With the proliferation of new technological solutions for everything from fundraising to donor relationship management, program analytics to payment processing, nonprofits are engaging an increasing number of third-party vendors to integrate these systems into their day-to-day operations. These services are often “mission-critical,” meaning they are necessary for the nonprofit to function optimally and accomplish its purpose.
Since the legal contract with the vendor forms the groundwork for the delivery and continuing functionality of the system being provided, it’s essential that you understand its terms and be prepared to negotiate them.
It probably comes as no surprise that these technology contracts are mostly one-sided in favor of the vendor. Though many vendors would like you to believe that little or no negotiation is possible, the truth is that in most cases, most of the terms are completely open for discussion and can, and should, be negotiated.
It would take a great deal more space to provide an exhaustive list of all the possible terms that can be negotiated. Below are the essential five points that must always be addressed. If the contract is well drafted, these terms will protect your organization from any unexpected, extended downtime or a data breach that could result in more devastating harm.
1) More Money: Negotiating Limitation of Liabilities
Vendors routinely attempt to limit claims for any loss or damage that the organization might incur by imposing a “cap.” The cap typically is a limit of six months or less of fees paid.
In reality, should the vendor fail to adequately provide the services or if the contract is breached, it’s likely that the impact and cost will far exceed the vendor’s default cap. Set the cap at a high multiple of the contract value and do not allow it to be tied to monies paid to date, which would limit the organization’s recompense for claims that occur early on.
Even if a higher cap gets negotiated, those damages which pose a greater risk to the organization and its reputation should always be excluded from any such cap. As an example, damages that result from a data breach or exposure of confidential information, or claims related to intellectual property infringement of the vendor-provided solution, should never be capped.
2) Promises, Promises: Representations and Warranties
During the initial evaluation phase of identifying and selecting a vendor, the presentation might include impressive marketing materials that exhaustively detail the various aspects of the vendor’s product, which promise you all sorts of amazing results.
If the vendor is responding to a request for proposal (RFP), the person might also meticulously detail the features and functionality of the proposed solution. Then when the contract follows, it only provides scant information on these same benefits, features and functionality of the original proposal.
Making matters worse, vendor contracts might actually disclaim or exclude statements or information made during the “selling” phase. To counter this problem, attach all marketing materials, RFP responses or other descriptions previously provided to the contract and require the vendor to attest to their accuracy and truthfulness.
Alternatively, you could conduct a review of the user documentation provided for the proposed solution, and make sure it is referenced in the contract. These extra steps will align expectations that the solution actually delivers on what was pitched, and provide legal recourse if it does not.
3) Security, Security and Security
Vendors tend to be non-committal and vague when it comes to describing the security precautions they will employ to protect data and confidential information. You should exercise due diligence on the vendor’s actual practices and require the inclusion of your baseline expectations and standards in the contract.
To this end, it should include specific provisions that require the vendor to employ physical, administrative and technical safeguards to protect confidential information and donor data. This is essential to ensuring the adequate protection of your confidential information.
4) Even the Best Laid Plans: Breach Notification and Credit Monitoring
Data breaches can occur as the result of careless or negligent acts. Even when the vendor is well intentioned and the various safeguards and security precautions have been implemented, a breach can happen as no system or platform is completely “breach proof.”
Besides the damage to the organization’s reputation, data breaches can be very costly events. For example, if consumer notification is required, the vendor will be legally obligated to notify you, not the donors and supporters. It’s a good idea to insist that all vendors storing personally identifiable information agree to pay for all statutorily required expenses related to breach notification, as well as to pay for credit monitoring and insurance services on behalf of the affected donors and supporters.
5) Breaking Up is Hard to Do: Transition Services
Not all vendor relationships last forever. If you need to make a change, the process to transition to a new vendor can be lengthy and arduous. Vendors are usually reluctant to assist with these transitions, and as a result the organization gets stuck with the logjam.
To mitigate a rough transition, include a provision in the contract that requires the vendor to provide ongoing services and specific transition support (at their then standard rates) for a specified period after notice of intent to terminate the contract is provided.
The above is a general framework for addressing some key contractual issues, but keep in mind that there will doubtless be a variety of other issues and concerns to address. The importance of closely reviewing each contract — and negotiating the key terms as well as adding in additional provisions that may be missing — cannot be overstated.
A well-crafted, comprehensible contract will help ensure that you and your vendors are in fundamental agreement regarding obligations and expectations, and will provide your organization with important legal protections and remedies.
Jon Dartley, Ph.D., is Attorney, Of Counsel, at Perlman & Perlman, LLP in New York City who counsels on privacy and big data, technology, outsourcing, software, intellectual property/licensing, Internet-related transactions, general corporate matters and venture-related funding.
Legal disclaimer: The information contained in this article does not constitute legal advice, and is not intended to substitute for legal counsel.