I originally wrote the following post as a FAQ for Legal OnRamp. As hosted computing, cloud computing, and online storage become more and more popular, it is important to take a few moments to discuss something that many people may overlook: the hosting agreement. Hosting agreements take many forms, and may come to you as a benign-looking “terms and conditions” page on a website, that you are asked to click through in order to proceed. This post examines several (but not all) issues that pertain to hosting agreements.
1. What is hosting?
Generally, ‘hosting’ (sometimes used in conjunction with ‘cloud computing’) is a service where one party entrusts the storage and provision of its data to a third-party provider. In some instances, the data resides on servers controlled, operated and maintained by the third-party hosting provider. In others, the hosting provider itself may outsource some or all of those functions. The core concept with a hosted service is that the end user can simply access application data (and possibly even the application itself) without having to worry about the underlying infrastructure.
2. What different types of hosting services are there?
Providers may offer different types of hosting. Some providers offer only storage hosting, such as an online disk where users can upload and access their data. Other providers offer application hosting, a service where an application is delivered online via a web browser, and the application and the data are stored with the provider. This latter form of hosting is commonly referred to as Software-as-a-Service (SaaS). There are other forms of hosting as well, such as platform and infrastructure hosting. End users, though, are primarily focused on SaaS.
3. How do I select a hosting provider?
This is a very difficult question to answer, and there are many factors to consider. Selecting a hosting provider is in many ways like selecting a bank (except you don’t get the added protection of the FDIC). Usually you are trusting critical business assets with the hosting provider, and it is important to select a hosting provider that is financially stable, reliable, and able to deliver the service and support that you need. Service providers should be willing to answer questions about their company’s strength, and provide information about their storage and security practices. Providers should also be willing to allow customers (and potential customers) to tour their facilities, so end users can see exactly where their data will be housed. If you get a bad vibe about a specific provider, ask questions until you are satisfied. If you don’t feel comfortable with a specific candidate, move along.
4. What is a hosting agreement?
A hosting agreement (or the terms of service) is the written contract that governs your relationship with the hosting provider. Much like any other agreement, this is where the terms of the relationship are set out. Since many service providers offer online sign-up, the hosting agreement may be presented to you online, and the provider may ask you to agree to its terms before setting up your account. In almost all instances I have seen where sign-up is online, the provider will not process your order unless you acknowledge your agreement to their terms and conditions. Don’t just click “Accept.” Read the terms of service thoroughly and familiarize yourself with them completely. If you don’t agree to something (or something isn’t clear), call or email the provider and see if the terms are negotiable. If not, you may have to go elsewhere. As when entering into any other agreement, consultation with an attorney is strongly encouraged.
5. What is a service level agreement?
A service level agreement (SLA) is an agreement pertaining to how often the service will be available to the end user. An SLA is sometimes referred to as an uptime agreement. It may be either a standalone agreement, or incorporated into the hosting agreement. It is important to make sure that the SLA is consistent with the provider’s marketing. For example, make sure that if a provider markets itself as providing 99.99%, 99.999%, or even 100% uptime, those terms are clearly outlined in the SLA. Check how downtime is measured, whether there is a cure period that would allow a provider to repeatedly violate the SLA over the course of small periods of downtime, and what end users are entitled to if downtime exceeds agreed-upon thresholds. This language is one of the most important areas to review. Review it closely and carefully.
6. What are planned service interruptions?
Planned service interruptions (a.k.a. planned maintenance) are intentional periods of downtime which are necessary to provide periodic maintenance to the provider’s infrastructure. It may include anything from an operating system or application upgrade, to physical plant maintenance which requires that systems be brought offline. Check with the provider to see if planned service interruptions are included in the SLA, or if those are separate. If separate, your SLA might not reflect true system availability.
7. Where is my data stored?
The hosting agreement should outline where your data will be stored. If the provider is going to outsource this function, it should clearly be disclosed in the hosting agreement, and your provider’s provider should be clearly identified. Keep in mind that if your provider outsources this function, it likely has a separate hosting agreement with its provider, and those terms may ultimately affect you. Also keep in mind that where your data is stored may implicate data, privacy, and other laws of different jurisdictions.
8. How is my data protected?
The hosting agreement should outline how your data will be protected (in some detail, but not so much as to compromise security), and should place on the provider certain responsibilities with respect to data security, access control, and antivirus measures.
9. What about confidentiality?
The hosting agreement should outline confidentiality of your data. Some agreements might simply restrict the provider’s ability to disclose your data to third parties (except in cases where necessary to provide the service or as required by law). However, consider looking or asking for an agreement which restricts the provider’s right to view the data itself (the provider will likely carve out technical support requests from this restriction, but it is still a reasonable request). Overall, look for the language which best protects your data from being viewed and disclosed.
10. Will I have unattended access to my data at any time?
Having unattended access to your data is very important. It will allow you to keep an updated copy of the data in-house, should it ever be needed and unavailable from the provider. Being allowed access to your data only upon request to the provider is very different from having unfettered FTP or web-based download access (e.g., imagine having a bank account without ATM access; see the difference?).
11. How is my data stored? Is it kept in a proprietary format?
This issue mainly comes into play with application hosting, but may also be implicated with traditional data hosting and online backup providers. Many applications store data in proprietary formats, which render the data inaccessible unless read by that specific application. Make sure that not only is your data accessible, but that it is in a readable format even without the application. If the raw data is proprietary, make sure that it can be exported and made available in a non-proprietary, readable format, such as CSV or XML. After all, having access to your data is meaningless if you can’t do anything with it.
12. What is data-escrow?
Data escrow is relatively simple, and works essentially the way you would expect any other escrow arrangement to work. With data escrow, the hosting provider is typically required to mirror the data you store with it (at an agreed-upon frequency) with yet another third party, the data escrow agent. The data escrow agent then holds a copy of the data, should access to it ever be necessary. Both the agreement with your hosting provider and the escrow agreement with the data escrow agent should address in detail who can access the data, when, and under what terms. It is important to make sure that the agreements allow you immediate access to your data upon request to the data escrow agent. Language that requires both parties to agree before the data is released may seem fair, but when disputes arise, it may also mean a long delay before you are actually able to get your data. Be careful with data escrow companies that are affiliated with or are operated by the same company as the hosting provider, as this does not offer a true escrow.
13. Will my provider cooperate with a data-escrow provider?
Ask. If the answer is no, be careful.
14. What if I want to cancel my hosting service?
Make sure that the hosting agreement expressly covers this, and clearly addresses who can terminate, when, under what conditions, at what cost, and how the data is returned to you. Make sure you are comfortable with the language, and always make sure the agreement provides that your data is returned to you in a timely fashion, and in a readable format.
15. What if I want to switch to another provider?
Some providers may actually facilitate a move to another provider in the event you discontinue your service. Check with them in advance if this is something that is important to you. Make sure whatever you are told is ultimately incorporated into the hosting agreement.
16. Are these types of agreements with the provider even negotiable?
That depends. It probably comes down to the size of the provider and the size of the account you represent. If you are interested in negotiating the terms of the hosting agreement, ask to speak to someone in the provider’s legal department. And whatever is agreed to, get it in writing by someone who is authorized to act on behalf of the provider.




