Service Provider Agreements: The devil may not be in the details
As we all become more comfortable with the idea of engaging service providers to do for us what we have previously been happy to do ourselves, it is important to understand what a provider’s services agreement really says. It could be even more important to recognise what it doesn’t say.
Since Tesserent is a service provider, it may seem counter-intuitive for us to want to draw attention to what is in a services agreement because such agreements are usually written by the provider and are, as a consequence, generally biased in the provider’s favour. However, understanding why certain clauses are included (or not included) can tell you a lot about a service provider.
Service providers have commitments too
Service providers often have to make commitments to other suppliers to fulfil a contract with a customer. For example, the provision of a network for a customer will likely require the provider to commit to one or more external telecommunications providers, each of which imposes commitments on the service provider for the duration of the term. This can strongly influence a provider’s ability to, for example, offer “termination for convenience” in an agreement, because the service provider often won’t have that option in their back-end agreements with their own suppliers.
If you think there are circumstances under which you may wish to vary a contract or end a contract early, it’s worth a bit of effort to understand what this might entail.
Remedies should be clearly stated to avoid nasty surprises
At Tesserent we are fond of saying that for every complex problem, there is a solution that is simple, elegant, and wrong. It’s a bit tongue-in-cheek, but it reminds us that complex problems require real thought to solve them.
When it comes to a contractual agreement, there needs to be a balance between a number of competing factors. On the one hand we all want something that is simple to understand and of benefit to both parties. But on the other hand, potentially sticky situations are not avoided simply by ignoring them in the contractual documentation. Our view is that it’s better for managed service providers to be clear about their position in respect of the things that might occur during the delivery of a service.
It is important to recognise that service providers need to consider the interests of their entire client base. So it’s in every client’s interest to know that each new contract spells out acceptable behaviours and remedies, so that a service provider can take action to protect the interests of their existing clients. But the time to find out what a service provider will do in response to a particular issue is generally not when that issue has just raised its head. For example, we know of organisations who have discovered that their ISP’s approach to dealing with a denial-of-service attack is to simply stop routing traffic for the customers who are the target of the attack (commonly known as null-routing or blackholing the affected addresses). You may or may not be able to live with that approach. But it would be better to know about it because it was documented, not because you had just discovered that you had been disconnected without notice.
Are the provider’s claims of technology partnerships consistent with what’s in the agreement?
Talk is cheap. And, unfortunately, it’s a fact that many service providers don’t let the truth get in the way of a good story.
Many service providers claim to have “partnerships” with various vendors. The reality is that most of them are just customers of a vendor and, as a result, like to call themselves a “technology partner” or some such credibility-inducing term to suggest a close relationship with a well-known company.
The reality is that many managed services providers in the security space buy products from a reseller or distributor just like an end-user would. There’s nothing wrong with that necessarily but there is often a strong suggestion that the provider has access to technology and support not available to ordinary customers and that this is part of the value that they add. If this is the case, then the managed service provider’s customer agreement will almost certainly reflect the restrictions imposed by those partners. Our global partners, for example, impose some conditions on how their software can be used and require us to pass these on when we embed their technologies in our security products. Such conditions may include country embargoes (very common when dealing with security technologies), industry exemptions (perhaps nuclear and military, for example), liability disclaimers, and so on. These conditions should generally manifest in some way in the managed service provider’s customer agreement.
Whilst implying credibility by referring to yourself as a partner is a questionable tactic, it’s certainly not the only reason that you won’t see third-party vendor licence conditions reflected in some managed service providers’ agreements. Incredibly, some providers (and even some high-profile product vendors) don’t embed partner-imposed restrictions because they have never entered into a contract to use that partner’s technology in the first place! Some providers have tried to claim that, technically, they are not selling a company’s technology as part of their product; they are merely configuring their customers’ devices to use publicly available services provided by the vendor, even though most vendors make clear that such services are for personal use only. But, as a customer of a provider who is doing this, how would you know whether you have a legal right to use this service or not? Unfortunately, many service providers have worked out that their claims of so-called partnerships are rarely, if ever, tested by customers. Even worse, this sort of behaviour could make end-customers unwittingly liable for damages. And in some cases, when licence violations of this type are discovered by the vendor, the software may be disabled without the customers even being told that their level of protection has been reduced.
Another technique employed by some managed services providers is to take a free time-delayed version of a service that is not commercially restricted, embed it in their solution, and then bathe in the reflected glory of the vendor who has opted to make the delayed version free for anyone to use. Whilst this may not violate the licence agreement, customers are led to believe that they are protected because their managed service includes protection from a large and credible security vendor. Little do they know that by the time the updates get to them, they could be as much as a month old. This is the best of all worlds for some managed security providers: they can boost their own credibility by reference to a well-known vendor, access the vendor’s service for free, and then charge their customers for the privilege. Of course, since such services are “all care and no responsibility”, you generally won’t find any vendor conditions reflected in the agreement with managed service providers who take this approach.
Managed services providers typically don’t sit around and think up onerous clauses for the sake of it. If they have genuine partnerships with high-profile security vendors, they will usually have no choice but to pass on some or all of the licence terms that you would expect to see if you were dealing directly with those vendors yourself. If your managed services provider doesn’t include terms relating to the use of the technologies they claim they are delivering to you, it may be worth testing the veracity of some of the claims being made.
In this post-Snowden era, the questions relating to who might demand access to our data are now more pertinent than ever. The NSA has recently implied that questions around data sovereignty are merely a marketing tactic designed to hurt American companies. In fact, they said that since so many other nations do what they are doing, the US is no worse than anyone else. Maybe you believe that, maybe you don’t. But, regardless, it’s worth considering the issues around where your data is stored and whether this is or isn’t mentioned in the agreement.
Clearly, there is a lot more to be considered when entering into an agreement with a service provider. But it is our view that responsible service providers will be up-front about the positions they take on some of the thornier issues. They do this because they know that, in the long run, they’ll have to deal with some of these issues anyway, so they might as well be transparent about it. It’s worth being a little wary if they aren’t.