How to Negotiate a Datacenter Contract

If your company has begun to push its servers out of the closets and back rooms of its office, or if your servers' mandatory 24/7 monitoring has been leading to a complete breakdown of your IT staff's morale, then no doubt you've considered outsourcing your data hosting to another company. Like any business arrangement, the devil is in the details of the contract. So what do you need to know before you negotiate a datacenter deal?

My place or yours?

Every business has data needs unique to its business model, office space, growth history and quirky IT staff. So to imagine a common starting point is not practical. Some businesses have room for their data-server space to grow in their current facility, and they are looking for a third-party host to work the third shift, or to supply the IT hardware to supplement the current data array, so they want the host to come to them. Others might be looking to reclaim the office space that has been overtaken by server racks and are looking for a company — any company — to take the racks somewhere else. In the latter case, you might be looking for a co-location facility, the datacenter equivalent of a co-op, where many companies rent space to place their server racks, sometimes in secure, caged areas.

If the datacenter is providing the hardware, the contract should require it to supply a quality server with adequate storage space , including technological specifications.

If your company is supplying the hardware, as in the case of a co-location facility, you will need to agree which party is responsible for insuring and maintaining the equipment.

Which party is responsible for security?

The service provider should provide assurance that your firm's data is safe from hacking , viruses and other threats to the site's virtual security , as well as its physical security from floods and fire , for example.

This can be done by setting out the level of security that the host should provide, including firewalls , encryption software and anti-virus protection . This can be particularly important if personal or financial information will be stored on the service provider's server.

Exactly how will the data be stored and served?

You should require the service provider to supply sufficient bandwidth to ensure that your company's site and data are accessible at all times, that the network will function at user-friendly speeds and that the host's network can carry the amount of data traffic you anticipate in the contract. Specify an acceptable data-transmission rate in an agreed-to definition of "user-friendly speed."

While an ISP or a data host can't guarantee response times for transmissions over the Internet (because they don't control the Internet outside of their own networks), they should guarantee a minimum level of service over their own servers.

Which party has ultimate responsibility for data protection?

If your company processes customers' personal data or credit card numbers, how is your data host planning on protecting this information from identity thieves beyond basic security measures? For instance, does your data host run background checks on the employees who manage your data? Likewise, if your business manages medical records or other private health information, which party (you or the data host) will be held responsible in the case of lost or stolen data that becomes a HIPAA (Health Insurance Portability and Accountability Act) violation?

What happens if server downtime exceeds the agreed-to limit in the contract?

Courts have recognized the "liquidated damages" clause for hundreds of years for all sorts of breaches of contract, long before datacenter downtime could cost a company a fortune. If one party loses money because of another party's failure to abide by the contract's terms, the injured party can collect a monetary amount from the party in breach equal to the amount lost. By writing a predetermined dollar figure into the contract for potential "liquidated damages," your company increases its chances of ensuring a breach never occurs, and if it does, your business also increases its chances of having a court enforce the clause.

Should there be a force-majeure clause?

A force-majeure clause is for when contractual obligations by either party have become impossible to fulfill because of circumstances completely outside of that party's control, like earthquakes, hurricanes and various other acts of God or warfare.

In data-hosting contracts, service providers may want a wide-ranging definition of force majeure, even though many datacenters and co-location facilities are built to withstand these sorts of occurrences.

As a client negotiating with an off-site data facility, it would be better to exclude force-majeure clauses altogether, or barring that, to keep the definition as narrow as possible.