


Storm Clouds: Ensuring Data Availability in a Hosted Environment

Mar 08, 2008 (3 mins)
Core Java

With all the talk these days about cloud computing, SaaS, and ASPs, we see much focus on ensuring data entrusted to these vendors is adequately secured. This usually covers the first two letters in the well-known CIA acronym (i.e., Confidentiality, Integrity, and Availability), but the service levels for these vendors – the all-important availability, response time, and other performance requirements – are frequently very thin. Given the recent, highly publicized downtime at several of the best-known vendors in this space, I thought it might be useful to highlight some of the key elements to be considered in drafting effective service level agreements (SLAs):

1. SLAs should be clear and absolutely objective. The vendor should be required to provide monthly reports on SLA performance. 

2. Remedies (generally some form of credit) should be associated with each SLA. Remedies should escalate depending on the severity of the SLA failure (e.g., a 10% credit for availability between 99%-99.9% and a 20% credit for availability between 98%-99%). Repeated failures in a given time period should also cause escalation of remedies. All credits should be made automatically, without the need for the customer to request the remedy.

3. Repeated failures (e.g., two failures in any four-month period) should, in addition to all other remedies under the contract, give the customer the right to terminate the agreement. Repeated failures should also require the vendor to provide a root cause analysis of the failures and a specific plan to minimize future performance issues.

4. Broad force majeure exceptions to SLA performance should be avoided. While general Internet and infrastructure failures may be excluded, events such as strikes, power failures, labor issues, accidents, etc. should not. In particular, if a circle is drawn around the vendor facility providing the service, anything that happens within that circle, regardless of whether it constitutes an Act of God or not, should not relieve the vendor of its SLA obligations. You are buying a service. If the vendor fails to provide that service for any reason, there should be an adjustment in fees (i.e., the credit remedy mentioned above).

5. Credits issued for SLA failures should not be framed in terms of “exclusive remedies.” The customer should have all other remedies available to it under the agreement, including the ability to declare a breach, terminate, and seek damages to compensate for poor performance. 

6. Include the ability for the parties to meet and confer on at least an annual basis to evaluate existing SLAs and discuss potential changes.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
