SaaS, ASP Agreements – FAQs – Disaster Recovery

Do I need disaster recovery provisions in a SaaS agreement?

Disaster Recovery

Disaster recovery sets out the processes and procedures to be followed in the event of SaaS software, or customer data, no longer being accessible due to a problem with the technology infrastructure at the supplier’s data centre.

For example if there is a power cut, flood or fire at the data centre, the server on which the software is running will no longer function and the customer will no longer have full access to the software and its data. If the customer is using the software for a live website, the website will cease to function correctly, or possibly at all.

Supplier Obligations

The disaster recovery provisions of a SaaS agreement should be set out in the SLA and should as a minimum, include the following supplier obligations in the event of a disaster:

  • customers must be notified of the disaster;
  • any third parties used for disaster recovery should be identified;
  • the estimated time for restoring the servers and access to the software and services should be specified; and
  • details should be given about the supplier’s testing procedures i.e. how often its disaster recovery processes are tested.

Costs

The extent and speed of the disaster recovery offered by the supplier will depend upon the fee charged for this service. Suppliers often include the costs of basic disaster recovery in their licence fees. In addition, or as an alternative, they may offer higher levels of disaster recovery for additional fees. The faster and more individual the disaster recovery process is, the higher the fees.

If the supplier does not provide any disaster recovery services, or the customer is not satisfied with the disaster recovery offered, it should consider setting up its own disaster recovery procedure with a third party, particularly if a disaster would be business critical i.e. for a customer providing online banking services.

Avoiding Disasters

The most common disaster recovery risks are power failure, physical damage to the data centre or data and insolvency.

Power Failure

To minimise the risk of a power failure causing the servers to fail, ensure that the data centre has a continuous power supply (UPS) and power regulators to prevent fluctuations or interruptions in the power supply.

Backups

If the SaaS agreement includes backup of customer data, the regularity, media used for backups and storage should be set out in the SLA.  Backups should not be stored at the same physical location as the servers on which the data is being processed.

Encryption

The media on which customer data is backed up should be encrypted. Particularly, if backups are to be physically sent to the customer, or moved to another data centre in the event of a disaster.

Access to Data

In the event that the data centre or a third party making backups of customer data becomes insolvent, the customer usually has no right to access its data and backups. Provisions should be included in the SLA to give the customer the right to access its data and backups in such circumstances.

Help

For assistance with any disaster recover issues, SLA, SaaS, ASP, software on demand contracts or any other IT legal issues contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles: