Finessing On-demand Software Deals

How to mitigate risk when getting your software on tap.

If -- or more likely when -- your company considers on-demand software, or software as a service (SaaS), it will have to wrestle with many business, legal and technical issues in the process of selecting a provider and negotiating a service agreement. Many of these issues are common to most technology transactions. There are several, however, that heighten the risks associated with entering into on-demand software agreements. These factors fall into three broad categories: performance, security and data handling. Here is some information to help you deal with these key risk factors during the SaaS vendor evaluation, selection and negotiation process.

Performance Matters

Some on-demand software vendors will provide service-level guarantees for application availability when you insist on having them before you sign their contracts. Many will also provide service-level agreements (SLA) covering traditional help desk metrics, such as response and problem-resolution times. But SaaS vendors resist adding other key performance indicators that are central to the user experience. Chief among them are application response time, transaction throughput and customer satisfaction.

Meaningful service levels are backed by service credits, which are ordinarily applied to your invoice when performance falls below a predefined threshold. But vendors often try to incorporate into their SLAs overly broad exclusions, procedural hurdles and liability limits. As a result, actual performance guarantees tend to be considerably worse than they appear. Through persistent negotiations, however, you can eschew the onerous exclusions, hurdles and liability limits vendors try to include. Here are some techniques that can help you:

  • Include escalating credits that vary based on the severity, duration and frequency of the performance failures.
  • Require the vendor to proactively apply credits as soon as a service-level failure is identified.
  • Remove provisions declaring that service credits are substitutes for other contract remedies available to the customer.
  • Limit maintenance windows to a predefined off-hour time period.

As a general rule, service-level credits alone aren't enough for you to effectively enforce SLAs. Consequently, you have to negotiate SLA improvements to fill the gaps. Here are some gap-filler provisions:

  • Insist that the vendor conduct a root-cause analysis and implement a corrective action plan without additional cost to you.
  • Escalate chronic or critical service-level problems within the vendor's and your own senior management.
  • Include your right to terminate the agreement for cause or shorten the term of the agreement when performance failures reach critical levels.
  • Establish a service-level management approach that allows you to monitor the vendor's performance.
  • Conduct periodic performance-review meetings with the vendor.

Not every on-demand application has to be designed to provide premium levels of service across a wide variety of performance indicators. Because your company depends on its enterprise applications, however, minimum levels of acceptable performance must be attained in order for you to receive the basic benefits of SaaS. If you and your vendor fail to document minimum performance thresholds in advance, it's unlikely that your expectations and the vendor's delivery assumptions will conform, leaving you in an unpleasant and potentially costly predicament.

Exposing Security Vulnerabilities

Security vulnerabilities in a Web service on-demand software environment may occur for a variety of reasons, such as design defects, poor patch/update management, ineffectual controls of authentication credentials, storage and transmission of sensitive data without encryption, and inadequate procedures for security incident monitoring, reporting and mitigation. These vulnerabilities aren't unique to on-demand software, but they are more pressing in the on-demand software context.

To increase the likelihood that your SaaS arrangement will be sufficiently secure, you must make security one of the determining factors in vendor evaluation and selection. As part of the evaluation process, you should do the following:

  1. Require the vendor to describe its physical and logical security practices, processes and management approaches as they relate to the services offered.
  2. Ask the vendor to indicate whether it will comply with your security policies and procedures.
  3. Evaluate the vendor's security practices, processes and technologies -- all before signing the service contract.

Seek the right level of security given the context of the application, but try to avoid overburdening the software with unnecessary and potentially expensive security features. To achieve this balance, the negotiated agreement should document your security requirements and the vendor's security responsibilities. Here are some other security-related provisions worth including:

  • Acknowledgment of your right to conduct periodic security assessments.
  • Assignment of responsibility for security incident detection, reporting, response and mitigation.
  • Vendor representations and warranties regarding its compliance with data-handling laws and regulations.
  • A process for management escalation of unresolved security problems.

Once the contract is signed, you must use the mechanisms you negotiated to oversee the vendor's security activities. Although you can delegate certain responsibilities for security-related tasks to service providers, ultimate accountability for protecting your information assets always remains with you.

Controlling and protecting customer data should concern anyone considering software that uses databases designed, hosted and administered by a vendor to store and retrieve customer data. When negotiating data protection and business continuity contract provisions, you should rely on key principles to help you manage the risks that arise when your important data is stored and processed by a third party outside your firewall.

In light of the risks associated with remote storage of critical customer data, you shouldn't entrust a vendor with your data unless 1) the vendor demonstrates its data protection and business continuity capabilities during your precontract due diligence, and 2) your agreement with the vendor specifies the vendor's ongoing data protection and business continuity obligations and holds the vendor liable for failures to satisfy those obligations.

For companies with international operations or companies operating in certain industries in the U.S., such as financial institutions or health care providers, the contract ought to prescribe the parties' respective obligations to comply with applicable data protection and privacy laws. The applicable data protection laws may come from a variety of jurisdictions, including the countries (or states) where your company does business and the countries (or states) where your data is processed or stored. The contract should incorporate the relevant portions of your privacy policies and obligate the vendor to conform to those policies.

Standard vendor disclaimers of responsibility for lost data are not acceptable in a SaaS deal. The service agreement should do the following:

  1. State that your company owns its data and has access to it under terms defined by you.
  2. Describe the vendor's and your responsibilities in connection with recovering lost data.
  3. Have clear instructions on how the vendor will handle your data in its possession and return it to you when the contract expires or is terminated.

Even more important, make sure that your data is backed up regularly so it can be recovered whenever the primary data source is lost, corrupted or unavailable. To complement the backup procedures, insist that the vendor implement (and regularly test) a disaster recovery plan. Effective disaster recovery plans specify the maximum time it will take the vendor to recover from catastrophic events, and they will trigger service-level credits or even termination rights when the time limits are missed. For applications that are mission-critical, you may want to exclude from consideration any on-demand software that doesn't offer business continuity services employing data replication in geographically diverse data storage systems.

The financial incentives and rising industry frenzy will pressure many companies to look at the SaaS delivery model to decide whether it represents a meaningful alternative to on-premises enterprise software in at least some instances. At this critical point in the evolution of on-demand software, you should insist that vendors solve the key challenges facing you as a customer before you subscribe. By doing so, you can benefit from the SaaS value proposition secure in the knowledge that you aren't exposing your company to undue risk.

Lindsey is a partner and Gamboa is an associate in the Washington law firm of Levine, Blaszak, Block & Boothby LLP. Contact them at and

Copyright © 2006 IDG Communications, Inc.
