A cloud service level agreement (SLA) is not something that should be glossed over—after all, this is your data we’re talking about! The SLA is a legally binding contract between you and your cloud provider, designed to ensure a minimum level of service is maintained and establish a mutual understanding of which responsibilities lie with the provider which which are controlled by the customer. While the SLA should include the financial penalties a provider must pay for failing to live up to the guaranteed terms, many are written in a way that favors the provider, so it’s very important the read the fine print and ask the right questions.
Top 5 SLA Negotiation Considerations
Some cloud providers will offer lower uptime than what they can actually achieve just to give themselves some breathing space in the event of a data incident. The lowest number you’re likely to encounter is 90%, known as “one nine.” This equals potentially 2+ hours of downtime per day which will certainly make for a cheap SLA, but is obviously unacceptable for most organizations. 99.5% is usually going to be a starting position for most providers, which equals about 7 minutes of downtime per day. This may be adequate for some businesses that can handle a brief loss in productivity, but for healthcare providers and government agencies that need immediate access to data, it is still considered inadequate. These organizations in particular may want to strive for 99.99% (“four nines”) which equals about 8 seconds of downtime per day. You can try to negotiate up to four nines, or the provider may simply not be able to achieve that level of uptime, in which case it would be time to look into another provider.
2. Data Protection
Data protection processes, such as backup and disaster recovery, should be addressed in any SLA. The agreement should detail what each party is responsible for, acceptable performance parameters, which applications and services are covered, monitoring procedures, and a schedule for remediation of outages whether by a power outage, natural disaster, human error, or malware. Be sure to look for a liquidated damages section that specifies the penalties the provider will incur if the terms of data protection in the SLA are not met.
3. Exporting Data (Repatriation)
Just like any relationship, sometimes you want to cut ties. But that can be easier said than done. Some cloud providers make it easy to migrate your data into their cloud, but charge large sums of money to return it to you—or they return it to you in an unusable format (we call this the Hotel California effect). So, you want to be sure you’re able to exit the contract if you need to and that there are no fees associated with doing so (or that they are minimal). You should also negotiate the export of your data in a predefined format (CSV, XLS, XML, etc.). If you don’t have a skilled IT team that can make the export easy, you might also make it a condition that the provider assists you in the export. Finally, because some contracts require a notice of non-renewal within a certain period, make sure you understand the time period and if it seems unreasonable, try to talk it down or eliminate it altogether.
Many SLAs are designed to meet the needs of the customer at the time of signing, but we all know organizations can change dramatically in size over time. Make sure the SLA details intervals for reviewing a contract so that if your organization grows larger, your cloud capacity can grow with it (and if your organization happens to grow smaller, you’ll want the option to reduce capacity; no sense it paying for unused capacity).
5. Data Location
Although cloud computing is all about the ease of accessing your data any time, anywhere, it’s ultimately housed somewhere. Some providers may scatter your data across multiple locations, or house it overseas. Knowing where data physically resides is key when it comes to matters of compliance. It is a requirement to know where data is located for HIPAA healthcare and CJIS government regulations, among others. Being unsure of the location of data also puts General Data Protection Regulation (GDPR) compliance at risk. The location also plays a factor in security measures required by compliance regulations, such as being outside flood zones, having redundant N+1 generators, an uninterruptible power supply, computer room A/C (CRAC), dual authentication security (HID, Pin, and/or biometric), and hurricane-rated structuring.
A cloud service level agreement (SLA) should be pored over before signing any dotted line. The security of your data, the safety of your customers, and the longevity of your organization could be at stake! If you’re planning a move to the cloud or are looking to switch providers, we can help. DSM, Florida’s predictable cloud provider, can easily and seamlessly transition you to a secure, compliant, high-performance cloud. And we offer complete transparency with each and every SLA so there are never any surprises! Talk with one of the experts at DSM today.