Availability of services: this mainly concerns factors such as network availability, data center resources or even database availability. Including punitive clauses is a necessity in the event of a prolonged network failure that could have an impact on the business function. The “sanction doctrine” provides that a clause in a contract may be invalid and unenforceable if it imposes additional liability when a party breaches the contract. To be considered a penalty clause, the consequences must be disproportionate to the damage likely to be caused by the infringement. It is therefore important to ensure that the consequence is a true prediction of the harm suffered. The difficulty, obviously, is that this assessment has to be carried out at the time the contract is concluded and not at the time of the infringement. However, a SUPPLIER CIO shouldn't always be seen as the cop with the club. It should therefore also consider including in an SLA a reward system for meeting or exceeding the expected level of service. Unlike a penalty clause, a reward clause could positively motivate the provider to provide better services.

**Update 2018: Please see my update on additional clauses, such as privacy policy, in light of the latest news about Facebook and Cambridge Analytica**

In my personal experience on one of my international projects, a telecommunications operator was not able to ensure the expected level of performance due to a temporary decrease in the availability of the service. The provider had failed both in terms of network availability and performance assurance (latency). However, the inclusion of a penalty clause in the SLA not only helped us to obtain sufficient credit, but also forced the provider to provide an additional connectivity option for redundancy.
5. Security and Data Protection – How does a SaaS provider protect customer data and respond to security breaches? These scenarios should be set out in the SaaS agreement. These clauses generally stipulate that the supplier has security measures/systems in place (and that the security measures/systems comply with current legislation). In addition, the clauses should stipulate that the customer must be informed without delay of any infringement. In some cases, customer data may be accessible to a third party.