What software solutions are considered “mission critical” for your business?
If a hospital’s elevator music subscription came to an abrupt end, not many people would notice. But if the hospital lost access to its electronic health records, patient care would be severely interrupted. These are the systems, applications, and technological solutions that are integral to the success of business operations.
When the stakes are high, the approach to contract negotiation changes. Even after completing rigorous due diligence to select a vendor, there are unique contractual terms to consider in mission-critical agreements. A salesperson might promise you the world in functionality and continuity, but it’s up to the legal team to hold the provider accountable. Here are our top five provisions to negotiate in mission-critical software agreements.
There are many facets of termination to consider in a mission-critical agreement, but the key concerns are:
- termination triggers;
- continuation of services;
- access to data; and
- notice and cure period.
Termination for convenience by a mission-critical provider is rarely acceptable. There is nothing convenient about short-circuiting your business at a provider’s whim. But zooming out, self-help termination for any reason — even for non-payment or breach — can be just as catastrophic. Continuation of services is essential, and you cannot afford for your data to be held hostage. To mitigate disaster, ask for appropriate notice and cure period so that you have time to standup an alternative provider in case a move to plan B is necessary. You may also require post-termination rights to access and recover your data or, alternatively, require the vendor to timely return your data in a usable format upon termination. If privacy regulations or other policies require the destruction of your data upon termination, consider requiring certification of deletion for assurance.
2. Transition Assistance
Before cloud-hosted services surged in popularity, it was common for mission-critical software providers to offer source code escrow for their on-premises solutions. The idea being that if the licensor discontinues its offering (or some other unexpected triggering event occurs), the licensee will get access to the secret sauce to keep their business running. Today’s SaaS providers are not going to offer the same kind of access.
What they can offer, however, is transition assistance. These are proactive steps the provider takes to facilitate a smooth transition or migration of data to a third party. This means that when the ship goes down, they will help move your valuables onto the lifeboat. Do not expect the provider to offer these services for free, but you should consider requiring termination assistance. The provider will then be contractually obligated to facilitate knowledge transfer and minimize disruption of your services.
3. Updates, Upgrades, and Support
Innovation is great. Updates and upgrades are great. That is, until they are not. You want to make sure that any functionality promised to you at launch is not eliminated by some future update — whether intentional or not. In a mission-critical agreement, consider asking the software provider to warrant that any future changes will not adversely affect your business. For on-premises software, be wary of terms that require you to be on the bleeding edge in order to receive support. You might not want to risk updating or upgrading before all the bugs are worked out.
4. Data Security
Mission-critical software often processes critical data — sensitive information, personally identifiable information, proprietary information, or otherwise confidential information. It is essential that the vendor’s security obligations be explicitly detailed in the contract. At minimum, look for a warranty of compliance with applicable laws and regulations (e.g., privacy laws like GDPR OR HIPAA), and an obligation to establish and maintain physical, technical, administrative, and organizational safeguards to ensure the security and confidentiality of your data.
Of course, even the best safeguards are not impenetrable. If and when there is breach, where does the liability land? The cost of responding to a data breach can be enough to bankrupt a company, so buttress terms like indemnity obligations, cyber insurance, and liability supercaps where possible. IT systems can also be taken down by other factors, including unforeseen circumstances such as natural events or power outages. For mission-critical software, data security terms should also include disaster recovery provisions and a business continuity plan. Establishing a framework for incident response in advance facilitates more rapid recovery and can reduce the overall impact of a disaster.
5. Service Level Agreements
Last but not least, that final exhibit stuck to the end of your SaaS contract: the Service Level Agreement (“SLA”). Ignore SLAs at your peril. Downtime for mission-critical software can equal devastation. SaaS providers may be quick to offer you a “credit” for downtime, but that is not enough. You need crystal clear definitions of “downtime” and vulnerability classifications (e.g., errors may be considered “low priority,” “high priority,” or “critical”). You also need to know how quickly the vendor can resolve an issue, not just respond to one. The details of your SLA might be the lifeline to support, so if the terms in that SLA are vague or missing — beware.