Data

The vendor’s use of customer data and the security and confidentiality of that customer data are very important in cloud computing agreements. The vendor should provide detail regarding, and agree to reasonable provisions addressing, its competency, policies, and procedures related to: (i) protection against security vulnerabilities; (ii) disaster recovery and business continuity; (iii) data backups; and (iv) the use of, and return of, customer data.

Data Security

The need for data security in cloud computing transactions cannot be overstated. While it might seem that cloud computing vendors would want their agreements to include detail about their data security, they too often do not. Accordingly, customers should demand that vendors provide specific details in the agreement about data security, specifically hardware, software, and security policies. These details need to be reviewed by someone competent in data security: either someone within the customer’s organization, a data security attorney, or a third-party consultant.

Some vendors will not distribute copies of their security policies but will allow customers to come to the vendor’s site and inspect them. Such policy inspection should be done if the customer information at issue is very sensitive or mission-critical. Customers should compare the vendor’s policies to their own, and in some circumstances it is appropriate for a customer to demand that the vendor match the customer’s policy.

Verification of the vendor’s capabilities with respect to data security, via a physical visit or an SSAE 18 audit (IT internal controls audit) conducted by a third party, is also commonly appropriate. It is becoming far more expected that vendors regularly demonstrate to their customers that their security controls remain intact and robust. Consider the following sample of a typical data security provision:
Disaster Recovery and Business Continuity

Disaster recovery and business continuity provisions require the vendor to demonstrate and promise that it can continue to make the software available even in the event of a disaster, power outage, or similarly significant event. Too often the customer does not request these provisions or, even if it does, it does not read the actual vendor policies and procedures with respect to disaster recovery and business continuity. This is a mistake because customers generally won’t have their own up-to-date backup of the data used with or processed by the software. Without access to such data and software on an ongoing basis, even during a disaster, the customer’s business may falter. The customer should, therefore, require contractual assurance regarding disaster recovery and business continuity. By way of illustration, here is a sample provision of what to ask for from the vendor in this regard:

Vendor shall maintain and implement disaster recovery and avoidance procedures to ensure that the software is not interrupted during any disaster. Vendor shall provide Customer with a copy of its current disaster recovery and business continuity plan and all updates thereto during the Term of this Agreement. All requirements of this Agreement, including those relating to security, personnel due diligence, and training, backup, and testing shall apply to the Vendor’s disaster recovery site.