SSA-SKY has arrived - the new Norwegian governmental standard agreement on cloud services
By Inge Kristian Brodersen
In our previous newsletter, we discussed the soon-to-arrive governmental standard agreement on cloud services – SSA-SKY. Well, here it is - just after the recent Easter vacation, on 7 April 2021, SSA-SKY was published on the website of Norwegian Agency for Public and Financial Management ("DFØ", see link. As for all the "SSA"- templates, it is free to use and is not limited for use by governmental customers only. As previously mentioned - it is reason to believe SSA-SKY will be a practical and possibly popular addition to the half century old SSA-portfolio in the area of IT and cloud services on the Norwegian market. We will briefly look into the contents of SSA-SKY below.
Overview and structure
SSA-SKY is currently only provided in a Norwegian version, but we expect a version translated into English to be provided shortly as well, in line with the other SSA-templates. The full title of SSA-SKY, as hereby unofficially translated by us, is "Agreement on facilitation, implementation and management of cloud services delivered on standard terms". The title is certainly indicative of one of the main purposes of the agreement, which is to cater for the "new normal" in which the customer buys cloud services from a "public cloud" (i.e. standardized cloud services, typically from large international service providers).
The final version of the SSA-SKY main body text is 46 pages long, with 12 main sections with several sub-sections. Many of the general terms and conditions are based on familiar SSA-wordings, such as the liability clauses for breach of GDPR and for other breaches of contract, while a few appear to be new such as a currency risk clause.
There are 12 pre-written templates for appendices (including requirement and solution specifications, SLA, pricing provisions, Data Processing Agreement, and not least – standard terms for cloud services from the applicable provider) with the option to add on further appendices.
Relationship between Customer, Supplier and Cloud Service Provider
Under SSA-SKY, the typical situation would be that the Supplier provides services to the Customer related to the implementation and the management of cloud services provided by separate cloud service providers (hereinafter "CSPs"). The template is designed for procurement of various cloud services which are adapted and put to use in implementation processes that are independent from each other. The built-in flexibility of the template allows independent cloud services to be implemented and managed, partially or fully in parallel.
The term "Cloud Services" is defined as cloud services delivered by the CSP according to the applicable CSP's standard terms, which shall be attached to SSA-SKY Appendix 10. The Supplier's services (Nw. "Ytelser") are distinguished from Cloud Services, and the distinction is crucial to the understanding of the Supplier's obligations as further described below. A fundamental principle in SSA-SKY is that the CSP's standard terms are binding for the Customer to SSA-SKY when it comes to the provision of the Cloud Services, even if it is the Supplier under SSA-SKY that is party to the agreement with the CSP, cf. clause 1.1.2. Also, if the Customer is party to a CSP's standard terms, the Supplier is obliged to manage such terms on behalf of the Customer against the CSP, to the extent that obligation is stated in the SSA-SKY Appendix 1 and 2.
In addition to said principle, we find provisions throughout SSA-SKY specifically stating that the CSP's standard terms prevail. The term of the applicable Cloud Services is defined in the applicable standard terms for such Cloud Services, i.e. not necessarily the same as the term for SSA-SKY, cf. clause 4.1.2. Another example is in clause 5.4.2 which refers to the CSP's standard terms regarding the CSP's change of subcontractors, and yet another in clause 5.8.3 which states that any audit by the Customer of the Cloud Services as such can only happen in accordance with the CSP's standard terms. According to clause 6.6, pricing and payment terms, including indexation, for the Cloud Services follow the CSP's standard terms, unless otherwise agreed. Breach of contract and/or service levels as well as dispute resolution related to Cloud Services fall under the standard terms of the CSP, cf. clauses 9.1.2 and 12.5.
The obligations of the Supplier
The Supplier's obligations under SSA-SKY revolve around services such as the implementation of the Cloud Services from CSP and thereafter the management of such Cloud Services. In this context, one might say that the Supplier acts as an integrator or reseller of the Cloud Services. As further described below, the Supplier may be more than that – it may have other responsibilities such as for performing operational infrastructure services while implementing the cloud platform – or in parallel with the provision of the Cloud Services.
Implementation activities are divided into 2 main categories: Activities for "facilitation" and for "introduction" of the Cloud Services. Under "facilitation", examples are listed such as customization of Cloud Services, including set-up of Cloud Services and development additional functionality for the Customer, as well as integration, data conversion and production of documentation for cooperation and service management. Under "introduction", we find training, awareness and other organizational topics.
Such implementation activities shall be captured in a high-level progress plan with agreed milestones. The plan shall include a "go-live date". On that date, the Supplier is responsible for ensuring that the Cloud Services that the Supplier has recommended or offered fulfil the service levels stated in the CSP's standard terms. The parties can specifically agree that the go-live date shall follow an "Approval Test" (Nw. "Godkjenningsprøve"), under which the Customer shall verify and test the implementation of the Supplier's services. SSA-SKY includes A, B and C error category definitions in clause 2.2.12 – on standard SSA format - which the parties can agree to deviate from in Appendix 4.
The Customer can also verify the Cloud Services as such as part of the Approval Test. However, defects and errors in the Cloud Services on the go-live date shall not prevent approval by the Customer of the Supplier's services, unless the Supplier has explicitly has taken on the responsibility for such defects and errors in the Cloud Services. The Supplier's responsibilities for the Cloud Services during implementation are mainly limited to ensure that they adequately cover the required functionality and fulfill the service level requirements stated in the applicable standard terms from the CSP on go-live date.
Service management activities commence upon the go-live date, and include activities such as maintenance of customizations, monitoring performance and changes of the Cloud Services, consultancy services, operational services etc. If specifically agreed, it can also include assistance from the Supplier related to financial monitoring of the Cloud Services. A main purpose of such financial monitoring would be to ensure that the Customer pays for actual use and to assist the Customer in keeping track of orders etc.
Further, SSA-SKY includes exit management provisions, under which the Supplier shall perform certain defined activities according to an exit plan, subject to a fee. At a minimum and unless otherwise agreed, such activities shall include inter alia preparations for exit from the Cloud Services, transfer of data to new Supplier, transfer of documentation (e.g. source code to customizations) etc.
Compared to SSA-L, the other template for "as-a-service"-deliveries in the SSA-portfolio, SSA-SKY appears to apply a more practical and stringent approach to the allocation of responsibilities between the parties involved. In this sense, SSA-SKY seems more in line with newer versions of SSA-D (the SSA-template for operational services) as it acknowledges to a further extent that the third party's standard terms prevail on the applicable areas of the cooperation. It remains to be seen at this early stage, but SSA-SKY could turn out to be a welcome addition to the SSA-portfolio, and may contribute to procurement processes attractive to relevant suppliers and cloud service providers and providing value to the customers.