"Is it possible for you to retrieve your data that has been contracted to a third party?"

Global financial authorities stress that financial institutions must demonstrate operational resilience, including the capacity to handle and recover from disruptions caused by their service providers.

Ability to Retrieve Offsite Information: Is it Possible?

In the rapidly evolving digital landscape, traditional source code escrow is of little use in the context of cloud-based platforms or Software as a Service (SaaS). However, the importance of data access in maintaining business continuity and exit planning cannot be overstated.

Financial institutions and critical infrastructure companies, under certain financial regulations, are required to ensure access to data held by their service providers. This is crucial for operational resilience in the event of service disruptions.

The Role of Contractual Protections

In SaaS arrangements, contracts should require data to be provided in an accessible format, without the customer having to license or purchase additional technology. Business process outsourcing agreements should contain detailed exit planning provisions for the transfer of outsourced services, including data migration.

Contractual protections for data access should include high platform availability commitments, strong support service levels, robust incident management, and ancillary obligations for data segregation, efficient extraction, and protection against loss, damage, or corruption.

Newer Escrow Models for Modern Platforms

Recognising the shortcomings of traditional escrow models, newer cloud escrow models, such as the "access" and "replicate" models, have been developed. The "access" model provides access to the latest version of the code, environment, and data, but may not be suitable in multi-tenanted environments. The "replicate" model, on the other hand, requires regular updating of the code and data in the replicated instance.

Scenarios Illustrating the Importance of Data Access

Scenario A illustrates the mitigation of temporary disruptions through quick activation of a business continuity plan and support from the tech provider. Scenario B demonstrates how repeated disruptions can lead to planned exits, but with substantial additional and unanticipated costs due to data inaccessibility. Scenario C shows the impact of a service provider's insolvency on an unplanned exit, potentially leading to long-term operational disruption.

In cloud-based platforms or SaaS, it is essential that businesses critically impacted by the loss of access to data consider escrow as a potential mitigation strategy. An effective provision ensuring access, recovery, and return of data should go beyond regulatory expectations, particularly in stressed exit scenarios.

When service provider personnel use a third-party platform, the contract should address the commitments offered by the third party, liability exclusions, contingency arrangements, and the possibility of contracting directly with the third-party platform provider.

Regulatory requirements for outsourcing and material technology contracts in the financial services sector often include appropriate business continuity and exit planning provisions, as well as provisions ensuring access to data held by service providers. The UAE Central Bank, the UK's Prudential Regulation Authority (PRA), the European Digital Operational Resilience Act (DORA), and the European Banking Authority's guidelines on outsourcing arrangements impose such requirements.

In conclusion, in the era of cloud-based services, ensuring data access is not just a best practice, but a necessity for business continuity and exit planning. Contractual protections and newer escrow models offer viable solutions to this challenge.
