Six tips for negotiating contracts with SaaS vendors

Mary Shacklett offers six important tips that should inform your decision-making when it comes to engaging a SaaS vendor.

The software as a service (SaaS) market will top $15 billion this year. SaaS has been a boon to many companies, because it allows them to off-load some of the applications in their IT portfolios to third parties with specialized expertise. Organizations are clearly finding value in SaaS, and are embracing it. However, this doesn't mean that their relationships with SaaS providers couldn't be even more beneficial.

How you begin your relationship with your SaaS provider is one very important factor. Often, this comes down to an effective contract negotiation that is fair to all parties, with an understanding of expectations on all sides.

Before you sign on any dotted lines with a SaaS provider, here are six contract negotiation tips that you should strongly consider:

#1 Does the SaaS provider have SAS70 and IT audit reports?

Performing a SAS70 audit is very expensive, which is why many SaaS organizations don't do them. Most SaaS companies do execute IT audits. When you are interviewing prospective SaaS vendors, request (and expect) copies of these audits. You should also ask for a financial report so you can evaluate the vendor's long-term financial solvency.

#2 Does the SaaS provider have published SLAs?

It might come as a surprise that many SaaS vendors have internal SLAs (service level agreements), but few SLAs that they publish externally to clients in contracts! If you want the vendor to promise SLAs that meet the internal performance expectations that you have for yourself, be sure to write these SLAs into the contract with your vendor.

#3 Do you have a dedicated project manager?

Very often, IT vendors (including SaaS providers) put their best people on your initial service implementation, and then reassign someone with fewer skills after cutover. In contract negotiations, it is smart to write in a provision that gives you the opportunity to interview and preapprove any person who is going to be the vendor's primary contact with you. SaaS projects can be made or broken by the quality of the primary contact points between your organization and the SaaS provider, because all communication and coordination flow through these points.

#4 What kind of disaster recovery and business continuation resources (and insurance) does the vendor have?

Nobody likes to think about service outages, but in IT, they can happen. Your team should pay special attention to what the SaaS vendor has in place for disaster recovery (DR) and business continuity. This process shouldn't stop at a check of the vendor's published DR plan. You should also ask the vendor about the level of insurance carried for the vendor and its clients if a DR effort fails.

#5 Check your exits as well as your entries into the contract

At the beginning of a relationship, everyone is excited and anxious to sign the contract and get underway, but not so fast. While no one wants to throw a wet blanket over initial enthusiasm, your contract should also include language in which the vendor warrants that it will cooperate to the utmost should you ever choose to deconvert from its services and/or move to another vendor. Some vendors can become very uncooperative when they lose a client. This can create hardships and bad feelings that are difficult to overcome. Hopefully an exit will never be necessary, but if it is, you want the vendor to cooperate. Specific language in the contract (along with a set of deconversion SLAs) can facilitate this.

#6 Get around boilerplate contract arguments

Many times, a vendor will say that the boilerplate contract it presents you is the product of its attorneys, and that it cannot be altered in any way. Don't let this deter you. You can draft a separate addendum to the contract, stating your own conditions to the contract, and also stating that if there is a contradiction between the addendum and the language of the boilerplate contract, the addendum will govern. The two documents can then be integrated into a complete working agreement with a cover letter that states that the boilerplate contract and the addendum constitute the full agreement. Of course, your own attorney should look this over before anything is signed.

About

Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President o...

2 comments
Datalas

The reference to having the SaaS provider have a SAS70 needs to be updated. 1st, a SAS70 type II is somewhat pointless, as you are only graded on what you claim you can do; if your backup process is lacking, just don't include it in your claims. 2nd, SAS 70 was at end of life in June 2011; it is effectively replaced by SSAE16. Note that SAS 70 and SSAE16 are about financial controls. I think you might want people to look for passing a SOC type 2 or type 3 audit. "In contrast to an SSAE-16 engagement, where the data center operator defines the criteria for an audit, AICPA Service Organization Control (SOC) 2 reports are intended to provide assurance about controls related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information. A SOC 2 report is based on pre-defined controls criteria contained in the AICPA Trust Services Principles and Criteria." Source: DataCenter Knowledge . com