What is the purpose of the solution? 
E.g. is it customer facing, does it generate revenue, assist with regulatory compliance, drive efficiencies?

What is the impact if it’s not available
(either short/medium/long-term) – are there manual workarounds and what would implementing them cost?

• If the reg tech solution assists you in meeting your compliance obligations (and there is no easy manual workaround) then it is likely that you will want greater clarity around exactly how the solution will help you meet those requirements including uptime commitments, technical support during relevant operating hours, and a strong governance framework to address any issues.

• If the solution isn’t business critical (e.g. it drives efficiency but you can satisfy your compliance obligations without it), then you may be willing to live with a service description or service level commitment which is lower than you would require for a business critical solution.

Are there real alternate solutions in market you could quickly/easily move to if dissatisfied?

Is the supplier or the solution a key player in the relevant market? 

• The fewer alternatives there are in market, or the trickier it would be to transition to alternatives, the more important it is to get the service standards and levels right.

• You might be willing to live with poor service descriptions if the Supplier or the solution is a key player in the market.  Equally, if you are comfortable with the current functionality of the solution, you may be able to get comfortable with a poor service description.

Do you have the right to terminate for convenience at any time with a partial refund of any upfront fees?

Are you committing to a minimum term, minimum spends or any kind of exclusivity?

Will you require disengagement assistance?

• If you don’t have a right to terminate for convenience, or if you are agreeing to a minimum spend or exclusivity, it will be important to get the service standards and service levels right and to include appropriate rights to terminate and/or suspend the minimum spend and exclusivity commitments if those requirements are not met.

• Consider what assistance you might need on disengagement and whether a formal plan should be agreed early on during the engagement so exercising your termination rights is actually a practical option.

What sorts of data will actually be uploaded to, or generated by the solution – in terms of nature, sensitivity and volume?  For example, personal information of customers, personal information about employees, confidential information about your business plans? 

What is the likelihood that serious harm would occur if data was compromised? 

• The more sensitive the data, and the greater volume of data that will pass through the solution, the more you will want to negotiate additional protections to mitigate against the regulatory and reputational impacts of a data breach/compromise.

• Also, consider whether you can reduce the risks by:

• • de-identifying or redacting the information so that it is no longer personal information or highly confidential information before uploading or transmitting it to or via the solution; or

• • if the data is not personal or confidential in nature, whether risks around data security can be managed through regular backups.

• If the supplier is also located within Australia, or is located externally but will commit to hosting the solution from within Australia, the data risks reduce given the supplier will likely also have obligations under the Privacy Act.

• If the supplier or the solution are offshore, consider the equivalency of any privacy and data security regimes which operate in those countries (and conflicting data-sovereignty issues, e.g. as a result of the US Patriot Act).

• Data sovereignty issues are back in focus again after the recent Schrems II decision – click here to read more.

What is the supplier’s approach to security – are they compliant with industry standards such as ISO27001, PCI DSS? 

How much do they invest in security? 

What is their reputation for compliance with their stated security positions?

• The more comfortable you can get from an operational perspective, the fewer amendments might need to be made to the agreement to reflect the actual level of data security.

• For example, does the supplier already go through annual testing and certification of its data security arrangements consistent with industry standards? Do they share those certifications and annual testing reports?

Will you be using a public or private cloud solution?

• If the solution is available on a public or shared cloud instance, will your data be held so that it is logically separate, with specific security controls to ensure it cannot be accessed by other tenants of the solution?

• If you are using a private cloud solution, you may have a greater ability to negotiate specific data requirements into the contract.