SaaS and technology professional services providers face risks in undertaking and delivering their
services, including security risks, compliance risks, supplier risk and, most importantly,
execution risk. One way a firm can manage the fallout if these risks materialise is to have clear
terms of service or a master service agreement in place with its customers.
The first line of defence
Technology firms are typically entrusted with managing, accessing and safeguarding sensitive data
and digital assets. As such, they face growing challenges as digitalisation increases and bad actors
become more adept at exploiting vulnerabilities. Watertight terms of service are the first line of
defence: they not only establish the rules of engagement but also serve as a legal framework to
mitigate a variety of risks.
Professional indemnity insurance (PII) is an added safety net that provides financial protection
when the terms of service cannot be fulfilled as a result of errors, omissions or negligence in the
provision of technology products and professional services. The interplay between a firm's standard
terms of service and the changing terms and conditions of its insurance policy is key to managing
evolving risks and having the requisite policy coverage in place.
The devil is in the detail
Many technology PII policy wordings include clauses that can be interpreted broadly as excluding
coverage for certain types of liability. For such policies, the following key terms should be
considered alongside a firm's service agreement with its clients:
1. Conditions precedent to liability – where a policy contains conditions of this nature, the
policyholder may have to meet certain onerous obligations before it is eligible for cover.
Accepting only liability provisions that align with the services rendered is crucial to ensure
that the coverage provided by PII is not inadvertently rendered ineffective.
2. Exclusions for some types of liability – there may be gaps between the liability accepted in
the services agreement and the types of liability indemnified in the PII policy wording. It is
important to run through the PII exclusions to ensure that they do not conflict with your terms of
service.
3. Notification restrictions in contract – where the PII policy or an accompanying cyber policy
imposes strict notification requirements, restrictions in the terms of service on what the firm
may disclose can conflict with them and prevent notification in line with the policy requirements.
4. Force majeure – force majeure (acts of God) clauses are usually drafted quite broadly in
contracts, whereas the PII policy may recognise a narrower set of scenarios, so the contract may
excuse events that the policy does not cover.
5. Disputes – an unresolved dispute will typically trigger a notification to PII insurers, and a
PII policy will usually contain a mechanism for handling disputes. It is important to ensure that
the dispute-resolution mechanisms offered in the terms of service align with it.
The relationship between a technology firm's terms of service and its PII liability provisions
should never be underestimated or overlooked. It demands a proactive and collaborative approach, in
which legal experts craft terms of service that not only reflect the nature of the services but also
align seamlessly with the protection offered by PII.
As the technology landscape continues to evolve, firms must pay close attention to potential
alignment issues and ensure that they do not fall short when matching their terms of service with
their PII cover.
For further information and advice on managing infosec risks, contact the Elmore team.