
Physical Data Centres: How to find the right one

Contents

1 Introduction
2 Initial Considerations
3 Commercial Issues
4 Key contractual provisions
5 Conclusion

1 Introduction

Data storage and processing facilities are a high-level priority for most CTOs and CIOs, as businesses of all sizes are finding that data is becoming increasingly business-critical. The volume of data being processed and stored is going up year on year, and access to data and data security are becoming increasingly important, whilst pressure to reduce costs and utilise the cheapest available solutions is often paramount. At the same time, obligations which apply to data processing and storage (e.g. data protection requirements) are becoming more complex and heavily policed, which means legal and compliance teams need to be heavily involved in assisting the CTO and CIO to find the appropriate solutions for the business and data in question.

There is a wide variety of potential data processing and storage solutions available, from public cloud through to purchasing and managing your own servers sitting on your own privately owned and managed premises. The public cloud is managed entirely by the third party cloud provider and as such the business has no control over where its data is located; it is typically stored across multiple servers and data centres at any given time, usually at much lower cost. Conversely, some very large businesses which store very large volumes of data, such as banks, choose to construct their own data centres or store and manage their own servers on-site. While this brings a great degree of control it comes at a high cost.

Bearing in mind these factors, businesses often choose a solution that blends some of the advantages of each of these approaches, whereby rack space is leased, and servers purchased and installed, within a data centre which is owned and operated by third parties. Such businesses benefit from a data storage solution that is more sophisticated and efficient than one they could construct themselves, while benefitting from the comfort that their data resides on dedicated servers in a specific geographical location.
On top of this, a business can choose whether to purchase only the rack space or to purchase it as part of a managed service.

Many businesses look to public cloud services for a data processing and storage solution that can store vast volumes of data cheaply. However, not all business or data can be safely stored in a public cloud environment, particularly where data and/or processes are business-critical and the business wishes to have a strong level of control over, and secure access to, them. Conversely, storing and processing data entirely on-site can be both expensive and high risk, as all eggs are in one basket and up-to-the-minute offsite back-up facilities may need to be engaged to hedge this risk. Many large businesses therefore utilise a combination of cloud services, and onsite and offsite data facilities, to provide a right-sized data solution for their business, seeking to ensure that each type of data is stored in the best-fit solution to match its security and risk profile whilst minimising the associated costs of storage.

All businesses remain under constant pressure to identify cost-effective technology solutions and as such data processing and storage solution providers are coming under increasing pressure to address their customers' concerns surrounding reliability, security, service flexibility and efficiency.

In this paper we explore the key concerns of customers considering sourcing more traditional physical data centre type space and services for placing customer hardware in suitably secure and suitably powered rack space, with appropriate connectivity. We consider:

- whether data centre services can meet the (often customised) requirements of customers and at the same time provide an economically viable alternative to the traditional in-house server model on the one hand and/or cloud on the other;
- the customer's main commercial concerns; and
- how customers should approach the negotiation of the key contractual terms.

2 Initial Considerations

Customers are often attracted to data centre services because of:

- significant cost savings in abandoning the in-house server/infrastructure model.
- the opportunity of obtaining high specification and quality data centre space managed by a specialist provider.
- the opportunity to obtain the best fit IT solution.
- the flexibility for the customer to increase or decrease its server space over time and in response to business need.

There are significant potential cost and time implications for a customer transitioning either from its in-house IT function or from an existing data centre service provider, and customers should conduct a thorough review of their systems and data at the outset to determine what the impact of such a change might be. For example, customers should:

- comprehensively review their existing IT function (whether in-house or outsourced) to determine whether their software licences and other supply contracts (for example maintenance contracts) can be transferred to the proposed supplier. This may involve paying additional fees or terminating contracts where required.
- determine whether any TUPE liabilities arise in connection with the termination of the existing service provision.
- consider whether there are any legal or contractual restrictions on moving their data out of their offices, particularly if the data centre is located offshore, which could have data protection implications if that data is personal data.

Failure to fully consider these implications at the outset could lead to unwelcome surprises further down the road and, potentially, undermine the economic rationale for using data centre services in the first place.

3 Commercial Issues

If the customer has determined that data centre services provide the best fit data storage solution, it should next consider the types of data centre services offered in the marketplace and ensure that the service is commensurate with its requirements. We have summarised some of the key commercial considerations below.

3.1 Service Type

The types of data centre services offered in the market vary a great deal in terms of the number of services offered by the supplier (for example whether it includes only rack space in the data centre or also includes associated services such as the provision of servers, connectivity and software) and in terms of the degree to which the supplier manages the service. Broadly, three distinct categories of data centre service can be identified:

Custom solution. The supplier constructs the data centre to the specification of the customer, migrates the data, and continues to provide associated services to the customer.

Fully-managed. The supplier provides the premises and the server environment and associated services. Several customers may share the data centre and possibly the servers.

Co-location. The supplier provides the data centre and connectivity; however, the customer installs its own servers, usually alongside other customers. This type of data centre service is the focus of the remainder of this paper.

A customer may also consider whether it is willing to offshore its data centre service provision, explore the potential savings, consider the impact on the service (such as the accessibility of data if the supplier becomes insolvent) and ensure it remains compliant with data protection laws.

Depending on the value of the deal, the customer may be able to negotiate terms, but on smaller-scale deals the service will be provided on the data centre provider's terms. Nonetheless, the commercial issues identified in the next section remain important to customers of all types.
3.2 Type of Data Centre

The Telecommunications Industry Association has established categories of data centre (the Telecommunications Infrastructure Standards for Data Centres) by reference to site space and layout, the cabling infrastructure and environmental considerations, with a particular onus on service availability. These are industry-recognised, and the classification of the data centre, in ascending order, as either Tier 1, 2, 3 or 4 indicates the availability and performance levels of that data centre.

A Tier 1 data centre is the least reliable of the four categories: although the cheapest, it is based on a single redundancy platform, with unplanned outages likely. Tier 1 data centres are most appropriate for companies with a passive web marketing presence or for small internet based companies with no customer support or e-commerce facilities on-site. At the other end of the scale, a Tier 4 data centre is the most expensive option, with fully fault-resistant equipment and high availability at over 99.99%. This standard of data centre is prohibitively expensive for the majority of businesses and is the preserve of large multinational companies and organisations. Tier 2 and 3 data centres are considerably more reliable than Tier 1, but at appreciably lower cost than Tier

Business Requirements and Due Diligence

The customer should ensure it liaises with the relevant parts of its business to determine in advance the business data storage and processing requirements. In particular, the business should determine how much space it is likely to need over the term of the contract and whether it requires any support services. Given the duration of data centre contracts, the customer should ensure that it is not tied into an expensive arrangement which becomes inadequate or unsuitable after a period of time.

Once the customer has reviewed its IT requirements it should produce a request for proposal (RFP) to use as an invitation for data centre service providers to bid for the customer's colocation hosting and services. RFPs typically include the following:

- A statement of work (SOW) setting out the customer's objectives and requirements, including as to physical and security requirements, power, data centre type, services required, connectivity, space, numbers of locations and flexibility for growth or scaling back.
- Terms and conditions such as confidentiality, publicity, governing law, regulatory compliance and force majeure.
- Budgets and pricing.

3.4 Obligations that apply to data

There are a number of legal principles which may be relevant to the arrangements between the customer and its own suppliers and clients. The customer should carefully review the contracts it has entered into and, where the customer holds supplier and client data without a contract in place, the nature of the data, to identify whether the principles outlined below are applicable.

Contractual. The customer will have contracts in place with its suppliers and its clients which may contain express restrictions on the transfer and use of data. The customer should ensure that its use of data centre services is not in breach of such provisions.

Duty of confidence. A duty of confidence may arise in the absence of any express confidentiality provisions in the contract between the customer and its suppliers and clients. A duty will arise if the data has a necessary quality of confidence about it, for example if a document has been created using a special intellectual skill or using a complicated process that would be difficult to reproduce. In such circumstances the customer is unable to disclose the data to third parties without the permission of the confiding party. For this reason businesses usually ensure that favourable confidentiality provisions are built into the contracts with suppliers and clients.

Data protection. Data controllers based in the UK are subject to the Data Protection Act 1998 (and equivalent legislation is in force in the other Member States of the EU). The Act makes data controllers liable for the processing of personal data carried out by them or on their behalf. Data controllers should ensure that data transfers to data centres outside the EEA are permitted under the Act (there is a blanket prohibition on such transfers unless the data protection regime in the destination country is adequate or if another exemption can be relied upon). The contractual arrangements between the customer and data centre provider should accommodate the customer's data protection obligations; for example, such arrangements will often include a requirement on the data centre provider to only process personal data in accordance with the customer's instructions and to provide appropriate data security measures.

Data security standards. There are industry standard data security principles that apply to certain types of data, for example payment card transactions and the transmission of cardholder data (the Payment Card Industry Data Security Standard, or PCI DSS). Although designed for the processing of card transactions, the PCI DSS contains broad principles concerning the security of data, systems, networks and premises, all of which are applicable to data centre services, and customers may seek warranties from the provider that it will conform to the relevant principles.

3.5 Obligations that apply to software/hardware and services

Data Centre Reliability

Reliability of service remains the most important consideration for customers and goes to the heart of the data centre service.
Customers expect their data to be safely stored and accessible around the clock without any interruption to the service, and seek assurances that the infrastructure in place will provide a reliable day-to-day service (for service level agreements ("SLAs"), please see 4.2 below). Given the criticality of data to business operations, customers (or, in some sectors, such as financial services, regulators) place a great deal of importance on business continuity regardless of circumstances (please see 4.8 (Force majeure) for recommendations on how some of these issues should be approached in the contract). To this end, customers should give thought to the location of the data centre and whether there are any inherent geographical issues (such as the data centre being constructed in an earthquake or seasonal hurricane zone) and scrutinise the telecommunications networks and energy supply on which the data centre relies.

Location

Distance from customer. The distance between the data centre(s) and the customer's offices will affect the costs of transmitting data, as transmission becomes more expensive over longer distances. Similarly, the customer should consider the practical implications of using a data centre which is far away if the customer needs to send its own technical personnel to the data centre to install systems.

Distance between data centres. To the extent that the customer uses data centres (as back up or for disaster recovery) the customer should consider the locations of the data centres and the risk that one or more data centres, and the customer's offices, may be affected by the same disastrous event. Customers usually mitigate this risk by using more than one data centre to store the same data (customers in the financial services sector use several data centres) and ensuring that they are not all located in the same region.

Latency. The greater the distance between the data centre(s) and the customer's office, the greater the latency in data transfers between them. This issue is particularly important to financial services, such as trading platforms. Please see paragraph (Connectivity) below for more information on connectivity and latency.

Natural Risks

Flood. The data centre should have been constructed at a location with little to no risk of flooding; however, the customer should establish the data centre's proximity to flood plains and other areas which have been affected by flooding and review the service history of the data centre to establish whether it has been affected by floods in the past.

Storm. Some regions are prone to seasonal storms. Data centre providers should have either avoided locating the centre in such regions or ensured the data centre incorporates anti-hurricane safeguards, as is the case with some data centres on the east coast of the US.

Earthquake. Data centres should not be constructed in an area known to suffer earthquakes or on tectonic plate lines. Alternatively, data centres in such regions should benefit from anti-earthquake technology, as is the case in Japan.

Power supply. Future power supply can, to an extent, be managed through long-term energy contracts, but the data centre should not be dependent on one source of power and should have emergency generators to provide short-term power in the event of an emergency. Some data centres have been constructed near renewable energy sources in order to guarantee power availability. The customer should ensure that the data centre specification includes comprehensive details of its power connections and back-up systems.

Telecommunications. Data centres should be able to access a telecommunications network which provides a fast connection for customers. As the demand for greater speed grows, customers should consider whether their business requires near-instantaneous connectivity and data back-up, because speeds reduce as the data centre becomes more physically remote. The customer should consider what type of connections it requires, such as the number and speed of connections (in some sectors, such as financial services, lead times on data transfers are critical). If the connections are not being provided by the data centre service provider, the customer should present a separate RFP for the connectivity services to ensure that its requirements are met.

Customers should address these risks by reviewing the data centre's service history to discover the extent of any network outages, power failures and significant temperature fluctuations. Where possible, a customer should secure feedback from the data centre's other customers and implement SLAs which establish service level standards and impose discounts on the service costs if performance falls short.

Standard of data centre. See paragraph 3.2 (Type of Data Centre) above. A customer should consider which standard it requires and ensure that this is documented in the specification.

Data Security and Data Protection

Following high-profile data loss/hacking scandals in the UK, and the revelations by Edward Snowden of state-sponsored spying activities, data security has grown in importance. Businesses are concerned that all types of data should benefit from the highest standards of security. In addition to the commercial, contractual and reputational risks presented by data loss, in the UK, pursuant to the Data Protection Act, data controllers should ensure that their suppliers take "appropriate technical and organisational measures" to protect personal data.
Aside from the physical security of the site, depending upon the exact manner in which a customer utilises the related data centre services, a data centre provider may offer related IT security services, for example:

- Virus protection.
- Data encryption.

It is important for customers to scrutinise the security systems which the supplier has put in place and then ensure that these standards are set out in the contract. Furthermore, it is important to note that a supplier may not be able to guarantee that certain standards are imposed on the third parties on which it relies to deliver the service, and that a supplier may be unable to apply different customers' bespoke security measures on any shared aspect of the service.

A customer may not be aware that there has been a security breach if there is no apparent data loss, so provision should be made in the contract requiring the supplier to notify the customer if it knows or suspects a breach.

Under the European data protection regime it is the customer (as the data processor) rather than the supplier which is ultimately responsible for compliance with data protection law. It is therefore the customer that should ensure that it imposes obligations on the supplier in the contract equivalent to the customer's local data protection legal framework.

Where the data centre service provider is providing only the rack space and connectivity, the data will reside on the customer's own servers. In this scenario, the data centre services provider will not touch the customer's data but nonetheless should still be required to comply with the Data Protection Act where applicable. Therefore, the customer should ensure that the provider: (i) processes data only in compliance with the customer's instructions; and (ii) implements appropriate data security measures.

The customer must give special consideration to the jurisdiction in which its data centre is located if it is outside the EEA, as European rules prohibit the transfer of personal data outside the EEA, except in certain circumstances. Due diligence of the location of the data centre is complicated by the potential complexities of cloud computing and the fact that customers may be dealing with suppliers who operate at one position in a lengthy supply chain.

Service Flexibility

One of the main attractions of outsourcing data centre services is that it potentially provides a great deal more flexibility than could otherwise be achieved by an in-house service. The customer could ensure that suppliers commit, at the outset, to provide more or less capacity depending on how the customer's business requirements change over time, although this is likely to be at an extra cost.
If the customer wishes to be able to reduce the rack space it uses, it should negotiate this possibility prior to entering into a contract, as a provider is likely to resist this without the customer paying extra charges. For increasing rack space, the customer could require the supplier to reserve additional space dedicated to the customer, and the additional capacity can be charged by reference to either the number of rack spaces used or the power consumed (power being the main cost of providing the service).

As an alternative, which is less likely to incur charges, customers could require the supplier to provide updates with respect to the remaining rack space, so the customer can keep track of rack space availability. The provider could give notice to the customer if a certain area is requested by a different customer and give the customer a first option on such space.

Some suppliers do not own the data centre and instead only lease space within it. In such cases, the supplier should have built flexibility into its contract so that it can call upon more space if its customers require.

3.5.4 Efficiency

Despite the obvious cost pressure to reduce power consumption, many data centres remain wasteful but, as data centres become more efficient, customers are able to benefit from the savings. Suppliers are beginning to address the high volume of servers running idle for extended periods by moving the data centre architecture towards a cloud-like service, which is more flexible and reduces rack space. Additionally, the power required for cooling servers accounts for a significant portion of running costs, and some data centres have adopted systems which harness outside air rather than relying on expensive air-conditioning units. This is particularly important for customers which are required to report on energy consumption and carbon emissions and can use this as a driver to impose energy efficiency levels on the supplier.

Insolvency and Contractual Considerations

A customer should consider whether it is contracting with the owner of the data centre or with a middle-man, and also the wider contractual framework in place which underpins the provision of the entire service. In the event the supplier becomes insolvent, the customer may find it is unable to access its servers or is forced into moving to another data centre at short notice. We recommend that, at a minimum, customers should ensure that the contract states that the servers and data within them are the property of the customer, and gives the customer the right to access the data centre and take its data if it needs to.

The supplier will also have a number of contracts in place that are essential to the provision of the service, for example contracts for the servers and infrastructure, for telecommunications and power supply, and with third party contractors responsible for managing and maintaining the data centre.
Customers particularly concerned with service continuity should consider the extent to which the supplier provides these elements itself and the extent to which it relies on third parties.

Connectivity

Customers should establish whether the connectivity supplier will be responsible for all the cabling between each data centre in its network. Often the customer will need to use different suppliers for the different elements of connectivity, so it is crucial to plan ahead to ensure that each data centre and the customer's premises are interconnected with high-performance connections, with little to no latency in data transfer between each part of the network (please refer to the Kemp Little paper on latency, "Latency time for commercial lawyers to get up to speed?", for a more detailed summary of this issue).

Number of connections. A more reliable service will involve multiple connections between the customer premises and its data centre(s) and, where multiple connections are used, the customer should ensure that the connections do not follow the same route, to minimise the risk that all connections could be disrupted by the same disastrous event.

Connection type. Where the customer is using more than one data centre to store the same data, the customer should consider whether it requires a live-live link or a periodic link. A live-live link will transfer data between the customer's premises and its data centres in real time and using the same software, so that if data storage is lost in one location the same data, which is up-to-date, is stored elsewhere. Alternatively, the data can be backed up at a data centre periodically (for example every six minutes). Some customers, for example those in financial services, will require a live-live link so that none of their data is lost if they suffer a force majeure event.

4 Key contractual provisions

4.1 Term and termination

As with any outsourcing or long-term services contract, the parties will usually agree a relatively lengthy initial term (sometimes combined with a one-off, unilateral right exercisable by the customer to extend the term, where the relevant service is critical to the customer's operations). The initial term is usually between five and ten years in order for the customer to obtain the best pricing and due to the significant cost of moving in and out of a data centre. The term will be subject to early termination for cause and, possibly, for convenience. This approach is similarly appropriate for data centre services, subject to the additional considerations below:

Early termination. Customers may require the flexibility of terminating the services for convenience; however, in almost all cases the customer will be required to pay an early termination fee. We recommend negotiating this fee prior to entering into the agreement.

Access to data. Regardless of the reason for termination (even where the customer is at fault) the customer should retain the right to access the data centre to retrieve its equipment. Note, however, that the supplier may reserve the right to exercise a lien over the customer's equipment where the services are terminated by the supplier due to the customer's failure to pay the charges.

Post-termination requirements. The supplier should return any confidential information belonging to the customer and purge any customer data from its equipment.

4.2 Service Level Agreements ("SLAs")

SLAs are a useful way for customers to impose on the supplier an objective service standard, with the supplier usually compensating the customer for relatively minor shortfalls in service quality in the form of service credits. Given that customers expect an uninterrupted service, customers should seek an SLA guaranteeing 100% uptime with service credits for the marginal failures that fall short.
There is also scope to impose SLAs, with service credits, for temperature, humidity and power supply to ensure optimum conditions for the operation of the infrastructure.

Temperature. A data centre must be adequately cooled to off-set the significant heat generated by its operation, which otherwise reduces the reliability and longevity of components. In fact, a significant portion of the data centre's operating costs is dedicated towards maintaining an ambient temperature. For example, Facebook located its first data centre outside the US above the Arctic Circle in northern Sweden in order to take advantage of the favourable low average temperatures and the savings they bring. We suggest that customers prescribe upper and lower temperature limits, recommended at between 20°C and 24°C at all times.

Humidity. When humidity levels are too high, water condensation can occur, causing erosion of hardware and system failure. If the humidity is too low, electrostatic discharge can occur, causing damage to components, and the customer should check that the supplier has adequate humidity monitoring in place. We recommend that humidity is kept within the range of 40% to 60% with critical alerts at 30% and 70%.

Power. The customer should stipulate the required voltage in the power source and the maintenance of a standby power source at all of its data centres on a 24 hour/365 day basis, with service credits payable if any of the data centres suffer any temporary power failure.

4.3 Liability

Loss of data. Suppliers typically try to exclude their liability for loss of data and, in the context of data centre services, will argue that the customer is providing its own servers and software and that the supplier does not touch the customer's data. Nonetheless, the supplier provides the building and physically controls the interior space (for example the supplier's employees may arrange the cabinets and rack space) and there remains the risk that the customer's servers could be damaged, so the customer should ensure that the supplier remains liable. Customers should similarly ensure that the supplier is responsible for damage it causes to the customer's servers, or address this risk by taking out adequate insurance cover.

Liability cap. All suppliers seek to limit their liability. Given the importance of data to many businesses, the customer should ensure that it can adequately recover its costs if its data is lost but, on the other hand, suppliers will resist being liable for the customer's entire business. In financial services, for example, the supplier could face huge liabilities if it is responsible for the loss of customer data and records of transactions, effectively suspending that business's operations.
Typically suppliers will cap their liability at somewhere between % of the service charges, and for this reason customers frequently use more than one data centre to back up their data, as damages claims for lost data will usually be insufficient.

Uncapped liabilities. Notwithstanding the general cap which suppliers impose, a customer should ensure that certain types of liabilities fall outside the cap; these are often liabilities which present a potentially significant financial risk to the customer and which are within the control of the data centre provider. This should apply to claims in relation to the supplier's breach of its confidentiality and its data protection obligations and to claims that the intellectual property residing in the data centre infringes any third party rights. In addition, customers should ensure that the data centre maintains its status (for example, as a Tier 3 data centre), as this status is often at the heart of the customer's choice of data centre, and if the data centre fails to do this it can have a significant impact on the customer's regulatory compliance.

Other customers. The contract should address which party is responsible for damage caused to servers by other customers using the same data centre. As the supplier will disclaim this type of liability, a customer should benefit from a provision in the supplier's other customer contracts whereby a customer accepts liability for the damage its personnel cause to others' equipment.

4.4 Data backup and disaster recovery

Customers should ensure that the supplier has systems in place to adequately back up data and reinstate or reconstruct lost data and that, where the supplier (or its subcontractor) is at fault, it is responsible for the costs of such reconstruction. Suppliers will usually attempt to exclude liability for data loss in the contract, but customers must ensure that suppliers take responsibility for this except, perhaps, where the customer is solely responsible for the loss. Suppliers must also have a detailed disaster recovery plan in place which is updated as necessary. The backup of data and the provision of multiple storage locations, all interconnected and each in turn connected to the customer's premises, is essential.

4.5 Auditing

A customer will almost always require a right, on reasonable notice, to audit the data centre premises up to a certain number of times in any given period (for example, once in any 12 month period). A customer can (and, in the case of financial services firms, should) go further than this by securing additional rights to audit the data centre at very short notice where the customer has reasonable grounds to suspect fraud or where required by the customer's regulator.

4.6 Benchmarking

As with any outsourcing contract, the customer can require a benchmarking regime so that an independent third party reports on the extent to which the supplier's services and costs reflect market norms. Benchmarking is typical in contracts lasting five years or longer and, although sometimes present in contracts of between 3 and 5 years, is less common given the high costs. For data centre services, benchmarking could mean that the supplier is required to improve its service (by, for example, implementing the latest technological developments in security, cooling and power supply) or to reduce its prices so that they are in line with its competitors. For a full discussion of benchmarking please see Kemp Little's paper, "Benchmarking terms in outsourcing contracts: all pain and no gain or an indispensable price protection tool?"

4.7 Compliance with laws

The customer will be concerned that its use of the service complies with relevant laws and regulations and, for some customers, such as those in financial services, the burden of regulatory compliance may be great. The parties should consider how this responsibility should be apportioned; however, where the supplier takes responsibility for regulatory compliance, the cost of this will always be recovered from the customer one way or another. The two common approaches are for the supplier to either spread the cost across all other similar customers or, where a customer's requirements are more unusual, to quote for such additional requirements periodically: the supplier takes responsibility for ensuring that the data centre remains compliant with, for example, PCI DSS standards; however, this on-going support and quality assurance comes at an additional cost. In practice, this means that the supplier imposes the cost of compliance across all customers (or all customers in the same sector/subject to the same regulatory regime); or the supplier provides a periodic quotation for making the necessary upgrades to the service to ensure on-going regulatory compliance.

4.8 Force majeure

Customers should take a more aggressive approach to the negotiation of the force majeure clause than perhaps they would in a typical service agreement. Customers are paying for more than simply storage space. The customer's need for an uninterrupted service goes to the heart of the data centre service, and some of the avoidable force majeure events should have been considered prior to the construction of the data centre. Any hazard which is factored into the disaster recovery plan should not be considered a force majeure event under the contract, because this would otherwise excuse the supplier from performance because of something which the supplier has nonetheless planned for. On the other hand, suppliers will resist taking on the entire business risk presented by force majeure events.

A number of the factors typically relevant to force majeure which may be identified and planned for in the data centre specification are linked to the location of the data centre, which will impact its susceptibility to fire, flood and storm. The level of security at the data centre site will affect its vulnerability to acts of terrorism or civil disturbance. Below are some examples of issues which should be considered:

• Proximity to airports (and flight paths), power stations and other known hazards.
• Proximity to flood hazard areas as mapped by the environmental agency.
• The presence of on-site security (such as security personnel, perimeter fence and motion sensors).

Of course, the supplier should have minimised these risks when selecting the location of the data centre and choosing appropriate security systems, but no data centre can guarantee its service in circumstances beyond its control. Even when all such factors have been considered, customers accept that they must use a number of interconnected data centres in different locations to adequately minimise risk.

4.9 Pricing

Clearly, the type of service required by the customer will impact the price. If the customer opts for a fully managed service which includes, in addition to the rack space, the servers and software, or if the customer minimises its disaster recovery risk by using multiple data centres to back up its data, the customer should expect to pay more for the service. The customer can minimise its costs by ensuring it has only paid for the data centre standard, space and services it needs. However, in a fast paced business it can be very difficult to gauge requirements over time, and some inbuilt flexibility may need to be factored into the requirements and built into the pricing model. In such cases, the customer should seek a scalable service whereby it can increase the rack space/servers as its business grows.

The simplest approach is where the customer can reduce its space on reasonable notice and acquire more space subject to availability. Some customers, however, will require a guaranteed flexible service which they can scale up or down without restriction; in such cases, suppliers will be reluctant to permit the customer to reduce its space or increase its space without imposing a cost in return. As an alternative, the customer could require periodic updates of remaining rack space and retain a first option right over space which is requested by other customers.

5 Conclusion

Despite the rise of cloud based services, many customers still require explicit space in identifiable data centres within which they can place their own servers and manage their own IT. The key to successfully securing space in an appropriate data centre on favourable terms is to accurately assess requirements upfront and to invest time in negotiating those into the terms with the chosen data centre supplier.

Customers should not underestimate the time it takes to accurately record and understand their own requirements, including adequately reviewing their own data to ensure all underlying rights and obligations are identified, reviewing their commercial and technical requirements, including predicting what might be required over the term of the contract, and determining an acceptable level of legal risk. Customers with a well understood set of requirements can run a competitive tender process and secure reliable, technically superior, flexible and cost effective data centre space and related services from suitable suppliers for the long term.

Paul Hinton, Partner, Kemp Little LLP
James Bellamy, Associate, Kemp Little LLP


More information

White paper. How cloud computing can transform the fortunes of small and mid-sized businesses

White paper. How cloud computing can transform the fortunes of small and mid-sized businesses White paper How cloud computing can transform the fortunes of small and mid-sized businesses Small and mid-sized businesses are increasingly looking for new and innovative ways to cut costs while sharpening

More information

A Checklist for Software as a Service (SaaS) Vendors and Application Service Providers

A Checklist for Software as a Service (SaaS) Vendors and Application Service Providers A Checklist for Software as a Service (SaaS) Vendors and Application Service Providers This checklist is a longer version of a SaaS Checklist that appeared in the July 2009 issue of LAWPRO Magazine at

More information

How To Manage A Business Continuity Strategy

How To Manage A Business Continuity Strategy Business continuity strategy 2009 2012 Table of contents 1 Why this strategy is needed 3 2 Aim of the strategy 4 3 Our approach to business continuity 4 PROCESS 4 STRUCTURE 5 DOCUMENTATION 6 DISRUPTION

More information

General Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES

General Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES General Terms of Public Procurement in Service Contracts January 2015 Contents Introduction...3 Issues to be observed in applying...5 General Terms of Public Procurement in Service Contracts ()...9 1 Definitions...9

More information

Harnessing The Cloud: Managing Risks and Governance in a Cloud Environment Russell G. Weiss November 9, 2011

Harnessing The Cloud: Managing Risks and Governance in a Cloud Environment Russell G. Weiss November 9, 2011 2011 Morrison & Foerster LLP All Rights Reserved mofo.com Harnessing The Cloud: Managing Risks and Governance in a Cloud Environment Russell G. Weiss November 9, 2011 Presenter Russell Rusty Weiss Partner

More information

Datacentre Studley. Dedicated managed environment for mission critical services. Six Degrees Group www.6dg.co.uk

Datacentre Studley. Dedicated managed environment for mission critical services. Six Degrees Group www.6dg.co.uk Dedicated managed environment for mission critical services www.6dg.co.uk Our datacentres are the core of our business. At we own and manage 30,000 square feet of highly available, geographically diverse

More information

INFORMATION ASSURANCE

INFORMATION ASSURANCE Service Definition Thomson Reuters Legal Matter Management service (Serengeti Tracker) is the highest rated legal matter management, e-billing and analytics system designed for inhouse legal departments.

More information

Data Center Space

Data Center Space LEASING DATA CENTER SPACE: AN INTRODUCTION FOR RETAILERS R. Robinson Plowden Sutherland Asbill & Brennan LLP Atlanta, GA F or many retailers, the efficient and continuous operation of information technology

More information

Why you should opt for an external data centre: 10 no-brainers LCL WHITE PAPER. LCL, your partner in data center outsourcing 1

Why you should opt for an external data centre: 10 no-brainers LCL WHITE PAPER. LCL, your partner in data center outsourcing 1 Why you should opt for an external data centre: 10 no-brainers LCL WHITE PAPER LCL, your partner in data center outsourcing 1 A data centre, even a small one, is a huge investment for any organisation.

More information

ENHANCEMENT CONTRACTS - AVAILABILITY OF INSURANCE TO NETWORK RAIL

ENHANCEMENT CONTRACTS - AVAILABILITY OF INSURANCE TO NETWORK RAIL ENHANCEMENT CONTRACTS - AVAILABILITY OF INSURANCE TO NETWORK RAIL Background As part of the consultation process relating to the revision of the template agreements a few stakeholders have suggested that

More information

CRM Support Services Agreement

CRM Support Services Agreement CRM Support Services Agreement Agreement Number: Start Date: Renewal Date: Minimum Term: Points Purchased in Initial Minimum Term: This Agreement sets forth the terms and conditions under which The CRM

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Commercial Energy Management 11 Questions to ask your Energy Broker

Commercial Energy Management 11 Questions to ask your Energy Broker Commercial Energy Management 11 Questions to ask your Energy Broker Benchmark your Broker Introduction Do you use or are you looking to use a Business Energy Broker? It s important to find the right partner

More information

CIPS Chartered Status Assessment Terms and Conditions (v1.0 12.01.15)

CIPS Chartered Status Assessment Terms and Conditions (v1.0 12.01.15) CIPS Chartered Status Assessment Terms and Conditions (v1.0 12.01.15) This page (together with the documents referred to on it) tells you ( you means the party contracting with CIPS) the terms and conditions

More information

May 2010. Cloud Vendor Charter. Vendor Version Not for distribution to customers

May 2010. Cloud Vendor Charter. Vendor Version Not for distribution to customers May 2010 Cloud Vendor Charter Vendor Version Not for distribution to customers Disclaimer This specification is published without responsibility on the part of BASDA Ltd or the various contributors, sponsors

More information

Documentation for data centre migrations

Documentation for data centre migrations Documentation for data centre migrations Data centre migrations are part of the normal life cycle of a typical enterprise. As organisations expand, many reach a point where maintaining multiple, distributed

More information

Conditions means the standard terms and conditions set out in this document;

Conditions means the standard terms and conditions set out in this document; October 2014 Conditions of Supply for Electricity SME Business Customers These are our terms and conditions which are applicable to Commercial Customers with tariffs in Duos Group DG1, DG2, DG 5 or DG

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

Preparing for the Worst: Disaster Recovery and Business Continuity Planning for Investment Firms An Eze Castle Integration ebook

Preparing for the Worst: Disaster Recovery and Business Continuity Planning for Investment Firms An Eze Castle Integration ebook Preparing for the Worst: Disaster Recovery and Business Continuity Planning for Investment Firms An Eze Castle Integration ebook Table of Contents 1. Introduction to Business Continuity Planning and Disaster

More information

ANZ Expense Manager TERMS AND CONDITIONS 03.10

ANZ Expense Manager TERMS AND CONDITIONS 03.10 ANZ Expense Manager TERMS AND CONDITIONS 03.10 Contents 1 Introduction 4 2 Defined Terms 4 2.1 Interpretation 7 2.2 Customer More Than One Person 8 3 Provision of ANZ Expense Manager 8 4 ANZ Expense Manager

More information

COLOCATION SERVICE SCHEDULE

COLOCATION SERVICE SCHEDULE COLOCATION SERVICE SCHEDULE 1. Definitions and Interpretations 1.1 Definitions Capitalised terms in this Service Schedule not otherwise defined here have the meaning given in the Vocus Standard Terms and

More information

Choosing a Cloud Computing Company

Choosing a Cloud Computing Company Benefits of Cloud Computing - Pros of Cloud Computing - Arguments for Cloud Computing Choosing a Cloud Computing Company 1. With Cloud Computing, employee's computers will cost less, because essentially

More information

Buyer s Guide. Buyer s Guide to Secure Cloud. thebunker.net Phone: 01304 814800 Fax: 01304 814899 info@thebunker.net

Buyer s Guide. Buyer s Guide to Secure Cloud. thebunker.net Phone: 01304 814800 Fax: 01304 814899 info@thebunker.net Buyer s Guide to Secure Cloud Buyer s Guide to Secure Cloud An executive guide to outsourcing IT infrastructure and data storage using Private Cloud as the foundation. Executives derive much confidence

More information

www.echoromeo.co.uk Web Hosting Contract

www.echoromeo.co.uk Web Hosting Contract www.echoromeo.co.uk Web Hosting Contract 47 Glenmoor Road Ferndown Dorset BH22 8QE Ferndown: +44 (0)845 508 96 21 Aldershot: +44 (0)845 154 98 97 E-Mail: info@echoromeo.co.uk This Agreement is Between:

More information

Business Continuity Planning in IT

Business Continuity Planning in IT Introduction: Business Continuity Planning in IT The more your business relies on its IT systems, the more you need to consider how unexpected disruptions might affect your business. These disruptions

More information