
Things to Consider while Preparing a Service Level Agreement

By CIOReview | Monday, August 8, 2016

The Service Level Agreement (SLA), a warranty tag for an organization venturing into the legally complex managed services space, has been a widely discussed topic in recent times. Still, not every aspect of an SLA has been covered in detail by analysts, and thus confusion reigns over the agreement terms to a certain extent. For instance, the need for organizations to negotiate with cloud providers has grown significantly as the partnership scenario shifts widely from technically managed to contractually managed solutions.

Cloud SLAs encompass a broad range of details, including provisions for governance, accountability, response times, security specifications, uptime statistics and performance. When subscribing to a cloud service, organizations should compare the specifications offered by different vendors and analyze their suitability. It is during this stage that the decision makers of a company should determine the critical areas of focus in the cloud computing service.

Assessing the contractual terms

SLAs are primarily written to set clear and unambiguous standards of service between the cloud customer and the cloud vendor, but they should also mention terms of agreement with other cloud entities such as the cloud carrier, broker and cloud auditor. Unlike insurance policies, cloud SLAs do not cover physical assets but define terms for a virtual architecture. Considering this fact, it has to be understood that issues that crop up can be chaotic under a sloppy, poorly documented contract.

A service agreement may appear to be a long and mind-numbing document, but unless you fully comprehend it before signing the contract, it may turn out to be unyielding at a later stage. Merely signing the agreement doesn’t free an organization from its further responsibilities; it has to enforce the terms of the service level agreement signed with the vendor firm.

Areas covered in SLAs

Generally, cloud service providers clearly list their service levels, which can be accessed from their official websites. A typical contract covers the terms between the service provider and the customer, and an Operational Level Agreement (OLA) that entails agreement between the vendor and another part of the organization that governs the service. It is common in SLAs to see guarantees that the service will be available as per the terms almost all the time, along with details such as how long a load request can take to be serviced, retries and the like. The SLA will also detail what type of recourse users will have if the uptime conditions in the guarantee are not met.

Critical Policies to be considered in SLA

  • Data storage and redundancy: Regular and efficient capture and storage of information is essential to maintain the organizational workflow, and it has a strong impact on the entire business. Before signing the SLA, companies should ensure that they have properly outlined the data preservation strategy, which addresses redundancies within the systems. The data preservation strategy should be elaborate and must include sources, scheduling, backup, restore and integrity checks. Companies should be clear about the protections offered or omitted by their cloud vendor. A demonstration of the same, if possible, should be done prior to acceptance of the terms.
  • Location of data: The jurisdiction of an SLA often becomes a matter of debate. The agreement should specify where the data resides, where it is processed and whether it meets the applicable regulations. Cloud customers should also have a clear understanding of the location from which the data is viewed or delivered, and whether or not it violates any applicable territorial jurisdiction, resulting in regulatory or tax implications. One example is the ability of the vendor to provide a sound solution in a transborder data flow situation.
  • Legal terms: The powers vested in governmental agencies allow them to seize data under certain conditions. In such cases the cloud vendor should provide notifications and necessary legal support to the customer organization. Customers should also ensure that there are proper arrangements to retrieve data even if the vendor firm goes out of business. Appropriate actions in the event of a billing dispute, which mostly results in denied access, should also be discussed and documented.
  • Data protection: In a cloud environment, the term data privacy is not limited to protection of the customer’s data but also covers the privacy of information stored about the customer’s own customers. The data privacy policies of the vendor organization should be a part of the SLA, and the SLA should ensure that the vendor conducts business operations in accordance with the applicable laws on data protection.
  • Change of management: Any expected change in management or obligations of the vendor should be carefully reviewed before signing the contract. Similarly, the service provider may also require the customer to provide certain timely notifications, which will help to strengthen their own change in management policies.
  • Maintenance policies: Companies should check whether the maintenance schedules of the vendor will interfere with their business processes and should work out terms to address any issues that crop up.