When entering into IT agreements with vendors, it is important to understand the type of agreement being negotiated, the services being provided, and who will be using the services within your organization. The category of “IT agreements” generally includes cloud application agreements, service agreements, installed applications, and online presence management. When negotiating IT agreements, the legal team should work closely with the business and IT teams to ensure that the correct level of importance is placed on the agreement and that provisions are added or revised in a way that clarifies the parties’ responsibilities in connection with the services being provided and also addresses the potential unwinding of the relationship. To provide maximum clarity and flexibility in connection with purchased IT services, consider the following key provisions when negotiating IT agreements:
- Performance Standards (or “teeth”)
Performance standards are critically important, but it is difficult to know where standards should be set and what services are most critical without consulting with your IT group. The IT group can help determine how critical the services are and build appropriate performance standards around the applicable services. Types of performance standards include quality assurance, service levels and credits (which often include measurement and monitoring and notice of performance issues), and customer satisfaction surveys.
- Term and Renewal
Consider the benefits versus the risks of including a long multiyear initial term and automatic renewal terms. Vendors love a long term and often offer pricing concessions to lock in long terms, but a long term can significantly increase risk to the customer if the relationship goes south. Some companies prefer automatic renewal because there is less paperwork, but others view automatic renewal as another milestone that needs to be managed and a potential risk if the relationship with the vendor is strained.
- Termination and Termination Assistance
Consider including a termination for convenience clause. Termination for convenience provides an easier mechanism for unwinding a deal when a vendor is not knocking it out of the park, especially if the vendor’s obligations are not clear. Customers should also strongly consider negotiating for termination assistance services to further mitigate the risks associated with unwinding an unsatisfactory deal. If the IT services include storage or processing of customer data, termination assistance provisions should include return and migration of customer data and require the current vendor to cooperate with the new vendor. Specific disengagement plans can be negotiated up front if necessary.
- Data Protection
Language should be added to protect all data provided in connection with the use of the services. This language can include security obligations (remember, this is not insurance), obligations to mitigate or cover the costs associated with data breaches, a duty to notify, and rights to audit and review security representations.
- Proprietary Rights
If proprietary rights are important to the agreement—for instance, if a vendor is developing new technology or using important customer technology—make sure that the contractual language around proprietary rights clearly states who owns the core technology and any improvements, interfacing elements, and data.
- Cyber-Liability Insurance
Add provisions that require the vendor to maintain adequate cyber-liability insurance, especially if the vendor is storing or processing customer data.
- Representations and Warranties
Consider adding situational representations and warranties (e.g., PCI compliance or EU Data Privacy compliance) applicable to particular services being provided, in addition to standard representations and warranties for IT agreements, such as conformance with specifications. For each representation and warranty, consider the remedy that should apply in the event that it is breached.
- Indemnification
The vendor should agree, at minimum, to indemnify the customer for third-party claims related to the services being provided.
- Limitation of Liability
If the vendor negotiates for a limitation of liability provision, make sure appropriate exclusions for confidentiality, data breach, and indemnification are negotiated. It is also important for these exclusions to be carved out of standard limitations on indirect, special, and consequential damages, because many of the losses associated with confidentiality, data breaches, and indemnification claims might otherwise be barred by such provisions.