
SaaS, PaaS and the Cloud? Part 2 & 3: Top 5 Considerations for Purchasing Hosted Services

SaaS, PaaS and the Cloud? Part 2: Top 5 Considerations for Purchasing Hosted Services

You’ve read part 1 of our series, and you’re now armed with the knowledge about hosted services and cloud computing that you’ve been too embarrassed to ask.  To help you bring it home – virtually – we offer our top 5 considerations when purchasing hosted services for your organization:
  1. Implement processes for agreement to non-negotiable terms. Many lower priced hosted services providers will present terms of use in a “click-through” or “click-wrap” agreement. These “take it or leave it” terms are intended to avoid a costly negotiation over legal language where there is a low profit margin for the services. While the vast majority of click-through terms will be acceptable for the services being purchased, your organization should make sure individuals with purchasing authority are trained to recognize provisions that raise your organization’s risk profile, and to escalate those provisions for legal review. For example, legal and IT security should review all terms relating to privacy and data security. Additionally, users should escalate for legal approval any provision requiring indemnification by your organization, as well as any provision purporting to claim ownership of any of your organization’s data or intellectual property.
  2. Prepare appropriately for implementation. Hosted services often require some work to integrate with your existing systems and implement use of the hosted product in your organization’s environment. Implementation can be costly and complex, so be sure that fees for use of the product do not begin to accrue before the product has been implemented and you have provided acceptance sign-off. A separate services agreement or implementation exhibit that clearly defines each party’s respective roles and responsibilities with respect to implementation, and that defines specific acceptance criteria, can be key to a successful implementation.
  3. Obtain availability commitments that make sense.  Contemplate the appropriate availability of the services with reference to the importance of the product to your organization.  Critical systems should be available virtually 100% of the time, with only limited downtime for maintenance that occurs during limited pre-scheduled maintenance windows.  Beware of general statements that the services are available on a 24/7/365 basis, with broad exclusions for “scheduled and emergency maintenance”; this language is the equivalent of “our service is up except when it is down”, and provides your organization with essentially no real commitment.  Make sure that you have a service level agreement that will permit you to terminate the overall arrangement and get service credits in the event of excessive downtime.
  4. Ensure updates do not impact your business. Many hosted services providers automatically maintain the hosted product and quickly apply patches, fixes, updates and upgrades behind the scenes. For critical systems, consider whether the provider should be required to provide you advance notice of any update that would materially change the functionality of the product or affect interoperability with your external systems. It is often beneficial in such cases to have the provider make the update available in a test environment, where you can test functionality and interoperability before the update is deployed. A support agreement that sets forth response times and procedures is also essential to ensuring your expectations are met.
  5. Pay attention to data usage, privacy and security.  Last (but certainly not least!), pay close attention to what data your users will input, what data will be generated through use of the service and how the provider will be storing, protecting and using that data.  If you are providing any company confidential information, personally identifiable information (“PII”) or protected health information (“PHI”), ensure that your organization conducts appropriate due diligence to ensure that security architecture, controls and procedures meet your organization’s requirements and data is treated in accordance with applicable laws governing the use of PII and PHI.  Also pay close attention to the data that the service provider collects regarding your users’ use of the service; while you might not be concerned with the use of this data to create aggregate statistics about service usage and performance, you should ensure that this data is treated in such a way that it cannot be traced back to you, your users or your customers.

SaaS, PaaS and the Cloud? Part 3: Think Before You Float

You’ve heard over and over about the benefits of moving to the cloud, and you’re ready (or not quite ready but being pressured) to move technology to the cloud (or other hosted services model). Now what? There are so many options out there, but a “one size fits all” approach does not work for many services. Our 2-part series (part 1, part 2) on hosted services basics was so popular, we decided to dig deeper into identifying, procuring, adopting and managing hosted services. To guide you through the initial step of this process, we offer some considerations to help you select the right service, deployment model, and service provider for your organization. As you think through these issues, we encourage you to engage a multi-disciplinary team comprised of procurement, IT, information security, risk management, regulatory and legal experts. Your choice of service will affect multiple aspects of your operations, so it is important that all stakeholders are consulted.

Ask certain threshold questions. Considering and answering certain threshold questions ahead of identifying solutions and providers can be key in making the right decision for your organization and for developing your contracting roadmap. Think about the following:
  • What is your intended use of the service? Are you buying raw computing resources (data processing and storage) or complex software applications (email system, CRM system, HR system)?
  • Are you moving data off-site? Is it confidential (proprietary data, trade secrets, third-party confidential data) or regulated data (PHI, PII, etc.)? What are your data portability and interoperability requirements? What are your data rights requirements (ownership, access, use)? Remember that “data” is not just data you put into the services, but also data that is generated by the provider in the form of results, reports, analyses and usage information.
  • Will you need any complementary support services, such as assistance in creating and migrating applications or assistance in migrating data in a form required by a provider?
  • Do you have an exit strategy? How will you get the data back (consider both format and cost)?
Determine the appropriate type of service and deployment model. It is very important to understand that not all hosted services are the same; a private or hybrid deployment model may be more appropriate for mission-critical functions and highly sensitive data. The degree of control, responsibility, and flexibility that a user retains over data, security measures, and resources (storage, applications, etc.) will depend on the type of service and deployment model selected.
Conduct market research. Once you have determined your intended use and the type of service and deployment model that suits your organization, do some research on providers. Look at the reputation and reliability of the various providers, assess their financial viability, and talk to current customers of the providers about their experience. Pay attention to the source of your research, however; some analyses published on cloud economics are generated or paid for by providers.
Do your diligence! Transparency is key. Once you have selected a provider, you should have a clear understanding of the provider’s processing operations (where your data is stored, who has access to the data, how the data is used, and how the data is protected) and identify all the players in the supply chain and ensure accountability. Layering cloud services – where one cloud solution is dependent on other cloud solutions – is a common practice in the cloud services industry and the cloud supply chain can be very complex. Keep in mind that even a private cloud may run on top of a core, shared infrastructure. With that in mind, and especially if you will be relying on a hosted solution to store sensitive business data or confidential information, you should:
  • Review the provider’s written information security policies and procedures as well as audit reports and security assessments performed by third parties, such as SOC reports and ISO 27001 certification and statement of applicability, to verify the scope of coverage and applicability to the services that you are actually purchasing and to ensure that the provider has implemented robust security and privacy controls. Conduct a site visit to the vendor’s data center(s) to ensure you are comfortable with the security measures.
  • Review the provider’s insurance policies, especially the provider’s cybersecurity coverage, to ensure that the provider can mitigate losses resulting from cybersecurity incidents, such as data breaches, business interruption, and network damage.
  • Review the provider’s data back-up, archiving, and recovery practices and understand data destruction practices after termination of the relationship.
  • Review the provider’s disaster recovery and business continuity plans to ensure a business disruption event will not impact your business. Keep in mind that the location of the disaster recovery site(s) has important regulatory implications (e.g., personal information of EU residents may only be transferred outside of the EU if certain requirements are met).
  • Review the provider’s standard contracting documents (terms of service, acceptable use policy, service level agreement and privacy policy). If the terms are not acceptable, be sure they are negotiable before deciding to engage the provider.
  • Ensure the provider has the capacity to provide other services you may require, such as assistance in migrating your applications and/or data offsite, implementation services, legal support services (e-discovery), and post-termination transition assistance services. Also ensure that such services are available at a reasonable cost.
Understand how hosted services affect your legal and regulatory compliance obligations. You should have a clear understanding of the various laws and regulations that may be implicated by having your data processed or stored offsite (e.g., U.S. privacy/data security laws, international data protection and data transfer laws, tax laws, export laws, etc.). Mapping the data that will be moved offsite ahead of time and having a clear understanding of the location where your data will be hosted will allow you to determine your legal and regulatory compliance obligations.
Be sure to stay tuned for Part 4 of this series (yes, there’s more!), which will dig into the contracting process and will arm you with the specifics you need to negotiate with hosted services providers.

Reference: http://www.technologylawmatters.com/2014/05/saas-paas-and-the-cloud-part-3-think-before-you-float/
