Earlier this year, the European Commission published its opinion 05/2012 on Cloud Computing (July 1 2012).
Among other things, it said one of the key risks to customers of cloud computing services is the lack of transparency in the outsourcing supply chain, which features multiple data processors and sub-contractors.
Recent years have seen a dramatic increase in the use of cloud computing services. The most common form of service provided using 'the cloud' is Software as a Service (SaaS), although other members of the cloud family exist, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Data as a Service (DaaS).
Given its prominence, this article focuses on SaaS, although the issues discussed may be applicable to other forms of cloud computing.
The attraction to SaaS typically stems from the reduction in IT spend, as the customer does not need to make significant capital investments in procuring and maintaining physical servers and storage units, since the software and associated data are centrally hosted by the SaaS provider and delivered to the customer via the internet.
SaaS is becoming more and more popular as a delivery mechanism for software solutions. This trend is evidenced in the International Data Corporation study 'World Wide SaaS and Cloud Computing Software 2012-2016 Forecast and 2011 Vendor Shares', which identifies that the cloud software market reached $22.9 billion in revenue in 2011, and expects growth to $67.3 billion by 2016.
The SaaS supply chain
With this potential for making a substantial amount of money from SaaS in mind, it is perhaps unsurprising that there has been exponential growth in the number of SaaS providers in recent years.
Another significant contributing factor to the rise in SaaS providers is the relatively minimal barriers to entry. It is possible to enter the SaaS market with little more than a bright idea and a sales team, as one or more of the core software or infrastructure services, such as software development, support and maintenance, and hosting, can be - and often are - sub-contracted to third parties.
Of course, sub-contracting is prevalent in most industries and should not lead to trepidation when dealing with SaaS providers; in fact, quite the opposite.
The proclivity in the SaaS industry for sub-contracting - often to much larger companies with greater economies of scale - has translated into cheaper costs and, in many cases, a better standard of service than the customer would otherwise have received.
However, a SaaS provider's use of sub-contractors can leave the customer with some interesting challenges, from both a legal and practical perspective, which are worth considering.
First, where the SaaS provider lacks bargaining power with a larger, more established sub-contractor, a customer may find that the terms of its upstream contract with the SaaS provider are dictated by the downstream sub-contract, which may not be compatible with the customer's specific business requirements.
Secondly - by the very nature of sub-contracting - the customer does not hold a direct contractual relationship with the sub-contractor, only the SaaS provider. Therefore, the customer must route any issues with the service provided by the sub-contractor via the SaaS provider. This may lead to delays in resolving performance issues or defects, particularly where the sub-contractor has a 'too big to care' attitude or the SaaS provider has a commercial interest in keeping the sub-contractor sweet.
Thirdly, the contractual distance between the sub-contractor and the supplier may cause security concerns for the customer - particularly where the sub-contractor is holding data on behalf of the customer, such as a hosting provider - because of the perceived loss of direct control over that data and the inability to audit the sub-contractor in order to verify compliance. Furthermore, if personal data is involved this may also cause complications under English data protection laws, particularly where the sub-contractor is based outside the European Economic Area.
Finally, if the SaaS provider were suddenly to cease providing the services because of the onset of insolvency or other unforeseen reasons, a customer may find it very difficult - nigh on impossible - to take over and maintain continuity of the service where there are multiple sub-contractor relationships to manage.
To minimise the risks associated with sub-contracting in a SaaS environment, we recommend:
- Prior to entering into a SaaS contract, complete comprehensive due diligence on the SaaS provider and how it delivers the solution, particularly any use of sub-contractors. If sub-contractors are used, establish the extent of the SaaS provider's reliance on this aspect of the service and ease of migrating to a new sub-contractor or 'in-housing' in a crisis situation.
- List all approved sub-contractors in the SaaS contract. No changes should be made to this list, or additional sub-contractors added, without the customer's consent.
- Ensure the SaaS provider takes full responsibility under the SaaS contract for all acts or omissions of any permitted sub-contractors.
- If the sub-contractor is processing personal data (particularly outside of the EEA), take specialist data protection advice to ensure compliance under UK data protection laws.
- If the service is business critical, consider obtaining direct agreements with each sub-contractor to ensure continuity of service in the event the SaaS provider ceases to exist.