• Certainty of usage rights and costs
  Cloud services are not licensed like software. Customers usually buy a subscription for a specific term (e.g. 12 months) and pay for usage of the service (based on a metric associated with volume of usage (e.g. transaction volume)). You need to understand the metrics and ensure they are clearly stated. Include protections against hidden metrics and other unknown charges, and ensure you calculate correctly your possible costs, including to ensure the pricing covers metrics the customer needs, and pricing is pre-agreed for any required flexibility, up or down, in usage (and then manage them!).
• Certainty of terms
  Cloud Service Provider (CSP) cloud terms often link to other third-party terms (e.g. referenced and linked terms such as support terms). Make sure you check and understand these terms, and that they do not unacceptably reduce the responsibility of the CSP. Insist on risk mitigations, such as additional layers of support.
• Access to customer systems and data
  For cloud services, the data is stored off site and in the ‘cloud’. Check where the CSP’s data centre is located and specify any requirements you have (e.g. storage of customer data in Australian data centre facilities only). Many CSPs will offer improved protections even for public cloud services, at a consultancy rate.
• Security
  CSP security policies are usually written without clear security outcome promises. You can seek to negotiate mitigations, and of course obligations to comply with mandatory laws and policies. You need to understand how the product is supported and managed and impose or implement the best possible protections for controlling access to systems and data. These may include limits on access to non-production environments, limits on personnel who can access (e.g. data processors in another jurisdiction), a prohibition on data mining, and obligations to implement available security features such as dual authentication and other access controls. Customers know less about the components of a cloud services solution than they do with on-premise solutions. CSPs cannot guarantee security, but they can implement strong security protection measures. We recommend that, in addition to focusing on security liability, you insist on promises about the strength of the security measures (including notification of cyber threats/events) to be put in place, and mitigations for the risk of any security event.

Remember the Digital Transformation Agency’s Cloud Marketplace not only covers all of these issues, but also offers customers a lot of flexibility in going to market with contract terms that suit their risk appetite and requirements.

Now that you are trying to procure solutions that offer multiple use options and flexibility for the future, how do you build these requirements into your contract?

Bridget Sullivan, Associate

Doesn’t it sound logical that if you are buying a solution configured for your specific agency business requirements, you would look to ensure you can use it for other purposes? How do you build in this sort of flexibility? The concept of ‘reuse’ is increasingly important in procurements of multi-component solutions. Here are some suggestions:

• Think about the bigger picture
  What do you want to use the solution for? When do you want to use it? Why do you want to use it? Who else do you want to permit to use it, and how can they do this? For example, do you want to be able to swap components in and out, do you want to allow use of your solution by individuals from other organisations, or do you want to be able to pick up your solution (or components of your solution) and share it with other organisations so that they can then configure it to meet their requirements (or both!).
• Manage expectations
  Clearly describe what you are trying to achieve in procuring a solution that can be reused for other purposes or by other agencies or affiliates. This will help tenderers ensure they have appropriately reflected all risks in their proposal, and that there are no nasty surprises when you want to share your solution with other customers! Consider including evaluation criteria and functional/non-functional requirements which reflect your use requirements.
• Be clear about the flexibility you want
  Cover this in your description of required usage rights but also in your requirements for pricing. Look for pricing that gives you scalability and flexibility.
• Look for limitations
  Standard vendor terms almost always include limitations, such as limitations on use rights which may prohibit your reuse requirements. Make sure that the precedence mechanism in your contract addresses these risks.
• Governance and collaboration
  Consider how you want the vendor to engage more broadly with stakeholders.
• Teamwork makes the dream work
  Maintaining strong relationships with vendors is always important and goes a long way. But you should also think about how you want your vendors to work together and manage issues, and what visibility you require over these relationships.
• Money, money, money
  Your charging mechanism should be clear and distinguish between fixed and variable charges. It should also include a price basis for your use and other reuse requirements (e.g. metrics for scalability, a price basis for other entities to buy the same products or professional services).
• Procurement obligations
  Be open about what your procurement approvals cover. If some reuse rights depend on future approvals, make that clear.

Have you encountered reseller arrangements in ICT contracts more than ever before? What do you need to know about them?

Nick Topfer, Senior Associate

A reseller is an entity that sells a product or service it did not create. Resellers are often used by suppliers of software, hardware and cloud services to leverage third party distribution channels and access new markets or customers. Resellers are a prominent feature of ICT transactions, but ICT customers dealing with a reseller often have limited visibility of that reseller’s arrangements with the original supplier. There are multiple reseller models and each model can have different implications. Depending on the reseller’s arrangements with the original supplier, a customer could be required to contract with the reseller, the original supplier or both!

It is important for agencies or companies purchasing hardware, software or cloud services from a reseller to be aware of how resellers operate and to ensure contract documentation addresses additional risks arising from the reseller’s arrangements. Think about the following issues:

• Original supplier’s terms
  When purchasing software from a reseller, procurers will usually still be asked to sign or accept the original supplier’s terms and conditions. This might be done formally in an ordering document, or otherwise (e.g. customer personnel might be required to tick a box when using the software to accept the original supplier’s “end user licence agreement” or EULA). Some of these terms and conditions will be relevant to the technical specifications or operation of the software, e.g. they might set out what a user can and can’t do with the software or how it operates. However, as with all software, cloud and hardware arrangements, supplier terms (if they are enforceable) can create legal or commercial risks, so customers should make sure these are clearly specified and acceptable.
• Promises, promises
  The original supplier will not necessarily be bound by the reseller’s statements and representations about the product or service. So, when contracting directly with the original supplier, businesses or government agencies should ensure that the contract for the product or service properly reflects all of the reseller’s representations.
• Follow the money
  Payment arrangements under reseller contracts can be complex. A buyer may be required to make payments to the reseller only, or to both the reseller and the original supplier. Make sure the contract or ordering document is clear about the total amounts payable, to whom and when. When making payments to the reseller only, make sure the contract or ordering document states those payments are in full satisfaction of obligations to the original supplier as well. When making payments to both the reseller and the original supplier, make sure you understand what products or services each payment relates to – to ensure you are not being double charged.

Are you looking for the best possible ICT managed services contract? What should you be thinking about?

Samantha Haddon, Associate

Managed services are still all the rage as an option for outsourcing some ICT business support. While internal ICT might look simpler with a transition to the cloud, that doesn’t mean you don’t need to focus on ensuring that your requirements are very clear. Here are some things that could go wrong:

• You define your requirements too broadly – (e.g. anything needed to support the business – and you end up with an argument about what tasks are expected to be performed).
• Service levels that don’t really measure what is important to the customer. Focus on using qualitative (but clear) and quantitative measures – don’t make them too complicated.
• Insufficient focus on strategic issues such as the benefits of new technology. Encourage innovation by building measures into your performance framework, and address failure to deal with interdependencies with other providers or stakeholders. We have advised on many outsourcing contracts where vendors have not appreciated the complexity of the customer’s infrastructure and business requirements.

As an in-house ICT lawyer, how can you achieve the best possible effective relationship with your external lawyers?

Angelina Yang, Associate

External lawyers love having internal lawyers involved when they provide legal support to companies and government agencies. This is because they know the internal lawyers will help project manage the legal services and will also offer the benefit of their deep understanding of the business or agency and how they operate. How can you get the best from this relationship? Here are some tips: