
The size and scope of the technology needs of associations and nonprofit groups are as varied as the organizations themselves. Yet whether an organization is large or small, there are five critical contractual protections that limit its risks when entering into a technology contract. The following legal issues are key to keep in mind before you sign a contract for development and delivery of software, or for outsourcing technology services.
Security and confidentiality. Contracts should address security and confidentiality if your intended third-party provider will have access to your organization’s confidential information, including systems and data about your members, customers, vendors or employees. Access to nonpublic personal information calls for contractual terms requiring the third-party provider to comply with all applicable privacy laws and regulations. If you are outsourcing services, the service provider should also be required to report to you when system intrusions occur, along with the impact on or exposure of your organization and its members resulting from the intrusion.
Audit. When entering into a technology contract for outsourcing services, audit may not be foremost on your mind. But for online services, you should pay especially close attention to security, and thus should include contractual terms for the types of audit reports you are entitled to receive and their frequency. Does the service provider engage an independent party with sufficient industry expertise to do a system review including penetration testing, intrusion detection and review of firewall configuration? If this will be a critical vendor for your organization, also include a financial and internal controls audit report, preferably an SAS 70 Type II report that includes an opinion, based on testing, on the service provider’s internal controls in force during the audited period.
Subcontracting and multiple service provider relationships. Some service providers may contract with subcontractors to provide services to you. To provide accountability, organizations should designate the primary contracting service provider in the contract. To protect your association, include contract terms making the primary service provider responsible for all the services outlined in the contract, regardless of which contractor or subcontractor actually performs a specific service.
Business resumption and contingency plans. Technology contracts should address a service provider’s responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery plans including periodic testing. Are backup files maintained off-site? Given the service provider’s backup and file rotation protocols, how much of your data could be at risk of loss?
Ownership and license. All content (including logos, text, graphics, video, data) provided by an organization to a third-party provider should be protected contractually as being owned by the organization. Similarly, intellectual property rights to an organization’s trademark or copyrighted material, domain name and website design should be expressly protected as being owned by the organization.
Farrow is chief financial officer/chief operating officer of the Nonprofit Technology Network, Portland, Ore. Contact her at jill@nten.org. NTEN is a nonprofit membership organization of technology professionals.
