In my latest Secure Your Data series post, I provided my top digital data security tips, including tip #7: Vetting Providers. This bonus guest post digs deeper into your due diligence obligations. Attorney Louise Leduc Kennedy, whose practice involves drafting and negotiating service contracts for online software companies, explains what attorneys should be looking for when reviewing these agreements and before committing to a particular service. Attorney Kennedy is President of West Hill Technology Counsel, Inc.
. . .
As attorneys we are trained to read – if not write and negotiate – legal agreements. We advise our business clients to focus on the details of the commercial agreements they sign. However, when it comes to the plethora of “click to accept” agreements we encounter in our typical week or month, it is all too easy to ignore our own advice and good judgment. As you prepare to use any service that will become a key dependency for your practice (billing or practice management software, internet-enabled telephone services, online freelance or payment services, document management services, or online marketing tools) it is important to understand the details of the agreement you are entering before you simply “agree to be bound by the Terms of Service.”
These agreements can be lengthy and can be written like a legal treatise or a friendly letter. They can be called a “Subscription Agreement,” “User License Agreement” or “Terms of Service”. Whatever form these agreements take, there are a few areas that deserve particular attention:
- Commitment to Security. Internet-enabled services have some degree of inherent risk. It is reasonable for a vendor to disclaim liability for security issues related to this risk or those caused by your misuse of the service. However, vendors should make affirmative commitments to provide a secure service. For example, vendors should agree to use “information security best practices” and “secure methods of authentication” for accessing the service. These are objective measurable commitments. It is a red flag when a vendor only makes vague statements about the service being “designed to provide security” or that the vendor works with only “the most well respected service providers.”
- Responsibility for the Service Experience. In the software-as-a-service world, there are free offerings and those for which end-users pay. It is typical for free services to be offered “as is” with no warranties and to disclaim all damages, including direct damages, that result from use of the service. However, with a paid offering, it is reasonable to expect that a vendor will be responsible for certain damages you incur from using their service. When reviewing the Terms of Service, focus on the language, typically all in capital letters, related to limitation of liability. It is standard practice to exclude special, indirect and consequential damages, and cap direct damages to amounts paid by you during some time period. A vendor offering a paid service and seeking to exclude liability for direct damages as well, is a significant red flag.
- Indemnification. Many on-line services agreements require end users to indemnify the vendor in the event of a claim based on the customer’s breach of the agreement or negligence. Some vendors take a more expansive approach and require the end user to indemnify them for any claim relating to the customer’s use of the service (even in perfect compliance with the terms). In the unlikely event of a claim, this difference could have a significant financial impact for the customer. In addition, most online services disclaim any warranty of non-infringement. However, as you review an agreement for services there should be, at minimum, a commitment by the vendor to indemnify you in the event the service is found to infringe the intellectual property rights of a third party.
- Service Level Agreements. For a paid offering, it is standard practice for cloud service providers to offer credits for future service if service availability (or “uptime”) drops below a certain level over a set period of time. It is important to understand the criteria for obtaining these credits as they typically do not apply automatically. A typical time frame for requesting credit for a service disruption is 30 days, but some vendors contractually shorten this time to five days or even an unreasonably short 48 hours.
- Other Business Considerations. When you enter into a key vendor agreement, it is important to fully understand what will happen if or when the relationship ends. Under what circumstances can the vendor terminate your access to the service? How do you obtain access to your data upon termination? Will the vendor assist with transition to a new vendor? Dispute resolution procedures also vary greatly. Some vendor agreements require arbitration – or the courts of a particular jurisdiction. Whether it is the courts in Santa Clara County, California or Vancouver, British Columbia, or arbitration in West Palm Beach, Florida, you should take this into account as you evaluate the overall risk (and potential cost) of the service.