The reversibility clause in IT contracts, a risk management tool

Recovering your data: is that enough? Recent case law is a reminder of how important it is to draft reversibility provisions precisely. It is an opportunity to take stock of this essential, yet sometimes neglected, clause in IT contracts.

When you outsource IT services, you must be able to take over the operation internally or change service provider, whether because the contract is coming to an end, to support a new strategy or a new technical orientation, because the service provider is no longer able to carry out its activities, or because the relationship no longer satisfies you.

The guide published in 2010 by ANSSI 1 made it a point of attention, recalling that “the question of reversibility must be a permanent concern of the client. Whatever the evolutions of the system, he must be able to take over the operation on his own account, or to entrust it to another third party of his choice, and this, at any time and without particular difficulty”.

Likewise in the Requirements Repository for Cloud Computing Service Providers (SecNumCloud) 2, the national agency indicates that “The service provider must include in the service agreement a reversibility clause allowing the sponsor to recover all of its data”.

What is reversibility and why organize it upstream?

The objective of the contracting authority is to continue its activity without loss or alteration of its data, recovering as much as possible of its investments and of what is reusable, and allowing its teams or those of the new stakeholder to capitalize on the deliverables, processes and know-how acquired.

All IT projects are concerned. We naturally think of the outsourced processing of a management function (such as payroll or CRM), but any service entrusted to a third party, such as software integration, also raises the question of the conditions for continuing the project if it is interrupted.

The customer must make sure it controls this exit from the contract from an operational point of view, by limiting the risks of dependence on the service provider in place and by securing the whole process, which implies precisely defining the roles, the responsibilities, the items to be handed over and the costs.

On the service provider’s side, when its mission ends, it also has every interest in knowing what it is bound by, what it must do, at what price and in what time frame. A vague perimeter can lead it to respond to complex and resource-consuming requests, data format requirements or requests for assistance, when it has already demobilized its teams and no longer has adequate resources available. All the more so as its liability may be incurred in the event of an imprecise clause.

These important issues are part of an implementation context which is, by definition, that of the end of the relationship. The two parties then no longer have the commercial levers that helped them to agree before or during the execution of the contract.

Moreover, when you are no longer on good terms, when the buyer is potentially a competitor of the service provider, all the conditions for complications are met, and the spirit of collaboration may be lacking.

An example

A recent ruling 3 is a perfect illustration of the operational difficulties encountered and the possible blockages.

A company had outsourced the processing of its salaries and social declarations. The contract contained only an incomplete clause providing that the customer could “recover the data contained in our systems by way of reversibility”. The service provider returned this data but, because the settings were not included, it did not allow the client to resume its management correctly.

The judges took note of the technical and confidentiality reasons which prevented the transmission of all the elements, but they faulted the service provider for the imprecise wording of the clause. It was not such as to guarantee the reversibility of fair, honest and usable data. The customer had not been alerted to the difficulties that were going to appear during the transfer, and the service provider was held liable for a lack of information and advice, when concluding the contract, on the methods to be used to reintegrate the returned data without degradation.

Any dispute can find a legal solution, but what about business continuity? How much time, money and energy wasted?

A clear framework for this phase, set out upstream, is absolutely essential.

The right questions to ask

Be careful when drafting your reversibility clauses: recovering your data is necessary, but you still need to know precisely which data! Will it be usable? How will it be reintegrated? Will you need the assistance of the outgoing service provider? A vague clause can certainly be interpreted by a judge, but the judicial solution seems ill-suited to the operational difficulties you will have encountered.

We provide you with a “checklist”, a tool to download here to help you structure your thinking and not forget anything when drafting and negotiating the contractual clause.

Some of the questions may not have an answer on the date the contract is signed, and some initial decisions will not necessarily still be relevant on the exit date. This is why, for complex projects, we advise going beyond a clear clause and establishing a “reversibility plan” during the execution of the contract: it lays down the requirements and the bases, as well as the methods for updating them throughout the duration of the project, whether that means updating the applicable documentation, the scope concerned or even the technical prerequisites. On D-Day, you will roll out the most recent version of the plan with complete peace of mind.

See reversibility as a project in its own right and organize it with the same care!

——————————————————————————————————————-

1 National Agency for the Security of Information Systems “Managing the risks of outsourcing – Outsourcing of information systems”

2 Version 3.2 updated on September 21, 2021

3 Court of Appeal of Pau, 2nd Chamber, Section 1, Judgment of November 25, 2021, General directory nº 19/03573