How to negotiate a cloud SLA

It is essential to ensure that providers make good on their enterprise-level commitments related to service and performance. That’s where the cloud service-level agreement, or SLA, comes in.

The worldwide cloud adoption boom shows no signs of slowing down: According to Gartner, the global public cloud services market is forecast to grow 17% in 2020 to a total of $266 billion, with SaaS remaining the largest market segment. As companies sign on the dotted line with an ever-increasing number and variety of cloud service vendors, from SaaS and IaaS/PaaS to cloud MSPs, it is essential to ensure that providers make good on their enterprise-level commitments related to service and performance.

That’s where the cloud service-level agreement, or SLA, comes in. As part of a cloud contract, an SLA defines the level of service, how the service is measured and what the penalties are if the service is not achieved. “You have to be able to hold your provider accountable for the services they deliver,” said Chris Pomeroy, vice president, solutions architecture at Syntax, a leading managed cloud provider for mission-critical enterprise applications.

An SLA requires three core service levels to be addressed, he explains: One is the availability, or uptime, of the server/infrastructure or the app — many of today's leading Software-as-a-Service (SaaS) vendors offer 99.5% to 99.9% uptime, for example. Next is the recovery point objective, or how much data can be lost in a catastrophic failure of infrastructure or servers and, finally, the recovery time objective, or how long it would take to bring those systems back online.

As companies have become more and more dependent on offloading critical portions of their infrastructure to SaaS-based applications, SLAs have become increasingly critical, said Suzy Fulton, co-founder of law firm Grable Martin Fulton. “A lot of companies get excited about a SaaS provider’s offerings and the SLA is often secondary, but they need to think through the effect of an actual downtime,” she explains. “If what you will get in return if it actually happened is not sufficient, you want to worry about that on the front end.” 

Moving the needle on SLA negotiation

Reading the fine print and understanding your SLA is obviously important. But how negotiable are these agreements? Well, it depends — both on the size of the cloud vendor and the size and influence of the customer. Don’t expect wiggle room from the massive “hyperscalers” that offer hardware-level availability and storage, such as Google, Amazon and Azure. Unless the customer has the size and power of, say, the U.S. Department of Defense, their SLAs are typically “take it or leave it.”

Managed service providers (MSPs), or SaaS vendors, however, are another matter. “An MSP can help negotiate an SLA with you that meets your exact requirements, bridging the gaps between your business needs and the big cloud provider SLAs,” said Len Buznya, CTO at HGS Digital, which offers cloud managed services to medium-to-large enterprises. “For example, we had a big enterprise client who had a very specific need for response time, so they negotiated with us to make a specific kind of expertise available to them,” he said. “We said, okay, if you need a cloud architect on the phone in 15 minutes or less who knows your architecture, we can make that happen as part of the SLA.”

If customers are educated, with prior experience buying SaaS solutions or partnering with an MSP, they will often present their own predefined SLA, perhaps in an RFP, to a group of providers as a starting point for negotiations, explains Gregory Turner, CIO at MTM Technologies, an IT service management provider. “On the other hand, if this type of business is new to the company, they might use a Gartner or Forrester subscription to review the contract and provide feedback,” he said.

Depending on the size of the company, a combination of legal and IT also might be brought in to negotiate the SLA, adds Fulton. “Sometimes it’s easier to get concessions at the business level when the legal side is brought in,” she explains. “On the other hand, sometimes you need the business side to simply explain the reality of what the business needs.”

4 key areas of negotiation in a cloud SLA

1. Uptime and support

Uptime, or the amount of time that a service is online, available and operational, is the metric at the heart of any SLA. An SLA level of 99.99%, for example, works out to 52 minutes and 36 seconds of downtime per year. The higher the availability, the higher the cost. “Businesses need to do a cost benefit analysis and risk assessment regarding uptime,” said Pomeroy.

Many companies try to negotiate for as close to 99.99% (or the “five 9s”) as possible, but Turner emphasizes that organizations shouldn’t get “hung up” on uptime availability: while world-class on-premises operations target the “five 9s,” most are lucky to achieve 95-99.0% availability for their internally managed applications and systems.

“Chances are the SaaS application will have better availability than the internally-managed, on-premises version, and there is a cost to maintaining nearly constant uptime for most organizations,” he said. “In many cases downtimes are in periods where there is no commerce, or late at night, so if you are not an international company with transactions at all hours of the day, it may not matter to you. You should focus on what really impacts your business.”

2. Recovery and penalties

Even a short outage of a second or two can potentially cause data loss and sales interruption, so it is important to negotiate vendor penalties in the case of unavailability of service. This is also the area where the most negotiation may be possible, said Fulton. “Those are areas after the fact, when things have calmed down, you might have success negotiating refunds or service credits for an outage,” she said.

Once uptime and availability are negotiated, however, enterprises should make sure the language in the SLA does not also include significant exclusions to the right to penalties.

That said, companies may want to avoid negotiation around penalties becoming antagonistic or overly transactional, said Turner, who points out that some things may be out of the service provider’s control and as long as corrective action is taken immediately and issues do not arise every month, companies may consider simply relying on pragmatic, common-sense rules of engagement. “There are industry standards related to recovery and penalties, but it is difficult to define hard and fast absolutes,” he said.

3. Termination rights

The right to terminate the agreement for multiple SLA violations is a standard provision, also known as an exit clause, which can and should be negotiated, said Fulton. A typical termination clause may include a 30-day grace period, but “you need to determine what is fair — that is, what kind of event will allow you to trigger termination rights,” she said. A right to terminate might be based on how many times the SLA is breached (such as three times within three months), or for extreme downtime (such as availability below 90%).

Besides frequent downtime, non-performance or inefficiency related to service delivery levels, other considerations for termination rights include the vendor’s inability to deploy adequate skilled resources; breach of trust or non-disclosure agreements; a change of scope or fee revisions; or technology obsolescence.

“If you have a symptomatic failure of the service provider, who can’t rectify things so outages don’t consistently happen over 2-3 consecutive months of operation, I would say you have a breach of contract and should think about changing partners,” said Turner.

4. Data security

As data breaches have become top-of-mind for IT organizations, security has become a much more important SLA topic to address. “It’s a more recent issue, but security guarantees are becoming more important to define, such as who can access customer data, where data is located and what happens in the case of a data breach,” said Buznya.

However, it can be hard to define what constitutes a data breach and whether a service outage is due to a data breach. “It can be hard to tell from the provider standpoint,” said Fulton. “For example, if you have someone trying to attack your systems, maybe through a DNS attack, and they’re able to cause a service outage, is that a data breach or not? That’s something that would be contained and defined within the SLA.”

According to Francoise Gilbert, general counsel of the Cloud Security Alliance, the SLA should contain the proper clauses addressing security issues including the determination of the allocation of liability, payment of damages and indemnification. “Without these, there will likely be a dispute,” he said. “If you are a purchaser of cloud services, make sure you have a proper understanding of the security measures used to protect the data stored in the cloud.”

The evolution of SLA negotiation: Savvy clients, more collaboration

There is no doubt that there is typically some room to negotiate an SLA with SaaS or MSP cloud providers, and SLAs are critical elements of technology vendor contracts that should not be taken lightly. According to Buznya, clients have become better educated about SLAs over the years and typically come to vendors with ideas about exactly what they want.

“In years past we didn’t work as hard at negotiating with the client about uptime and downtime and simply provided some standard definition we thought made sense,” he explained. “Customers are generally more savvy and definitely always have something specific that they want.”

Keep in mind, said Fulton, that getting a vendor to make every concession is not always a good thing. “You can end up in a position where you get what you pay for and then have to worry about it after an event happens,” she cautioned. However, it is a collaborative mindset that brings the best results in negotiating an SLA, said Buznya. “In my opinion, it’s about finding a provider who shares your business philosophy and is willing to work with you to match up your requirements with an SLA,” he said.