I. Introduction/Summary
ONCE UPON A TIME, when a customer desired to obtain technology services from a provider, the customer and provider negotiated a services agreement covering all of the relevant terms and conditions. With the evolution of technology and increasing complexity by which technology solutions are delivered, the days of one-tier contract arrangements seem but a distant memory. Today, technology providers frequently use a multitude of cloud providers to host, store or process data and/or provide functionality for their solutions. Those cloud providers may rely on other cloud providers in a chain that very often leads back to a “hyperscaler” such as AWS, Google Cloud, Microsoft Azure or IBM.1 While the customer and provider are in privity of contract, each party is negotiating in the context of what might be a long chain of other related contractual commitments. Careful consideration and analysis of the interplay among the contract terms along the chain will enhance the ability of the customer and provider to find an optimal solution for allocating risks.
II. Background
Providers that use hyperscalers and other cloud providers to host and/or enhance their offerings, in many, if not most, cases have already entered into contracts with such parties. Those contracts typically include key terms and conditions, such as those related to data privacy and security, audit rights, use restrictions, and rights to modify, suspend and terminate, which will impact the positions such providers take in contract negotiations with their customers. A provider must either (i) negotiate terms with the customer that are fully backed by the terms in the provider’s contracts with its providers, (ii) agree to the customer’s proposed terms that are not fully backed by the terms in the provider’s contracts with its providers and assume the risks associated with the gaps between the contracts, (iii) solution around the gaps or (iv) negotiate some combination of the foregoing.
Similarly, customers who contract for solutions to support the customers’ downstream clients may either already have contracts in place with such clients and/or have an understanding of contract terms that the clients in their industry will expect. So, similar to the above, in the contract with the provider, a customer must either (i) negotiate terms with the provider that are fully backed by the terms (or anticipated terms) in the customer’s contracts with its downstream clients, (ii) agree to the provider’s proposed terms that are not fully backed by the terms in the customer’s contracts with its downstream clients and assume the gaps between the contracts, (iii) solution around the gaps or (iv) negotiate some combination of the foregoing.
III. Why This Topic Matters Now
This topic matters now because multi-layer solutions do, and we believe increasingly will, deliver enhanced business opportunities. Because it allows innovators to go to market with only a last layer of functionality, more and more technology solutions are being quickly scaled up through the use of hyperscalers. The acceleration in digital commerce during the pandemic has also driven companies toward the use of platforms and cloud-based ecommerce systems.
Additionally, this topic matters now due to evolving laws and regulations, in particular data privacy laws and regulations. As multi-layered solutions expand, regulations are applying to not only the provider and customer, but also the provider’s providers and the customer’s clients, which makes contracting around regulatory requirements quite complex. In some cases, the providers have their own regulatory requirements to address, in particular where the provider is providing the customer access to data. For example, a provider of personal data may acquire data from sources that are regulated by data privacy laws (GLBA, HIPAA, among others). In order for the data sources to provide that data to the provider, and correspondingly for the provider to share that data with the customer, the purpose for which the data is shared and the permitted uses of the data may be subject to those regulations, which need to be passed through from the data source to the provider, which in turn need to be passed through to the customer.
Additionally, more “customers” are seeking technology solutions to expand and enhance their ability to provide services to their clients in regulated industries. In such cases, where the client’s data may be processed by the customer, the customer’s provider and/or the provider’s providers, regulatory requirements may need to be passed up the contractual chain.
IV. Recommendations for Technology Transactions
Assess the Gaps. Negotiations in which each side merely insists on its own terms are typically unproductive. In cloud deals, providers often propose that their terms - data privacy and security, audit rights, use restrictions, and rights to modify, suspend and terminate, among others – apply, and/or the pass through of its providers’ analogous terms to the customer. Providers often take the position that they can offer no better than what they have obtained from their providers, who are either hyperscalers or themselves bound to terms from hyperscalers. This is a favored argument because the hyperscalers, being at the infrastructure level, offer little or no application-specific promises.
The customer, on the other hand, typically receives information technology services from numerous providers. For example, a customer frequently has multiple vendors processing its data, which data may include the personal data of its employees and clients, as well as competitively sensitive data. It is difficult for the customer to manage multiple provider data privacy and security terms for the protection of its own data and to ensure it meets data privacy and security commitments it has made to its clients. The situation is exacerbated to the extent a provider’s terms vary and/or are inconsistent with the customer’s terms and/or with the terms of customer’s other providers. Further, the customer may use a vendor’s solution to provide services to multiple clients, which clients have their own requirements, creating further complexities in managing a multitude of inconsistent provider terms.
Thus as a first step, compare the terms of the parties to find the gaps between what the provider is offering and what the customer wants or needs to buy. It’s only through a careful review and analysis that the parties can work to develop proposals that optimize the position of each party.
Find the Best Way to Address the Gaps. When developing proposals to address the gaps, consider which party is in the better position to close the gap or mitigate the risk and whether the benefits to the customer exceed the cost to the provider. Where an entity in the contractual chain is responsible for regulatory compliance, that entity may not be in a position to be out of compliance with the regulation, but that party is likely in the best position to understand the regulatory requirements and provide the other entities in the chain with instructions of what is required of them in order for the regulated entity to meet its compliance obligations.
Provider is in a better position than the customer to bear risks that the provider’s providers suspend or terminate services due to a provider breach. Customer is in a better position than the provider to cause its clients to comply with, for example, restrictions on use of the services or use of data.
Consider whether it is practical for a party to compromise terms. As noted above, many providers – and/or hyperscalers - push back on amending contract terms on the basis that they provide a one-to-many solution, the terms of which cannot practicably be customized for any one customer. This may be true, for example, when considering the actual delivery of the services and data security protocols, but such a statement may not be accurate where the customer is looking to negotiate terms that do not implicate the core of the solution, for example, where the customer is seeking notice of changes to the services, contractual remedies and the like or the change is a configuration change to software or a matter of, for example, adding more servers or faster connectivity. In those cases, it may be practicable for the provider to vary terms it offers to customers.
Consider who is driving the terms at issue. It may not be practical for a provider to reopen terms in existing contracts with its providers, especially in the case of large hyperscalers. However, where the contractual term is driven by the provider, the provider likely has more flexibility to compromise. Also, the hyperscalers offer a wide range of product options, and the provider might merely be seeking to avoid the cost of those options.
Consider whether there are means for solutioning around the gaps. As examples, a provider may be required to pass-through suspension rights and/or limited remedies or broad excuses for availability service level failures. Nevertheless, does the provider have an ability to build into its solution redundancies or workarounds to be able to provide services to the customer even if its provider exercises suspension rights or experiences an outage? Similarly, where a customer requests more stringent protection of its data than is offered by the hyperscaler, can the provider build the extra security into the provider’s solution?
As another example, a provider may offer little to no right for the audit of its systems. However, most hyperscalers perform controls audits of their environments and meet specified industry standards such as ISO. Depending upon what regulations apply to the customer and the nature of the data processed as part of the solution, controls audit, ISO certifications and the like may satisfy the customer’s data security needs.
Customers can also solution around risks. They can modify their own systems, purchase different or backup cloud products, or redesign their product offerings; however, such workarounds may create other issues for customers. Further, it is likely inefficient, in a one-to-many product, for the many customers to each solution around a gap that a provider could fix. So, leading providers at times extend their offerings to close gaps that exist for many customers.
Include contractual commitments. Regardless of what the parties negotiate, make sure the resolutions are documented in the contract. For example, even if the provider will not agree to adhere to the customer’s security terms and insists that its own terms govern, be sure the contract requires the provider comply with its own security terms, so that the customer has a basis to claim breach if and to the extent the provider fails to comply with its own terms. If the customer is willing to rely on controls audits and ISO certifications, the contract should require the provider to provide the results of such audits and copies of the certifications on an annual basis, as well as remediation requirements and customer remedies where an audits reveals a deficiency. If the customer is relying on a hyperscaler’s reputation in hiring an SaaS provider, the contract should require at least notice, if not consent, before the SaaS provider moves away from the hyperscaler.
Will the provider and customer LIVE HAPPILY EVER AFTER with a multi-layer solution built through a contractual chain? ”Ever after,” perhaps not. New challenges will arise in the sequels. But, the parties will put themselves in the best position to maximize deal value and avoid costly pitfalls by engaging in an analysis of the gaps between what each party claims to need in the contract and taking a deep dive into the considerations outlined above.
1In computing, hyperscale is the ability of an architecture to scale appropriately as increased demand is added to the system.
