Tips and tricks: Dealing with third-party vendors in IT agreements

Many companies engage suppliers to deliver IT services. Whereas many years ago, most suppliers provided services on the basis of their own capabilities, systems and solutions, the situation today is significantly different. Today, the vast majority calls upon standard products and services of third-party vendors to provide services to their customer base. The most common example is the use of public cloud services (AWS, Azure, etc) for the storage of data or the running of an entire solution. Other examples include making available an IT ticketing tool for the delivery of incident management services and the installation of network vulnerability scanning software for the delivery of security services.

We observe that both suppliers and customers struggle with how to deal with the terms and conditions of such third-party products and services which are part of a larger IT offering that is contracted between a customer and a supplier.

On the one hand, suppliers do not want to run the risk of being squeezed between the main IT agreement negotiated with their customers and the terms and conditions applicable to the use of third-party products and services (which are often non-negotiable). On the other hand, customers are often reluctant to accept or sign off terms and conditions of third-party products and services that deviate from the contractual conditions set out in the main IT agreement negotiated with their supplier.

Below we share some tips and tricks that customers and suppliers can take into consideration when dealing with third-party products and/or services in an IT project.

Separate terms and conditions: Yes or No?

The first question to be addressed is whether it would be appropriate to subject the use of standard products or services in the context of an IT project to separate terms and conditions.

If a supplier would use a standard product or service in the background (i.e. as part of its internal service organization) the customer could reasonably argue that such use must governed by the main IT agreement. In such case, the third-party vendor could then qualify as a subcontractor of the supplier. It is the duty of the supplier to make sure its main IT agreement with the customer does not grant the customer any rights (e.g. in terms of audit rights, service levels and IP rights) that go beyond what is agreed in the contract between the supplier and the third-party vendor, or at least included exceptions in this regard (such as an exception to the audit rights for public cloud components of the service delivery).

In our view, the situation is different if the customer specifically requests the supplier to use a certain standard product and/or service. In such case, it could be reasonable for the supplier to justify that separate conditions apply, and more difficult for the customer to refuse such terms.

Common contractual set-ups

Provided that the customer and supplier agree on the applicability of separate terms and conditions for a standard third-party product or service, attention needs to be given to the contractual architecture. In this regard, multiple set-ups are possible, whereby the following three are seen often in practice:

• Direct contract with the third-party vendor. The first option is that the customer contracts directly with the third-party vendor, without involvement of the supplier, and agrees on the commercial and license terms with the relevant third-party vendor. This allows the customer to keep full control over the performance of the third-party vendor.
• No direct contract with the third-party vendor. The second option is that the customer solely contracts with its supplier, but not with the third-party vendor. This could, for example, be considered where the supplier has already signed a master services agreement with the third-party vendor from which its customers can benefit commercially or to deal with public procurement considerations of the customer (making it difficult to contract directly). In this case, the supplier could either attach the third-party vendor’s terms and conditions entirely to the main agreement, make a selection of the relevant provisions, include them in a dedicated statement of work, or align the main agreement with the relevant third-party terms.
• Main supplier as reseller. The third option involves the supplier acting as a reseller. This typically means that (i) the commercial arrangements (e.g. fees and payment terms) are included in a contract between the supplier and the customer, and (ii) an end-user license agreement (EULA) containing the use rights and restrictions of the relevant product and/or service is concluded directly between the customer and the third-party vendor.

An important observation is the fact that the supplier would not be part of the contractual set-up for the third-party product or services does not mean that the supplier cannot be involved in the contracting phase or in the execution phase. Here we also see different options, including the following:

• Brokerage. The supplier could, for example, act as a ‘pure’ broker, meaning that he acts as an intermediary during the contracting phase between the customer and the third-party vendor, but does not become a party to the contract.
• Value-added services. The supplier’s role can also go beyond that of a “pure” broker. This will, in particular, be the case if it also offers value-added services such as aggregation (i.e. combining and integrating multiple third-party and/or services into one or more new product and/or service) or customization (i.e. customizing the third-party products and/or services at the request of the customer).
• Managed services. The supplier could also be asked to manage the third-party contract for the customer, i.e. (i) to take care of the day-to-day management of the third-party contract, (ii) to monitor the performance by the third-party vendor of its contractual obligations, and (iii) to direct the customer as necessary and notify the customer of the need for it to exercise any contractual remedies towards the third-party vendor.

Specific points of attention

In this part we highlight a non-exhaustive number of specific points of attention that need to be kept in mind when considering the different contractual set-ups.

Responsibility. Before entering into a contract, the customer should carefully consider against which party it can bring a claim in case of an error in the third product and/or service or a breach by the third-party vendor. This will heavily depend on the chosen contractual set-up.

• In the case of a direct contract with the third-party vendor, the customer will (only) be able to make a claim against the third-party vendor. Considering that many large third-party vendors are based in the US, the contract is likely to be governed by US law and subject to the exclusive jurisdiction of the courts of a US state. This may make it more difficult and more expensive for the customer to enforce its rights and remedies.
• If there is no direct contract, the customer will only be able to address its claim for a breach or failure by the third-party vendor to its supplier. The benefit for the customer is that it has a single point of contact. At the same time, the downside is that the customer cannot introduce a direct claim towards the third-party vendor and always needs to go through the supplier, which may take more time to come to an effective solution. For the supplier there is a risk of becoming liable for aspects of the service delivery that it cannot control operationally.
  
  If the supplier has simply attached the third-party vendor’s terms and conditions, particular attention needs to be given to the provisions regarding governing law and competent court. Often these terms will be subject to another governing law and competent court than the main IT agreement. This should be avoided as much as possible, as there may be circumstances in which there could be a breach under the main IT agreement as well as under the incorporated or attached terms and conditions of the third-party vendor and in which the customer may want to summon both breaches in front of the same court. In any event, it is recommended to make it very clear which parts of the services are provided by the supplier and which are provided by the third-party vendor, to limit any finger-pointing.
• In terms of reselling, the contractual documents will often specify that claims relating to the standard product or service can only be brought against the third-party vendor.

As previously mentioned, the parties could agree that the supplier will manage the relationship with the third-party vendor. This could include assisting the customer with bringing a claim against the third-party vendor. Where relevant, third-party vendors could also be invited to relevant governance meetings, enabling the customer to influence a certain level of control.

Back-to-back and beyond coverage. If there is only a contract between the customer and the supplier, it is important for the supplier to make sure that all relevant obligations and restrictions included in its contract with the third-party vendor are passed on to the customer, and ensure that it is covered “back-to-back.” It is also worth mentioning that many suppliers will not just conclude a back-to-back contract, but provide for a certain buffer. For example, if the third-party vendor requires a certain action to be performed within ten business days, the supplier may decrease the timeframe passed on to the customer.

Consequences of termination. Another key point of attention is whether the main IT agreement needs to contain provisions that the supplier and customer can rely on in case the customer or supplier no longer has the right to use the third-party product and/or service. If the product and/or service is crucial for the service delivery, the supplier may want to specify that it will be excused from performing its obligations under the main IT agreement if this was the result of a customer failure. Similarly, if the product and/or service is not (easily) replaceable by another product and/or service, the customer may want to negotiate a right to terminate the agreement in case the right to use the product and/or service is terminated. The parties could also consider including a right for the customer to require the supplier to transfer the contract with the third-party vendor in case of termination of the main IT agreement to ensure business continuity.

Conclusion

We have presented some key considerations we see in the market in relation to contracting standard products and services. It does, however, need to be mentioned that there is no one-size-fits-all solution to deal with the use of standard products and services of third-party vendors in IT projects.

The most appropriate solution may depend on various elements, such as the risk associated with the relevant product and/or service, the required level of control, the fees payable and the models offered by the supplier and/or third-party vendor. It is important to keep in mind that in some situations the interests of the supplier may conflict with the interests of the customer. While the supplier will often be focused on minimizing risks and/or retaining a good relationship with a third-party vendor it works with on many projects, the customer will be interested in minimizing complexity and being able to easily address a responsible party in case of a breach.

Therefore, it is recommended to thoroughly reflect on the contractual architecture for third-party products and services early on in the sourcing process, and to involve your legal team at the right time.

If you require further information or legal advice in this respect, please contact the authors.