In a recent interview with the New Zealand Herald, Datacom’s CEO, Greg Davidson, identified a significant lift in the volume of technology projects in the past year, with many organisations wary of their level of “tech debt”. “It’s the biggest upswing in demand for advice about moving to modern platforms that I can remember”, he said.
We have also noticed this acceleration to the cloud and a clear increase in the volume of technology contracts being negotiated. This post explores some of the key trends we’re seeing during this tech transaction boom.
1) Implementation Proclamation
Modern software deals generally involve less bespoke development and on premise hosting than in traditional enterprise software. SaaS (software-as-a-service) providers tend to emphasise “configuration” (i.e. tweaking their pre-existing solution within defined parameters) over “customisation” (bespoke development to address specific customer requirements). This means the parties can sometimes overlook the importance of the implementation phase of these projects: “we’re just rolling out a standardised product, how hard can it be”? However, implementing software at an enterprise level almost always involves some level of complexity, whether due to integration with the customer’s technology stack, transfer of existing data to a new platform, the organisational process changes required, or a host of other reasons.
Contracting parties need to consider these potential risks and ensure that the agreement deals clearly and comprehensively with the implementation phase. This is particularly important in“non-refundable” licence deals, which kick in from day one without an ability to pull out if the implementation fails. To de-risk this element of the transaction, many deals include a separate ‘design’ or ‘discovery’ phase, giving the provider a chance to scope what’s required in detail and report to the client on its intended approach before the implementation begins.
2) A Bit Too Agile?
The benefits of agile methodology for technology projects are now widely acknowledged. Although initially designed for internal software development projects, agile is now regularly deployed in tech implementations where both provider and customer teams are involved. While there are some clear benefits to this in terms of the ability to iterate, check in regularly and drive more cohesion between teams, there are also some challenges from a contractual perspective. Agile projects generally take a more open-ended approach, prioritising flexibility over certainty in terms of specifications, timeframes and deliverables. The result is that implementation projects using an agile methodology are often light on detail in these areas, even though the end product – and existing software solution – is largely known at the outset. The parties to these contracts need to ask themselves whether the agile contract provides an adequate roadmap for delivery of the solution.
We have found that a‘hybrid’ approach is often a valid answer – preserving core agile project management processes while being more specific around what will be delivered, at what cost, and in what timeframe.
3) Once More Unto the Breach
Data breaches are fast becoming the number one risk for organisations across the globe, so the need to deal properly with this risk is fast becoming the major priority in technology contracts. There are many complexities to address: How is a data breach defined? Where is the demarcation of responsibility for data (at rest and in transit) between the customer and provider? What is the role of third party hosting providers and who takes responsibility if they cause a breach? Who has the role of “controller” and “processor” for data protection law purposes and how will this affect the allocation of responsibilities between the parties? Liability after the fact is one thing, but just as important is defining how the parties will co-operate in the heat of the moment to discover, notify, mitigate and resolve an incident.
4) Data Without Borders
The dominance of SaaS platforms and cloud-based infrastructure in today’s technology stacks has led to a big increase in cross-border data flows. This is coupled with a number of significant recent developments in the law governing international data transfers, both here and overseas. Further afield, the Schrems II decision last year invalidated the Privacy Shield mechanism previously used as the legal basis for sending data between Europe and the US. More recently, the European Commission has released a new set of ‘Standard Contractual Clauses’ that must be used in most circumstances where there’s a transfer of data from the EU to any outside country not deemed “adequate” by the Europeans (i.e. most of them). In New Zealand (which helpfully does have adequacy for now), the Privacy Act 2020 recently imposed a new regime(including optional model contract clauses) for disclosure of personal data outside New Zealand – although transfers to cloud hosting providers and others processing data purely on someone else’s behalf are not caught. All this means a thorough assessment of the data flows involved, and the legal obligations that apply, is a key component of most tech deals.
5) Indemnities on the Increase
Traditionally, a customer in a software licence could be comfortable it had relatively few contractual obligations to worry about: pay the fees, stay within the licence scope and don’t breach confidentiality or IP. However, many technology providers are now providing ‘one to many’ solutions to a large volume of customers with a range of diverse needs. This, along with the ever-increasing complexity of data use/flows and the global regulatory environment, means providers often have legitimate reasons for looking more closely at the balance of risk. With this in mind, technology providers are increasingly asking customers to provide wide indemnities in relation to the customer’s particular use of their products – often to address data protection concerns, but in many cases wider regulatory and third party risk. These indemnities are often broadly drafted, sometimes making the customer liable for almost everything bar the provider’s negligence. Whatever the reasonableness of specific clauses, it’s important for both parties to step back and think about the specific risk profile of each deal. Standard templates are seldom sufficient to cover all bases in today’s market.