Beltug recommendations for your SaaS negotiations: SWIPO and the SaaS CoC

Negotiating contracts with Cloud Service Providers is a complex yet critical endeavour for organisations. As the ‘voice of the business user’, we are committed to keeping our members well-informed and prepared. Together with our sister associations Cigref (France), CIO Platform (Netherlands) and VOICE e.V. (Germany), we have put together concrete Recommendations plus a Data Portability Questionnaire, based around the recently published SaaS Code of Conduct (CoC) from SWIPO.

18 / 11 / 20

Downloads

SWIPO - observations and recommendations Beltug - Cigref - CIO - VOICE

Overcoming roadblocks to porting your data

SWIPO (SWitching from provider and POrting non-personal data) is the name for the working groups, comprising users and providers, set up to address EU Regulation 2018/1807 on the free transfer of non-personal data in the EU. One goal of the Regulation is to resolve the legal, contractual and technical roadblocks that make it difficult or impossible for companies using data processing services, to port their data from one service provider to another, or even back to their own systems.

The SWIPO working groups are drafting self-regulating ‘Codes of Conduct’ to address these roadblocks. These codes should define best practices and information requirements that reduce vendor lock-in, by making it smoother to switch providers and simplifying data porting. And they should ensure that Cloud Service Providers supply business users with detailed, clear and transparent information before signing a contract for data storage and processing.

The general SWIPO Principles

Switching between service providers and data porting must be possible, effective, not cost consuming, and easy.
The ability to port data without hindrance is a key factor in facilitating user choice and effective competition on markets for data processing services. [Consideration 29]
In order to take full advantage of the competitive environment, professional users should be able to make informed choices and to easily compare the individual components of various data processing services offered in the internal market, including in respect of the contractual terms and conditions of porting data upon the termination of a contract. [Consideration 30]
Trust enhancement in the security of cross-border data processing is a key factor to improve the legal certainty for companies as regards compliance with the applicable security requirements when organisations outsource their data processing activities to service providers, including to those in other Member States. [Consideration 33]
All security requirements related to data processing that are applied in a justified and proportionate manner on the basis of Union or national law in compliance with Union law in the Member State of residence or establishment of the natural or legal persons whose data are concerned, will continue to apply to processing of that data in another Member State. [Consideration 34]

(Source: SWIPO Common Scope and Approach Version 0.10 10 June 2019, our bold and references to the corresponding considerations of the Regulation.)

The above principles do not appear in the 2020 version of the document. This is very unfortunate, as they could be inspirational for the future evolution of the Code of Conduct.

CoC for SaaS and IaaS: strengths and gaps

So far, Codes of Conduct (CoC) have been created for SaaS and IaaS (you can find them on the SWIPO website). They cover several important details, for example the current version of the SaaS CoC handles the technical aspects of porting rather adequately.

However, there are a number of gaps: it does not assure data export for interoperability, nor porting at all time; it does not assure data export in case of organisational change; it does not address cost moderation; it does not protect users from unilateral changes in contract terms; and more.

Our recommendations and observations

While Beltug and our sister organisations do encourage Cloud Service Providers to adhere to the CoC, this in itself is not enough for users to be confident that all of their needs are being met.

‘SWIPO. A new Code of Conduct for data import and data export for SaaS Suppliers: Observations and recommendations’ explains the background of SWIPO, provides observations on the strengths and gaps of the CoC, and gives recommendations on what your organisation can do when preparing tenders, and negotiating with Cloud Service Providers. This includes a Data Portability Questionnaire (linked in the Recommendations) that you can use with providers who do and who do not adhere to the SaaS CoC.

We encourage you to share this document with all those involved in the selection of a SaaS application: business project leads, technical staff, buyers, contract drafters and legal counsellors.

Return to impact

Cookie	Duration	Description
_wordpress_test_cookie, test_cookie	session	WordPress sets this cookie when you navigate to the login page. The cookie is used to check whether your web browser is set to allow, or reject cookies.
CONSENT	until you remove it	The cookie is set by the GDPR Cookie Consent WordPress plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. When Consent has been given the cookie is used to store the user consent for the cookies in the category 'Analytics'.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category 'Necessary'.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
WordPress_clef_session, _wordpress_cleff_state	1 year	This WordPress cookie is necessary to use the administrator zone (only for administrators).
wp-settings-1, wp-settings-time-1	1 year	WordPress uses this cookie to customize your view of the admin interface, and possibly also the main site interface.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report.
_gat_gtag	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick to register and report the website user’s actions after viewing or clicking one of the advertiser’s ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie that YouTube sets that measures your bandwidth to determine whether you get the new player interface or the old.
YSC	to be removed by you	Registers a unique ID to keep statistics of what videos from YouTube the user has seen. This cookie expires when you close your browser.
yt-remote-connected-devices	to be removed by you	Stores the user’s video player preferences using embedded YouTube video.
yt-remote-device-id	to be removed by you	Stores the user’s video player preferences using embedded YouTube video.