Key issues to consider when outsourcing to a data centre provider

United Kingdom

Businesses are becoming increasingly reliant on data centres to support their data storage and processing needs, as business use of and reliance on data has grown exponentially, often at a pace that exceeds the capacity of traditional in-house data management systems. Data centres can offer businesses agility, scalability, state-of-the-art security controls and robust disaster recovery mechanisms for the storage and processing of data, allowing businesses to focus their internal resources more strategically. However, given the value of business data, the ever-present risk of cyber threats and data security breaches, and the demand for round-the-clock availability of data (24x7, 365 days a year), there are a number of important issues to consider when negotiating a contract with a data centre provider.

The issues below assume that the data centre provider is providing a managed service to the customer (including provision of the hardware, broadband connections, environmental controls, technical support etc.), rather than leasing space in a data centre for the customer to install and manage its own data storage and processing hardware.

Security

Security of business data will always be of paramount importance: the potential loss to a business if its data is lost or falls into the wrong hands is significant. Before selecting a data centre provider, diligence should be carried out on the potential data centre provider’s security policies and procedures, including physical security, access controls, and cybersecurity measures. The data centre provider should be obliged, as part of its contractual obligations, to comply with its policies and procedures and with any other specific requirements which the customer may have with regard to the data provided (for example, compliance with ISO 27001).

Data Privacy and Compliance

If personal data is processed by the data centre provider, the contract must clearly define the roles of the parties in the processing of such data, which will depend on the specific activities the data centre provider takes on in relation to the customer data it processes.

If the data centre provider makes decisions about the purposes and methods of processing the data it hosts, it may be considered a controller.  If the data centre provider simply stores and processes the data based on the customer’s instructions, it is likely acting as a processor.  While the data centre provider may often be a processor, the position should be considered on a case by case basis in light of the scope of the services being provided.  If the data centre provider acts as a processor of personal data, mandatory data processing provisions must be included in the contract to ensure compliance with UK data protection laws.

In addition to establishing the roles of the parties, the contract should clearly define procedures for reporting and responding to data breaches and data protection audit procedures.  It should also apportion liability in the event of any breach of applicable data protection laws – the potential losses to the customer for any such breach could be significant and the customer should ensure it has sufficient recourse to the data centre provider.

Service Level Agreements and Reporting

The contract should clearly define the customer’s expectations in terms of the level of service to be provided.  Service levels must be clearly defined and quantifiable.  Some examples of service levels that may be included are:

  • uptime guarantees, for example that the data will be available 99.99% of the time (save for any scheduled maintenance);
  • technical support response times, which will likely vary depending on the criticality of the issue and complexity of the support required;
  • service incident response times and targets for responding to any security incidents;
  • environmental controls: to ensure optimal conditions for hardware, the data centre provider will maintain environmental conditions such as temperature and humidity within specified acceptable parameters; and
  • scalability: the data centre provider will commit to providing additional resources (e.g., additional capacity) within a specified period, to ensure customer demand is satisfied.

Service levels set a performance standard to which the data centre provider should adhere. Service credits may be included for any failure to meet an agreed-upon service level.

The contract should include mechanisms for the continuous monitoring and reporting of performance against the service levels so that service credits can be applied and any issues with performance addressed and escalated, as appropriate.

Scalability and Flexibility

The contract should include provisions allowing for scalability and flexibility in the customer’s requirements as its business needs change or grow over time (this could include scaling up or down).  It is important for the customer to include such provisions from the outset.  If this is not considered, and the customer’s needs do change during the term of the contract, the data centre provider may not be able to support the change in customer needs.

Term and Renewal

Carefully consider both the initial term of the contract and the renewal options. It is in the customer’s interest to ensure it can renew the contract at the end of the initial term if it is happy with the service provided. There will likely be a significant cost and time burden to transition to an alternative provider, so it is important to consider this at the outset so that the parties are aligned on extension options.

Disaster Recovery and Business Continuity

Include provisions for disaster recovery and business continuity planning in the contract. These provisions should clearly outline responsibilities in the event of a disaster, specifying procedures for data backup, recovery, and continuity of operations.  The data centre provider will likely have its own policies and procedures in place and these should be incorporated into the contract as part of the data centre provider’s obligations, together with any customer specific requirements.

Cost Structure and Transparency

Outline the cost structure, incorporating transparency in pricing and billing practices so there are no surprises. Ensure the initial setup fees, recurring charges, and the ability of the data centre provider to increase costs and charge any additional costs are clear.

Exit

Exit provisions should be included that define the process for migrating data and services away from the data centre including the return of data to the customer or to a new provider, the provision of assistance with transition and the continued provision of services for a transition period.  Exit provisions typically include an obligation to produce an exit plan and to keep this updated throughout the life of the contract.

IP and Data Ownership

It should be clear that the customer retains ownership of all its IP and data that is stored or processed by the data centre provider. Provisions should also be included to set out restrictions on the data centre provider’s use of the IP and data (generally the data centre provider will only be permitted to use the IP and data for the purposes of providing the services to the customer and for no other purposes).

Energy Efficiency, Effectiveness and Costs

Data centres consume large amounts of energy for various reasons. The servers and equipment in data centres require substantial electricity to operate; they typically operate 24x7, 365 days a year; and cooling systems are required to ensure hardware does not overheat. It is therefore important for the contract to include provisions which ensure energy efficiency and effectiveness, not only from a costs perspective but also to ensure compliance with energy efficiency standards, environmental regulations and the customer’s own internal sustainability goals. Clauses such as the following should be considered:

  • specific power usage effectiveness targets (PUE targets), to encourage the data centre to be efficient in how it utilises power;  
  • caps on energy cost increases to ensure price predictability;
  • renewable energy requirements, such as a percentage of energy consumption that must be sourced from renewables;
  • energy consumption monitoring and reporting, to ensure transparency in pricing for the customer;
  • incentives for the data centre provider to achieve energy savings and to invest in energy efficient infrastructure; and 
  • benchmarking, to check the data centre provider’s energy efficiency against industry standards; this may be included as a service level.

The above is not an exhaustive list of issues that should be considered when outsourcing data storage and processing responsibilities to a data centre provider.  As with any commercial arrangement, issues such as liability; termination; change control; confidentiality; insurance; dispute resolution; governing law; and jurisdiction will also be important.