IT companies need to implement various agreements and policies to comply with their legal obligations and mitigate their commercial risk exposure. By standardising these agreements and policies, legal costs and negotiation time can be reduced allowing them to conclude deals more quickly and scale their operations efficiently.

Below, we discuss the main agreements and policies that IT service providers deal with and how they can be standardised:

Agreements

  • General terms and conditions or a master services agreement (MSA): It is fast becoming the industry norm for IT service providers to require their customers to sign up for their products and services using standardised terms and conditions rather than negotiating an agreement. These can be enabled as clickwrap terms whereby customers are required to agree to the terms and conditions before they are able to access or use the relevant product. As a result, the terms and conditions are not subject to negotiation and are managed through the relevant customer accepting the terms and conditions through an "I accept" button. Such terms would sit alongside any other terms and conditions that may apply (eg, data processing agreements).
  • Service levels: Service levels represent commitments made by an IT service provider to its customers regarding the quality, availability, and performance of the services provided. By adhering to these commitments, the service provider builds trust with its customers. When customers can rely on consistent service levels being met, they experience higher satisfaction and perceive the IT service provider as reliable and dependable. It is standard to formalise service level commitments in the agreement with the customer. Service providers should ensure that the service levels they commit to are feasible, as failure to achieve them may result in contractual disputes or in the customer enforcing remedies such as service credits or termination. With the above in mind, the service provider should ensure that it has a clear idea of the service levels it can commit to and the remedies it can offer a customer where service levels are not achieved, and then fix these through a standardised policy that would sit alongside the terms and conditions referenced in the above point.
  • End user licence agreements ("EULAs"): EULAs typically outline the terms and conditions for the licensing and use of the software, for example, the licence restrictions and what the user is permitted to do when they use the software. Although such terms would be contained in the overarching terms and conditions with the customer purchasing the software, for many IT service providers, their products and services are purchased by a representative for their customer and are used by the customer's authorised personnel (ie, the end user). Such personnel may not have been privy to the terms and conditions signed between the customer and the service provider, and so they may not be aware of their responsibilities when they use the relevant product or service. On top of having provisions in the main terms and conditions with the customer to ensure that the customer flows down its responsibilities to its users, it is recommended that service providers implement a separate EULA that pops up when the customer's authorised user accesses the relevant product or service. This widens the service provider's net of recovery in the event of any issues that arise from a user's use of the product. A EULA is not to be confused with a software-as-a-service ("SaaS") agreement which covers a broader range of topics. SaaS agreements are used for cloud-based offerings and in addition to licensing, address service level commitments, data privacy and security, IP ownership, support and maintenance services (if applicable), termination, and other specific terms relevant to the SaaS service.
  • Data processing agreements: Many products and services offered by IT service providers involve processing personal information on behalf of their customer, for example, an online file hosting platform or an employee self-service portal. In these instances, the service provider will be an "operator" as defined under the Protection of Personal Information Act, 2013 ("POPIA") – provided of course that POPIA does in fact apply to their processing of personal information. POPIA does not legally oblige operators to conclude any written agreements with their customers regarding what they do with their customers' personal information. Instead, the converse is true: section 21 of POPIA would require the customer as the responsible party under POPIA to conclude a written agreement with the service provider. Operators have very limited obligations under POPIA: namely to secure information and to notify the responsible party of a security compromise. The enforcement remedies (eg, fines) available under POPIA are all against the responsible party. Customers therefore face significant compliance risks which they may seek to mitigate through their contracts with their service providers. For example, the customer's contract could include onerous cooperation and assistance obligations, extensive audit rights, broad indemnities, and uncapped liability.

IT service providers could also have one document that consolidates all four of the above documents (general terms and conditions / MSA, the service levels, the EULA, and data processing agreements) instead of having separate documents. This approach is often preferred by companies as it means fewer documents to operationally implement and manage with their respective customers.

In addition to the above, IT service providers should also implement website terms of use. Separate from terms and conditions that govern a customer's use of products and services, website terms of use apply to a user's access and use of the service provider's website and are important to control user behaviour, particularly in respect of security of the website and the service provider's proprietary information contained on the website. The terms of use can also create awareness of other terms and conditions and policies that may apply to the user.

It is commercially prudent for the service provider to implement standardised agreements that are aligned with its obligations under the law and what it can reasonably provide to the client from a commercial and operational perspective. This is especially relevant for service providers offering a one-to-many solution to customers as standardised agreements save legal costs and time which enables service providers to conclude deals more quickly and scale fast.

External policies

  • Standardised security and product documentation: An information or policy portal on the service provider's website is helpful to both prospective and existing customers so that they are able to understand details about the products that they have subscribed to (eg, product specifications, what is included and what is excluded in the product offering, user manuals and how-to tutorials, etc), and backup and security features and capabilities. Not only does this approach secure a level of transparency and trust with the service provider's customer base, but it also allows the service provider flexibility in communicating and prescribing its applicable policies without the need for engagement and sign-off by the customer.
  • Privacy policy and other prescribed notices: POPIA requires responsible parties to inform their data subjects about, among other matters, the nature and scope of their processing activities, the data subjects' rights in respect of their personal information, and who they can contact if they have questions. This type of notification is most practically managed through a privacy policy that is publicly accessible on the website. The responsible party should regularly review its privacy policy and update it as its operations change – for example, if it launches a new app or product that processes a new scope of personal information. In South Africa, all private and public bodies are also required to publish on their website a manual in terms of the Promotion of Access to Information Act, 2000 ("PAIA"). The PAIA manual often sits side-by-side with the privacy policy.

Internal policies

  • POPIA compliance: Data offers high value to IT service providers, as the reliability and success of their products and services often depend on the quality and type of data that they process through providing their products and services to their customers. While it is important to have the right security policies and data processing agreements as discussed above, the commitments made by the service provider in such documents can be undermined by poor user behaviour. It is therefore important for a service provider to ensure that appropriate security controls and privacy training are implemented internally so that staff apply appropriate data hygiene protocols to any customer data that they handle.
  • Responsible AI: Generative AI has taken the world by storm. Companies need to ensure that they regulate and are committed to the responsible use of AI in the workplace. If generative AI use in the workplace remains unregulated, a company could suffer financial losses and other damages. ChatGPT and other generative AI expose companies to risks concerning corporate governance and accountability, confidentiality, cybersecurity, data privacy, intellectual property, and liability. The use of AI in organisations, however, extends beyond generative AI and organisations seeking to implement AI solutions into their operations require additional legal and ethical interventions and risk appreciation. Depending on the service provider's scope of AI usage, it should implement appropriate "responsible AI" policies and training to mitigate the foregoing risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.