One of the most popular posts on this blog continues to be my SaaS Service Level Agreement post from last year. I've also published several additional pieces since covering additional SLA best practices - whether you are looking for a cloud computing SLA, cloud SLA, a SaaS SLA or an on-demand SLA.
I thought it would be useful to re-summarize and bring up to date my recommendations both for what people shopping for SaaS or Cloud Computing solutions should be asking for in Service Level Agreements, and what vendors should consider offering in their SaaS and Cloud Computing SLAs.
In my experience, there are four key areas to consider in your SLA:
First is addressing control: The service level agreement must guarantee the quality and performance of operational functions like availability, reliability, performance, maintenance, backup, disaster recovery, etc that used to be under the control of the in-house IT function when the applications were running on-premises and managed by internal IT, but are now under the vendor's control since the applications are running in the cloud and managed by the vendor.
Second is addressing operational risk: The service level agreement should also address perceived risks around security, privacy and data ownership - I say perceived because most SaaS vendors are actually far better at these things than nearly all of their clients are. Guaranteed commitments to undergoing regular SAS70 Type II audits and external security evaluations are also important parts of mitigating operational risk.
Third is addressing business risk: As cloud computing companies become more comfortable with their ability to deliver value and success, more of them will start to include business success guarantees in the SLA - such as guarantees around successful and timely implementations, the quality of technical support, business value received and even to money back guarantees - if a client isn't satisfied, they get their money back. Cloud/SaaS vendor can rationally consider offering business risk guarantees because their track record of successful implementations is typically vastly higher than their enterprise software counterparts.
Last is penalties, rewards and transparency: The service level agreement must have real financial penalties / teeth when an SLA violation occurs. If there isn't any pain for the vendor when they fail to meet their SLA, the SLA doesn't mean anything. Similarly, the buyer should also be willing to pay a reward for extraordinary service level achievements that deliver real benefits - if 100% availability is an important goal for you, consider paying the vendor a bonus when they achieve it. Transparency is also important - the vendor should also maintain a public website with continuous updates as to how the vendor is performing against their SLA, and should publish their SLA and their privacy policies. The best cloud vendors realize that their excellence in operations and their SLAs are real selling points, so they aren't afraid to open their kimonos in public.
These ideas leads to specific SLA terms that I recommend cloud / SaaS buyers discuss with their vendors, and that SaaS / Cloud vendors should consider including in their service level agreements:
Control oriented Service Level Agreement Terms
- Establish a system availability SLA, based on average monthly availability, with bonuses for overachieving and increasingly steep penalties for downtime beyond the agreed level.
- Establish a system response time SLA, based on average monthly response time, with penalties for slow system performance.
- Establish a fail over window for disaster recovery SLA in the case of a catastrophic failure of the vendor's infrastructure.
- Ensure that you can get your data back if you ever decide to leave and that it is unambiguous that you own your data.
- Ensure that the vendor will assist you in migrating away, for an appropriate professional services fee.
- Ensure that you can retain your data on the vendor's system for an appropriate fee if you ever need to stop using the service but don't want to lose access to your data.
- Review the vendor's privacy policy and make sure that you understand what happens according to the SLA if there is ever a privacy breach.
- Ensure that the vendor undertakes annual SAS70 Type II audits, and that the vendor further undergoes annual third party security and penetration testing.
- Establish an error resolution time SLA, with different windows for different severity levels (system down vs. workaround) and again with penalties for not being responsive.
- Establish criteria for the quality and timeliness of professional services engagements with bonuses for implementations that go better than planned and penalties for those that do not.
- Look for guarantees around proactive communications - look for monthly product feature updates and quarterly roadmap updates and understand how your requests for new features and product changes will be prioritized.
- Ask for money-back guarantees - cloud vendors may be willing to offer you a money-back guarantee, particularly if you are willing to commit to a pre-agreed upon scope of work and criteria for success. If you are comparing multiple vendors this can be a great way to reduce your risk or at least to understand how confident the vendors are that they will meet your needs.
- In each of the above sections, ensure that the vendor documents the methodology for measuring performance and calculating penalties and rewards.
- Understand whether you will be issued an automatic credit if a failure occurs that impacts you, or must you ask your vendor for a credit to receive one
- Understand whether you can you get out of your contract if the vendor continuously and materially fails to meet their SLA
- Ensure the vendor guarantees transparency and proactive notification of system availability, production issues, scheduled downtime and pending updates.
- Review the vendor's public real-time status website that shows their operational performance. If they don't have one, think about looking for another vendor.
- Review the vendor's published service level agreement and understand how it applies to you (and how it compares to this list. If the SLA isn't published on the company website, decide whether that is a red flag to you.
I realize this is a very long post - but I wanted to try to make it comprehensive and I hope that both prospective SaaS / Cloud buyers and vendors find it helpful. At Intacct, we publish our SLA, which we call "Buy with Confidence" as well as our privacy policy and our real-time system status.
6 comments:
Excellent post, Dan - I'm the CEO for a SaaS start-up and we want to publish and SLA that demonstrates our commitment to high quality service and our confidence that we can achieve this. I'll reflect on the elements of the SLA that you recommend and head very much in this direction. Thanks for a genuinely helpful contribution to a very common challenge/topic.
Cheers
Andy Smith
CEO
http://www.iceflo.com
Nice article, it helped me consolidate various thoughts that I had on this subject. I've shared your blog with my friends with whom I discuss the subject.
Dan,
Thanks for this informative post. I'm conducting a SaaS project for a multi-national client (SaaS financials included as part of project), and some of the concerns from the IT team have been around protection of customer data and privacy.
Based on my research it looks like EU Safe Harbor and PCI compliance offer good safe guards for a service provider to have as certifications. When comparing PCI and SAS 70 Type II it looks like PCI is much more rigorous around specifying the controls to protecting customer data - which seems critical for financials (with SAS 70 Type II, it looks like it relies on the service company to provide the controls that will be tested to achieve certification).
I've been browsing the Intacct site, but I can only see SAS 70 Type II, are you certified PCI and Safe Harbor, and if not, is there a reason you haven't been certified yet - and when is the plan to get certified?
Thanks,
Nigel
Hi Nigel,
Thanks for the comment. First a couple of cautions for other readers and then I'll answer your specific questions.
You used the term "certified" in both of these areas. Along with discussions about SAS 70 Type II, this is a term to be a bit careful about - in these areas SaaS / Cloud firms will generally attest to being "compliant" and "audited" but there often isn't a way to get "certified" as such by a third party.
I think you understand from the way that you worded your comment that compliance with these standards can be more about documenting business processes than about actual security in the system, though you are correct the PCI standards do have some actual technical security requirements built in.
I've seen many a SaaS / cloud sales and marketing team overstate what SAS 70 really means and to imply that SAS 70 is a security certification, which it is clearly not - that's why we at Intacct undergo third party security audits and penetration tests in addition to compliance with standards like SAS 70.
As far as your specific questions:
I left PCI (Payment Card Industry) compliance off of this list because it's not as broadly applicable to SaaS / Cloud vendors as SAS 70 Type II is. I agree this is an important standard for any vendor that is processing payment card information - so I see it as an "in addition" to SAS 70" not instead of. As to your question about Intacct, the system was designed to be PCI compliant and we do plan to undertake a third party PCI audit this later - our head of product management for payments comes from eBay is is quite deep in this area.
As to European Union data privacy directives and Safe Harbor - For most US-based cloud/SaaS companies, compliance with Safe Harbor as it relates to Directive 95/46/EC largely amounts to registering with the US department of commerce, publishing a Safe Harbor Notice on the corporate website that discloses what type of data is collected, and establish a process for access and review of this data. At Intacct we've not yet taken these Safe Harbor steps, but while we haven't had very many requests for it yet I agree that's it's a good idea to get it on our roadmap. As with PCI, the controls built into the Intacct system for authentication, encryption, fine grained access controls, audit, etc are quite strong and we've got many clients with operations in the EU.
Our security and operations teams often meet with IT departments like the one you are describing to take them through the system and our processes and said IT departments pretty quickly find out this is an area Intacct really excels in.
thank's for sharing nice artical on cloud / saas service.
Saas Services
This was a refreshing post from a professional SAAS provider. My experience with SAAS providers is that they are very limited on SLAs and resistant to due diligence on security and disaster recovery. I also have to disagree heartily with the statement that most SAAS providers are much better at security than inhouse IT departments. Maybe most of the Tier 1 providers are, but Oracle failed our security review and I've dealt with several SAAS providers that don't even have a security policy. In my experience, SAAS is still deep in its adolescense and providers can act like an adult at times and a 12 year old gamer at others.
Post a Comment