on whether the solution utilizes a dedicated instance (Part 1) or a multitenant environment (Part 2).

Cybersecurity remains at the top of the list of risk concerns when organizations outsource IT and other functions leveraging cloud-based solutions. While there are no guaranteed methods to fully eradicate cybersecurity risks, companies should consider taking the following steps to mitigate the risk.

#1 – Diligence!

As a first step, it is helpful to define the minimal security controls that you will require your outsourcer to implement and adhere to, and then compare your organization’s own security requirements to the outsourcer’s solution. You can begin by forming a cross-functional due diligence team with stakeholders such as IT security, internal audit, compliance, and business owners to conduct robust and meaningful reviews of an outsourcer’s security solution and evaluate essential factors, including the following:

  • Types of data
  • How data is flowing and transferred
  • Location of data
  • How your organization’s privacy policies align with the outsourcer’s
  • Encryption requirements and access control processes
  • How remote access is handled
  • Whether the outsourcer follows industry best practices and regularly monitors and audits its controls
  • How the outsourcer uses subcontractors
  • Applicable laws and regulations