The “cloud shift” continues, with analysts making bold predictions of increased cloud adoption by businesses in nearly every industry. Cloud solutions offer many opportunities for cost savings, innovation, and scalability. However, what is often overlooked or considered late in the process is the paradigm shift in risk, compliance, and contracts that comes with using a third-party cloud provider. If given time and attention, these changes can be managed and the risks controlled with proper due diligence and contractual structures.
Below is a high-level checklist of issues to consider when moving from an on-premises solution or offering to a hosted solution or offering:
1. Identify technical features and requirements.
- Papers, papers, papers.
- Check the links and referenced documents.
- Consider whether there are any functionality differences between the on-premises solution and the hosted solution; if there are gaps, consider the plan to fill them.
- Meet any customization or configuration requirements, including associated costs and lead times.
- Understand how the hosted solution will be accessible.
- Make sure the client has the required access capability.
- Determine if there are any end customer installation requirements.
2. Develop the transition plan and include transition and stabilization criteria as well as acceptance testing roles and requirements.
3. Agree on performance commitments and service levels.
- Consider service levels in addition to availability, including incident resolution and security patches.
- Include solutions for failing service levels, such as root cause analysis, resolution, and service level credits.
4. Include the mechanisms and rights of parties to make and/or demand changes.
- Consider the limitations on the right to make (or refuse) changes for a one-to-many model.
- Consider compatibility impacts and client-side downstream changes that may be required due to a change in vendor.
5. Describe maintenance and support services, including resolution services, contact center services, and configuration services.
- Consider the customer’s entitlement to releases, additional features, and upgrades.
6. Set prices.
- Understand pricing metrics and how they are calculated.
- Consider if and when fees may increase, including due to inflation.
- Should there be increases during the term or at renewal?
- Should there be a unilateral right to raise fees?
- Should there be caps on increases?
- Add the payment schedule.
7. Consider the location of the following:
- Servers/hosting environment
- Secondary and non-production environments
- Where other services are provided
8. Include the access rights of the customer and its users to the environment and to the data.
- Are there any limits?
- How is the data returned?
9. Meet security requirements, including:
- Access and security controls (including passwords)
- Protocols and responsibilities in the event of a security incident
- Background check requirements
10. Guarantee the access and rights of use of third parties.
- Verify that potential third parties include contractors, consultants, and outsourcing partners.
11. Discuss potential corporate events, including the following:
- Divestitures (including transition service periods and transfer rights)
- Growth or decline in activity
12. Pay particular attention to data ownership, use rights and retention, including data that has been:
13. Resolve continuity issues, including the following:
- Impact of force majeure
- Disaster recovery
- Seller’s right to suspend or discontinue services
- Other termination rights
- Post-termination assistance
14. Perform appropriate due diligence, including:
- Supplier financial viability
- Insurance cover
15. Confirm audit rights and requirements, including:
- Audits by the client’s internal and external auditors and regulators
- Documentation of audit coverage, including SSAE 18 reports
The above list is by no means exhaustive, but should be used as a starting point for reporting issues and engaging in discussions with business and IT teams.