Customers increasingly are taking advantage of Software as a Service (SAAS) and other cloud-based solutions available in the marketplace. There are of course many legal and commercial issues that customers should consider when evaluating contracts provided by suppliers of these solutions. This post focuses specifically on issues arising when SAAS or other cloud solutions will be provided from an offshore location. For example, data hosting, help desk/service desk, implementation, and disaster recovery services are often provided from India, the Philippines and other offshore locations in support of solutions that are delivered in North America and Europe.
- Transfer of Customer Data Offshore. Customers should consider whether there must be restrictions on the transfer of data offshore (whether due to internal security policies, industry standards, obligations within downstream customer contracts, or applicable laws and regulations). If the data contains personally identifiable information (PII), protected health information (PHI) or similar types of data covered by data privacy laws, the data most likely should remain onshore. A customer may decide that other data may be transferred offshore, but only if additional safeguards, contract restrictions or liability provisions are added to the contract with its service provider.
- Access to Customer Data or Systems from Offshore. This issue is, in a sense, the reverse of the item above: even when customer data and systems remain onshore, customers should consider whether personnel from the SAAS or cloud service provider should have access to such data or systems from offshore. For example, offshore personnel who are accessing service desk records or performing break-fix services may request the ability to access a customer’s onshore systems. This may or may not be acceptable in any case, or it may be acceptable only if certain agreed-upon restrictions are followed.
- Security Concerns. Customers should ensure that they understand the physical and logical security applicable to the offshore component of the SAAS or cloud solution that they are buying, and confirm that it complies with their overall network, application and data security standards. For example, customers may want to ensure that they can (i) inspect the service provider’s policies and procedures related to security and (ii) perform site audits of locations where offshore services are provided. They also may want to prohibit or restrict offshore employees from working from home.
- Flash Drives/Printing. Customers should consider restricting offshore personnel from using computers that allow the customer’s data to be downloaded. Restrictions on the ability to print, prohibitions against the use of flash drives, and prohibitions against the use of both internal and external hard drives by offshore personnel are not uncommon.
- Permissions of Offshore Governments. Customers should consider which party (the customer or the service provider) should be responsible for obtaining any government authorizations that are necessary to provide services from offshore, whether those authorizations are required by onshore or offshore governments. Related to who must take responsibility for obtaining any authorization is the question of which party is responsible for paying any associated costs.
- Encryption. If data is being sent offshore, customers may have certain encryption standards that they want their service providers to meet or particular encryption software that they want their service providers to use. It is important to note that the use of encryption technology is restricted with respect to the transmission of data to certain countries worldwide, so customers should coordinate with legal counsel to confirm that the use of encryption technology is in compliance with applicable law.
- Personnel Matters. Customers should inquire as to how high the turnover rate is among the offshore workforces of their potential service providers. In some cases, customers may want to ensure that (i) there are turnover restrictions or service levels in place; (ii) incentives to avoid turnover are implemented; or (iii) at a minimum, the customer receives reports as to the turnover rates so that the customer will be aware if turnover becomes an issue. Additionally, customers will want to ensure that their contract makes clear that the service provider is responsible for compliance with applicable laws and customer policies relating to personnel. This may involve not only employment screening, reference checks and hiring issues, but also compliance with any applicable immigration laws (including visa status) and employee benefits requirements.
If SAAS or other cloud solutions will involve any offshore services, customers should carefully consider these issues and ensure that they have the necessary contract terms in place in order to protect themselves from potential risks related to the offshore services. Taking this a step further, we recommend that customers have a set of pre-prepared terms that they can include in contracts that will involve offshore services (these terms can be included in a stand-alone contract schedule or incorporated into the main body of the contract). If a customer is negotiating with a large service provider that offers a standard SAAS offering or other public cloud solution, the service provider may not be open to considering the customer’s standard offshore terms, but instead may have its own data security “fact sheet” or similar contract attachment. In that case, customers will want to review and attempt to supplement the service provider’s data security terms to make sure they adequately address the issues described above.