Cloud on the Horizon: Replacing Servers with Services

In 2018, one could be forgiven for thinking that many business-focused publications use terms like “data breach”, “malware” and “GDPR” as an easy way to strike fear into the hearts of savvy business-owners across the UK.  At the same time, the cloud sector is going from strength to strength, and is expected to increase by 21% globally in 2018, bringing in roughly £141 billion, as more and more companies choose Software-as-a-Service (“SaaS”) over Servers-in-the-Basement. But the truth is that cloud adoption is almost never seamless, and companies which don’t carefully think through every step of the process may be caught out by opaque licensing terms, service level agreements that fail to deliver, or valuable data that suddenly becomes inaccessible if a service provider closes its doors. Whilst covering all the potential pitfalls could easily fill an entire textbook and possibly send you into a deep slumber, this brief overview will focus on a few important (but often overlooked) areas to consider when entering into discussions with a cloud provider. 

Keeping the Lights On

Whether the IT system is customer-facing, or provides support to employees, downtime at a critical moment could cause a very real disaster. Customers try to guard against this through service level agreements, disaster recovery provisions and making sure that support engineers are available around the clock. Whilst all of these measures have their place and should be considered, they fail to take one key factor into account – what happens if the cloud provider goes insolvent? In an industry where it is estimated that one in four IT service providers declares bankruptcy/insolvency or is absorbed by a larger rival, this concern is well-founded.

Some IT providers will agree to put the “source code” of their software in escrow, meaning that their preferred customer(s) will be able to install and maintain it themselves if they have the necessary expertise. Whilst this was a valuable safeguard when all IT infrastructure was installed locally, it only does half the job in a SaaS context, since the customer will still experience a significant period of downtime whilst they locate a new cloud provider, load the relevant software, carry out any configuration changes, install the last backed-up copy of the relevant database and update it manually with missing data from the downtime period.

A far more effective (though potentially difficult) way of keeping the lights on is to seek contractual protection from the data centre provider itself, enabling the customer to pay the data centre directly in the event that the cloud provider it uses goes insolvent. This will allow the software to keep running and buy the business time to migrate it to a new provider for a smoother and less costly transition. But this can only work if there is a single tenant environment (i.e. the customer’s data is not mixed in with those of third parties, as is often the case). It is worth mentioning that a copy of the source code is still important to ensure that the environment can be maintained should the worst case materialise.

If the above is not an option, there is an offering from NCC Group called “SaaS Assured”. At a cost, SaaS Assured will mirror the software and databases on NCC Group’s own servers and should therefore enable a more simple transition than building the solution from scratch.

Both of these options provide a higher degree of protection for data, and continuity, in the event that the cloud provider goes out of business for any reason. 

Customer Data on Exit

Another aspect of cloud computing which is often given fairly short shrift at project inception is to consider what will happen to the cloud data on termination.

In multi-tenant cloud environments (i.e. where many organisations’ data is mixed together), separating one customer’s data from another can be difficult, since all the data is effectively stored in a single database. Customers should seek assurances that the database is appropriately segmented and that their data can be separated from the rest if necessary.

Another area for consideration concerns erasure. Understandably, suppliers will typically only keep data from former customers for a very short time. If the underlying contract does not oblige them to keep it, customers may be met with a blank stare if they request a copy of their database more than a few days after termination. Making sure that the agreement requires the cloud provider to retain it for a period of time, and that it can be exported in a commonly-readable format is a simple way of guarding against this. It is even more important if the database contains personal information, since the GDPR’s Right to Data Portability allows any individual to request a copy of that data in a format that can be easily transferred. Care should be taken to choose a data retention method which suits the customer – a simple spreadsheet may be adequate if the database is small or easily migrated, but larger, more convoluted data sets may require access to the underlying database software used by the provider on an ongoing basis in order to be of any use to the business. Such ongoing access licences may come at a cost, and it is better to agree this up front where possible.

Exit provisions should cover transition assistance. Migrating large databases between IT providers can require specialised knowledge, especially if fields don’t perfectly map between software packages. Knowing that the outgoing cloud provider is contractually obliged (for an appropriate fee) to assist the business and the new IT supplier to streamline this process may prove invaluable, especially if the system is business-critical. 

Cloudy, with rays of sunshine

Migrating to the cloud can bring with it a host of benefits for the business, including cost-savings, flexible capacity and on-demand access to data.

But it is important to think through what happens to commercial data at every stage, and include appropriate provisions in the agreement. The above are just a few examples of issues that have become particularly relevant as a result of the move to the cloud.

At Freeths, we have experience of guiding customers through the process of drafting and negotiation agreements with IT suppliers, from simple SaaS contracts all the way through to SaaS based solution implemented costing more than £100m.

For further information, please contact Mark Neale, a partner in our IT and Data team on 0345 077 9626, [email protected].

 

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.