JHS 166 Terms and Conditions of Public IT Procurement

Annex 8. Special Terms and Conditions for Services Delivered via a Data Network (JIT 2015 Services via Network)

  • Version: 2.2
  • Published: 19 September 2018
  • Valid until: until further notice

INSTRUCTIONS FOR USE

These Special Terms and Conditions are intended to be used in the procurement of software services produced as a cloud service that are intended for specific organisations or user groups (e.g. state administration or specific municipal fields; software service produced in a community cloud, Community Cloud - SaaS). The way the user communities are organised may vary but, usually, members of the community have similar requirements for security, privacy and usability as well as similar needs created by legislation.

General information about cloud services

Cloud services refer to a service model whereby easily controllable IT resources shared between several users are offered via data networks. Establishing a connection to the cloud service is uncomplicated, and service functionalities can be switched on, connected to other services and disabled quickly and easily according to user needs.

Cloud services can be defined based on key service properties, service models and usage models.

Key properties of cloud services are:

Use as a self-service

Customers may independently modify the operating method or appearance of the service within the limits permitted by the service. Available resources may be increased or reduced independently without any actions required from the service provider's personnel.

Extensive access via the Internet

Access to cloud services takes place using standard Internet technologies. Access is possible using various terminal devices from the location selected by the user and at the time desired by the user.

Shared use of resources

A service produced using the same devices and platforms is offered to different customers. Each customer's information is separated from that of other customers at the program level, and resources are distributed to customers according to their changing needs. The services are independent of location in the sense that users usually do not possess accurate information about the location of the resources used for the service. However, users may be able to define the location at a higher layer of abstraction, such as at the level of a continent, country or data centre.

Fast flexibility

Resources may be taken into use and released quickly and flexibly, also automatically in some cases according to service needs. To users, the service capacity may often seem unlimited.

Measured service

Cloud services automatically measure and optimise the use of resources using an indicator suitable for the specific service. The use of resources may be monitored, controlled and reported and, thereby, transparency can be brought in to the use of the service and to invoicing.

Because of the shared use of resources, it is easily believed that cloud services can be located anywhere. However, parties offering cloud services may offer various options to customers for selecting the location of the service.

Compared with traditional outsourcing services, the most important properties of cloud services that enable cost efficiency are their use as a self-service, the automatic mobilisation of resources and related fast flexibility. This property allows organisations to implement functional changes significantly more quickly than by using traditional operating methods and helps to achieve functional benefits.

Cloud service models are usually grouped into three categories: Cloud Infrastructure as a Service (IaaS), Cloud Platform as a Service (PaaS) and Cloud Software as a Service (SaaS).

Cloud Software as a Service (SaaS) is the model these Special Terms and Conditions are based on. In the SaaS model, service users are able to use the service provider's applications that are run utilising the basic structures of the cloud. Applications may be operated using various terminal devices and user interfaces, such as browsers. Users do not manage or control the basic structures of the cloud service, such as the communications network, servers, operating systems, storage systems or individual applications or their properties, apart from user-specific application settings.

Operating models of cloud services are usually grouped into four categories: Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud.

Community cloud is the model these Special Terms and Conditions are based on. In the community cloud model, a single service is used by several organisations, and the purpose of the service is to serve a community with shared requirements and needs. The service may be managed by the organisations themselves or it may be maintained by a third party. The service may be produced inside or outside the premises of the organisations.

Evaluating the suitability of the software service on the basis of a service description

The SaaS is acquired as a public procurement, which means that the service description and the service offered must fulfil the client's requirements. On the basis of the service description, the client must evaluate whether the software service fulfils, when used for the purpose forming the object of the invitation to tender, the requirements set for the use of the service. This means that the supplier is not responsible for ensuring that the software service is suitable for the client's purpose of use.

The organisation planning the introduction and procurement of a software service must identify and spell out the requirements related to each purpose of use. These may be related to e.g. information security levels, data protection and the management of documents of authorities.

The shared requirements and needs of a specific user community form the starting point of the design and implementation of the community cloud offered by the supplier. Usually, the cloud service supplier produces the SaaS-model cloud services so that they are identical to all users of the specific service.

In order for the client to be able to evaluate the suitability of the offered service for the client's purpose of use, the service description must include at least the following information:

  • a detailed specification of the content and implementation of the service
  • the supplier's subcontractors and their use
  • the procedures in place to secure the client's material in the software service
  • installation, modification and maintenance windows
  • the location where the software service is produced (Finland or another country; the objective is that the service description includes sufficient information in order to identify the legislation applied to the service and its production. The location where the service is produced covers data centres and management services, and the geographic location of the information stored.)
  • the principles of processing personal data
  • the methods used to monitor user rights to the service and the use of the service
  • requirements concerning the client's operating environment and the data connection required.

Implementation and use of the service

The supplier will deliver the service so that it is available at the access point in accordance with the agreement and service description. The access point is either a connection point in the public electronic communications network or another connection point separately agreed upon in the agreement. The client will be responsible for the acquisition of the hardware, data connections and software it needs to use the service, and their operating condition and protection, unless they are agreed to be within the scope of the supplier's responsibilities under the agreement.

For the sake of clarity, the structure of the terms and conditions follows the life cycle of the use of the software service: agreeing upon use, preconditions for use, rollout, use and modifications during use, and procedures upon termination of the agreement.

The Special Terms and Conditions include a number of (contributory) obligations for the contracting parties which aim for a smooth rollout and use of the software service, and well-defined procedures for a possible termination of the use of the service.

The Special Terms and Conditions set the basic level for certain matters, and they shall be complied with unless otherwise agreed in the agreement. Such matters include:

  • distribution of liability related to information security and data protection
  • specific actions related to the management of information security
  • the format in which the supplier must return the client's material to the client upon termination of the agreement.

According to the Special Terms and Conditions, the supplier may use subcontractors to implement the software service or its part and to carry out other tasks related to the fulfilment of the agreement. No other conditions are set for the use of subcontractors except that the use of subcontractors must be described and possible contractors processing personal data must be identified in the service description.

The contracting parties shall agree in writing whether or not the client transfers personal data to the supplier. If the supplier processes personal data on behalf of the client, it is recommended that the JIT 2015 Special Terms and Conditions for the Processing of Personal Data (JIT 2015 Personal Data) be attached to the agreement.

These use instructions do not form part of the agreement.

Agreement date and no.: _____________________________ Annex no.: _____________

JIT 2015: Special Terms and Conditions for Services Delivered via a Data Network

    1 Scope of application

(1) These Special Terms and Conditions are applied to the procurement by public procurement units of software services delivered via a data network, if these Special Terms and Conditions are referred to in the agreement and to the extent they have not been otherwise agreed upon in writing.

(2) These Special Terms and Conditions are used together with the General Terms and Conditions of Public IT Procurement. In case of any conflict, these Special Terms and Conditions take precedence over the aforementioned General Terms and Conditions of Government IT Procurement with regard to their corresponding provisions.

    2 Definitions

In addition to the following definitions of the Special Terms and Conditions, the definitions of JIT 2015 General Terms and Conditions shall be applied.

service description

fi: palvelukuvaus

a detailed specification of the content of the service

The service description of the software service must be sufficiently detailed so that, on the basis of it, the client is able to determine whether or not the service is suitable for the client's purpose of use.

software service

fi: ohjelmistopalvelu

a service where an application or service is produced in a centralised data centre so that it is available at the access point via a data network, and where access to the software as well as the right to use it are offered against a recurring charge

The service is produced using networks, servers and operating and storage systems included in the service provider's service environment, without the service user taking part in their management or configuration, apart from limited user-related settings.

client's material

fi: tilaajan aineisto

material which has been transferred to the software service by the client or material otherwise delivered or placed available to the supplier for the client's software service, data material produced by the client in the use of the service, or other data material defined as client's material by the contracting parties

supplier's material

fi: toimittajan aineisto

material delivered or placed available to the client for using the supplier's software service as well as other data or material defined as supplier's material by the contracting parties

combined material

fi: yhdistetty aineisto

the presentation of the client's material as produced in the software service in such a way that the client's material and the supplier's material are combined

access point

fi: yhteyspiste

a point or points where the supplier connects the software service to a public electronic communications network or to another connection point agreed upon in the agreement

    3 Object of the agreement

(1) The content of the software service has been specified in the agreement and service description.

(2) The supplier may use subcontractors to implement the software service or a part thereof and to carry out other tasks related to the fulfilment of the agreement in accordance with the service description. Subcontractors must be named in the service description if they process personal data. The supplier is responsible for the work of its subcontractors as for its own work.

    4 General obligations of the supplier

(1) The supplier is responsible for ensuring that the software service corresponds with the agreement and service description.

(2) The supplier is responsible for ensuring that all tasks for which the supplier is responsible are performed in compliance with the agreement, with care and following the professional competence required by the tasks.

(3) The supplier shall provide the client with written operating instructions and operating environment requirements for the software service.

(4) For the client's queries related to the software services, the supplier shall notify the client in writing of its contact persons, other contact details as well as any changes therein.

    5 General obligations of the client

(1) The client is responsible for ensuring that all tasks for which the client is responsible are performed with care and in accordance with the agreement.

(2) The client is responsible for ensuring that the software service is suitable for the client's purpose of use.

(3) The client is responsible for the acquisition of the hardware, data connections and software it requires to use the software service, and for their operating condition and protection, unless they are within the scope of the supplier's responsibilities under the agreement. The client is responsible for setting up its operating environment so that it is in accordance with the specifications presented in the service description.

(4) The client shall instruct the users of the software service in its employment or operating on its behalf to comply with the instructions issued by the supplier when using the software service. When offering such instructions, special attention shall be paid to questions related to information security in the use of the software service.

(5) For the supplier's queries related to the software services, the client shall notify the supplier in writing of its contact persons, other contact details and any changes therein.

    6 Content and service level of the software service

(1) The contracting parties shall agree in writing upon the use of the software service specified in the service description and the possible consequences resulting from any deviation from the specifications. Insofar as the content or service level of the software service has not been agreed upon to any extent, the supplier's terms and conditions in force and published at the time in question shall be applied.

(2) The supplier shall without delay notify the client of any circumstances it has become aware of which may prevent the software service from being used in accordance with the agreement.

(3) The software service includes tasks related to training offered to the client's personnel and the rollout of the software service only insofar as such tasks have been agreed upon in writing.

    7 Rights and the client's material

(1) The right of ownership and intellectual property rights to the software service, the supplier's material and any changes made thereto belong to the supplier or a third party.

(2) The right of ownership and intellectual property rights to the client's material belong to the client or a third party.

(3) The supplier shall have the right to process the client's material solely for purposes of fulfilling the agreement.

(4) The client shall be responsible for the client's material and for ensuring that the client's material is not in violation of any rights of third parties or the legislation in force at the time.

(5) No existing intellectual property rights are transferred between the contracting parties under this agreement.

(6) The client and a third party operating on behalf of the client have the right to use and modify the supplier's material and the combined material during the term of the agreement for the client's activities. However, the client and a third party operating on behalf of the client as well as a party to which the client's tasks are possibly transferred shall, even after the termination of the agreement, have the unlimited right to use and modify the combined material obtained from the software service, including any backup copies of this material transferred to the client.

    8 Starting the use of the software service

(1) The client shall provide the supplier with sufficient and correct information for the delivery and, otherwise, contribute to the delivery of the software service in the best possible manner. The client shall be responsible for the information it has issued to the supplier and for updating such information.

(2) The supplier shall provide the client with sufficient instructions to start the use of the software service as early as possible. The supplier shall provide the client with other support related to the rollout of the software service only if this has been agreed upon separately.

(3) The supplier shall start the software service at the access point on the agreed delivery date or within an agreed period. If no delivery time or delivery date has been agreed, the supplier shall start the software service at the access point within a reasonable time from signing the agreement or issuing an order confirmation. The software service shall be considered started when the software service under the agreement is available for use at the access point and the supplier has given notification of it to the client.

(4) If the software service includes a possibility to store the client's material, the supplier's responsibility for the storage of the material shall start from the time when the data has been successfully stored as part of the start of the use of the software service.

(5) If the start of the use of the software service is delayed due to a reason attributable to the client, the delivery time shall be extended until the factor which prevented the start of the use has been corrected or has ceased to exist. The supplier's right to invoice the service shall begin from the time when the service would be available for use were it to depend only on the supplier.

(6) The client shall, without any undue delay after starting the use of the software service, inspect the functionality of the software service and make a complaint regarding any inoperability or other error or defect identified in the delivery. If the client has not given notification of errors within seven (7) weekdays of the start of the delivery of the software service, the software service shall be deemed to have been accepted. Furthermore, the software service shall be deemed to have been accepted immediately after it has been found to be functional in a rollout test conducted mutually by the contracting parties. Any deficiencies or faults that do not significantly impair the use of the software service do not prevent the delivery from being accepted but the supplier is obligated to correct them without any undue delay.

(7) The supplier and the client may agree upon a test run period for the software service. During the test run period, the supplier shall not have any obligations or any liability for damages. The client is not obligated to pay the service charge for the test run period, but the client shall otherwise comply with the agreement and these terms and conditions.

    9 Identifiers

(1) The supplier shall provide the client with access point names and identifiers (e.g. user credentials, technical addresses and identifiers) in accordance with the agreement for the use of the service and for the agreed purpose for the duration of the term of the agreement. The supplier shall give notification of any changes therein well in advance.

(2) The client is responsible for ensuring that its users store all identifiers and passwords with care and do not disclose them to third parties. The client shall be responsible for the use of the software service taking place with its identifiers. However, the client shall not be responsible for the use if the client's identifiers are disclosed without authorisation to a third party for a reason independent of the client or a party operating on behalf of the client, such as due to a computer break-in targeted at the supplier's system, or if the supplier's representative uses the client's identifiers contrary to the agreement.

(3) The client commits to notifying the supplier, without any delay, of any disclosure of identifiers or passwords to a third party or any suspected misuse of an identifier or password. The client's responsibility for the use of the software service taking place with the user credentials and password of its users ceases when the supplier has received the client's notification or the supplier has otherwise detected the misuse. However, in order for the responsibility to cease, it is required that the client does not, through its activities, prevent the supplier from changing or disabling the identifiers related to the misuse.

(4) The client is obligated, upon the written request of the supplier, to change the password required to use the software service if it is necessary due to a serious information security threat aimed at the software service.

    10 Backups

(1) The supplier shall be responsible for taking backup copies of the client's material located in the software service in the manner specified in the service description. The contracting parties shall agree upon backup copying dates in writing. Unless otherwise agreed, the supplier's obligation is to take backup copies of the client's material at least once during the supplier's working day or at other intervals as notified by the supplier to the client in advance, and to store the backup copies in a manner suitable for the purpose in accordance with the practice notified by the supplier to the client in advance. In other respects the client shall be responsible for taking backup copies of the client's material.

(2) If the client's material is destroyed, misplaced, altered or damaged after the client or a party for which the client is responsible has used the client's user credentials and password, or if the client or a party for which the client is responsible has otherwise, through its activities, destroyed, misplaced, altered or damaged the client's material, the supplier is entitled to charge for the recovery of such information according to agreed pricing criteria or those in accordance with its price list.

(3) If the client so requests, the supplier shall deliver, at most once per calendar year, all of the client's material stored in the service to the client in accordance with the data material openness requirement. When delivering the client's material, the supplier shall also deliver a data description which fulfils the data material openness requirement. The supplier is not entitled to any separate charge for the delivery of the client's material or the data description in accordance with this section, unless otherwise agreed.

    11 Changes in the software service

(1) The supplier shall always have the right to make such changes in the service which are directed at the production environment of the software service and do not have an impact on the content or service level of the service, or which are necessary in order to prevent a serious information security threat (including serious availability threats), or which are caused by a mandatory legal provision or order of an authority concerning the production environment. If a change has an impact on the service description, the supplier shall notify the client of the change well in advance or, if this is not reasonably possible, for example, due to the prevention of an urgent and serious information security threat, without delay after the supplier has obtained information about the matter.

(2) In situations other than those referred to in Section 11(1) above, the supplier is obligated to notify the client of any needs to make changes in the software service well in advance. The impact of the change shall be processed by and between the client and the supplier before implementing the change. If the intended change has a significant impact on the content or service level of the service, the supplier shall notify the client of the change in writing at least three (3) months before the change enters into force, and the client shall have the right to terminate the agreement in accordance with Section 16. Changes with a significant impact on the content include the transfer of the processing of personal data to a subcontractor or location that the client does not approve of for justified reasons.

(3) The supplier shall provide the client with a revised service description as well as operating instructions and other material of the supplier.

(4) The supplier shall strive to take into consideration the client's wish concerning the date on which the change in the software service enters into use. The supplier must allow the client to familiarise itself with the changes before they are taken into use, if this can reasonably be arranged.

(5) The client may propose changes to the software service. The implementation of such changes and their impact on costs shall be agreed separately.

    12 Interruptions of the software service

(1) Unless regular installation, modification or maintenance procedures for the software service have been specified in the service description, the terms and conditions set out in this Section 12(1) shall apply. The supplier shall have the right to interrupt the production of the software service for a reasonable time from Monday to Friday between 6 pm and 8 am and on Saturdays, Sundays or public holidays, if it is necessary due to installation, modification or maintenance procedures performed for the software service and if the installation, modification or maintenance cannot be performed at reasonable costs without interrupting the production of the software service. If the supplier interrupts the production of the software service for a reason stated in this Section 12(1), the supplier shall (a) notify the client of the interruption of the software service and the duration of the interruption well in advance; (b) strive to ensure that the disturbance caused by the interruption will be as minor as possible; and (c) upon the written request of the client, compensate the client for the non-fulfilment of the service level in accordance with the agreement.

(2) The supplier shall have the right to interrupt the production of the software service due to installation, modification or maintenance measures for the public communications network or due to a serious information security threat directed at the software service, or if so required by legislation or order of an authority, or due to a force majeure situation. If the supplier interrupts the production of the software service for a reason stated in this Section 12(2), the supplier shall notify the client of the interruption and its estimated duration well in advance or, if this is not reasonably possible, without delay after the supplier has become aware of the matter in question.

(3) The supplier shall have the right, without hearing the client, to prevent the client from accessing the software service, if the supplier has a justifiable reason to suspect that the client, in breach of the agreement, loads or uses the software service in a manner which endangers the production of the software service for other users. The supplier must, without any undue delay, notify the client of the reasons for the prevention of access. If the client proves that it has used the software service in accordance with the agreement, the supplier is obligated to compensate the client for the non-fulfilment of the service level due to the prevented access in accordance with the agreement, or the client is entitled to receive a price reduction over the time of interruption.

    13 Information security and data protection

(1) The contracting parties commit, each on their part, to ensuring and taking responsibility for information security and protection of privacy in compliance with the laws of Finland in force at the time. If necessary, the distribution of liabilities related to information security and data protection between the contracting parties shall be agreed in more detail.

(2) Each contracting party is responsible for information security in its own communications network. Neither contracting party shall be responsible for information security in the public Internet or for any disturbances arising therein, or for any other factors beyond their control that impair the use of the software service, or for any damage resulting thereof.

(3) A contracting party has the right to take action in order to prevent information security violations and to eliminate disturbances directed at information security. The contracting party shall ensure its actions are proportionate to the severity of the disturbance being prevented and end them as soon as there are no grounds for their use.

(4) The contracting parties shall agree in writing whether or not the client transfers personal data to the supplier. As the data controller, the client shall be responsible for such personal data. The client shall be responsible for ensuring that it has the right to transfer the personal data to the supplier for processing in accordance with the agreement. When processing personal data, the supplier shall comply with the good personal data processing practice required in the legislation and any provisions on the protection and processing of data. The supplier shall process personal data only in accordance with the agreement and written instructions issued by the client. The supplier shall implement the technical and organisational actions that have been agreed.

    14 Handling information security violations

(1) A contracting party is obligated to notify the other contracting party, without undue delay, of detecting any significant changes in the information security situation threatening the software service or its use, or any increased information security risks, data protection risks, violations of information security or data protection, or suspicions thereof.

(2) A contracting party shall, on its part, take immediate action to eliminate or reduce the impact of the aforementioned violations. Specific actions required by the management of information security risks shall be agreed separately.

(3) A contracting party is obligated to contribute to the interpretation of the violations of information security and data protection.

    15 Location of the production of the software service

(1) The supplier may offer the entire software service or a part of it from Finland or from another country, provided that the supplier otherwise fulfils the terms and conditions of the agreement. If the supplier offers the service outside the European Economic Area, the supplier shall ensure that any transfer of personal data is implemented in accordance with legislation.

(2) The geographic location of the data centres and management services used to produce the service, as well as of the information stored, shall be specified in the service description. The supplier is obligated to give notification of any changes in the location.

    16 Validity and termination

(1) A fixed-term agreement on the software service ends without any separate termination once the fixed term has expired. However, the client may terminate a fixed-term agreement in situations referred to in Section 11(2) by issuing a written notice to the supplier, in which case the agreement shall terminate three (3) months after the issuance of the notice.

(2) Unless otherwise agreed in writing, an agreement valid until further notice may be terminated in writing with a three (3) months' notice period on the part of the client and with a six (6) months' notice period on the part of the supplier. In addition, termination is possible in accordance with Section 11(2). The period of notice is calculated from the last day of the calendar month during which the notice of termination of the agreement was given.

(3) If the client has paid a service charge for a specific period in advance and the agreement terminates prematurely for a reason not attributable to the client, the client shall have the right to receive a refund for the non-fulfilled period for the service charge paid in advance.

    17 Assistance obligation upon termination of the agreement

(1) Upon the termination of the software service or a part thereof, the supplier commits to assisting the client in transferring the terminating service to a third party or the client itself. As part of its assistance obligation, the supplier is obligated to take the following actions upon the client's request:

      1. The supplier shall continue the delivery of the services to the client under the terms and conditions of the agreement and to the extent requested by the client until the termination of the agreement.
      2. The supplier shall assist the client in the performance of the tasks required for the transfer to the extent requested by the client and shall take part in the transfer by supplying information, material, support, training and consulting and by working in cooperation with the client and its other service providers. This shall be carried out at the supplier's prices under the agreement or, if the prices have not been agreed upon, at the prices of the supplier's general price list.

(2) The assistance obligation shall begin already before the agreement terminates, upon a notice of termination or cancellation, or upon the client notifying that it will initiate a procurement process concerning the services under agreement. The obligation shall continue at most until three (3) months have passed from the termination of the agreement.

(3) The supplier's obligation to store the client's material will end sixty (60) days after the termination of the agreement, after which the supplier is obligated, at its own expense, to destroy the client's material, unless the client has prior to this requested that the material be returned in accordance with Section 17(4). If the client requests that the material be returned, the supplier shall return to the client the up-to-date material handed over by the client or other client's material concerning the service. However, the supplier shall have the right to destroy or retain the client's material to the extent the supplier is obligated to do so based on law or an order of an authority.

(4) Unless otherwise agreed in writing, the supplier shall return the client's material to the client within thirty (30) days of a written request issued by the client in accordance with the data material openness requirement or in an agreed format. When delivering the client's material, the supplier shall also deliver a data description which fulfils the data material openness requirement. The supplier is not entitled to any separate charge for the delivery of the client's material or the data description in accordance with this section, unless otherwise agreed.

(5) The supplier shall not have the assistance obligation referred to in Section 17(1) if the agreement terminated due to the client's essential breach of the agreement. If the supplier has cancelled the agreement because the client has not paid charges related to the use of the software service, the supplier shall, however, have the contributory obligation referred to in Section 17(1) if the client pays its due and payable charges to the supplier and lodges an acceptable security for the payment of future charges.

Footnotes

1) This text is based on the document The NIST Definition of Cloud Computing, Special Publication 800-145, National Institute of Standards and Technology, U.S. Department of Commerce, 2011.