IT professionals, including many CTOs detach themselves form the word ‘contract’. They consider delegating ‘contract’ creation and management to the legal counsel and stay away from dealing with it. This hands-off approach may lead to major challenges in achieving desired results even if IT professionals have worked so hard identifying and negotiating for strategic IT sourcing and procurements.
While legal counsel can review the contracts from the legal perspective, you – the IT folks – need to review from the business standpoint. You know your business the best. A lawyer can neither anticipate what could go wrong in a software implementation nor recommend a clause specific to a business requirement for executing successful IT procurements.
For example, Legal can assume any IT software purchase would require maintenance and support plan. As an IT professional, you would know that any software vendor relationship starts with the implementation or some type of customization. At least, in most deals, you won’t use the software until the vendor has finished with customization—possibly after months or longer. As per contract created by legal counsel monthly or annual maintenance fees start before even customization is done, and you may pay for nothing. In this case, IT can help redefine the software purchase contract by defining “Go-Live” as completion of required customization, or acceptance of the final customization deliverables. Then, provide that maintenance begins on Go-Live. By reducing the time span of maintenance and support you may save money for the organization.
With this classic example in mind, let’s understand more about IT contracts, key terms and conditions used in IT contracts and how IT and legal can collaborate on a single workflow to manage end-to-end IT contract lifecycle better.
What are the IT Contracts?
IT contracts encompasses any contracts, which fall in the technology domain or under the budget/cost center of IT department. In other words, we are talking about IT procurement and sourcing contracts, i.e. anything procured as part of IT department budget. Typically, IT contracts could be categorized as:
- Non-Disclosure Agreement (NDA) – When either party (you and your vendor) needs to share/process any confidential information, this agreement dictates on who can share what information (In general, the receiving party should not disclose the confidential information obtained as part of business deal)
- Software License and Service Agreement (SLSA) –When you procure any software license (SaaS or on-premise), this agreement dictates what are you buying, at what price support SLAs and other related terms.
- Hardware Maintenance and Service Agreement –When you procure any hardware and its maintenance, the agreement deals with specificities of quality checks, maintenance schedule, return policy, etc.
- Statement of Work (SOW) – If you are working with a System Integrators for any service-related activities, you would create a SOW to define scope, milestones, hourly (or milestone) rates and other related terms
- Intellectual Property (IP) Contract – if you license someone’s IP, this contract will govern the IP licensing terms including ownership, royalty and the whole host of other things related to that IP license.
Key Terms and Conditions in IT Contracts:
- Commercial Aspects: Based on the experience and quick external research, IT professionals should review the purchase price, any price escalations mentioned by the supplier, possible discounts for the IT products or services getting procured.
- Service Level Agreements (SLA’s): From IT standpoint, this is the most critical section in the contract. For example, if you are procuring a managed cloud services or cloud infrastructure, SLAs, including % of uptime or support response time, should be carefully negotiated and agreed with the vendor. Most IT contracts mention SLA’s, but not many IT organizations track those SLA’s agreed in the contract. The tracking mechanism has to be agreed internally at the time of contract negotiation. IT team can decide a framework for a contract tracking mechanism until its end of life and consequent obligations management.
- Security and Confidentiality Provisions: While your legal department will certainly look at this section closely, you would need to focus on special security & confidentiality requirements, which your vendor should adhere to – based on the agreed solution architecture. For example, if your new cloud provider needs and integration with your Salesforce instance, you need to evaluate if your customer list is exposed to your vendor? Your legal team can never anticipate such confidentiality clauses and you need to guide legal team to author a legal language, specifically for data handling. In general, you should make sure that the contract covers following adequately, as this activity is covered under Gramm-Leach-Bliley Act (GLBA).
- Ensure security of NPPI (Non-Public Personal Information)
- Protect against anticipated threats
- Protect against unauthorized access and have mitigation plans in the event of a security breach
- Proper disposal of confidential information and data
- Maintain confidentiality of proprietary information
- Provision of Subcontractors: While your vendor may further use the subcontractors, your organization still carries a liability under certain conditions. While preparing contracts and agreements, the subcontractors should be identified and a governance structure is should also be agreed with the vendor. Typical governance structure may include:
- Ownership and maintaining SLA’s of the deliverables should always be your vendor’s, and not of subcontractor
- Periodic monitoring and reporting should be managed by the vendor, as per industry standards
- Your vendor should provide empirical evidence of their own testing and auditing before submitting to you as finality
- Compliance Documents: Audits are never fun, especially when you have to run around gathering the documentation just before the audit. Hence, your vendors should provide periodic compliance documents – mostly on annual/quarterly basis. The compliance document may vary based on your industry and criticality of the data, here is a probable list:
- SOC Reports
- PCI Compliance Certificates
- Certificate of Insurance
- Financial Reports
- Network Penetration and/or Vulnerability Assessment
- Intrusion Detection and Incident Response Plans
- Business Continuity and Disaster Recovery Procedures
- Business Continuity and disaster recovery plan: Not all your contracts may need this provision, but you need to weigh in need for this clause in the contract, depending on criticality of the contract. However, if this clause exists, you should consider below provisions:
- Accessibility to your vendor’s BCP policies and procedures
- Independent testing requirements that demonstrate the ability to meet recovery objectives
- Frequency and availability of such test results
- Established recovery times for the return of critical business functions
- Back up responsibilities
- Cyber resilience
- Management of third party/outsourced business continuity
IT Contracts Workflow Considerations:
- IT team should be able to create standardized, non-negotiable contracts using legal-approved templates and should NOT need any review or approval steps. However, these contracts must to be executed within certain timeframe and status of such contracts should be visible on CLM software dashboard
- Enable tiered approval rules, i.e. different levels of approvals depending on the contract value
- Appropriate business department owner should always be one of the approvers
- Use only sequential review flow, unless your contract manager enjoys reconciling multiple documents in one final document before sending to counterparty
- Consider having a ‘delegate’ or ‘backup’ approver in the workflow to ensure that contract is not stuck in absence of one of the approvers
Now that you have made it so far, let me mention that you can easily manage your IT contracts on the most preferred ITSM platform – ServiceNow using Aavenir ContractFlow, a complete Contract Lifecycle Management software natively built-on ServiceNow platform. Aavenir ContractFlow facilitates all above mentioned IT contract management needs, right from your favorite ServiceNow platform. No need to trust new cloud SaaS, no need to sign contract with another CLM software vendor – just Install Aavenir Contractflow from the ServiceNow app store and you are good to go.