Information technology contracts: negotiating the most common clauses
With the increasing use of information technology products and services, it is essential to understand some of the most important aspects to consider when negotiating contracts for the use of these new technologies. In particular, it is necessary to have a high-level overview of the issues related to the negotiation of some specific contractual clauses. How is a license clause defined? What do IT contacts predict regarding cloud service agreements? How do the liability clauses work?
The wording “IT contracts” is often used to indicate a type of agreements related to information technology products and services. Broadly speaking, IT contracts encompass, among others, the following categories of agreements: software license agreements, cloud services agreements, IT outsourcing agreements, hardware supply agreements and, in general, IT professional services agreements. Although each of these contracts presents its own peculiarities (also in light of the specific technologies entailed and the purposes pursued by the parties), certain common elements can be traced back to all IT contracts.
At the very heart of most IT contracts are the intellectual property rights embedded in the technology provided under the agreement. The use and the protection of such rights, most of the times, represent the raison d'être of the agreement and therefore must be carefully tailored in light of the parties’ needs and intentions. A license clause should list the rights that are granted but most importantly the rights that are not granted to the customer, in order to avoid any confusion and to ensure the protection of the owner’s intellectual property rights.
Although both software license and cloud services agreements involve software technology, in cloud services the customer does not get a copy of the software, rather, it gets remote access through the internet and consequently the intellectual property rights’ issue may be considered less relevant in these cases. In cloud services agreements customer is granted the right to access and use supplier’s services through the internet. During the negotiation the parties should pay attention to carefully provide a detailed services description in order to make crystal clear the tasks the systems will and will not perform.
Limitation of liability clauses appear in almost all IT contracts. This element is deeply connected to the scalability of the IT industry and business whereby low-cost software applications or computer can be deployed into, and potentially ruin, sensitive higher-value projects. The idea behind these clauses is to make sure information technology suppliers’ know beforehand the potential liability they may face in order to carry out their business profitably.
Limitation of liability clauses come in two flavors: liability cap, and exclusion of liability for certain types of damage. The reason behind such clause is to shield the parties (most of the time the supplier) against unforeseeable damages the other party may claim in case of breach of contract. In order to determine the amount of maximum liability the parties may agree on a specific figure, or refer to a calculation formula usually linked to the value of the contract or the fees due or paid during the term. On the other hand, the parties want to expressly exclude their liability for indirect, special, punitive and incidental damages which all fall under the concept of “consequential damages”, even if they cannot be recovered in some jurisdictions. The reason behind this carve out is that consequential damages are unpredictable and theoretically unlimited exposing the parties to broader risks.
The two layers of limitation (i.e. cap and exclusion of type of liability) most of the times overlap. Undoubtedly, limitation of liability clauses are considered a deal breaker and as such are one of the most heavily negotiated part of IT contracts.
Finally, an industry common practice is to exclude from the limitation of liability clause the parties’ liability for breaching certain contractual provisions they see as too sensitive to be subject to a liability limitation. Amongst these are often comprehended intellectual property clauses, data protection, confidentiality or cybersecurity clauses.
Indemnity clauses provide one party will defend, indemnify and hold harmless the other from lawsuits and other claims. The reason of these clauses is to protect one party facing a significant risk of third party claims just by virtue of doing business with the other, for example intellectual property claims in relation to the usage the supplier software. The parties usually negotiate these clauses in very detail.
Most of the time, the indemnitor will require the indemnified party to give prompt notice of the claim and let the indemnitor to run the defense, including settlement negotiations. There are cases where the indemnified party’s rights are limited. For instance, in software license agreements the vendor usually avoids indemnity for intellectual property claims triggered by the customer’s breach of contract or by unauthorized use or modification of the software. Likewise, the supplier may also limit or avoid responsibility for any intellectual property rights claims deriving from the software’s use in combination with third parties’ technology.
Indemnity clauses work also the other way around, i.e. the supplier may require to be indemnified in case certain customer’s behaviors trigger third parties’ claims. By way of example, cloud services providers sometimes ask for indemnities related to customers’ online conduct, in particular in the event they upload content that may breach third parties’ intellectual property rights, harass others or violate specific laws. Finally, certain cloud services providers may even push further requiring to be indemnified against any claims raised by the customer’s end users in case they provide services through the supplier’s cloud system.
Another profile to consider in the context of IT contacts, especially with regard to cloud services agreements, is the protection of personal data. In this type of contracts, supplier, as a processor, generally processes personal data on behalf of the customer, the controller.
In accordance with current legislation, the parties must regulate their relationship with respect to the processing of personal data by entering into a contract (i.e. data processing agreement) that establishes, among other things, the instructions that the customer gives to the supplier for the purposes of the data processing, the parties’ obligations in this regard and the technical and organizational security measures adopted by the supplier in carrying out the processing activities.
In the negotiation of data processing agreements, the parties should also carefully consider the events that may lead to a data breach, describing the procedure to be followed by the supplier to notify the customer of such a breach. Furthermore, it is key to stress out the supplier’s obligation to assist the customer in the fulfilment of its obligations to respond to data subjects’ requests to exercise their rights.
In the event of different supplier’s entities around the world or in case of engagement of other subjects to process the customer data (“sub-processor”), the possible transfer of such data outside the European Economic Area has to be carefully considered and specified in the data processing agreement.
Last but not least, IT contracts may also include technology escrow provisions. As a general matter, the customer does not get access to the software source code, but only to the object code, that is what the customer actually needs to operate the software. The access to the source code would indeed allow the customer to carry out certain operations on the software that usually are provided by the supplier, for example the software maintenance. That is not a problem as long as the supplier offers any necessary maintenance service, but in the occurrence of certain event (e.g. bankruptcy, breach of the maintenance obligations) the customer may be in trouble not being able to properly tackle defaults or errors.
The solution envisaged in most of such cases is an escrow agreement, which is often attached to the license agreement it refers to. Thanks to this additional agreement, the customer has the possibility to access the source code upon the occurrence of specific events agreed by the parties beforehand. An escrow agreement is typically a three-party contract including also the escrow agent that is entrusted to keep the source code confidential and safe, and to deliver it to the customer on the occurrence of a given event. The escrow agent may be a third party entrusted by the parties or a specialised company providing escrow services.
As for cloud agreements, the provider does not deliver to the customer neither the source code nor the object code of the software and therefore an escrow agreement may not properly work in cloud agreements. This does not mean that a protection in such fashion is less needed, as customers in cloud services agreements usually outsource critical aspects of their infrastructure to third party providers. In such an event, the parties may agree for a different form of escrow usually called "pseudo-escrow": the supplier agrees to create a mirror system, that is an infrastructure more or less identical to the cloud system’s alongside with identical software, documentation and data which is managed and hosted by the escrow agent on behalf of the supplier. Even if the underlying operation is the same as a normal escrow deposit, the pseudo-escrow requires a much greater use of resources, considering the escrow agent must maintain and update the hosted system during the term of the contract. However, the main advantage for the supplier is that even if the escrow release events are met, the customer is not allowed to access the source code.
Nowadays, information technology products and services are wide-spread and increasingly relevant for most industries and businesses, making it essential to understand some of the most important aspects to be considered during the negotiation of the contracts entailing these technologies.
For editorial reasons it is not possible for us to analyse extensively all the relevant aspects and contractual clauses of IT contracts, but we are confident that we provided some useful insights to better understand the extent of the phenomenon.