When outsourcing IT services, your IT contract must reflect what you are aiming to achieve. You may have the option to provide your own agreement, or you may receive a standard contract from the IT supplier.

When drafting or reviewing the IT contract, you should include certain clauses that ensure you receive a quality product. You will also want to ensure that you receive ongoing support for any services or deliverables that you receive. Finally, your IT supplier must be able to handle your data in accordance with your privacy obligations. You should seriously consider any clause that places obligations on your business to ensure that you are comfortable with the applicable responsibility.

This article will explain the key provisions that you should include in an IT contract to protect your business and outline which clauses to focus your attention on when reviewing an agreement.

Key Clauses to Include in an IT Contract

When receiving IT services, there are some key clauses you should look out for. These primarily relate to the quality of the product, ongoing support and privacy.

Harmful Code

To ensure you receive a quality product, you should include a harmful code clause. This is a provision that legally prevents the supplier from introducing any systems that could harm your business. Indeed, harmful code refers to any computer program, virus or other code that is harmful, destructive, or disabling. It also includes code that enables theft, alteration, denial of service, unauthorised access to or disclosure, destruction or corruption of information or data.

Therefore, harmful code can be very destructive for your IT systems and data. Accordingly, you should seek to create a clause in your contract that prevents the transmission of harmful code if: 

  • you plan to integrate the IT supplier’s services with your own systems; or 
  • the supplier is providing a deliverable to you which may include harmful code.

If you receive a contract from an IT supplier, it is unlikely to contain a harmful code clause. This means that you may need to negotiate and add your own clause. When reviewing or preparing a harmful code clause, you should include:

  • a warranty from the supplier that they will not introduce harmful code into your IT systems or deliverables;
  • requirements for the types of security procedures the supplier must use;
  • an obligation for the supplier to immediately notify you if they introduce harmful code into your IT systems or deliverables; and 
  • an obligation for the supplier to eliminate the harmful code, prevent re-occurrence and rectify any consequences at their own cost.

Service Availability, Response and Service Credits

To ensure that your business can rely on the product or services, you should ask the IT supplier to promise to meet set availability and response requirements. This can take the form of a service availability clause within the core contract, or take effect as a separate service level agreement. Either way, you want to see a clear promise regarding uptime and service response.

You should request a high percentage guarantee for uptime, which is a measure reflecting the reliability and availability of the system or product. 

For example, a 99% uptime guarantee for the services ensures that they will be operational for 99% of any given month. 

Importantly, you should carefully check how the service provider calculates their uptime. This is because the method of calculation can impact the accuracy of the promised uptime. Therefore, some guarantees might be more effective than others. 

For example, two different providers might both promise 99% uptime but use a different approach to calculate this outcome. This means that they may not actually provide the same level of uptime.

Ideally, a service level promise will also include: 

  • guaranteed response times; and 
  • restoration times for support requests. 

Typically these will be categorised based on severity so that more severe issues benefit from faster response and restoration. 

This is demonstrated in the example table below. While it is reasonable to rank issues, you should check the definition of each category and consider whether these times suit your business’ needs. 

Example Service Level Credit Assignment

| Priority Assignment | Definition | Response Service Level | Restoration Service Level | Service Level Credit |
| --- | --- | --- | --- | --- |
| Critical Incident | An error that renders the SaaS services inoperable. You are unable to login to the SaaS services. | 1 business hour. | 4 business hours. | 10% rebate on your next payment of the price applicable to the SaaS services. |
| Major Incident | An error that causes the SaaS services to be partially inoperative, which severely restricts your use of the SaaS services. | 2 business hours. | 8 business hours. | 5% rebate on your next payment of the price applicable to the SaaS services. |
| Minor Incident | An error that causes the SaaS services to not comply with its specifications. However, it does not severely restrict your use of the SaaS services, which are still usable but with moderately limited functions. | 1 business day. | 3 business days. | Not applicable. |
| Informational Incident | An error that does not materially affect the operation of the SaaS services, which remain usable. | 2 business days. | Not applicable. | Not applicable. |

Implementing Service Level Credit Clauses

You should establish any service levels written into the contract as an obligation of the supplier. It is also important that you remove any language which reduces service levels to an aim of the supplier, rather than an obligation. 

For example, instead of saying “The supplier will endeavour to maintain an uptime of 99%” you should seek a clause with definite language, such as “The supplier will maintain an uptime of 99%”.

Where service levels are an obligation and the supplier fails to meet these requirements, you will have a contractual right to claim for breach of contract. However, this may not be commercially practicable because of the cost of taking legal action and the inconvenience of needing to find a new supplier. Therefore, it is ideal to ensure that you are entitled to service credits upon certain breaches of your contract. This is a system by which your supplier’s failure to meet a service level promised under your agreement can result in a discount on your next invoice.

You may also seek to include a termination right for repeated failures. If the supplier is consistently unable to perform, you will probably want to find a new supplier. So, make sure that access to service credits is not your only remedy to your supplier failing to deliver on a service level.

Acceptance Testing

If you will receive deliverables from the IT supplier, you should have a right to perform acceptance testing on the products. If the deliverables do not meet the agreed specifications, you should also have the right to request that the supplier rectifies the product at no further cost to you. 

Importantly, you should clearly define what acceptance tests you will carry out for the purpose of any acceptance testing clause.

For example, a clause setting out your rights if the deliverables fail to meet the acceptance tests might look like this: “If the deliverables fail to meet the acceptance tests, we can waive the need for further acceptance tests, request that the deliverables be amended to satisfy the acceptance tests or accept the deliverables on the basis that we will allow you to set a timeframe to amend the error or non-compliance. If we request that you amend the deliverables, you will do so at no additional charge.”

Where the deliverables are core to the contract, you may wish to end your engagement with the supplier if: 

  • the deliverables do not meet the specifications; and 
  • your supplier cannot rectify the issues promptly. 

Accordingly, it can be useful also to include a right to terminate the contract in full and without any liability. 

Warranty Period

As well as performing acceptance tests on the deliverables, it is advisable to have an ongoing warranty against defects. This can also apply if you receive IT equipment from the supplier. 

Suppliers will often provide a warranty for their deliverables, such as software, for three months after acceptance or completion. However, you can negotiate a longer period to ensure greater protection, such as 12 months. You should note that the supplier may request to increase the price upon receiving a request to extend the warranty, to price their services appropriately. A warranty on IT equipment may be far longer, such as two or three years.

Where the supplier offers a warranty against defects, you must be careful about what they exclude from that protection. 

For example, typically if you make changes to the deliverable or equipment without consulting the supplier, the warranty may become void. Of course, if the Australian Consumer Law is applicable, the warranty may continue to apply depending on the nature of the issue. 

You should also check the requirements for the submission of a warranty claim. This includes details concerning: 

  • the type of information you may need to provide;
  • how and where you need to provide the information; and 
  • the kind of access you may need to provide to the supplier, whether access to your IT systems or to your premises and equipment. 

Ongoing Support Services

If you are receiving an ongoing IT service, such as access to software as a service, then you should also expect to receive continued support for that service. This could be in the form of a support telephone line, an online chat or a support ticket system built into the software. 

Where support is offered, it is key that you clearly define what support the supplier has promised and how to obtain this support. Further, the supplier should have an obligation to provide this support professionally and efficiently. This should also be guaranteed by a service level promising a certain standard and timeframe regarding support. 

Privacy is Key

It is key that you understand whether the IT services will: 

  • require or allow the supplier to access personal information which you hold; or
  • require you to transfer personal information to the supplier. 

If any personal information will be accessible, transferred to or otherwise handled by the supplier, you must address privacy in the contract to minimise your risk. In any good privacy clause, you should aim to address the following six key points.

1. Access

The contract should specify the basis on which the supplier and their personnel, including any third party subcontractor of the supplier, will access and handle the personal information. 

For example, you may wish to limit this access to a ‘need to know’ basis. If you require further control over access to the information, you may require that access is limited to a ‘need to know’ basis and only by key personnel approved by you in writing.

2. Security

The contract should include the steps the supplier must take to secure the personal information at any time that the supplier is handling it. 

For example, you may require that the supplier comply with your internal IT security standards or an international information security certification, such as ISO 27001. 

You may also ask that the supplier store data in a pseudonymised form, such as in an encrypted state. This may assist in reducing the likelihood of a virus or hacker obtaining personal information if they breach the supplier’s systems.

3. Legal Compliance

The contract should require the supplier to comply with all privacy laws that you must comply with, as well as those that the supplier itself must comply with. 

It is not sufficient for the supplier to only comply with the laws applicable to their own business. This is because you may have promised or may be obligated to treat information in accordance with a particular law which the supplier is not subject to. However, you must also ensure the supplier complies with the laws applicable to their business to protect yourself from any potential risks or penalties. 

For example, if you are required to comply with the Commonwealth Privacy Act and want to ensure that your supplier is compliant with their own privacy obligations, you could include a clause that states: “You agree to comply with the legal requirements of the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth) (as if you were an “APP entity” as defined in the Privacy Act 1988 (Cth)) and any other applicable legislation or privacy guidelines that may apply to you or the provision of the Services.”

4. Overseas Disclosure

The contract should state where the supplier may disclose or store the personal information. It may be important to you, or required based on your privacy obligations, that the personal information not be disclosed or stored outside of a specific country or area. If this is true, you should clearly set out the obligation to only disclose or store the personal information following these requirements. 

5. Data Breach Obligations

The contract should specify the supplier’s obligations where there is an actual or suspected data breach. These obligations should apply whether the breach involves personal information you hold or personal information the supplier holds which relates to the services. 

Commercially, it is useful to have the supplier notify you of any actual or suspected data breach (whether legally notifiable or not) and to build in a disaster recovery obligation for the supplier. This will reduce the likelihood of experiencing any unavailability of, or a delay in, the services. 

The data breach clause should also:

  • address any legal obligation to notify, such as under the Privacy Act;
  • specify who will be in charge of assessing whether notification is required; and
  • specify who will be responsible for the notification of the regulator and affected individuals.

6. The Consequences

Finally, the contract should also set out any consequences of the supplier breaching its privacy obligations. This clause should require the supplier to immediately notify you of any: 

  • breach of its obligations; and 
  • actual or suspected breach of any privacy law. 

The clause should also include the ability for you to receive compensation for any loss you may incur as a result, including fines. You could insert this clause as a broad indemnity for breach of privacy. Ideally, such an indemnity will not be capped and will not exclude consequential losses. The reasoning for this is that you may be subject to substantial penalties for breaches of privacy obligations and suffer considerable reputational damage as a result of mishandling personal information.

Key Clauses to Review in an IT Contract 

Confirm What You are Receiving 

One of the first things you should check in any contract for IT services is that you will receive the services that you expect. 

For example, if the services include software then you should consider the terms of the licence, especially any restrictions on your use. You should also confirm whether the licence allows your authorised users, such as your staff, to access the software. If so, you should check whether this is subject to an extra fee. 

Further, it is important to know whether a third party will provide any part of the services and what kind of responsibility your IT supplier will assume for this third party. You will want to know whether the supplier has excluded their liability for third parties and, if so, whether this is acceptable. 

For example, it will likely be unacceptable if the services rely heavily on a third party software but your supplier excludes liability for any issues caused by this third party. This is because the discontinuation of that third party software may materially change or delay the services. Further, if the agreement excludes all supplier liability for third parties, it may be difficult for you to seek compensation from the IT supplier. 

If Australian Consumer Law applies to the supply of IT services or products in question, you may also be able to rely on a right established under the law, even if your agreement excludes liability. However, the best option is to address liability for third parties at the negotiation stage and request that the IT supplier agree to accept responsibility for the third parties that they choose to use.

Check Your Obligations

When receiving IT services, it is also important to check the contract to confirm your own obligations. You will want to ensure that these are reasonable and achievable for your business. 

For example, the contract may require that you supply materials to the supplier. 

In such an instance, you should carefully consider the language used to check that any obligation to provide materials is limited to those ‘reasonably necessary’ and that time is not of the essence. You should also confirm whether you need to give any warranties: 

  • regarding your rights to the materials; or 
  • that the use of the materials by the supplier will not cause infringement of any third party rights or breach any law. 

While such warranties may be reasonable in certain circumstances, you may seek to reduce them to obligations that simply require you to “take reasonable steps” rather than offering a warranty. Ultimately, you should make sure that you are: 

  • aware of the ownership or licensing of any intellectual property rights in any materials; and
  • comfortable that any personal information was collected legally and that you can disclose it as required.

Further, you should aim to remove any indemnities regarding the materials that you supply. If you do accept an indemnity for materials, you should consider limiting it to the extent directly caused by your business and to the extent that the supplier’s use is in accordance with the contract. Additionally, the indemnity should: 

  • exclude consequential loss; and
  • be subject to a liability cap and to an obligation for the supplier to mitigate any loss.

Key Takeaways

Before entering into a contract for IT services, you must carefully consider what services or products you expect to receive and check this against the contract. You should also ensure you have reassurance from the IT supplier that you can rely on the services or products that they provide. For instance, this may be through the promise of service levels and service credits or a warranty against defects.

You should also check that the IT supplier is subject to obligations of security and privacy, as well as confirming your own obligations under the contract. These should not be overly difficult, especially regarding any materials supplied by you. If you would like assistance drafting or reviewing IT contract clauses, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.


Jacqueline Gibson