Many contracts that a business will sign with a software vendor (or any other professional service provider relating to software) involve sharing detailed business or customer data. This is especially true with any type of cloud computing service. Before you sign a contract, ask yourself these questions:
What can the provider use my data for? Obviously, a vendor needs to be able to use your data to provide you with the contracted services. But many standard contracts also allow the provider to use the data (typically in aggregate form or without specific customer identifiers) for a number of other purposes, such as improving its own products, or even selling it to third parties. Do you really want your customer data treated in this way?
Will the data be safe? What systems does the provider have in place to maintain security? These can include passwords, antivirus software, alarm systems, limits on which of the vendor’s employees have access to the data, and backup and disaster recovery systems.
Many types of data, including patient health information, financial data, Social Security numbers, and so on, are subject to additional legal privacy requirements. Can the provider comply with these requirements?
Keep in mind that while you might not be uploading highly sensitive data or trade secrets today, you might do so in the future, and you want to be prepared.
What happens to the data when the contract ends? You should make sure that you can get all your data back from the vendor when the contract terminates – ideally in a form that will let you easily transfer it to a new vendor or system.
Some contracts say that you can’t get your data back until you’ve paid all your bills to the vendor. The problem here is that if you have a disagreement with the vendor at some point about how much you owe, the vendor could try to withhold your data to get leverage in the dispute. Ideally, you should make sure you can access your data while the issue is being resolved.