Be Clear on Cloud Computing Contracts

Know how vendors handle key details before entering into agreements.

By Dave Zielinski Nov 1, 2009

Cloud computing, particularly the subset known as software-as-a-service (SaaS), has made life easier in multiple ways for Karen Sones, senior vice president and human resources strategic project director for First Horizon National Bank in Memphis, Tenn.

Sones has used Ultimate Software’s SaaS offerings to store and access payroll, benefits enrollment, recruitment and other HR data for seven years. As is characteristic of SaaS arrangements, the software resides on the vendor’s servers running on the Internet, or "in the cloud," rather than on the bank’s computers, and the bank’s employees access HR data via an Internet connection.

The benefits: Information technology (IT) maintenance is handled by the vendor’s staff, software upgrades are less hassle, and self-service and automated reporting features enable Sones and her staff to focus more on strategic rather than tactical issues. In addition, instead of purchasing expensive new hardware, the bank pays only for software that it uses.

The success of the arrangement is partly attributable to Sones’ determination in seeking answers upfront about how key concerns such as data security, data privacy and contract renewal would be handled. For example, what legal responsibility would the vendor have in the event of a security breach? What would become of sensitive data when the contract ended?

HR professionals considering SaaS would do well to follow Sones’ inquisitive lead, and with HR SaaS offerings expanding in number and use, it’s likely that more and more employers will enter into these outsourcing deals in coming years. In fact, Gartner Inc., an IT research and advisory firm, predicts that SaaS use will grow at roughly double the pace of on-premises HR software in the near future, forecasting an annual growth rate of 22 percent through 2011 for all enterprise application software markets.

While cloud computing has become more secure and reliable as the technology has evolved, it can be easy to overlook the potential pitfalls of using cloud applications while focusing on the considerable cost savings and ease of use.

"People need to go into third-party cloud computing arrangements with their eyes wide open," says R. Jason Straight, senior managing director of computer forensics for Kroll Ontrack, an Eden Prairie, Minn.-based technology services firm. "The cost savings and efficiencies gained from cloud computing and SaaS are compelling, but there are hidden costs that can emerge in case of security breaches or lawsuits tied to running afoul of state employment laws or data privacy restrictions."

Experts identify the following as areas where it pays to get detailed answers before inking contracts with SaaS vendors.

Data Security

Using HR cloud vendors means ceding control of personally identifiable data to third parties, a concept that continues to make plenty of human resource leaders nervous. Recent security breaches and shutdowns have stoked these concerns.

In a series of incidents beginning in 2007, cloud storage provider Carbonite Inc. lost data it housed for 7,500 customers, who were provided apologies and credits as compensation. The company recently filed a lawsuit against the provider of its data storage hardware, Promise Technology, alleging that it sold defective products to Carbonite that led to the data losses.

And in July, users of Apple’s web-based MobileMe service were left without access to the service for several days. MobileMe stores information such as e-mail, calendars and contacts in the cloud. The same month, Amazon’s popular S3 cloud storage service experienced an eight-hour outage.

While not catastrophic, these losses represent the risks of cloud computing.

Liability is also a concern. Should data that you store in the cloud be breached—if, for example, Health Insurance Portability and Accountability Act information or compensation data is hacked or compromised—your organization, not the vendor, may be on the legal hook.

Straight suggests collaborating with IT staff to ask prospective cloud partners:

  • Whether they have full-time staff dedicated to data security.
  • How well they’ve documented their security infrastructure.
  • What kind of audit logs they keep.
  • Whether they have intrusion prevention and detection software in place.

You’ll also want some sense of how cooperative a vendor might be in the event of a breach. "Will the vendor allow you and the IT experts you work with access to their facility?" asks Straight. The first 72 hours after a breach are critical. Failure to act quickly can mean key audit log data will be lost or overwritten—data essential to determine the scope of a breach.

Thomas Otter, a research director with Gartner Inc., suggests seeking out vendors that meet the security requirements of an internationally accepted framework. For example, a vendor certified to ISO/IEC 27001 has had its information security management system audited against that standard, with its controls drawn from the ISO/IEC 27002 code of practice. Certification covers the scope the vendor chose to have audited, so ask for the certificate and confirm that the service you are buying falls within it.

It also pays to know what level of data encryption a SaaS vendor uses to protect your information. In the United States, "data encryption is moving from a best practice to a legal requirement," explains Christine Lyon, a partner with the law firm of Morrison and Foerster in Palo Alto, Calif. A newly enacted law in Nevada, for example, requires that personally identifiable HR data be encrypted in both Internet storage and transit.

Lyon also suggests negotiating an indemnification clause in contracts to provide protection against loss or liability from breaches that happen on a cloud vendor’s watch.

Lyon recalls "cases where the employer gets sued because of a breach of human resource data that was the vendor’s fault. But if there is no indemnification clause, the customer, not the vendor, can be left holding the bag." Sones of First Horizon Bank insisted on such a clause.

Data Privacy

Many countries, including those in the European Union (EU), have more restrictive data privacy regulations than the United States. That means, for example, if your SaaS vendor stores your data on servers located outside the United States, the potential exists for unknowingly violating another country’s privacy laws.

"The EU has strict rules forbidding that personal employee data be accessed or shared outside of its countries because it views other countries as not having adequate privacy protections," Lyon says.

If your organization operates across international borders, Otter suggests asking a SaaS provider if it segregates, or tags, employee data from different countries. For example, can the vendor segment data by country so information on employees in EU countries isn’t inadvertently accessed by U.S. employees?

And, with regard to SaaS e-recruitment modules, do job candidates have an option of deleting data from the system—or requesting that data be deleted? "Candidates might decide they don’t want their personal information on an e-recruitment module anymore," and they have a right under laws in various countries to access it and delete it, Otter says.

Kristin Ferrara, associate director of human resource management systems for Inverness Medical Innovations, a medical diagnostic products company in San Diego, uses Workday’s SaaS offerings for core HR processes, including benefits and compensation systems tracking. The SaaS option appealed to her because of the ability to get newly acquired companies up and running on the global HR system quickly.

But Ferrara says her IT staff was careful to put Workday’s security and data privacy protections under the microscope before inking a contract, seeking assurances about industry-standard data encryption and guarantees that Inverness employees would only have access to select domains, or data segments, in the system.
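The country-tagging Otter describes, the candidate deletion right he mentions, and the audit logs Straight asks about come together in a single access-control pattern: every record carries a residency tag, every user carries the set of regions they are entitled to, reads are denied by default unless the tags match, and every decision is logged. The sketch below is an added illustration written for this article, not code from Workday, Ultimate Software, SuccessFactors or any other vendor named here; the record layout, the region names and the sample records are constructed assumptions.

```python
"""Region-segregated HR record store with audit logging and candidate erasure.

Added example for this article, not code from any vendor it names. The
record fields, region tags ("EU", "US") and sample records below are
constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Record:
    record_id: str
    region: str      # data-residency tag the vendor attaches at ingest
    subject: str     # the employee or candidate the record is about
    kind: str        # "employee" or "candidate"
    payload: dict


@dataclass(frozen=True)
class User:
    name: str
    regions: frozenset  # regions this user may read; least privilege is an empty set


class AccessDenied(Exception):
    pass


class HRStore:
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self.audit: list[dict] = []  # append-only; retention is a contract term

    def _log(self, actor: str, action: str, record_id: str, outcome: str) -> None:
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "record": record_id, "outcome": outcome,
        })

    def add(self, rec: Record) -> None:
        self._records[rec.record_id] = rec

    def read(self, user: User, record_id: str) -> Record:
        rec = self._records.get(record_id)
        # Deny by default. A missing id and a cross-region id produce the same
        # error so a US user cannot probe which EU record ids exist.
        if rec is None or rec.region not in user.regions:
            self._log(user.name, "read", record_id, "denied")
            raise AccessDenied(record_id)
        self._log(user.name, "read", record_id, "ok")
        return rec

    def erase_subject(self, subject: str) -> int:
        """Honor a candidate's deletion request across every region.

        Only candidate records are removed; employee records stay, since the
        employer may be legally required to retain them.
        """
        doomed = [r for r in self._records.values()
                  if r.subject == subject and r.kind == "candidate"]
        for r in doomed:
            del self._records[r.record_id]
            self._log("system", "erase", r.record_id, "ok")
        return len(doomed)

    def count(self) -> int:
        return len(self._records)


def build_demo_store() -> HRStore:
    """Constructed sample data: two employees and one candidate who applied twice."""
    store = HRStore()
    store.add(Record("r1", "EU", "anna", "employee", {"salary": 52000}))
    store.add(Record("r2", "US", "bob", "employee", {"salary": 61000}))
    store.add(Record("r3", "EU", "carla", "candidate", {"cv": "(text)"}))
    store.add(Record("r4", "US", "carla", "candidate", {"cv": "(text)"}))
    return store


def demo() -> dict:
    store = build_demo_store()
    us_hr = User("us_hr", frozenset({"US"}))
    eu_hr = User("eu_hr", frozenset({"EU"}))
    results = {}
    results["us_reads_us"] = store.read(us_hr, "r2").region
    results["eu_reads_eu"] = store.read(eu_hr, "r3").subject
    try:
        store.read(us_hr, "r1")               # US user reaching into EU data
        results["us_reads_eu"] = "allowed"
    except AccessDenied:
        results["us_reads_eu"] = "denied"
    results["erased"] = store.erase_subject("carla")
    results["remaining"] = store.count()
    results["denials"] = sum(1 for e in store.audit if e["outcome"] == "denied")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When evaluating a vendor, the questions this maps to are concrete: where is the residency tag set and can a customer administrator change it, is the default for an untagged user no access or all access, does a deletion request remove the candidate's data from every region and every backup, and how long are the audit entries kept. A vendor whose answer to the last question is shorter than the 72-hour breach window Straight describes cannot give you the log data you would need.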

State Law Compliance

Some states have laws requiring certain employee records be kept at the employer’s place of business for specified periods. In Connecticut, for example, employers are required to keep time and wage data on-site for each employee for three years. Storing such data in the cloud may violate that requirement. Know the vagaries of your state’s employment laws, attorneys advise.

Otherwise, "the cost savings realized from going to cloud applications can be eaten up in legal fees later," warns Daniel Schwartz, a partner with the law firm Pullman and Comley in Hartford, Conn.

Internal IT’s Role

Employing SaaS solutions, thereby shifting IT support from your internal department to external vendors, has advantages and complications. If employees experience a problem using a self-service SaaS feature, for example, they may contact internal support and not receive help. For that reason, some HR executives suggest establishing service-level agreements with both vendors and the internal IT team.

"Our IT help desk didn’t feel that it was within its scope of duties to support the SaaS application," explains Lisa Hellmann-Rhodes, senior director of organization development for Gen-Probe, a biotechnology company in San Diego, who uses SaaS performance and talent management modules from SuccessFactors. To ensure that employees get technical help, work out service support responsibilities upfront, she says.

When the Contract Ends

Think about the end of the contract before you agree to a deal. Many companies enter into SaaS contracts with little or no price protection on the renewal of agreements, Otter says. He suggests addressing price caps, or "not to exceed" price increases, early in negotiations.

Seek "provisions that state vendor prices cannot increase by more than an inflationary index like the Consumer Price Index, at least for the initial three to five years," Otter adds. Given the subscription nature of SaaS services, companies may not be able to access the vendor’s software application if renewal fees aren’t paid.

Also, ask vendors if they’ll allow cost reductions if the number of system users decreases at certain points in a contract cycle. Given layoffs resulting from the recession, Otter says, many organizations have fewer SaaS users now than when they signed their deals. Typically, if you purchase more volume than you use, there are no money-back credits. But Gartner’s research has found that, in light of the economic climate, some vendors are allowing customers to reduce the initial number of users by 10 percent to 15 percent without raising the per-user price.

You’ll also want to know what will happen to your data if the contract is not renewed. "You should insist that your HR data, along with any proprietary code needed to read it, is backed up somewhere and that the cloud vendor is contractually obligated to return it to you by a certain period," says Straight.

Ownership of HR data post-relationship was an issue for Hellmann-Rhodes when she was negotiating with SuccessFactors. If "we elected to go to another vendor or to bring the SaaS application in-house, we wanted to ensure we’d have access to all of our historical data," she says.

The author is a freelance writer and editor in Minneapolis.

Web Extras

SHRM article: Cloud Computing’s Forecast: Mostly Sunny, but Beware Storms (SHRM Online Technology Discipline)

SHRM article: Cloud Computing (Staffing Management magazine)

Online sidebar: Cloud Computing’s Multiple Dimensions
