Gartner shares procurement best practices to reduce risk in cloud contracts


By eGov Innovation Editors | May 25, 2011


CONNECTICUT — IT procurement or sourcing managers tasked to find ways to reduce costs at tolerable risks should examine nine contractual terms to reduce risk in cloud contracts, according to research firm Gartner Inc.

"Cloud solutions often appear to have lower initial and switching costs than traditional solutions, but include hidden costs and risks, and require unique terms for contract protection, compared to traditional arrangements," said Alexa Bona, research vice president at Gartner. 

When assessing cloud offerings' procurement and sourcing, executives need to understand what can be negotiated relative to risk elements, what they need to pressure cloud providers to offer, and what will likely not be negotiated, she added.

Gartner highlights nine key terms to understand in cloud deals to mitigate excessive risk:

*Uptime Guarantees. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved.

*Service-Level Agreement Penalties. If downtime or performance service levels are not met, negotiate penalties and escalation clauses. Rather than credits, money back is preferable because no vendor likes to have to give money back, once booked.

*Watch Out for SLA Penalty Exclusions. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Organizations should look carefully at exclusions to the right to penalties. For example, they should ensure that any downtime calculation starts exactly when the downtime commences.

*Security. Executives should ensure that the provider's security practices are at the same level as, or exceed, their own security practices, especially if the company falls under industry or national privacy-related regulations. Gartner recommends negotiating SLAs for security, especially for security breaches.

*Business Continuity and Disaster Recovery. Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. If organizations are prepared to back up their data within the enterprise, or some other cloud service, and have the ability to use that data within an application, then they need to confirm that their provider has a suitable API or other mechanism to accommodate the organization taking responsibility for disaster recovery.

*Data Privacy Conditions. If the cloud provider is complying with privacy regulations for personal data on behalf of the organization, the client needs to be explicit about what they are doing and understand any gaps. Contracts should unequivocally state that the cloud provider will not share personal data with anybody else and that they will only do what the customer says they should do.

*Suspension of Service. Some cloud contracts state that if payment is more than 30 days overdue, the service can be suspended by the provider. Organizations should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service. 

*Termination. A number of cloud contracts allow the provider to terminate the agreement with 30 days' written notice, or at least within 30 days of renewal. Users should negotiate for at least six months' notice for the provider to terminate, unless they have materially breached the contract.

*Liability. Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organizations should try to negotiate for higher liability protections. 
 
