Vendor Contract Reviews
Review the scope of services. You want to verify there are provisions, such as the following, included:
The products and/or services the vendor will provide
Rights and responsibilities of both parties (your organization and the third-party vendor)
Language around any timeframes promised or custom services requested
Rights to modify products and/or services
Any guidelines around adding products or services and contract re-negotiation
Locate the performance standards and make sure they are adequate. Here you should find the service level agreement (SLA) requirements, remedies and any penalties if the SLAs are not met.
Verify the duration of the contract is correct. Confirm that the term, renewal term, non-renewal and termination notice periods and anything else related to timeframes are accurate.
Ensure there is a default and termination clause within the contract. Also, be sure to review for early termination fees in the event you need to terminate the agreement for convenience as these can become quite costly.
Consider costs and price increase language. In the fee description, you are looking for information pertaining to the following:
Cost overview
Increase limitations
Support for merger/acquisition activity and costs
Payment terms
Late fee language
Deconversion fees
If applicable, who is responsible for cost to provide or maintain software and/or hardware
Always looks for security and confidentiality provisions. This should include information on how the vendor plans to safeguard your data, prevent exposure to breaches, how they will notify you of a breach and how they plan to mitigate future incidents. You also want to confirm how the vendor will return or destroy your data or assets if the relationship terminates. Are there geographical limits on where data can reside and/or be transferred?
Look at the audit requirements. Verify there is a description of audit reports your organization is entitled to receive – like a SOC 1, SOC 2 and SSAE 18 – and that they are provided annually at no cost to you.
Understand what reports will be made available to you and if there will be any fees for customizations. Reports often considered, but not limited to, are the following:
Financial statements
Performance reports
PCI compliance certification
Look to verify business resumption and contingency plan language is included within the contract. You are seeking provisions around disaster recovery, business continuity and back-up record protection. This should include annual testing and provision of a summary of test results.
Be sure the vendor outlines their policies around subcontracting. This should include that your vendor will provide required due diligence documents for any subcontracted vendors and notify you in advance of any changes to subcontractors.
Ownership and license information should be included in the contract. There should be a description of ownership, rights and allowable use of your organization’s data, system documentation and other intellectual property. Also, look for protection by the vendor in the event of a patent/copyright infringement claim. It is important to make sure there are protection rights for your organization outlined within!
Confirm the contract includes a clause pertaining to indemnification. This is so that the vendor will hold your organization harmless from liability due to negligence of the vendor.
Review the limitation of liability to verify it equates to the amount of loss your organization might experience as a result of the vendor’s failure to perform.
Provisions around dispute resolution should always be included too. Be sure to identify how and where disputes will be heard. Many arbitration clauses benefit the vendor, so be sure to have your expert legal team review before signing!
And, to bring it all home, review the general provisions. You are looking for provisions such as the following:
Survival
Governing law
Contract conflict – order of precedence
Severability
Failure to exercise/waiver
And more, depending on the vendor relationship in review, as the provisions necessary aren’t limited to these five
Last updated