Most service providers will outsource or use a sub-contractor to provide part of their services to a third party. If you do not include the specific right to use sub-contractors in your terms and conditions now, you may run into problems later, especially if you are providing any sort of service “in the cloud” as customers are becoming increasingly concerned about security issues in relation to the use of their data.
Types of Sub-Contractors
The type, nature and number of sub-contractors that you use will depend upon the services that you are providing and the business sector in which you operate. However, generally the following sub-contractors are common.
A SaaS (Software As A Service) supplier will host data in a data centre which is in 99% of cases owned and operated by a third party. Therefore if you are a SaaS supplier it is essential that you specifically include the right to host customer data and process it in your third party data centre. You should also reserve the right to be able to change the data centre without requiring prior consent from your customers.
Backups and Disaster Recovery
Many suppliers use online third party providers to backup data remotely and/or to provide disaster recovery services. If your customers want to restrict your right to sub-contract, do not forget to include these types of sub-contractors in the list of approved sub-contractors, reserving the right to change them without requiring the prior consent of your customer.
Many suppliers use third party software developers or offshore IT outsourcing centres to develop source code for their online services and applications. If you do so, it is essential that you have the right to sub-contract included in your terms and conditions. Also where professional services are provided to customers using third party consultants you will also need to have the right to use such sub-contractors. In these cases many customers will then often require you to carry out security and background checks on such individuals (as if they were employees).
A customer’s main objection to the use of sub-contractors, is that they will have no recourse against the sub-contractor directly if there is a breach of contract caused by an act or omission of the sub-contractor i.e. the data centre is flooded and the service goes offline. It is common practice for suppliers to state in their terms and conditions that any breach by a sub-contractor will be treated as if the breach had been caused by the supplier itself. The customer should then agree to the use of sub-contractors as the aforementioned risk has been minimised.
In addition, customers often try to prevent the use of sub-contractors due to their obligations to comply with the provisions of the Data Protection Act 1998. Customers often require the supplier to confirm that the sub-contractor is bound by written obligations similar to those that the supplier gives to the customer before it will agree to the use of the sub-contractor. It is becoming increasingly common for customers to require suppliers to sign a separate data processing agreement.
By including appropriate provisions in your terms and conditions which cover the above concerns often raised by customers you will address the risks of using sub-contractors proactively and should be able to avoid protracted discussions on your right to use sub-contractors.
image courtesy of Sam Howzit