SaaS Customer: A Checklist of What You Need to Know Before Selecting the Vendor

 

Bahan Sadegh, CEO and co-founder of NETtime Solutions and a veteran of the on-demand software industry, has written an article with the SMB Customer in mind. Sadegh has created a list of questions for the SMB to consider before choosing its SaaS Vendor, entitled 10 Questions To Ask A Potential SaaS Vendor. His list is very informative, and it would be wise to keep it handy when considering which SaaS Vendor to select. I cannot attest to the fact that this is an inclusive list, but I will tell you that his discussion of the points he has identified gives the reader enough information to perform their due diligence and ask more questions. There really are more than 10 points to know if one includes all the “sub-points” Sadegh includes. I will try to provide a brief synopsis of his 10 Questions below:

1.     Billing should be pay-as-you-go: We all know there is a business cycle and your invoice should reflect this cycle.  Also, there should never be any maintenance fee on your invoice.

 

2.     Security:  Sadegh has a very good list of questions to ask in this very important area.  Instead of trying to paraphrase his words, I think it best to directly quote him on this matter:

“Ask your potential SaaS vendor:

-       Does the data center that is housing the servers have physical security 24/7?

 

-       Is the perimeter of the data center secured (do guards walk the perimeter at least once per 24 hours)?

 

-       Who has permission to access these servers (only internal employees or do contractors also have access)?

 

-       Is there a log that captures who came in and when they left? If so then how often are those logs audited?

 

-       Does the application use industry standard 128-bit encryption?

 

-       If multiple customers are housed on the same server then are they logically/physically separated to ensure your data is not viewed by unauthorized eyes?

 

-       Has the staff of the SaaS vendor who has access to your data gone through a criminal background check? It’s important to know whether or not convicted felons have access to your sensitive personal data.

 

-       Does the vendor have a formal BCP (Business Continuity Plan)? Is the vendor willing to share it with you and does it satisfy your concerns?”

 

 

3.     Solution must be web based:  There should be no requirement to install an application on any computer.  Also, any SaaS application should be able to run on any platform and any browser.  In the event of a computer crash, you must have access to your application.

 

4.     An experienced vendor:  Make sure the vendor has experience in hosting.  A vendor experienced in hosting has already addressed such issues as scalability and security and is not merely repackaging their application as SaaS. (NOTE:  See point 8 below regarding MSPs.)

 

5.     Upgrades should be automatic:  You want to be on the latest version and have the most current functionality.  There should be no need to retrain your users.  The upgrades should be seamless.

 

6.     Integration:  You should have the ability to transfer between the web based applications and any on-premise applications.

 

7.     Data must be backed up regularly:  Nightly onsite back-ups and weekly offsite back-ups should be the minimum.  Does the vendor test how to restore their database?

 

8.     Who is hosting the solution:  Is this an in-house hosting arrangement or has the SaaS vendor contracted out with a Managed Service Provider (“MSP”)?  Get a SAS 70 report and verify that in the data center every system has at least one independent backup to ensure availability in the event of system failure; this is known as N+1 configuration.

 

9.     Scalability:  Can the SaaS vendor grow as your company grows?  Ask about their largest customer and ask them about their plans for growth.

 

10.  Is the SaaS system monitored:  An easily overlooked question.  Do they have monitoring software and do they test their firewalls?

 

Sadegh concludes his checklist by suggesting that the SaaS Customer perform a bi-annual review of their service with the above checklist in mind.

 

 

SaaS Vendors: A Legal Checklist

 

Due to the differences between traditional “on premise” software licensing and the newer software as a service (“SaaS”) offering, there were bound to be required adjustments on how the software customer contracted for these services.  We owe a debt of gratitude to Gene Landy with the law firm of Ruberto, Israel & Weiner, P.C. in Boston, MA.   Landy has put together a list of 8 items in his article 8 Legal Tips for SaaS Vendors that should be considered by the SaaS Vendor while developing their SaaS offering.  Including some or all of these tips in your contract may be a smart decision.  Here is a brief summary of those legal tips:

1.     Look for restrictions in your own software licenses:  As you develop your offering, do your licenses prohibit use as a service bureau, or are there restrictions on remote access or use as an Application Service Provider?  You wouldn’t want your SaaS application to be in violation of any of these restrictions.

 

2.     Has your contract model evolved:  Initially the SaaS offering came in a two-part form: first a software license and then a hosting agreement.  Today the more common contract model is to view this as a subscription and not mention licensing in the agreement.

 

3.     The Tax Man:  Your customers may be interested to know that most states do not levy a tax on services as they do for the sale of a license.

 

4.     Trials:  The SaaS Vendor could include a trial period bundled into the subscription agreement.

 

5.     Required upgrades limit the SaaS vendor’s maintenance costs:  Require customers to upgrade and eliminate having to maintain prior releases.

 

6.     Security:  It is fine to tout your security measures, but never promise 100% guaranteed data protection.  This is IT after all and you are using the internet.

 

7.     Consider SAS 70 as a selling feature:  You can provide your customers with an extra level of comfort and some of your customers may actually require a SAS 70 certification.  This is a certification performed by an outside accounting firm which attests to the accuracy and security a vendor provides.  The certification states that the controls are adequate.

 

8.     Data Breach Notification:  In the event of a data breach most states require a notification be sent out to the subjects of such a breach.  Make sure that your customers do not attempt to place such obligation upon you.  The costs could be prohibitive.

This is by no means an inclusive list, but Landy has hit some key issues. I found it very informative and helpful.

 

 

Should You Outsource Your Infrastructure: 10 Points to Consider When Choosing a Service Provider

 

Due to the current economic conditions, IT departments are coming under increasing pressure to do more with less.  However, over the last few years upper level management has become leery of divesting themselves of the servers and network to a service provider.  In prior postings to this Blog I have provided reasons why outsourcing can benefit the enterprise, 10 Reasons to Outsource, and also a comprehensive checklist to consider prior to making the decision, Checklist Before Outsourcing Your IT.  In an effort to continually update this topic as events evolve, this posting is another in this series and concentrates on the concerns one might have regarding the Service Provider.  To get the full detail underlying the following points to consider when evaluating which Service Provider is best for your enterprise read Outsourcing Your Infrastructure: Ten Points to Consider When Making the Move.  Here is a brief summary of those ten points:

 

·         Uptime:  Greater reliance on the internet makes “On” the only option.  The global marketplace makes this a necessity.  The options could be straight hosting, managed service, or SaaS.

·         Redundancy and Business Continuity:  Loss of a customer call center could result in lost orders.

·         Data Restoration:  eDiscovery Laws require a significant and competent back-up plan.

·         Response Time and Site Performance:  Providers have high-performance servers and high-speed access, but do they have only one location?

·         Scalability to meet growth:  Can the Service Provider add capacity quickly to meet a rapid increase in demand?  In other words, does the Service Provider have the financial capital available to rapidly add more servers?

·         Customer Support:  This is the “value-add” dimension that differentiates one Service Provider from the other.

·         Security:  Must be able to adhere to the Data Privacy laws such as Sarbanes-Oxley, and Gramm-Leach-Bliley.

·         Cost Reduction and One-Stop Billing:  Abandon the à la carte approach to IT infrastructure.  Bundled services are discounted.

·         Optimized IT resources i.e. dedicated servers:  Allows IT staff to redirect their efforts to delivering their own services.  Plus services on demand priced on usage is better offered from a service provider’s business model.

·         Financial improvements:  Eliminates the need for cash outlay for hardware and turns the cost into an operational expense as the enterprise pays for a service.

 

 

Mobile Device Management: Strategies for Smart Phones and PDAs

 


It is estimated that by the year 2011 there will be over 82 million mobile devices in the workforce.  IT departments will be tasked with providing controls over the deployment of these devices.  A good mobile device management strategy is essential to ensure that risks and costs are in control.  The payback will be increased productivity.  Lisa Phifer, vice president of Core Competence Inc., a consulting firm specializing in network security and management technology, has put together a checklist of such strategies in her whitepaper Mobile Management Checklist: 6 Essential Steps that will guide you through the entire lifecycle of such devices, from activation to retirement.

 

Previously cell phones and PDAs were not considered deserving of IT management.  Their capabilities were limited and employees did not utilize them sufficiently to call for a Mobile Device Management (“MDM”) policy.  With the new and more powerful devices, IT is being called upon to develop and manage the smartphones of the workforce.  Phifer has provided a checklist for such a strategy.  Admittedly not all the items in this checklist are needed for every IT department and some items are slight variations of desktop management, but other items are unique to the MDM strategy.  The following is a summary of that checklist.

·         Mobile Asset Inventory: includes
          ·         classifications
          ·         maintenance
          ·         physical tracking
          ·         database integration

·         Mobile Device Provisioning:
          ·         which platforms must you support
          ·         how will you register devices
          ·         how do you install the MDM on the device
          ·         how to configure and override factory installed defaults

·         Mobile Software Distribution:
          ·         which applications to bundle
          ·         do you push or pull software to the device

·         Mobile Security Management:
          ·         user authentication
          ·         password enforcement
          ·         device wipe – ability to delete data or hard reset device

·         Mobile Data Protection:  consideration must be given to
          ·         encryption
          ·         backup & restore
          ·         data tracking (i.e. an audit trail)

·         Monitoring and Help Desk Support:  among other things this includes
          ·         self-help
          ·         diagnostics
          ·         remote control

 

 

Phifer’s whitepaper contains a further detailed discussion of this checklist and of developing and managing an MDM strategy.  It is well worth the time to read her discussion and suggestions.  She concludes her paper with the following:

 

“Gartner predicts that more than 70% of enterprises will implement converged management and security policies for corporate-owned and non-corporate mobile devices by 2012. Mobile devices are already proliferating at a rapid pace, both in terms of platform and ownership. The sooner you develop a mobile device management strategy to deal with this daunting but inevitable scenario, the better life will be for both your employees and your IT staff.”

 

 

 

Checklist: Preparing for the Master Service Agreement

 

I have stated in an earlier article, Checklist Before Outsourcing Your IT, the high value I place on the use of a checklist before drafting an agreement. It is also obvious that a tool such as a checklist can provide invaluable assistance to the IT Project Manager when preparing for the implementation of a newly purchased software suite. In my research I have found a very interesting article in Wisconsin Technology Network News, WTN News, by Richard Marcus entitled Six things to consider before a major software implementation. Marcus presents a very useful list in his March 2006 article. Admittedly this article is over 2 years old and in this fast-paced high-tech environment the concept of what is “new” and what is “old” takes on different meanings from our traditional understanding of the terms. However, I believe his advice stands the test of time regarding this subject matter.


Marcus begins his article by cautioning the buyer on the critical nature of the purchase and that concentrating solely on the pricing could be a perilous mistake. He then provides his six points that the purchaser should take into account before forging ahead with the implementation. A brief synopsis of these six crucial points is as follows:

 

  • The Software Vendor and the Customer are partners in this undertaking. Both parties must bring their knowledge and skills together in a committed relationship. Success depends on having sufficient resources. The Vendor should already have their team ready and the customer should have a comparable team prepared to spend the estimated time needed for the project. See also the February 15, 2008 post to this Blog, The IT Worker Shortage: Practical Considerations for Tech Buyers

 

  • Communication is key. Insist that the Vendor set the correct expectations. Talking is not the only art form in this communication process. Listening is essential. Ask questions and let those answers lead you to more questions. Strive to learn not only what the software can do, but also what it cannot do. In the past, I was a consultant for a large software vendor. As a newbie on one of my first implementations, I learned the catchphrase consultants were often overheard to say to the customer when discussing the software’s capabilities, “The salesman said it could do what?” Make sure your requirements are well known and can be met.

 

  • Pricing. Marcus’ admonition above is still valid. Price is not the only factor, but it is still a factor nonetheless. Negotiate a payment schedule that is tied to clearly defined and identifiable milestones that are realistic. Holdbacks dependent on successful acceptance test results should be discussed and inserted into the contract. Too much money upfront surrenders too much influence to the vendor. I was interested to read that Marcus warns the reader not to be swayed by the software vendor’s pleas and worries about revenue recognition. In my career I have discussed this many times, but only in a software license agreement negotiation. A Master Service Agreement is usually a time and materials agreement and hence revenue can only be recognized as it is earned. A Fixed Fee arrangement is a totally different case and will be a topic for a separate post to this Blog.

 

  • A separate Master Service Agreement should be drafted. Marcus points out that it is common for the license agreement itself to contain sections pertaining to services such as ongoing support and maintenance. However, these services are not directly related to the implementation. I have come across license agreements that purport to contain the implementation services section within the license. This should be avoided. His article deals with a major implementation and so most major software developers and vendors already have their contract model set up to have a separate license agreement and a separate Master Service Agreement. This is the preferred approach. An implementation section contained within a license agreement may not address all the salient points of an implementation and also may not be clear and unambiguous on other necessary elements.

 

  • The Master Service Agreement should contain Service Levels. This is a very important item and one that should not be overlooked. A service level agreement (“SLA”) can take the form of a separate schedule attached to the license agreement. Alternatively and depending on the complexity of the requirements of the customer, a separate SLA may be more appropriate. In the SLA the customer should make certain that all of its requirements that were fleshed out during its communications with the software vendor (see point 2 above) are memorialized for future reference.

 

  • Know the use limitations in the license and plan accordingly. Many software licenses are User based pricing. Many vendors are willing to provide some form of price protection for future purchases of users. The Customer should verify that no further implementation work will be needed if more Users are added. However, if the Customer is faced with product based pricing and is not purchasing the entire software suite of products, then further implementation work will be needed if more products are added. This possibility should be fully explored and the consequences understood in the event of future growth.

Marcus concludes his article by stressing that the Customer must do their due diligence on the front-end. With proper planning the Customer can avoid mission-creep and other costly mistakes. Once a major implementation is set in motion it becomes cost prohibitive to put a complete stop to it or redirect your efforts towards another project.

10 Reasons to Outsource

 

This post is aimed specifically at the SMB enterprise and those consulting such enterprises. Recently in a post to this blog on February 3, 2008, I posted an article detailing a checklist for those enterprises that have already faced the questions on whether to outsource or not entitled Checklist Before Outsourcing Your IT.  That article has attracted a large number of readers.  In the article that follows I hope to aid those SMBs that are still grappling with the decision on whether such a move is in their best interest.  In my research I have found an article written by Rojo Sunsen entitled 10 Ways Outsourcing Can Help Grow Your Business.  Sunsen succinctly defines outsourcing and then follows this definition with a rather direct and to the point list on the benefits to the enterprise.  I have paraphrased Sunsen’s list below; however, I highly recommend the complete article in order to gain the fuller picture and what such a move can do to grow your business.



1. Employee training is reduced and allows such time to be directed to the company’s core competencies.

2. Capital outlays for equipment and software are reduced and can be placed into more revenue generating endeavors.

3. Save on the expenditure of employee recruitment to fill positions for intra-company administrative functions.

4. Hand-in-hand with point #3 above is the time that is saved performing certain administrative tasks that are ancillary to the enterprise’s core functions.

5. Yet another savings to points #3 and #4 above are the employee benefits costs that are no longer required such as “taxes, medical, vacation time, holidays, worker’s comp., unemployment costs, etc.”

6. Office space opens up which could be better used performing the tasks required on the revenue side of the business; or alternatively, space could be sublet or a company’s leasing requirements can be reduced.

7. Order processing and delivery of products or services can be enhanced thus creating better customer satisfaction which can result in future return business.

8. More emphasis can be placed on increasing market share with the abovementioned improvements and savings.

9. In line with point #8 above is the ability to accept larger orders or take on more orders due to the economies of scale which should come about due to the outsourcing.

10. Lastly, your outsourcer can become a valuable ally in your marketing efforts and provide an additional outlet and/or network of customers.

 

Implicit in the above savings tips is the ability to redirect funds usually budgeted for the administrative side of the business and put these monies to better use on the revenue generating side of the P&L.

Checklist Before Outsourcing Your IT

As a practicing attorney involved in contract drafting and negotiation, I know the value of checklists. As I am sure my fellow legal colleagues can relate, one of the things we dread is a client who asks “Did you consider …?” or, “What about …?” If our only response is something like, “Let me check that contract again and get back to you”, we’re in trouble. Contract drafting is an attempt to anticipate as many reasonable consequences as possible. When I was lecturing in Contract Law, I would tell my students that contract drafting anticipates litigation (i.e. if you do or do not act in the following manner, then the liability shall be as follows). Robert Bell has created an IT outsourcing checklist in his article 31 Risk in Offshore IT Outsourcing Contracts: Or Buying Promises.  I cannot vouch for its completeness, but I thought it a good idea to post it here as a tool to be used in your decision making process. In order to reprint this checklist, I must follow the “Reprint Guidelines” and publish the entire article, which follows:

No matter how much due diligence you attempt, making a decision on contracting with an onshore or offshore IT service provider is much like buying promises. To some extent you are going to have to trust in your selected partner to be committed to providing your company with the high quality services that they have promised. Your lawyers will surely not agree but offshore contracts are only worth the integrity of the company that you are contracting with. Dun & Bradstreet does not include this metric (integrity) in corporate profiles yet and it is not on a credit report either. One of my partners in Brazil would often tell me “Henry we are highly motivated for this opportunity”, but I did not fully understand the value of that statement until we got into the trenches together.

Here are a few of the promises you are accepting or questions you may have doubts about when signing that offshore IT staff augmentation or support contract:

1. Will I really get the hours I am paying for?
2. Is my intellectual property and information secure?
3. Am I really going to be provided with qualified professionals?
4. Will billing rates go up after I train the new team in my business?
5. Can I reach this vendor when I need immediate support?
6. Will this vendor work with me when the going gets rough?
7. Is this a stable country politically, socially, and economically?
8. Are currency exchange rates an issue?
9. Is this a safe country for business travel?
10. Is this vendor’s location in a safe part of town?
11. What is the cost of business travel to this location?
12. What is the cost for offshore professionals from there to travel to the U.S.?
13. Can professionals at this location get a U.S. passport and visa for U.S. visits?
14. Are U.S. contracts legally binding in this country?
15. How long does it take to get a visa and passport for team members to make training and onsite orientation trips to my location?
16. What will it cost for visas and passports for your offshore team?
17. Will the offshore team have someone full time who is experienced in managing offshore projects?
18. Is this a stable company, i.e. good credit and strong experienced management?
19. Does this vendor’s company have the interpersonal skills to work with my company?
20. Does this offshore vendor have executive management that speak English and will be responsive and share your sense of urgency?
21. Are this vendor’s team management and executive management going to be available in your workday time zone on short notice when you need them?
22. Can this vendor grow with your company’s needs?
23. Do they have commercial liability insurance, errors and omissions insurance?
24. Can they buy commercial liability insurance in their country?
25. Will they work in your workday time zone?
26. Does this company have a secure network infrastructure?
27. Is their network infrastructure professionally designed and firewall protected?
28. Is their facility physically secure?
29. Are extreme weather conditions a factor affecting travel, security, or work schedules in this country?
30. Does this location pose natural disaster risk to your business?
31. Is this vendor going to be flexible as your needs change?

No matter how much time or money you spend developing a clam tight contract with an offshore outsourcing provider, you never want to have to consider international litigation or international arbitration for contract disputes. Unless your needs are well defined and static, which I have never seen, the requirements better be very general in that contract or they will need review and changes before the ink gets dry.

In any offshore project, establishing good relationships is key to clear communications. Vision TRE has been nurturing relationships with our offshore partner locations in Brazil and Panama for years. We have business relationships in South and Central America that have been proven dependable over the years. Integrity, trust, mutual cultural respect, and a shared sense of urgency make these relationships valuable to any company that contracts with us to establish an offshore team.


This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.