Building boilerplate clauses

In this article, we have a look at some of the important aspects that must be kept in mind when drafting boilerplate clauses.

Boilerplate clauses do not address specifics relating to the underlying transaction but rather address ancillary aspects that need to be addressed in most contracts.

 

Such clauses are often considered standard, miscellaneous provisions, but this is a very dangerous view to adopt.

 

It is not unusual for a boilerplate clause to be the cause of litigation. Since a boilerplate clause will deal with issues such as the interpretation, validity and enforcement of an agreement, it can have a significant impact on the other clauses in an agreement and on an agreement as a whole. It is important that any such impact is intentional and not the result of a boilerplate clause being included in an agreement with little thought.

Building blocks

Building blocks of Boilerplate clauses

The purpose of the Compliance with laws and regulations clause is to create a contractual obligation on the Party to comply with applicable laws and regulations. Therefore, if the Party is not in compliance with applicable laws and regulations when providing the services or goods under the Agreement, the non-complying Party will be in breach of the Agreement and the other Party will then be able to rely on the remedies available as provided for in the Agreement.

Public disclosure clauses regulate the announcement of the transaction to the public. As Provider, you would want to announce publicly that you have managed to secure a new Customer. However, the Customer may want to have a say on how and when this is done.

The purpose of an Assignment clause is to regulate the situation where a Party wants to assign obligations to another party.

 

One of the main purposes of an Agreement is to create certainty. For this reason, if you contract with a Party, you don't want to discover in a couple of months that it is a different party providing the services or goods under the Agreement.

 

There are, however, situations where a Party would want to assign some of the obligations under the Agreement to, for example, an Affiliate of theirs. If this is the case, the definitions of Affiliate and Control will be important and require careful consideration.

 

Other aspects to be addressed in the Assignment clause include provisions relating to the effect of an assignment done without consent and other situations where consent will not be required, for example, where there is a merger.

The purpose of the fees and costs clause is to determine which Party will be responsible for fees and costs for the drafting and negotiation of the Agreement, its supporting documents, and the facilitation of the execution of the transaction in this Agreement.

The amendments and waivers clause regulates the process and requirements for making amendments to the Agreement and the process and requirements for waiving rights under the Agreement.

 

Generally, with amendments and with waivers, the Parties will require that these need to be in writing and signed by the respective Parties. This is mainly to avoid "he-said-she-said" situations.

Agreements contain various important dates and processes with the main aim of creating certainty between the Parties. The notice clause determines how notices must be provided under the Agreement, to whom they must be provided and when they will be deemed to have been received by the other Party.

The aim of the Entire agreement clause is to create certainty.

 

If there is ever a dispute, you do not want to guess which documents and correspondence determine the actual agreement between the Parties.

The severability clause addresses the situation where a provision of the Agreement becomes illegal, unenforceable or invalid. 

The purpose of the no employment, partnership or agency clause is to ensure that the commercial relationship between the Parties is clear and that no obligations are created between the Parties that would typically come about in an employment, partnership or agency relationship.

 

Additionally, these clauses also provide that neither Party may give any undertaking which will create an obligation binding on the other Party and neither Party will have authority to bind the other Party to any agreement.

When entering into the Agreement with a specific Party, you don't want to be blindsided by a third party claiming a right, benefit or remedy under the Agreement. The purpose of the no third-party beneficiary clause is to avoid this situation.

FAQs

No, each agreement is unique and there are transactions where certain boilerplate clauses can be omitted. For example, fees and costs clauses and publicity and announcement clauses will not always be required.

Example clause

1.           MISCELLANEOUS

1.1        Compliance:  The Provider undertakes in favour of the Customer to comply with all applicable laws, regulations, rules, ordinances, codes and standards applicable to the services and products provided under this Agreement, which includes the applicable rules and regulations related to the Provider’s personnel, consultants, representatives providing services to the Customer.

1.2        Responsibility for legal fees:  Each Party will pay their fees and costs for the Agreement’s negotiation, drafting, finalisation, signing, and implementation.

1.3        No employment, partnership, or agency:  This Agreement will not result in an employment, partnership or agency relationship between the Parties and the Parties must not represent that there is any employment, partnership or agency relationship between the Parties.

1.4        No undertakings:  Neither Party may give any undertaking which will create an obligation binding on the other Party.

1.5         No authority to bind:  Neither Party will have authority to bind the other Party to any agreement.

1.6        Independent advice acknowledgement:  Each Party acknowledges that:

(a)          they have been free to secure independent legal and other professional advice, including financial and taxation advice, regarding the nature and effect of this Agreement’s provisions and that they have taken such independent advice or dispensed the need to do so;

(b)          all the provisions of this Agreement follow their intentions;

(c)          they have not relied on any advice given by the counter Party’s legal advisors in the preparation, negotiation, or implementation of this Agreement; and

(d)          they have taken all reasonable actions to satisfy themselves regarding the consequences of entering this Agreement.

1.7        No third-party beneficiaries:  This Agreement is for the sole benefit of the Parties hereto and their respective successors and permitted assigns, and nothing herein, express or implied, is intended to or shall confer on any other person or entity any legal or equitable right, benefit, or remedy of any nature whatsoever under or by reason of this Agreement.

1.8        Public disclosures:  All public disclosures by either Party relating to this Agreement will be subject to the following terms:

(a)          Any public disclosures must be coordinated with and approved by the other Party before release unless the announcement is intended solely for internal distribution or disclosures required to meet legal requirements beyond the control of the disclosing Party.

(b)          Despite Subsection 1.3(a), the Provider can list the Customer as a customer and describe in general terms the Services provided by the Provider under this Agreement in proposals and other marketing materials.

1.9        Amendments and waivers: 

(a)          No amendment or rescission, termination or discharge of this Agreement is effective unless it is in writing, identified as an amendment to or rescission, termination or discharge of this Agreement and signed by an authorised representative of each Party.

(b)          No waiver by any Party of any of the provisions hereof is effective unless in writing and signed by the Party so waiving.

(c)          Except as otherwise stipulated in this Agreement, no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof; nor will any single or partial exercise of any right, remedy, power or privilege hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy, power or privilege.

1.10     Notices: 

(a)          Any notice under the Agreement must be delivered by email to:

The Customer

The Provider

(b)          A notice will be accepted as given if sent by email on the same day of transmission with a receipt confirming the successful completion of the transmission.

(c)          If the notice is given under Section 1.3, a copy of that email must be immediately delivered (by hand or courier) to the chief executive or equivalent officer of the other party at the other party’s last known physical address.

1.11     Severability: 

(a)          If any provision of the Agreement is, or becomes illegal, unenforceable or invalid, the relevant provision is deemed to be modified to the extent required to remedy the illegality, unenforceability or invalidity.

(b)          If modification under the above Subsection is not possible, the provision must be treated for all purposes as severed from the Agreement without affecting the legality, enforceability or validity of the remaining provisions of the Agreement.

1.12     Whole Agreement:  The Agreement sets out everything agreed by the Parties and supersedes anything discussed, exchanged, or agreed before the Agreement’s start.

1.13     Assignment: 

(a)          This Agreement will be binding on the Parties hereto and their respective successors and assigns.

(b)          Excluding a scenario as contemplated in below, neither Party may assign this Agreement without the prior written consent of the other Party which consent may be withheld or conditioned within the other Party’s sole discretion.

(c)          A Party may assign this Agreement where:

(i)           a Party assigns the Agreement to its Affiliate; or

(ii)          in the case of a merger or acquisition of all or substantially all of the assigning Party’s assets.

(d)          Any assignment made without other Party’s consent as required above is null and void and of no effect as between the Parties.

1.14     Interpretation: 

(a)          In the event of any inconsistency between the body of this Agreement, the related schedules and any other documents incorporated herein by reference, the following order of precedence governs:

(i)           first, this Agreement, excluding schedules;

(ii)          second, the schedules to this Agreement;

(iii)         and third, any other documents incorporated herein by reference.

(b)          When interpreting the Agreement, and there are words or expressions defined in a Section, Sub-Section or clause then, unless the application of any such word or expression is specifically limited to that Section, Sub-Section or clause, the words or expressions will bear the meaning assigned to such word or expression throughout this Agreement.

(c)          When interpreting the Agreement, the following is important: an expression which denotes:

(i)           Any gender includes the other genders;

(ii)          A natural person includes a juristic person and vice versa; and

(iii)         The singular includes the plural and vice versa;

(d)          A Party includes a reference to that Party’s successors in title and permitted assigns.

(e)          When reference is made to a specific time, the applicable time zone is CAT.

(f)           When reference is made to days, it means calendar days and when calculating days and the last day falls on a Saturday, Sunday, or a public holiday, the last day will be the next succeeding business day.

(g)          A reference to a month or months is a reference to a period starting on one day in a calendar month and ending on the day preceding the numerically corresponding day in the next calendar month or the calendar month in which it is to end, except that:

(i)           if the numerically corresponding day is not a business day, the period will end on the next business day in that month (if there is one) or the preceding business day (if there is not); and

(ii)          if there is no numerically corresponding day in that month, that period will end on the last business day in that month;

despite the above, a period commencing on the last business day of a month will end on the last business day in the next month or the calendar month in which it is to end.

The Author

Martin Kotze

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises companies on how to contract better with their customers and vendors. 

The building blocks of a Software Licence Agreement

In this article, we have a look at some of the important aspects that must be kept in mind when drafting a Software Licence Agreement.

A Software Licence Agreement is, in essence, a copyright licence. The bundle of rights associated with this type of copyright generally includes the exclusive rights to:

  • use, copy and reproduce the Software;
  • distribute the Software;
  • modify, translate or create derivative works of any part of the Software; and
  • display, or perform in any media and through any technology the Software.

 

The Software Licence Agreement, therefore, provides the Customer with the right to do the above (subject to the restrictions as per the Software Licence Agreement).

Building blocks

Building blocks of a Software Licence Agreement


The Provider would want to have the narrowest grant of rights. The Customer, on the other hand, would typically want a broad licence. As a result, the scope of the licence is among the most commonly negotiated provisions.

 

Another aspect that is often the subject of negotiation is whether the licence grant is subject to the payment of the licence fees under the Agreement. Furthermore, the Provider may also want to make the licence grant subject to the Customer's compliance with all terms and conditions as per the Agreement.

The Provider may provide support and training to the Customer's Users. If this is the case, the terms of the support and training must be detailed in this section.

 

If training services are included as part of the Software Licence Agreement, ensure that the commercials relating to these services are unambiguously stipulated within the Agreement.

Generally, the Parties will retain their intellectual property rights and the Provider will own any new Intellectual Property Rights relating to the Software.

 

An aspect that will, however, need to be addressed in the Software Licence Agreement is feedback rights. In other words, if the Customer provides the Provider with feedback relating to the Software, will the Provider be able to use the feedback to improve the Software and make these improvements available to other Customers?

 

The default position is usually that the Provider may use all feedback freely without restriction or obligation.

 

Read more on building intellectual property clauses.

The payment provisions will detail payment terms, overdue amounts, method of payment, setoff, taxes, payment disputes etc.

 

Read more on payment clauses.

Both Parties would generally want to protect such sensitive information, which, if disclosed to certain third parties, will be detrimental to their business. The confidentiality provisions provide which information must be regarded as confidential, obligations relating to handling confidential information, and what happens if there are unauthorised disclosures.

 

Read more on confidentiality clauses.

Unrecoverable losses and maximum liability are generally dealt with under the limitation of liability provisions. Unrecoverable losses may include, for example, consequential losses, and claims relating to breach of data protection provisions may be limited under the maximum liability amount to a fixed amount.

 

Read more on the limitation of liability clauses.

The Customer and Provider will usually provide certain mutual warranties. These may include, for example, that they have the legal capacity to enter into the Agreement and that they have not offered unlawful or prohibited inducements to the other Party or any other person in connection with the Agreement.

Then there will also be warranties related to the Cloud Services that will be provided.

 

Typical warranties will include that no viruses will be introduced into the Cloud Services, the Cloud Services does not and will not infringe on any third party intellectual property rights, the Cloud Services will be updated as necessary to comply with applicable laws etc.

 

Breach of the warranties will also need to be addressed, and the disclaimers that relate to the warranties.

 

Read more on warranty clauses.

An indemnity often found in a Software Licence Agreement is an indemnity relating to Intellectual Property infringement claims that a third party may institute against the Customer.

 

The indemnity provisions need to identify what will be regarded as indemnified losses (what will be covered), what will trigger the indemnity and the claims procedure.

 

Read more on indemnity clauses.

Where the licence is limited to, for example, the number of users, the Provider would want to have the right to conduct audits on the Customer's use of the Software.

 

With the audit clause, aspects often addressed include notices of audits, the number of allowed audits, confidentiality and what happens if there is an adverse finding.

The Parties may conclude the Software Licence Agreement for a fixed term or it may be a perpetual licence. If it is a fixed-term period licence, there may also be auto-renewal of the Term, which must also be detailed within this section.

 

The termination provisions detail when a Party can terminate the Agreement before the Term ends and may also provide for termination assistance the Provider must provide if the Agreement is terminated.

 

Read more on term and termination clauses.

How will the Parties deal with disputes? Through a Court process or alternative dispute resolution? Are there different processes for different disputes, for example, expert determination for disputes relating to technical aspects of the Cloud Services?

 

Read more on dispute resolution clauses.

The boilerplate clauses will include the provisions relating to public disclosure, third-party beneficiaries, how amendments will be dealt with, how notices under the Agreement must be provided, assignment etc.

 

Read more on boilerplate clauses.

FAQs

Cloud Services are usually provided under a subscription-based model where access to the Software is provided to the Customer through an online login. No copy of the Software is provided to the Customer, and there is no need for a licence.

 

Read more about Cloud Services Agreements

 

When it comes to a Software Licence, the Software is installed on the Customer's computers.

With a Software Licence Agreement, there may be small modifications as part of the support and maintenance services.

 

If new Software or extensive changes to existing Software are required, a Software Development Agreement will be a more appropriate agreement.

 

Read more about Software Development Agreements.

An End User Licence Agreement (EULA) is for licensing commercial or off-the-shelf (that is, without modification or customization) Software. The term "EULA" commonly refers to an agreement that is not negotiated or signed by the parties.

Generally, Software Licence Agreements do not include any Acceptance Testing provisions.

 

However, there are situations where a Customer may require changes to the Software. In such cases, it may be appropriate to include Acceptance Testing provisions.

There may be situations where the Software is "mission critical" to the Customer. In such cases, it may be appropriate to provide for certain escrow arrangements.

The building blocks of a Cloud Services Agreement

In this article, we have a look at some of the important aspects that must be kept in mind when building a Cloud Services Agreement.

The Cloud Services Agreement determines the rights and obligations of the Provider and the Customer relating to the Cloud Services.

 

Cloud services fall into three primary categories: software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS).

A Software Licence is, in essence, a copyright licence.

 

Cloud Services are usually provided under a subscription-based model where access to the Software is provided to the Customer through an online login. No copy of the Software is provided to the Customer, and there is no need for a licence.

Order Forms will generally contain the variable information relating to the Cloud Services Agreement. In other words, the commercials to the Agreement, the Term of the Agreement and other information the Provider negotiates with the Customer.

 

The Order Form then incorporates various other terms and conditions by way of reference, for example, the Master Cloud Services Subscription Agreement hosted on its website.

 

This Master Cloud Services Subscription Agreement may contain other terms and conditions that are generally more of a legal nature.

 

A Provider would want to use the Order Form approach to focus the negotiations on the Order Form and not negotiate a 30 to 50-page contract.

 

Also, the Master Cloud Services Agreement is presented as the “standard Ts and Cs” on which the Provider contracts with its Customers, creating the impression that the terms and conditions within the Master Cloud Services Agreement are not “negotiable”.

 

Another reason may be that the Master Cloud Services Agreement may be subject to amendment by the Provider from time to time. An amendment to the Master Cloud Services Agreement will then generally entail an email notifying Customers of the amendment and their right to object to it. The amendment will be deemed made to the Agreement if no objection is received.

Building blocks

Building blocks of a Cloud Services Agreement

The scope will generally address:

  • Specific usage limitations (users / territory / industry etc.), the Permitted Use of the Cloud Services (for example, the Cloud Services must be used for internal business purposes only)
  • Commercials (implementation charges / pricing structure / third party expenses / invoicing and payment period)
  • Start date, Term of the Agreement and autorenewal

 

The scope of the Cloud Services stipulates the access rights provided to the Customer and, if applicable, the Customer's Affiliates.

 

The scope of the Cloud Services may also refer to certain retained rights of the Provider and usage limitations imposed on the Customer.

 

Examples often imposed by Providers include restrictions:

  • Not to disassemble, reverse engineer, modify, or create derivative works of the Cloud Services
  • Not to use the Cloud Services in violation of applicable laws
  • Not to circumvent or disable any security features or other aspects of the Cloud Services
  • Not to attempt to gain unauthorised access to the source code of the Cloud Services
  • Not to use the Cloud Services to transmit unlawful material, or to store or transmit material in violation of third-party privacy rights
  • Not to use the Cloud Services to store or transmit any material that may infringe the software or other rights of third parties
  • Not to knowingly or negligently use the Cloud Services in a way that abuses or disrupts servers, user accounts, or other services

The Provider will generally provide support and training to the Customer's Users, and the terms of the support and training must be detailed in this section. Or, if not detailed in the Cloud Services Agreement, the Provider may consider making use of a support policy hyperlinked in the Agreement.

 

Professional services can also be included as part of the Cloud Services Agreement or incorporated into a separate Professional Services Agreement. If professional services are included as part of the Cloud Services Agreement, ensure that the commercials relating to these services are unambiguously stipulated within the Agreement.

The Customer would want to protect the confidentiality of, and reserve its ownership rights in, data that it uploads for processing and storage by the Cloud Services.

 

It may be that the Provider has a Standard Data Protection Policy that covers the above aspects. However, with higher-value and more complex Cloud Services transactions, the Parties may want to agree on a separate Data Protection schedule.

 

The ownership and permissible uses of data derived from the Provider's monitoring of the Customer's access to and use of the Cloud Services, or from the processing of customer data or usage data (derivative or resultant data), can be significant negotiation points.

 

Read more on data protection clauses.

The Provider will generally retain all intellectual property relating to the Software, and no licence is provided in respect of the Software. For this reason, the intellectual property provisions within a Cloud Services Agreement are generally not overly complex.

 

An aspect that will, however, need to be addressed in the Cloud Services Agreement is feedback rights. In other words, if the Customer provides the Provider with feedback relating to the Cloud Services, will the Provider be able to use the feedback to improve the Cloud Services and make these improvements available to other Customers?

 

The default position is usually that the Provider may use all feedback freely without restriction or obligation.

 

Read more on building intellectual property clauses.

The payment provisions will detail payment terms, overdue amounts, method of payment, setoff, taxes, payment disputes etc.

 

Read more on payment clauses.

Both Parties would generally want to protect such sensitive information, which, if disclosed to certain third parties, will be detrimental to their business. The confidentiality provisions provide which information must be regarded as confidential, obligations relating to handling confidential information, and what happens if there are unauthorised disclosures.

 

Read more on confidentiality clauses.

Unrecoverable losses and maximum liability are generally dealt with under the limitation of liability provisions. Unrecoverable losses may include, for example, consequential losses, and claims relating to breach of data protection provisions may be limited under the maximum liability amount to a fixed amount.

 

Read more on the limitation of liability clauses.

The Customer and Provider will usually provide certain mutual warranties. These may include, for example, that they have the legal capacity to enter into the Agreement and that they have not offered unlawful or prohibited inducements to the other Party or any other person in connection with the Agreement.

Then there will also be warranties related to the Cloud Services that will be provided.

 

Typical warranties will include that no viruses will be introduced into the Cloud Services, the Cloud Services does not and will not infringe on any third party intellectual property rights, the Cloud Services will be updated as necessary to comply with applicable laws etc.

 

Breach of the warranties will also need to be addressed, and the disclaimers that relate to the warranties.

 

Read more on warranty clauses.

An indemnity often found in a Cloud Services Agreement is an indemnity relating to Intellectual Property infringement claims.

 

The indemnity provisions need to identify what will be regarded as indemnified losses (what will be covered), what will trigger the indemnity and the claims procedure.

 

Read more on indemnity clauses.

The Provider may be required to take insurance against, for example, cyber crimes. The insurance provisions should detail the type of cover to be taken out, the amount of cover required, what happens if there is a failure to maintain cover and obligations to produce certificates confirming cover. 

A clause that is not often included in Cloud Services Agreements is a Financial Reporting clause requiring the Provider to report its financial position to the Customer.

 

These clauses may give the Customer "early warning" of trouble. If the Provider faces financial instability, it could tumble into bankruptcy, and it could lose the will or ability to perform vital services. But if the Customer sees that trouble far enough in advance, it can protect itself—by terminating the contract, retaining another provider, taking back the data, etc.

Technology is evolving at a rapid pace and a Customer may want to have the right to benchmark the Provider's performance and price. If it is found that the Provider does not meet the benchmarking requirements, the clause may provide certain remedies to the Customer.

 

Whether or not such a clause will be included will depend on the respective bargaining power of the Parties.

Although most of the time there will not be a need for Personnel and Non-Solicitation clauses, it may be that there will be some form of professional service provided with the Cloud Services. In such a case, the Provider may want to include Personnel and Non-Solicitation clauses.

 

Read more on Personnel and Non-Solicitation clauses.

For a Customer, it may be difficult to determine whether or not the Provider is executing their obligations under the Agreement. Audit rights allow the Customer, or their authorised representative, to conduct certain audits.

 

With the audit clause, aspects often addressed include notices of audits, the number of allowed audits, confidentiality and what happens if there is an adverse finding.

The Parties may conclude the Cloud Services Agreement for a fixed term. There may also be auto-renewal of the Term, which must also be detailed within this section.

 

The termination provisions detail when a Party can terminate the Agreement before the Term ends and may also provide for termination assistance the Provider must provide if the Agreement is terminated.

 

Read more on term and termination clauses

How will the Parties deal with disputes? Through a Court process or alternative dispute resolution? Are there different processes for different disputes, for example, expert determination for disputes relating to technical aspects of the Cloud Services?

 

Read more on dispute resolution clauses.

The boilerplate clauses will include the provisions relating to public disclosure, third-party beneficiaries, how amendments will be dealt with, how notices under the Agreement must be provided, assignment etc.

 

Read more on boilerplate clauses.

FAQs

Generally, Cloud Services provide "out of the box" functionality and Providers do not include any Acceptance Testing provisions.

 

However, there are situations where a Customer may require custom functionality that must be bolted onto the Cloud Services. In such cases, it may be appropriate to include Acceptance Testing provisions.

As discussed above, only usage rights are provided to the Customer and no licence is provided in respect of software.

 

That being said, there may be situations where the Cloud Services are "mission critical" to the Customer. Especially in situations where there has been extensive bespoke development done for a Customer to further the available functionality of the Cloud Service, it may be appropriate to provide for certain escrow arrangements in the Agreement.

The following agreements and policies generally determine the rights and obligations between the Parties:

  • Order Form
  • Data Protection Policy
  • Support & Maintenance Policy
  • Service Level Agreement (SLA)
  • Acceptable Use Policy (AUP)

 

The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 

Martin Kotze


The building blocks of a Professional Services Agreement


In this article, we have a look at some of the important aspects that must be kept in mind when drafting a Professional Services Agreement.

The Professional Services Agreement usually relates to a single project with defined scopes or timelines and is usually not a continuous service.

Persons with certain expertise and ability usually provide services under a Professional Services Agreement.

 

Scope of the engagement

The scope of the service is often disputed, and for this reason, providing a detailed scope is recommended. What are the deliverables? Within which timeframe must the Deliverables be provided? Must the Services be provided at a specific location?

The scope of the Agreement is often separated from the legal terms: schedules to the Agreement detail the scope of work, timetables and payment tables.

 

Acceptance of Deliverables

What are the criteria for acceptance of the Deliverables? What if the Deliverable does not meet the acceptance criteria? These are all important aspects that must be detailed in the Agreement.

 

Fees and expenses

Are there different rates that apply to different people providing the Service? Will any expenses be reimbursed? Can the Provider add a markup on the expenses? Is prior written approval required for the expenses?

 

Personnel and non-solicitation

The people involved with providing Services under a Professional Services Agreement often have unique skills, expertise and knowledge. Therefore, if an entity is appointed under the Professional Services Agreement, it can risk losing its skilled professionals to a Customer who wants to employ these individuals directly. For this reason, non-solicitation provisions are often added to a Professional Services Agreement.

Read more on Personnel and Non-Solicitation clauses.

 

Intellectual property

Generally, Services provided under a Professional Services Agreement will constitute work for hire, and all intellectual property will belong to the Customer. However, some aspects that relate to intellectual property must still be dealt with in the Agreement. For example, how will the intellectual property that the Provider brings to the table be dealt with under the Agreement? Will a licence be provided in respect of this Intellectual Property? What are the terms of such a licence?

Read more on building intellectual property clauses.

 

Payment

The payment provisions will detail payment terms, overdue amounts, method of payment, setoff, taxes, payment disputes etc.

Read more on building intellectual property clauses.

 

Insurance

The Provider may be required to take insurance against, for example, cyber crimes. The insurance provisions should detail the type of cover to be taken out, the amount of cover required, what happens if there is a failure to maintain cover and obligations to produce certificates confirming cover. 

 

Audit rights

For a Customer, it may be difficult to determine whether or not the Provider is executing their obligations under the Agreement. Audit rights allow the Customer, or their authorised representative, to conduct certain audits.

With the audit clause, aspects often addressed include notices of audits, the number of allowed audits, confidentiality and what happens if there is an adverse finding.

 

Confidentiality

Both Parties would generally want to protect such sensitive information, which, if disclosed to certain third parties, will be detrimental to their business. The confidentiality provisions provide which information must be regarded as confidential, obligations relating to handling confidential information, and what happens if there are unauthorised disclosures.

Read more on confidentiality clauses.

 

Limitation of liability

Unrecoverable losses and maximum liability are generally dealt with under the limitation of liability provisions. Unrecoverable losses may include, for example, consequential losses, and claims relating to breach of data protection provisions may be limited under the maximum liability amount to a fixed amount.

Read more on the limitation of liability clauses.

 

Warranties

The Customer and Provider will usually provide certain mutual warranties. These may include, for example, that they have the legal capacity to enter into the Agreement and that they have not offered unlawful or prohibited inducements to the other Party or any other person in connection with the Agreement.

Then there will also be warranties that relate to the Services that will be provided.

Typical warranties will include that the Services will be done efficiently and that people with certain skills and experience will be used to provide the Services.

Breach of the warranties will also need to be addressed, and the disclaimers which will apply will also need to be included.

Read more on warranty clauses.

 

Indemnities

An indemnity often found in a Professional Services Agreement is an indemnity relating to Intellectual Property infringement claims.

The indemnity provisions need to identify what will be regarded as indemnified losses (what will be covered), what will trigger the indemnity and the claims procedure.

Read more on indemnity clauses.

 

Disputes

How will the Parties deal with disputes? Through a Court process or alternative dispute resolution? Are there different processes for different disputes, for example, expert determination for disputes relating to the Software Deliverables?

Read more on dispute resolution clauses.

 

Term and termination

The Parties may conclude the Professional Services Agreement for a fixed term. There may also be auto-renewal of the Term, which must also be detailed within this clause.

The termination provisions detail when a Party can terminate the Agreement before the Term ends and may also provide for termination assistance the Provider must provide if the Agreement is terminated.

Read more on data protection clauses.

 

Boilerplate provisions

The boilerplate clauses will include the provisions relating to public disclosure, third-party beneficiaries, how amendments will be dealt with, how notices under the Agreement must be provided, assignment etc.

 


The building blocks of a Master Software Development Agreement


In this article, we have a look at some of the important aspects that must be kept in mind when drafting a Master Software Development Agreement.

The Master Software Development Agreement provides the framework within which the Customer engages the Developer.

The Parties to the Master Software Development Agreement will also agree on Statements of Work which detail the Service that the Developer will provide.

 

The Master Software Development Agreement can be agreed to before any Statements of Work are concluded.

Building blocks

Building blocks of a Software Development Agreement

The scope will typically include the general terms of engagement which may include the design, development, creation, testing, delivery, installation, configuration, integration, and customisation of the Software.

 

The scope may also address general support, maintenance, and training the Developer will need to provide to the Customer.

For larger projects, it is important to have structures and processes in place to manage the contract effectively. 

 

Change control will be dealt with under contract management, for example, how the process will work if a change to the agreed Specification is required.

 

The Parties may also agree to establish a Steering Committee for overall supervision of each Party’s performance and the direction of the activities under this Agreement.

The Developer is responsible for delivering the Software Deliverables as per the Statement of Work, which may detail certain Functional and Technical Specifications.

 

Testing needs to take place to ensure that the Software meets the Specifications agreed to.

 

The acceptance testing provisions will detail the process that must be followed after delivering a Software Deliverable, what happens if there are Non-Conformities, and what if there are repeated failures of Acceptance Tests.

The Software created will constitute intellectual property which the Customer generally owns. However, the newly created intellectual property is usually not the only intellectual property that must be dealt with in the Master Software Development Agreement.

 

To create the new intellectual property, the Developer needs to use its know-how, existing software and other intellectual property (Background Intellectual Property) to create the new intellectual property (Foreground Intellectual Property).

 

The Master Software Development Agreement will need to stipulate the terms of the Background Intellectual Property licence that the Developer will provide to the Customer to enable the Customer to use the Foreground Intellectual Property without any infringement.

 

Read more on building intellectual property clauses.

The payment provisions will detail payment terms, overdue amounts, method of payment, setoff, taxes, payment disputes etc.

 

Read more on payment clauses.

Both Parties would generally want to protect such sensitive information, which, if disclosed to certain third parties, will be detrimental to their business. The confidentiality provisions provide which information must be regarded as confidential, obligations relating to handling confidential information, and what happens if there are unauthorised disclosures.

 

Read more on confidentiality clauses.

Unrecoverable losses and maximum liability are generally dealt with under the limitation of liability provisions. Unrecoverable losses may include, for example, consequential losses, and claims relating to breach of data protection provisions may be limited under the maximum liability amount to a fixed amount.

 

Read more on the limitation of liability clauses.

The Customer and Developer will usually provide certain mutual warranties. These may include, for example, that they have the legal capacity to enter into the Agreement and that they have not offered unlawful or prohibited inducements to the other Party or any other person in connection with the Agreement.

 

Then there will also be warranties that relate to the Software.

Typical warranties will include that the Software will perform in conformity with the Specifications, it will not contain viruses, it will not contain any copyleft licences etc.

 

Breach of the warranties will also need to be addressed, and the disclaimers which will apply will also need to be included.

 

Read more on warranty clauses.

An indemnity that you will often find in Master Software Development Agreements is an indemnity relating to Intellectual Property infringement claims.

 

The indemnity provisions need to identify what will be regarded as indemnified losses (what will be covered), what will trigger the indemnity and the claims procedure.

 

Read more on indemnity clauses.

The Developer may be required to take insurance against, for example, cyber crimes. The insurance provisions should detail the type of cover to be taken out, the amount of cover required, what happens if there is a failure to maintain cover and obligations to produce certificates confirming cover. 

These clauses may give the Customer "early warning" of trouble. If the Developer faces financial instability, it could tumble into bankruptcy, and it could lose the will or ability to perform vital services. But if the Customer sees that trouble far enough in advance, it can protect itself—by terminating the contract, retaining another developer, taking back the data, etc.

Technology is evolving at a rapid pace and a Customer may want to have the right to benchmark the Developer's performance and price.

 

If it is found that the Developer does not meet the benchmarking requirements, the clause may provide certain remedies to the Customer.

 

Whether or not such a clause will be included will depend on the respective bargaining power of the Parties.

The Developer may want to include Personnel and Non-Solicitation clauses to restrict the Customer from "poaching" their employees.

 

Read more on Personnel and Non-Solicitation clauses.

For a Customer, it may be difficult to determine whether or not the Developer is executing their obligations under the Agreement. Audit rights allow the Customer, or their authorised representative, to conduct certain audits.

With the audit clause, aspects often addressed include notices of audits, the number of allowed audits, confidentiality and what happens if there is an adverse finding.

The Parties may conclude the Master Software Development Agreement for a fixed term. There may also be auto-renewal of the Term, which must also be detailed within this section.

 

The termination provisions detail when a Party can terminate the Agreement before the Term ends and may also provide for termination assistance the Developer must provide if the Agreement is terminated.

 

Read more on term and termination clauses

How will the Parties deal with disputes? Through a Court process or alternative dispute resolution? Are there different processes for different disputes, for example, expert determination for disputes relating to technical aspects of the Software?

 

Read more on dispute resolution clauses.

The boilerplate clauses will include the provisions relating to public disclosure, third-party beneficiaries, how amendments will be dealt with, how notices under the Agreement must be provided, assignment etc.

 

Read more on boilerplate clauses.

FAQs

A Master Software Development Agreement is a framework agreement that goes hand-in-hand with Statements of Work (SoW).

 

The Master Software Development Agreement contains general terms and conditions applicable to the transactions. On the other hand, the SoW contains more specific information relating to the Software that must be developed. For example, the technical and functional specifications, timeframes, fees etc.

 

A Master Software Development Agreement allows for a more agile process where various "sprints" are undertaken to complete a project. Each "sprint", with its respective milestones and dates, is agreed and documented as a separate SoW.

 

With a "standard" Software Development Agreement, the specifications of the project are fixed at the signing of the Agreement or agreed during a "consultation phase" preceding the start of the project.

"Source Code" is the code that a developer writes to program an application/website. This code is "human readable" and this is the code that you want to protect.

 

"Object Code" is "machine-readable". In other words, it is numeric code made of binary numbers such as 0s and 1s and is understood by a machine. 

 

For a more detailed explanation on Source Code vs. Object Code, have a look at this article

Incorporating Open Source Components as part of Software certainly helps when developing Software and means that there is no need to "reinvent the wheel" when it comes to certain components of the Software.

 

However, Open Source can cause problems down the line for the Parties. Certain types of Open Source Components carry copyleft licences.

 

A copyleft licence requires that the Customer use the same licence model if it redistributes the Software. In other words, if the Open Source Component is inserted into the Software, the Customer may (depending on the Open Source Licence) be required to distribute the Software with source code and the right to modify and redistribute. Such a scenario may have far-reaching consequences for a Customer, and for this reason Open Source Components must be appropriately addressed in the Software Development Agreement.

In addition to Open Source Components, Developers may leverage other software (for example, through integrations) to develop the Software. 

 

The Third Party software may provide certain functionality required for the Software, but may carry its own terms of use. For example, you may use and embed the Third Party software as part of your Software, but you may only use it for internal business purposes. If this is the case, you will have problems when commercialising your Software.

 

Furthermore, it is not necessarily only Third Party software that can cause problems. Using Third Party documents, data, know-how, ideas, methodologies, specifications, software, content, and technology, in any form, may have the same implications for the Customer.

 

For the above reason, it is important to adequately address the use of Third Party Materials in the Software Development Agreement.

The Author

Martin Kotze

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises companies on how to contract better with their customers and vendors. 


Building Personnel and Non-Solicitation clauses

How to build Personnel and Non-Solicitation clauses

In this article, we have a look at some of the important aspects that must be kept in mind when drafting Personnel and Non-Solicitation clauses.

When Customers contract with Providers, they may want to deal exclusively with certain Provider employees.

It may be that they have established a good relationship with these employees, or they want to ensure that these employees are always involved when it comes to a certain Project due to their skills and expertise.

 

Therefore, the Personnel clause's purpose is to detail these Key Personnel's involvement.

A Non-Solicitation clause prohibits a Party from soliciting the employment of the other Party’s Key Employees.

 

These Key Employees may have unique skills; usually, a Party has spent time and money to upskill these employees.

 

From a Provider’s perspective, you want to ensure you have the resources to provide continuity of services to all of your customers and to prevent losses related to intellectual property, confidential information, and investments made hiring and training these Key Employees.

 

There are situations where a Customer may seek a Non-Solicitation clause to prevent a Provider from enticing people with industry knowledge or other marketable skills to benefit the Provider.

Building blocks of Personnel and Non-Solicitation Clauses

The Key Personnel clause will need to address:

  • The process that must be followed if there is a transfer of Key Personnel
  • The succession plan
  • Key Personnel working on competitor accounts
  • Whether the Customer can decide to remove Key Personnel from their account

Often human mistakes are the cause of data breaches.


For this reason, a Customer may want to ensure that the Personnel working on their account who may have access to sensitive and confidential information regularly undergo data security training.

A Customer that depends on a Provider to assist with Services, especially those of a financial nature, may want to ensure that background checks are completed on all Personnel working on their accounts.

 

Furthermore, depending on the transaction and Services to be provided, a Customer may want to pay the agreed rates only if they work with Personnel who have certain qualifications or experience.

A wider definition of Key Employees may provide additional protection to the Provider. However, being more precise with your definition of Key Employees and referencing only Employees involved with the Services may increase the probability that a Court will enforce the provisions.

 

Here is an example of a definition for Key Employees:

any director, officer or senior employee in a key capacity of a Party or an Affiliate of it and any of their employees in a key position with regard to the performance of the obligations under the Agreement, at any time until completion of such obligations.

How long after the Agreement comes to an end will the non-solicitation provisions still apply?

 

Industry practice may be a guide. However, there is no specific period that is regarded as fair and reasonable.

Parties may want to agree liquidated damages if there is a breach of the Non-Solicitation provision. For example, a percentage of the annual cost to company may be used or a fixed amount can also be agreed to.

Example clause

1.           PERSONNEL

1.1        Key personnel:  The following individuals are designated to the following positions as at the Start Date and must dedicate the below percentage of their time to the provision of the Services at the specified location:

| Position | Name of individual | Percentage of time to be dedicated | Place of service |
| --- | --- | --- | --- |
|  |  |  |  |
|  |  |  |  |

1.2        Transfer of key personnel:  A person holding a key position may not be transferred or re-assigned to other positions until a suitable replacement has been approved by the Customer.

1.3        Succession plan:  The Provider must establish and maintain an up-to-date succession plan for the replacement of individuals serving in key positions that shall be reviewed with the Customer on a regular basis.

1.4        Assignment of key personnel to competitor account:  For so long as an individual is assigned to a key position, and for 12 months thereafter, the Provider shall not assign such individual to perform services for the benefit of any competitor of the Customer.

1.5        Removal of key personnel:  At any time, and in Customer’s sole discretion, the Customer has the right to require that any individual assigned to a key position be removed from such position and replaced with another individual approved by the Customer.

1.6        Data security training:  The Provider must, at its cost, ensure that its personnel, on hiring and at least once a year afterwards, participate in data security awareness training, including at a minimum, Customer’s data security policies, including acceptable use, password protection, data classification, incident and breach reporting, the repercussions of violations, and overviews of applicable laws and regulations.

1.7        Personnel checks:  To the extent permitted by law and after obtaining the applicable consents from the affected personnel, before assigning any personnel to provide Services under this agreement the Provider must:

(a)          complete background checks on all these personnel, and

(b)          on the Customer's reasonable request, update any of these checks.

1.8        Contact information:  On or before the Effective Date, the Provider shall submit a list of contact names and telephone numbers to the Customer of its personnel and stand-by personnel.

2.           NON-SOLICITATION OF KEY EMPLOYEES

2.1        Non-solicitation:  During the Term of the Agreement, and for 12 months after the Agreement comes to an end, no Party may directly or indirectly solicit the other Party’s Key Employees.

2.2        Exclusions:  A Party will not be in breach of the above non-solicitation provisions if they hire or employ, or have hiring or employment discussions with any person:

(a)          who is not then employed by that other Party;

(b)          who contacts them without any solicitation by them; or

(c)          who responds to general solicitation for employment placed by them or their agents in newspapers, journals, the internet, recruiters, or any media.

2.3        Damages:  Should a Party breach the above non-solicitation provision, the soliciting Party must pay to the non-soliciting Party within days of receipt of notice to that effect, the sum equal to 40% of the annual total cost to company of the relevant Key Employee.

2.4        Acknowledgement of pre-estimated damages:  The Parties agree that such damages contemplated above constitute pre-estimated damages to be suffered by the non-soliciting Party due to the breach of the non-solicitation provisions.

2.5        Survival:  The provisions of this Article – NON SOLICITATION OF KEY EMPLOYEES will survive the termination, expiration or cancellation of this Agreement.


Building an intellectual property clause

How to build an intellectual property clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting Personnel and Non-Solicitation clauses.

Most disputed terms WCC ranking: 19

Most important terms WCC ranking: 16

Most negotiated terms WCC ranking: 12

What is the purpose of an Intellectual Property clause in a services agreement?

The Intellectual Property clause determines which Party owns which intellectual property that will be used or created during the Agreement. The Intellectual Property clause may also provide for various obligations in respect of the intellectual property, for example, an obligation to assist with the registration of intellectual property.

What is Background IPR

A provider may have to bring a couple of things to the table to perform the service. For example, the provider’s know-how, their systems and technology. The provider may have certain intellectual property rights in respect of the know-how, systems and technology. These rights are referred to as the Background Intellectual Property Rights (Background IPR).

What is Foreground IPR

Foreground Intellectual Property Rights (Foreground IPR), are intellectual property rights that arise due to the activity conducted under the Agreement.

Building blocks of an Intellectual Property Clause


What is Background IPR

The devil is in the details when it comes to definitions.

Usually, Intellectual Property Rights is defined separately from Background IPR, and you should therefore start with the definition of Intellectual Property Rights.

The Intellectual Property Rights definition may also contain various embedded defined terms. For example, Know-How, Patents etc. 

Here are examples of definitions that you may need when building your Intellectual Property clause:

Background IPR means, by reference to a Party, all Intellectual Property Rights, excluding Foreground IPR, owned by such Party or any of its Affiliates, or licensed or made available by a third party to such Party and under which such Party is authorised to grant licenses.

Intellectual Property Rights means unpatented inventions, Patents, trademarks, service marks, trade names, domain names, copyrights (including rights in software), moral rights, rights in designs, Know-How, database rights, topography rights, mask work rights, utility models and all other intellectual property rights and forms of protection of a similar nature, licences to such rights, in each case whether registered or pending registration, and rights to apply for any such rights.

Know-How means all knowledge, drawings, specifications, samples, models, instructions, algorithms, working methods, ideas, concepts, technology, applied development engineering data, reports, notes and all other technical or commercial information, data and documents of any kind.

Patent means all patents and patent applications in any jurisdiction in the world, including any divisional, continuation, continuation-in-part, reissue, renewal, re-examination or extension thereof.

Retention of ownership

Ownership of the Background IPR will usually be retained by the respective Parties.

Some of the Background IPR (for example, Know-How), will be used to create Foreground IPR. For this reason, a licence is required in respect of the Background IPR. Who provides the licence will depend on the circumstances. Generally, both Parties will be making available Background IPR for the project, and therefore, both Parties licence their Background IPR. 

Licence in respect of Background IPR

Generally, a “project licence” is provided in terms of which each Party licences their Background IPR to the other for purposes of and to the extent required to perform their obligations under the Agreement. Without such a licence, an infringement question may arise.

It may happen that some of the Background IP will be used to create the Foreground IP. If this is the case, you want to be clear on the terms of the Background IPR licence. In other words, you want to expressly stipulate the scope of the Background IPR licence.

You will need to consider:

  • To whom is the Background IPR licenced (does it include Affiliates)?
  • What can the licensee do under the licence? Modify, distribute, sell, create derivative works etc.?
  • Are there any restrictions? For example, restrictions relating to territory, field of use, external use etc.
  • What about assignment and sub-licensing?

If you are acting for the customer, the typical licence you would require in this regard is a worldwide, no-charge, royalty-free, perpetual, irrevocable, exclusive, sublicensable licence.

What is Foreground IPR

Basically, anything that is created as a result of the activities conducted under the Agreement.

Here is an example definition:

Foreground IPR means all Intellectual Property Rights that arise as a result of or in the context of any activity pursuant to this Agreement.

Who owns the Foreground IPR

Most of the time the Foreground IPR will be owned by the Customer paying for the work. There are situations where the Provider would want to own the Foreground IPR. If this is the case, the Provider will need to provide a licence to the Customer to enable them to use the Foreground IPR.

 

Licence and obligations

When the Provider is providing a licence in respect of the Foreground IPR to the Customer, you will need to consider:

  • To whom is the Foreground IPR licenced (does it include Affiliates)?
  • What can the licensee do under the licence? Modify, distribute, sell, create derivative works, etc.?
  • Are there any restrictions? For example, restrictions relating to territory, field of use, external use etc.
  • What about assignment and sub-licensing?

If you are acting for the Customer, the typical licence you would require in this regard is a worldwide, no-charge, royalty-free, perpetual, irrevocable, exclusive, sublicensable licence with scope that is as close as possible to “ownership”.

The general obligations relating to licensing must also be included, for example, that the Customer must assist with the registration of any Foreground IPR. The clause should also specify who needs to pay the fees and costs relating to the imposed obligations.

Non-asserts

If the Foreground IPR will be owned by the Provider, the Provider may want to make use of a non-assertion clause, which will mean that the Customer cannot seek to enforce any Intellectual Property Rights it may have against the Provider in respect of the Foreground IPR.

Waiver of moral rights

Certain Intellectual Property Rights cannot be assigned. If you, as Provider, don’t want a situation where objections arise that relate to certain creative works, inserting a waiver of moral rights must be considered.

Example clauses

Customer friendly

1.           INTELLECTUAL PROPERTY

1.1         Background IPR:  Each Party retains ownership of their Background IPR and Intellectual Property developed outside the scope of this Agreement.

1.2         Background IPR Licence grant:  The Provider hereby grants to the Customer an irrevocable, non-exclusive, worldwide, no-charge, royalty-free, perpetual, sublicensable licence in respect of the Background IPR, under the following terms:

(a)         The Provider can create derivative works, display, or perform in any media and through any technology or other means of delivery, whether now known or developed in the future, distribute, sell, offer to sell, import, to make, or have made, to modify, to reproduce, to use externally, and to use internally the Background IPR for purposes of performing their obligations under this Agreement.

(b)         The Background IPR is also licenced to the Customer’s Affiliates.

(c)         The licence under Section 6.2 will survive termination of this Agreement.

1.3         Foreground IPR:  The Customer will exclusively own all Foreground IPR and the Provider hereby assigns all Foreground IPR to the Customer.

1.4         Obligations relating to Foreground IPR:  The Provider must:

(a)         assist in obtaining, registering, perfecting and enforcing all Foreground IPR; and

(b)         deliver all Foreground IPR.

1.5         Fees and costs:  The Customer must pay all fees and costs to register and protect the Foreground IPR.

Provider friendly

1.           INTELLECTUAL PROPERTY

1.1         Background IPR:  Each Party retains ownership of their Background IPR and Intellectual Property developed outside the scope of this Agreement.

1.2         Background IPR Licence grant:  The Customer hereby grants to the Customer an irrevocable, non-exclusive, worldwide, no-charge, royalty-free, non-transferable, sublicensable licence in respect of their Background IPR, under the following terms:

(a)         The Provider can create derivative works, display, or perform in any media and through any technology or other means of delivery, whether now known or developed in the future, make, or have made, modify, reproduce, use externally, and use internally the Background IPR for purposes of performing their obligations under this Agreement.

(b)         The Background IPR is also licenced to the Provider’s Affiliates.

1.3         Ownership of Foreground IPR:  The Provider will exclusively own all Foreground IPR and the Customer hereby assigns all Foreground IPR to the Provider.

1.4         Licence:  Upon Customer’s payment of fees due under the Agreement the Provider grants the Customer an irrevocable, non-exclusive, worldwide, no-charge, royalty-free, perpetual, sublicensable licence in respect of the Foreground IPR, under the following terms:

(a)         The Customer can create derivative works, display, or perform in any media and through any technology or other means of delivery, whether now known or developed in the future, make, or have made, modify, reproduce, use externally, and use internally the Foreground IPR.

(b)         The licence in Section 1.4 will survive termination of this Agreement.

1.5         Obligations:  The Customer must:

(a)         assist in obtaining, registering, perfecting and enforcing all Foreground IPR; and

(b)         deliver all Foreground IPR.

1.6         Fees and costs:  The Provider must pay all fees and costs to register and protect the Foreground IPR.

1.7         Non-assertion and disclosure:  The Customer must not:

(a)         at any time allege the invalidity or otherwise take or permit to be taken any action affecting the validity or enforceability of any Intellectual Property Right obtained, applied for or to be applied for by the Provider; or

(b)         disclose or publish the subject matter of any inventions which may be patentable before the Provider has applied for any patent registration.

1.8         Moral rights:  To the extent permitted under the applicable laws, the Customer hereby waives all moral rights arising from or relating to Intellectual Property Rights created by or in collaboration with the Customer for the benefit of the Provider and all the Provider’s licensees and successors-in-title to the Intellectual Property Rights.

The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 


Building data privacy and data security clauses

How to build a data protection clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting data privacy and data protection provisions.

Most disputed terms WCC ranking: 

Data privacy: 28

Data security: 26

Most important terms WCC ranking: 

Data privacy: 8

Data security: 7

Most negotiated terms WCC ranking: 

Data privacy: 17

Data security: 19

What is a Data Privacy clause?

Data Privacy clauses will generally deal with the way in which data (usually Personal Information) must be handled.

What is a Data Security clause?

Data Security clauses usually provide what the Provider must do to protect the Protected Data against unauthorised third-party access and malicious attacks.

What is a Data Protection clause then?

Data protection clauses are, in a way, a combination of data privacy and data security clauses.

Building blocks of Data Privacy and Data Security clauses


What is Protected Data?

Defining Protected Data is important to ensuring balanced and fair data privacy and security provisions.

Generally, Protected Data will be personal information as defined by applicable data privacy and security laws. This does not mean, however, that the definition of Protected Data should be limited to Personal Information. The Customer may want a much broader definition of Protected Data that includes all the data that the Customer provides to the Provider. For example:

Protected Data means all information processed or stored through the System by Customer or on Customer’s behalf, and includes, without limitation, information provided by Customer’s customers, employees, and other users and by other third parties, other information generated through use of the System by or on Customer’s behalf, and copies of all such information rendered onto paper or other non-electronic media.

If you are the Provider, you want to use a narrow definition and may even consider carving out certain types of data from the definition. For example:

Excluded Data means personal tax numbers, financial account data, and credit card and other payment card numbers;

Protected Data means personal information as contemplated under applicable data privacy and security laws, but specifically excludes Excluded Data;

If you are the Provider, you don’t want a situation where there is a Data Incident and, for example, credit card data is exposed and there was no need for you in the first place to process any such credit card data. 

If you follow the approach where certain data is excluded, make sure that a warranty is included in the Data Protection Schedule where the Customer warrants that they will not provide any Excluded Data to the Provider.

It may be that you want Protected Data to be regarded as Confidential Information. If you decide to go this route make sure that you address the situation where there is a conflict between the Data Protection Schedule and the confidentiality provisions.

Handling of Protected Data - Authorised Persons

A narrow definition of Authorised Persons may favour the Customer. On the other hand, the Provider would want to make sure the definition of Authorised Persons is wide enough to include sub-contractors so that there is no need to obtain written approvals for each sub-contractor.

Authorised Persons should, however, be limited to people who need to handle the data to fulfil the Provider’s obligations under the Agreement.

Handling of Protected Data - Aggregated and anonymised data

A Provider may want to use the Protected Data for its own purposes. Generally, if the Provider wants to use the Protected Data, it needs to be anonymised first. If you are the Customer, you would want to make sure that, if the Protected Data is anonymised, the process cannot be reversed.

Handling of Protected Data - Personal Information requests

Privacy legislation generally provides certain rights to data subjects when it comes to their Personal Information, for example, the “right to know”, the right to deletion, or the “right to be forgotten”. As a Customer, you may want to impose certain obligations on the Provider if a personal information request is directed at the Provider.

Access, location and deletion of Protected Data

If you are the Customer, you want to control the access, location and deletion of Protected Data.

Data privacy laws may determine certain requirements if Protected Data is moved cross-border. As a Customer, you do not want to be exposed to a situation where Protected Data is moved cross-border to a jurisdiction with less stringent data privacy and data security laws than those applicable within the current jurisdiction.

As a Customer, you can also consider specifying certain data centres within the current jurisdiction where data can be stored.

As Provider, the commercials of the transaction must be kept in mind when considering access, location and deletion of Protected Data. It may be useful to reserve a right to charge fees and costs for time spent assisting the Customer with providing access, deleting and moving Protected Data.  

Data security audits & certifications

Generally, the two standards that will be considered will be ISO 27001 and SOC 2.

A difference between ISO 27001 and SOC 2 is that SOC 2 is not a certification. If you pass the ISO 27001 requirements, then your business is ISO 27001 certified. However, in the case of SOC 2, the auditor issues a formal report, confirming whether or not you met the relevant criteria. 

ISO 27001 is a common European procurement requirement and is internationally recognized as the highest standard in information security. In the US market, many Customers will want the reassurance that the Provider is SOC 2 compliant.

Minimum safeguards

If you are acting for the Customer, especially in the situation where the Provider is not required to produce an ISO 27001 certificate or a SOC 2 report, you want to place certain contractual obligations on the Provider regarding data security.

Or, if there is a requirement that the Provider produces an ISO 27001 certificate or a SOC 2 report, there are situations where the Customer may require further measures to be put in place that go beyond what is required under ISO 27001 / SOC 2.

Data incidents & deletion of data

Data Incidents

When considering provisions relating to Data Incidents, the definition of a Data Incident is a good point of departure.

Generally, Data Incidents include the unauthorised disclosure of, access to, or use of Protected Data.

As Provider, you may want to consider narrowing the above broad and general definition to more specific scenarios where, for example, an unauthorised third party obtains and threatens the distribution of Protected Data.

The obligations placed on the Provider relating to Data Incidents require detailed consideration. Examples of these obligations include:

  • Notifying the Customer
  • Cooperation with law enforcement
  • Assistance with notifying third parties whose data may have been exposed

 

Most of these obligations are generally aimed at damage control. However, a Customer may want to add obligations that require compensation, in some form, as a result of the Data Incident. 

As a Customer, you want to be in control of whatever happens after the occurrence of a Data Incident. As Provider, you do not want to be subjected to obligations that will be detrimental to your business financially.

 

Deletion of data

As a Customer, you want to have certain rights regarding the deletion of Protected Data.

Making sure that erasure leaves no data readable, decipherable, or recoverable may be expensive. Therefore, as Provider, you may want to consider adding provisions that the data deletion will be done using commercially feasible methods.

Data protection indemnity

The remedies and relief for breach of the Data Protection Schedule or the Data Protection Laws are usually addressed by an indemnity (see How to build an indemnity clause).

Breach & equitable relief

A Customer may also want to include a provision stipulating that a breach of the Data Protection Schedule will be deemed material with the hope that this will help them terminate the Agreement for cause if there is a breach.

Example schedule

Customer friendly

SCHEDULE – DATA PROTECTION

 

1.1.       Handling of Protected Data: 

(a)          Standard of care:  The Provider must keep and maintain all Protected Data in strict confidence, using such degree of care as is appropriate to avoid unauthorised access, use or disclosure.

(b)          Usage of Protected Data:  The Provider must use and disclose Protected Data solely and exclusively for the purposes for which the Protected Data, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Protected Data for the Customer’s own purposes or for the benefit of anyone other than the Customer, in each case, without Customer’s prior written consent.

(c)          Disclosure:  The Provider must not, directly or indirectly, disclose Protected Data to any person other than Authorised Persons, without express written consent from the Customer, unless and to the extent required by government authorities or as otherwise, to the extent expressly required, by applicable law, in which case, the Provider must use reasonable efforts to notify the Customer before such disclosure or as soon thereafter as reasonably possible.

(d)          Responsibility for Authorised Persons:  The Provider is responsible for and remains liable to the Customer for the actions and omissions of such Authorised Persons concerning the treatment of such Protected Data as if they were the Provider’s own actions and omissions.

(e)          Written undertaking required from Authorised Persons:  The Provider must require the Authorised Persons that have access to Protected Data to execute a written undertaking to comply with this Schedule.

1.2.       Confidential information:  All Protected Data provided by the Customer to the Provider or to which the Provider may be exposed or acquire in terms of this Agreement, constitutes Confidential Information.

1.3.       Conflicts:  If there is a conflict or inconsistency between this Schedule and the confidentiality provisions within the main body of the Agreement, the terms in this Schedule govern and control.

1.4.       Cross border transfer:  The Provider must not transfer Protected Data (or allow Authorised Persons to transfer Protected Data) outside the Republic of South Africa unless it receives the Customer’s prior written consent.

1.5.       Additional charges:  The Provider may charge additional fees at their standard rates for activities required by the Customer to assist them to comply with Data Protection Laws.

1.6.       Access rights:  The Customer may access and copy any Protected Data in the Provider’s possession or control at any time and the Provider:

(a)          must provide reasonable assistance to the Customer to access and copy the Protected Data.

(b)          may charge their reasonable then-standard fees for any assistance provided under 1.6.

1.7.       Protected data requests:  If the Provider receives a consumer “right to know,” deletion, “right to be forgotten,” or similar request related to Protected Data within Protected Data (the “Consumer Requests”), the Provider must not reply without the Customer’s written authorisation and shall, at the Customer’s expense, comply with the Customer’s reasonable written instructions for Consumer Requests (if any), subject to Data Protection Laws.

1.8.       Audits and certifications: 

(a)          The Provider must maintain annually updated reports and certifications (as may be applicable) of compliance with the following:

(i)           ISO 27001;

(ii)          SOC 2 Type II; and

(iii)         PCI Level 2.

(b)          The Provider must:

(i)           provide the Customer a copy of the most current certifications and reports (as may be applicable) within 30 days of request and thereafter annually within 30 days of completion thereof; and

(ii)          if there are any deficiencies identified or changes suggested relating to the provisions of the Services under the Agreement, the Provider must exercise reasonable efforts to promptly address such deficiencies and changes.

(c)          Notwithstanding anything in this Schedule, the Provider is not required to permit any audit that may compromise the security of the Provider’s other customers’ data.

(d)          Any report provided under this Schedule must be regarded as confidential information.

1.9.       Inspections: 

(a)          If requested by the Customer, the Provider must permit inspection and security review by the Customer of systems processing Protected Data and on the Provider’s policies and procedures relating to data security.

(b)          The Customer may request an inspection contemplated in 1.9 half-yearly, starting from the date that this Agreement becomes effective.

(c)          Notwithstanding anything in this Schedule, the Provider is not required to permit any inspection that may compromise the security of the Provider’s other customers’ data.

1.10.    Data Incidents:  If there is a Data Incident, or if Provider suspects a Data Incident, the Provider must:

(a)          promptly, and in any case within 24 hours, give notification by telephone, in person, or by other real-time, in-person communication;

(b)          cooperate with law enforcement agencies, where applicable, to investigate and resolve the Data Incident;

(c)          provide reasonable assistance in notifying applicable third parties;

(d)          comply with applicable laws governing data breach notification and response;

(e)          if the Data Incident results from their breach of this Agreement or negligent or unauthorised act or omission of an Authorised Person, compensate the other Party for any reasonable expense related to notification of consumers;

(f)           give the other Party prompt access to such records related to a Data Incident as may reasonably be requested (such records will be regarded as confidential information and there will be no obligation to provide access to records that might compromise the security of the other customers); and

(g)          provide the name and contact information for an employee who shall serve as primary security contact and must be available to assist 24 hours per day,  7 days per week as a contact in resolving obligations associated with a Data Incident.

1.11.    Third-parties and Data Incidents: 

(a)          The Provider must not inform any third party of any Data Incident without first obtaining the Customer’s prior written consent, other than to inform a complainant that the matter has been forwarded to the Customer’s legal counsel. The Customer has the sole right to determine:

(i)           whether notice of the Data Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in the Customer’s discretion; and

(ii)          the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.

(b)          The Provider must reasonably cooperate at its own expense with the Customer in any litigation or other formal action deemed reasonably necessary by the Customer to protect their rights relating to the use, disclosure, protection and maintenance of Protected Data.

(c)          If there is a Data Incident, the Provider must use their reasonable efforts to prevent a recurrence of any such Data Incident.

(d)          Nothing in this Schedule limits other rights or remedies of the Customer, if any, resulting from a Data Incident.

1.12.    Deletion of Protected Data:  Except as required by Data Protection Laws or authorised pursuant to a data deletion policy accepted in writing by each party, the Provider must not erase Protected Data or any copy thereof without the Customer’s prior written consent. The Provider must:

(a)          on request promptly erase all Protected Data from all systems under Provider’s control and direct and ensure erasure by any and all of its subcontractors that have access to Protected Data;

(b)          within 30 days of termination of this Agreement, erase all Protected Data in Provider’s possession or control, including without limitation in the possession or control of its subcontractors;

(c)          after erasure leave no data readable, decipherable, or recoverable on its computers or other media or those of its subcontractors, using the best erasure methods commercially feasible; and

(d)          promptly after any erasure of Protected Data or any part of it, certify such erasure.

1.13.    Minimum safeguards:  In addition to any other safeguards contemplated in this Schedule, the Provider must ensure at a minimum that:

(a)          their Personnel each have a unique user ID assigned to them, subject to strict confidentiality undertakings in terms of a password and confidentiality policy;

(b)          there are passwords required for any access to Data in line with its password policy;

(c)          its operating systems are secure and that the security settings in respect thereof are aligned with good industry practice;

(d)          its administrator accounts (and records of usage in relation thereto) are stored securely and can be accessed in the event of any service restoration or fault determination;

(e)          access to Data be limited to Personnel on a “need to know” basis, which Personnel shall strictly utilise their unique user ID and applicable passwords to access same (the access to such Data shall be subject to a two-step authorisation/authentication process);

(f)           all Data is backed-up regularly, and to ensure that back up testing is conducted regularly in order to ensure that Data can be recovered in the event that such Data is lost, damaged or destroyed;

(g)          its environment has comprehensive malware protection software employed, which software is specifically designed to protect against the most recent malware infections;

(h)          frequent vulnerability scanning is conducted in order to assess whether any computers, networks or applications have any vulnerabilities to cyber-attacks; and

(i)           all designated networks employ intrusion detection systems and intrusion prevention systems, and record any security incidents.

1.14.    IT network infrastructure diagram:  Upon the Customer’s written request, the Customer must provide the Customer with a network diagram that outlines the Provider’s information technology network infrastructure and all equipment used in relation to fulfilling its obligations under the Agreement, including:

(a)          connectivity to the Customer and all third parties who may access the Provider’s network to the extent the network contains Protected Data;

(b)          all network connections including remote access services and wireless connectivity;

(c)          all access control devices (for example, firewall, packet filters, intrusion detection and access-list routers);

(d)          all back-up or redundant servers; and

(e)          permitted access through each network connection.

1.15.    Material breach:  Any breach of the obligations under this Schedule is deemed a material breach of the Agreement.

1.16.    Equitable relief: 

(a)          The Provider acknowledges that:

(i)           no adequate remedy exists at law if it fails to perform or breaches any of its obligations under this Schedule;

(ii)          it would be difficult to determine the damages resulting from a breach of this Schedule, and such breach would cause irreparable harm to the Customer; and

(iii)         a grant of injunctive relief provides the best remedy for any such breach, without any requirement that the Customer prove actual damage or post a bond or other security.

(b)          To the extent permitted under Data Protection Laws, the Provider waives any opposition to such injunctive relief contemplated in Section 1.16 or any right to such proof, bond, or other security.

(c)          The Provider’s obligations in this Schedule apply likewise to the Provider’s successors, including without limitation to any trustee in bankruptcy.

 

Provider friendly

SCHEDULE – DATA PROTECTION

 

1.1.       Handling of Protected Data: 

(a)          Standard of care:  The Provider must keep and maintain all Protected Data in strict confidence, using such degree of care as is appropriate to avoid unauthorised access, use or disclosure.

(b)          Usage of Protected Data:  The Provider must use and disclose Protected Data solely and exclusively for the purposes for which the Protected Data, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Protected Data for the Customer’s own purposes or for the benefit of anyone other than the Customer, in each case, without Customer’s prior written consent.

(c)          Disclosure:  The Provider must not, directly or indirectly, disclose Protected Data to any person other than Authorised Persons, without express written consent from the Customer, unless and to the extent required by government authorities or as otherwise, to the extent expressly required, by applicable law, in which case, the Provider must use reasonable efforts to notify the Customer before such disclosure or as soon thereafter as reasonably possible.

(d)          Responsibility for Authorised Persons:  The Provider is responsible for and remains liable to the Customer for the actions and omissions of such Authorised Persons concerning the treatment of such Protected Data as if they were the Provider’s own actions and omissions.

(e)          Written undertaking required from Authorised Persons:  The Provider must require the Authorised Persons that have access to Protected Data to execute a written undertaking to comply with this Schedule.

1.2.       Additional charges:  The Provider may charge additional fees at their standard rates for activities required by the Customer to assist them to comply with Data Protection Laws.

1.3.       Aggregated and anonymized data:  The Customer hereby authorises the Provider to:

(a)          Anonymize Customer Data and to combine it with data from other customers into a new aggregate dataset; and

(b)          use such Anonymized Customer Data as a component of such new aggregate dataset for any legal business purpose, including without limitation for distribution to third-parties.

1.4.       Minimum safeguards:  In addition to any other safeguards contemplated in this Schedule, the Provider must ensure at a minimum that:

(a)          their Personnel each have a unique user ID assigned to them, subject to strict confidentiality undertakings in terms of a password and confidentiality policy;

(b)          there are passwords required for any access to Data in line with its password policy;

(c)          its operating systems are secure and that the security settings in respect thereof are aligned with good industry practice;

(d)          its administrator accounts (and records of usage in relation thereto) are stored securely and can be accessed in the event of any service restoration or fault determination;

(e)          access to Data be limited to Personnel on a “need to know” basis, which Personnel shall strictly utilise their unique user ID and applicable passwords to access same (the access to such Data shall be subject to a two-step authorisation/authentication process);

(f)           all Data is backed-up regularly, and to ensure that back up testing is conducted regularly in order to ensure that Data can be recovered in the event that such Data is lost, damaged or destroyed;

(g)          its environment has comprehensive malware protection software employed, which software is specifically designed to protect against the most recent malware infections;

(h)          frequent vulnerability scanning is conducted in order to assess whether any computers, networks or applications have any vulnerabilities to cyber-attacks; and

(i)           all designated networks employ intrusion detection systems and intrusion prevention systems, and record any security incidents.
