Contract Negotiation

Third-Party Risk Management:

Frequently Asked Questions

What is contract negotiation?

Contract negotiation is an essential part of any third-party relationship. It involves developing a contract that clearly defines the expectations and responsibilities of both the third-party vendor and the organization. The contract’s language serves several purposes, including helping to ensure the contract’s enforceability, limiting the organization’s liability and mitigating disputes regarding performance.

Why is contract negotiation a critical part of my third-party relationships?

Contract negotiation is a critical component of a compliant third-party vendor relationship. Improper or incomplete contract negotiation can generate significant risks, including:

  • Loss of time and potential revenue due to overly lengthy negotiations
  • Failure to meet an agreement altogether
  • Vendors not delivering due to incomplete contract language
  • Possible litigation actions for non-performance on the main entity’s part

Developing a contract with a third party that plainly defines expectations and responsibilities is necessary before entering a relationship with any vendor. Before contracting, you should have undertaken a risk assessment of the third party and due diligence proportionate to that risk. Understanding the inherent risks of the third party and the type of engagement they are involved in will help you ensure the contract is constructed in the best possible way to minimize that risk. This process, if done correctly, helps to ensure that the contract matches the scope of the intended relationship, is enforceable and helps to manage liability if an issue occurs or a vendor under-performs.

As you negotiate your vendor contracts, consider the following:

  • Service Level Agreement: This outlines the level of service expected, the metrics for measuring service performance, and the remedies or penalties, if the agreed-on service levels are not met.
  • Due Diligence Documentation: This may include a provision that the vendor provides SOC reports (see below), financial information, pen test reports, etc.
  • Confidentiality: Clauses that protect your organization’s and your customers’ sensitive information.
  • Right to Audit: For third parties that hold or process data in particular, you may wish to consider a right-to-audit provision, so that you can monitor their performance, including their internal controls and security. For instance, you may require comprehensive SOC reports on the service provider’s policies, procedures and tests of actual controls.
  • Notification of Sub-contractors (4th Parties) and Provisions for Notification if These Change: You should be aware of any sub-contractors your vendor is using to help fulfil the obligations of the contract (especially for your critical third parties). You can include provisions that you must be notified if these sub-contractors change.
  • Duration: This includes the term of the contract, whether it is non-renewal or automatic, and the renewal notice period, etc.
  • Data Breach Notification: If your third party stores or processes data, you should strongly consider a data breach notification clause that requires the vendor to notify you as soon as a breach happens, or within an agreed time frame. This is important for regulatory compliance as well as for your ability to be proactive regarding next steps, notifying customers and issue management.
  • Indemnification: Indemnification clauses protect your organization from liability for potential claims that may arise during the contract.
  • Insurance: The contract may specify a requirement for a vendor to maintain a certain level of insurance or contain notification obligations when insurance changes.
  • Limits on Liability: Contracts often contain a clause that limits liability – here you may wish to determine whether the proposed limit is consistent with the level of loss you might experience if the vendor fails to perform.
  • Exit Strategy: You should also include exit strategy steps in your contracts. This is especially important if your vendor holds or has access to your or your customers’ data. Here you should include provisions for things such as how data will be returned or destroyed, how access will be revoked, the notification process, etc.

How can Aravo assist in contract negotiation and third-party vendor management?

Aravo offers multiple capabilities to help manage your contracts and other vendor activities. Several of these include:

Vendor Contracts Management: Helps companies create a centralized repository of all vendor contracts, and automates contract monitoring, review and management processes.

Vendor Intake and Scoping: Applies a standardized and defensible process for centralizing, collecting and validating your third-party vendor information.

Vendor Due Diligence: Enables you to embed best practice principles for due diligence processes including scoping third parties, third-party assessments, conducting risk-based due diligence, managing approval processes, and mitigating risks.
