I have had cause to review a number of support contracts since releasing the article ‘Why do I need a contract?‘ with one in particular highlighting many things that I thought would be of interest to those who contacted me about this subject. I will not mention any names to protect the privacy of my client and the supplier but all of this is genuine extraction from a contract that covers data backups where it appears in quotes and italics. This particular contract is a general outsourced IT support contract aimed at the small to medium sized business without an internal IT resource and I understand that this contract has been used across a reasonably large client base.
I will be focusing on the clauses that affect data backup management from this Service Level Agreement:
- The contract offers a paid for extra option for ‘Back-up management and restore‘ and demands that ‘The restore service only covers back-up software that is from the XX approved back-up software list‘.
- There is an additional exclusion which impacts on the restore service as the contract states ‘If the server needs to be reinstalled this will be charged at £X per hour if a restore is not possible‘.
- There is an exclusion that states ‘Please note that the responsibility to have a good backup of all the business data and programs lies with the client and not with XX. XX recommends that there should be more than one good backup (preferably a minimum of 5) and that they should be held off-site at all times.‘
- There is an exclusion that states ‘Services does not include the diagnosis and rectification of any fault, or otherwise providing any Services, resulting from failure by the client to backup its data‘
- There is an exclusion that states ‘While providing the Services, XX, may access the client’s computer network and may impair the performance of that network, or inadvertently damage or lose any data stored upon it. XX is not liable for such damage or loss and the client undertakes that it will backup all data stored on its computer network at least once every 24 hours and check every 24 hours that the backup has been successful. Clients are required to operate a minimum of 5 back-ups. If provided as a Service, XX will undertake to repair a data backup problem within a reasonable timescale and more than one attempt over the course of more than one day may be required to allow the restoration of data from backups. Any data added by the client after the data backup that requires repair will not be the subject of a data backup itself and may be lost in the event of a further fault arising. It is the sole responsibility of the client to ensure that all data backups are operating successfully and are stored off-site.‘
When I first read this contract I was not certain that I had read it correctly but after reading it a few times I was somewhat taken aback by the exclusions and with the placement of the responsibility of the service covered within the contract firmly back with the client.
So let’s go through these points one a time and I will explain what I see is wrong with this contract:
- This service is an optional extra on the standard ‘Network Support Service‘ which offers ‘Backup Monitoring‘ by allowing a client to access ‘backup management and restore‘ for an additional fee. In itself this is not a problem as it clearly shows the supplier wishing to take responsibility for the backup management and offering assistance in restoring the data but when reading further through the contract, this seems to be a shallow offer. I also do not have any problem with the software used for the backup being on an approved list by the supplier as this would assist in ensuring that all the supplier’s staff are appropriately trained on the solutions. However, when examining the list of approved software, it was found to contain only 5 options that were predominately Cloud based subscription services that the supplier is a reseller for!
- Whilst I realise that the supplier can’t be fully responsible for every type of data loss, if the software being used is on their approved list, why does the supplier not ensure that their own backup service offerings do not support bare metal data recovery from the last good backup? I also question under what circumstances would a server reinstall be required without the need to restore some data therefore this exclusion clause should never be able to be acted upon so one would question what the intent of this clause is.
- The second part of this clause is reasonable business advice for basic data backups and probably would be adequate, what I am at a loss to understand is why is it the responsibility of the client to have a good backup? The client is paying the supplier to manage their backups with this covering monitoring and reacting to support incidents in a managed way to ensure that good backups are being taken and I would assume that this would be carried out in line with the supplier’s own advice on backup frequency and retention.
- This is another example of where the supplier is stating that it will not be responsible for the backup process or more importantly the restore process as it states that the client is to do the backup of its data. One would assume that if the management of the backup was being carried out properly that there would be backups to allow the recovery of data services to the client and therefore the support related to data recovery would be covered by the contract. I would accept that the client is responsible for the changing of backup media to meet with the supplier’s recommendations but there is no mention of this within the contract terms and conditions. I would suggest that the contract leaves this in an ambiguous state as neither party is taking responsibility for this critical role whilst recognising that the clause at point 3 does make suggestion that the client is to maintain off site backup copies.
- I am sorry, the supplier ‘may inadvertently damage or lose data’ and is ‘not liable’ for this! Under what conditions would the supplier not be liable for any damage or loss of client data when carrying out their services for the client and why would any client accept a clause in a contract like this? This whole clause is an appalling example of a contract trying to protect the supplier in their line of business and passes all responsibility back on the client.
Whilst this poor example of a contact is being used to demonstrate the appalling position of what an IT support contract can offer with respect to data backup protection, it is the client’s business that will be affected if their backups do not operate properly and their data can’t be restored when they need it.
Symantec BackupExec, for example, can send a backup status eMail when the backups complete with it possible for this to go to a number of different notification users. A backup status alert eMail can come through with the title of ‘Backup Exec Alert: Job Completed with Exceptions’ and whilst in many cases these do not represent a real problem, if the files skipped are most of your files you would want to know about it. You should be familiar with your daily backup process, the normal status alerts and also the size of the backup.
I would suggest that whilst you can outsource the management of your data backups, you should also receive daily notification of your backups so you can monitor them yourself and be confident that they are working as planned which is what I think this supplier is actually trying to do but their contract goes too far. Do not leave your business at risk due to a poor service contract like this and monitor your supplier and backups if you outsource your data backup monitoring/management.