TIO Service Level Agreement (SLA)

Total Information Outsourcing (TIO) can be a cheaper, faster and more efficient way to implement information systems in an organisation. It can also lead to irremediable vendor lock-in or complete loss of control. The Service Level Agreement (SLA), which defines the nature of the service between a TIO client and a TIO supplier, is the key document for understanding and assessing the strengths and weaknesses of a TIO offer.

We recommend reviewing five issues in a TIO SLA: support, software access, data access, privacy and staff screening. For each issue, buyers should make sure they can answer a few simple questions.

How fast does my TIO provider guarantee to repair the system if it malfunctions? Some TIO providers give no guarantee at all, or only a so-called best-effort guarantee. Others guarantee a response delay, which means nothing in terms of actual repair. Some guarantee a delay for returning to normal operation.

Is there a way for me to run the same application on my own servers, and at what cost? Some TIO providers keep their application secret and do not allow it to run outside their infrastructure. Others make it open source, which allows a TIO service to be migrated at any time to another provider or to one's own infrastructure.

Can I access all my data, including log files, data input history and configuration data? Some TIO providers provide no access at all and even claim, as Google did in early versions of the Chrome application licence, that data entered by users becomes their property. Others provide full access to all data in its native formats.

Can my TIO supplier provide my data to third parties? Some providers simply resell the data you entered. Others, like Google, include in their SLAs a right to use it in aggregated form for purposes which are not specified. Consulting companies such as McKinsey build a corporate knowledge base of business cases from the results of previous consulting missions, i.e. previous clients. Others provide information to intelligence services and, in some cases, are forced to by national regulations. This is for example the case in the United States, where suspicion of unethical business behaviour is sufficient for intelligence services to access the data of companies competing with US companies and to pass that data on to them. Other TIO providers guarantee that client data will not be provided to any third party in any form.

What guarantees does my TIO supplier give me in terms of staff screening? Some TIO providers make sure that their staff sign specific NDAs, or include NDA provisions in their employment contracts. Other TIO providers implement specific procedures to train and protect their staff against blackmail attempts by intelligence services.

(Besides the five main criteria to look for in an SLA, it is also important to check whether a TIO service includes advertising for other companies, which is often a sign that the TIO service is reselling client data in aggregate form.)

SLA Effectiveness

Is an SLA effective enough to protect clients?

Access Freedom: the SLA is enough

Data Freedom: some technical effectiveness required. The process to access data must be defined in the SLA and .....

Software Freedom: some technical effectiveness required. Same as GPL and source code SVN vs. tar.gz etc....

Social Freedom: third-party auditing is the only way to make it effective

Competition Freedom: the SLA is enough

SLA Worst Practices

Crime 1: no guaranteed delay to repair

Crime 2: no way to run the same application on my own infrastructure

Crime 3: no guarantee of access to all my data (TDP)

Crime 4: transfer of ownership of user information to TIO provider

Crime 5: no guarantee that my data will not be provided to other companies without my explicit approval

Crime 6: no guarantee that my data will not be provided to police or intelligence services without my explicit knowledge

Crime 7: no guarantee that staff must obey strict non-disclosure procedures regarding my data