Take it from us, disaster recovery has never been easy. These times, however, are the most challenging yet, with cyberattacks and cloud outages becoming almost common. For enterprises with limited IT staff and an even more limited in-house disaster-recovery capability, the challenges become herculean. Data security concerns, shrinking IT budgets, and overburdened in-house IT are the major challenges faced by all kinds of enterprises. As a natural reaction and viable option, these enterprises may think about signing with a disaster recovery service vendor to take care of data protection and business continuity for their companies.
Disaster Recovery as a Service, or DRaaS, is getting increasing traction, as more vendors jump into the space, and more enterprises subscribe to the scalable, affordable, and value-adding services. Whether you finalize a data recovery service deal with a traditional vendor or an advanced DRaaS solution provider, you will need to understand, assess, analyze, and renegotiate on the critical fine print points of the service-level agreements and other sections of the contract. In this guide, we will take you through the fine print that makes DRaaS contracts iffy for enterprises, and enable you to take control and be protected by the contract when the time comes.
Replication service: Get a written guarantee
One of the most crucial parts of any disaster recovery service is the replication service. Of course, the technology used to manage replication at production and recovery sites will need to be updated, advanced, and reliable. Any disaster recovery service vendor is increasingly becoming open to including replication service within the uptime guarantee. Once you define your recovery point objectives (RPOs), you would need written guarantees from disaster recovery service vendor that the replication service is managed well to meet the RPOs.
It goes without saying, speed is everything when a disaster takes your business data and applications offline. It works well to consider the data-recovery service provider as an extension of your in-house IT security personnel teams. To make sure that the vendor is involved when you embark on data recovery exercises, push for specific wording in the contract and get commitment for an agreeable level of responsiveness. If you’ve entered into a self-service data-recovery engagement with a vendor, it will still make sense to have the contract explicitly say how the vendor will help in situations where your IT team is unable to complete the recovery on its own.
Recovery time objective
One thing to remember is that recovery time objectives (RTO) differ across vendors. Based on your business and the nature of data, you will need to stress specific RTO SLAs with your disaster-recovery service vendor. For instance, in the medical care industry, you’d want your vendor to acknowledge the need to make recent patient data available in shortest possible times. Because RTO SLAs differ based on vendor capabilities and enterprise priorities, you’d do well to specifically discuss what’s critical for your company and have that built into SLAs. Though vendors only provide a per-machine basis RTO SLA, or often only provide estimated SLAs, you must not let go of the opportunity of getting the vendor to commit to very specific RTO SLAs.
While your vendor’s service delivery and quality will be managed by the explicit SLAs you agree on and have written into the contract and Statement of Work document, it always pays rich dividends to have an additional layer of protection in place. Service credits give you this layer. A service credit clause makes sure that the vendor pays back some amount to your enterprise, or knocks off a portion of the billing, to make up for unmet SLAs. Because DRaaS is still new, there’s sufficient power with the buyer to get a vendor to agree on service credits. And assuming your first year goes well, you’d find it easy enough to have the same basic contract extend for the years to come.
Availability of infrastructure
As counterintuitive as it might sound, it’s common for enterprises not to care about the tenets in the contract about infrastructure availability. Infrastructure comprises the digital and physical assets where the replication and restoration of data will be managed from. It goes without saying, for the replication and restoration to be successful, the core infrastructure will need to be accessible at that time. Particularly when you are involved in a self-service DRaaS engagement, this becomes the most important, and often the only SLA, that the vendor offers.
Before you enter negotiations and contract finalization with a disaster recovery service vendor, know this. As soon as you bring in the idea of adding more SLAs or changing some of the boilerplate contract clauses, the vendor will cite legal difficulties in changing the contract. To counter, propose that you will mention the additional SLAs in an addendum document to be added to the contract. That’s not all: You will need to add a declaration in the beginning of the contract, acknowledging the presence of the addendum, and specifically mentioning that the boilerplate contract and the addendum make for the complete contract. Also, mention in the declaration that in case the clauses of the contract and the addendum are conflicting, the addendum will hold.
Exit strategy from your disaster recovery service vendor
It’s possible that a year or two down the line, you’d want to switch to a different DRaaS option. The problem you’re likely to face is that your existing disaster recovery service vendor might stop cooperating and even become hostile when the stage of transitioning the documents, assets, and knowledge over to the new partner arrives. To retain control, consider laying down clauses to govern the last quarter of your engagement with the vendor, and link them to service credits explained above.
A surprisingly large number of enterprise-vendor relationships around disaster recovery services could end up being debated and contested around the wording of the contract. To fare better, make sure you understand the fine print, and get adequate additions and changes done in the contract to stay confident, secured, and covered.
Photo credit: Shutterstock