Service Level Agreements as a Vendor Risk Mitigation Strategy

The other day I came across a blog post from attorney Don Pepper about public cloud providers’ SLAs and some unintended consequences they might create. Pepper explained that it is becoming more common to see SLAs expanded to cover issues beyond simple service downtime – some SLAs now cover data loss, network failures and notice of maintenance breaches. At first blush, this would seem to be a good thing – cloud vendors are giving customers more certainty over their service, and making allowances for when things go wrong.

Pepper, however, suggests that vendors are broadening SLA provisions in order to reduce their liability in the event of these other types of failure. The way some SLA contracts are written, the existence of the SLA reduces or removes the ability of customers to seek remedies beyond the service credits around which SLAs are generally structured.

Pepper details a particularly worrisome example of where this could lead, as he wrote:

…say the vendor fails to apply a security patch and that misstep results in the unauthorized disclosure of the user’s company’s sensitive and confidential data. The damage to the user’s business may be truly significant and costly, but if the vendor has incorporated service credits as the user’s exclusive remedy for such a breach, the user’s only recourse is to get a discount on their next monthly bill

We live in interesting times for cloud computing – the unmasking of widespread governmental spying on private and corporate data has got people concerned about utilizing cloud services. The fact that some vendors would appear to be complicit in providing back doors that the NSA can take advantage of is bad enough. The fact that some SLAs customers agree to may very well reduce their ability to seek redress in that event is yet another concern.

Cloud customers need to spend time reading the fine print – while vendors may pitch a broad SLA as a chance to protect customers’ best interests, it’s important to look at the downstream problems that these moves can create. As ever, it is a case of caveat emptor.
