Enterprise resource planning (ERP) systems have revolutionized business. Now, the cloud is revolutionizing ERP. By 2020, four out of every ten large organizations will have at least 60% of their
ERP applications in the cloud, according to Gartner. This article describes important contracting considerations for companies preparing to move ERP to the cloud.
First, let us review how we are using certain terms in this article. We use “ERP” as a general term for integrated enterprise applications. Examples of ERP providers include SAP, Oracle, Microsoft, Workday, Salesforce, and Infor. We use “on-premise” to refer to a business hosting and running ERP software on its own infrastructure or infrastructure managed for it by a cloud provider other than the ERP provider. “Cloud ERP” means the ERP software is provided in a “software as a service” model by the ERP software provider.
CONTRACTING FOR CLOUD ERP
Cloud ERP providers prefer to license Cloud ERP on their own forms, versus the customer’s forms, though some customers succeed in using their forms. Use of the provider form presents a disadvantage to the customer, but in our experience, customers are usually able to negotiate reasonable changes to the terms, depending on the size and scope of the deal and the revenues involved. Customers must prepare to negotiate on issues common to all commercial technology contracts: indemnification, limits of liability, termination rights, provision of service during disputes, protection against suspension of license rights or services, and disengagement services (i.e., ramp-down rights), and clauses that permit continued use by divested entities for a period of time, or use by newly acquired affiliates and subsidiaries. In addition, the following are common hot issues in Cloud ERP negotiations addressing operational, risk and compliance topics:
Users and Use. Clearly defining how “use” and “users” and “direct” and “indirect” access will be applied by the cloud provider can eliminate costly surprises. For example, consider: Which members of your enterprise beyond your employees may need access to the ERP software? Will contractors, suppliers or customers have access? Does use (and incurring fees) apply during testing periods? If the customer accesses the system merely to extract data does that constitute “use”? What if one of your customers accesses the system to check status of an order or payment? What if access occurs only through an API, and does not grant full use of the software? The issue of licensed named users became the subject of contention in a case between Diageo, a British beverage company, and SAP1. Diageo licensed SAP and connected two Salesforce.com systems to the SAP system to allow sales representatives to access SAP, and to allow customers and distributors to place orders through the system. SAP claimed that all of these users needed licenses according to the definition of named user licenses and other terms under the SAP license, and the court agreed with SAP. SAP is not the only ERP provider to take this position regarding users and access, and customers should be careful to understand which types of system access and use (including data extraction and even data viewing) may trigger a claim of “use” of the system, requiring a supporting paid license for such use.
ERP System Performance and SLAs. Customers using on-premise ERP have the ability to architect the level of performance, redundancy, and flexibility that they need—within the limits of the software—to meet specific business needs. With Cloud ERP, customers must accept the service levels, maintenance windows, and other performance-related aspects of the software and systems made available by the cloud provider. Cloud providers are often willing to document processes, procedures and policies in the cloud agreement, but they generally are not able to change operational components of the Cloud ERP, for example, to increase standard service levels. As a customer of Cloud ERP, it is important to document the critical performance requirements of the ERP software and system, recognizing that while you may not be able to negotiate improvements to these terms, documentation of them still provides value (and a basis for recourse and remedies).
Upgrades, Updates and Patches. For on-premise systems, within certain parameters, customers typically control the timing of the implementation of software upgrades, updates, and patches. Generally, this control is limited only by the period that the licensor supports previous versions of the ERP software. Thus, customers can delay applying changes during peak business cycles or at other times where implementation could cause a disruption. For example, retailers would not want to undergo system changes during the busy holiday season. In contrast, in Cloud ERP, the provider controls when upgrades, updates and patches are implemented. Typically, Cloud ERP providers offer roadmaps and the tentative schedule for such changes, but the cloud provider retains full control. Although customers do not carry the burden of implementing changes, customers must focus on the consequences that automatic updates may have on integration points and API’s with legacy systems. Customers may mitigate some of this risk by securing rights to information about the roadmap for upcoming changes, advance notifications of changes, and access to technical account managers who may provide additional advance support, so that the customer may better plan for these changes.
Risk and Compliance Issues
Data Locations. With on-premise ERP systems, the locations of the data centers and the hosting of data are entirely controlled by the customer (within limits of the applicable license). This is not necessarily the case with Cloud ERP systems. Some providers do allow customers to select one or more locations for the ERP system and primary data locations. But, even in such cases, cloud providers advise customers that their data may be transferred or remotely accessed worldwide in connection with, for example, support, maintenance, security troubleshooting, back up and similar functions. Customers must understand the potential locations of their data and assess the intellectual property, ownership, use, compliance, and regulatory risks associated with those locations. Most Cloud ERP providers are willing to list the country locations of processing and storage of data. Some will also agree that the customer has the right to object to any proposed movement of data out of such specified countries on the list.
Subcontractors. Cloud providers typically subcontract some functions to affiliates or third parties. When licensing on-premise ERP software, the concept of subcontractors is only relevant to maintenance, support and implementation obligations. In Cloud ERP, the use of subcontractors is relevant to provision of the entire service. Cloud ERP providers generally do not grant rights for customers to approve particular subcontractors (because it is a one-to-many service), but customers should require that providers disclose the identity of subcontractors, specify the function each subcontractor performs, and permit good-faith objections to new subcontractors. Processing data in the European Union and in other jurisdictions can trigger additional data protection obligations regarding subcontractors. Customers should seek local advice to ensure compliance with data protection laws regarding subcontractor.
Data Security and Data Breaches. Cloud ERP systems typically contain tremendous amounts of customer data, including proprietary business, sensitive and personal data. Strong security requirements, data protection agreements, confidentiality requirements, restrictions on data uses, analytics and sharing, privacy protections, data breach notification, cooperation with regulatory authorities, requirements regarding customer audits and penetration testing, and a variety of other data and system security measures help to reduce the risk of data security breaches. Cloud ERP provider agreements tend to contain only high level security information. Cloud ERP providers typically will not change their security practices for customers, but customers should request more detailed documentation and commitments from the provider, and seek to include it in the agreement. Global data protection laws and data transfers implicate a variety of laws, and customers will need to take local advice in all of the jurisdictions in which the ERP cloud provider will collect, store, process and/or transfer the data.
Compliance. Companies that run on-premise ERP software have greater control over related compliance functions – everything from data security and privacy to audit requirements, record retention, eDiscovery holds and production, incident management, security breaches, management of important controls, and a host of other compliance issues. With a Cloud ERP, the customer will have to rely on the availability of the system and data, the functions of the system and the cloud provider itself for achieving compliance in those areas that are under the control of the cloud provider. For example, if regulators request access to data logs regarding a data breach or potential violation, the customer will need the assistance of the Cloud ERP provider to produce that information in a timely, complete and accurate manner. Besides securing a commitment from the cloud provider that it will provide assistance with these compliance requirements, cloud customers must also consider if these requirements present hidden costs in the “total cost of ownership” for Cloud ERP. Cloud subscription fees may not include additional costs for services relating to compliance reporting, audits, litigation/discovery, and other services and access to systems and data for which the customer is dependent on the cloud provider. It is important for customers to assess the need for these additional services, confirm that they are available through the cloud provider, secure those rights in the agreement, and understand the costs that will be associated with provision of that additional service or support.
Floating Terms. On-premise software and cloud providers alike are increasingly incorporating terms into their ERP agreements by reference through URL links and reserving the right to change those terms from time to time, without the consent of, and often without specific notice to, the customer. Customers must be on the lookout for these “floating terms,” as they frequently contain important risk, liability, performance, price and cost impacting terms. Customers may wish to mitigate the risk of floating terms in one of several ways. Customers may negotiate all terms referenced by URLs and actually append those negotiated terms to the physical or virtual agreement. Another workaround is to negotiate important terms in the main contract document and include an order-of-precedence clause where the negotiated terms prevail over floating terms. The clause also may be written to provide that URL links may not add, remove, or modify terms related to certain subjects, e.g., termination rights or disclaimers of liability. However, there is a risk that floating terms that do not conflict with a term with a higher order of precedence may become part of your agreement, and no precedence clause will eliminate all of that risk. For example, if floating service terms introduce restrictions on data storage, those new terms may not conflict with terms in the existing agreement, and as such, they will become part of the agreement unless the customer has included other terms to prevent such unilateral changes. The ultimate protection against undesirable floating terms is a right for the customer to terminate if the customer does not accept the floating term changes.
Be Prepared for ERP Cloud Negotiations
Before undertaking a renewal of an ERP agreement, or negotiation of a new ERP agreement (whether on-premise or cloud), customers should prepare for negotiations in advance using contracting best practices. First, develop a checklist of your requirements based on your own operational and technical requirements, risk tolerance, compliance, privacy, and security requirements. Prepare for negotiations with ERP providers on key terms and issues, understanding material terms, walk-away points, and potential compromise and fall-back positions that you are prepared to accept in the negotiations. Use the checklist and the key positions as a benchmark frequently during the negotiations with the ERP provider to help educate the business regarding risks and gaps in customer requirements. A bit of preparation prior to engaging with the ERP Cloud provider can go a long way toward a smoother, more successful contracting process and outcome.