TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

A decline in traditional outsourcing deal volumes since the United Kingdom's EU membership referendum on June 23, 2016, is being partially attributed to business caution following the “Brexit” decision.

According to consultants ISG, the traditional sourcing market in the UK pre-Brexit referendum had a deal volume of circa $900 million per quarter. However, the UK outsourcing market has only achieved this level of activity in one quarter since the referendum.

Authored by Barbara Murphy Melby, Christopher C. Archer, and Jay Preston

In Part 1 of this Contract Corner on Software as a Service (SaaS) agreements, we discussed ownership and use issues in SaaS transactions where the application is provided and hosted as a dedicated instance with common base software (sometimes with customization or variation) but running as a separate instance in a dedicated environment.

In this Part 2, we will look at ownership and use issues in transactions where the application is provided and hosted in a multitenant environment, with one common application layer and hosting environment that is logically partitioned by customer.

As noted in Part 1, when thinking about ownership and other intellectual rights in SaaS deals, we generally consider the following categories, discussed in more detail below. As with any solution there can be variations and customer-specific needs that drive different requirements.

Authored by Barbara Murphy Melby, Christopher C. Archer, and Jay Preston

In the typical SaaS scenario, the SaaS vendor provides, maintains, and hosts (either itself or through a hosting SaaS vendor) the desired application layer, and grants the customer and its authorized users access to the application functionality via the internet. At a high level, there are two variations of this scenario:

  • The application is provided and hosted as a dedicated instance, with common base software (sometimes with customization or variation) but running as a separate instance in a dedicated environment.
  • The application is provided and hosted in a multitenant environment, with one common application layer and hosting environment that is logically partitioned by customer.

In this Contract Corner series, we will look at ownership issues in SaaS solutions in two parts, with different perspectives based on whether the solution utilizes a dedicated instance (Part 1) or a multitenant environment (Part 2).

Cybersecurity remains at the top of the list of risk concerns when organizations outsource IT and other functions leveraging cloud-based solutions. While there are no guaranteed methods to fully eradicate cybersecurity risks, companies should consider taking the following steps to mitigate the risk.

#1 – Diligence!

As a first step, it is helpful to define the minimal security controls that you will require your outsourcer to implement and adhere to, and then compare your organization’s own security requirements to the outsourcer’s solution. You can begin by forming a cross-functional due diligence team with stakeholders such as IT security, internal audit, compliance, and business owners to conduct robust and meaningful reviews of an outsourcer’s security solution and evaluate essential factors, including the following:

  • Types of data
  • How data is flowing and transferred
  • Location of data
  • How your organization’s privacy policies align with the outsourcer’s
  • Encryption requirements and access control processes
  • How remote access is handled
  • Whether the outsourcer follows industry best practices and regularly monitors and audits its controls
  • How the outsourcer uses subcontractors
  • Applicable laws and regulations