Offshore software developers risks and advantages

Posted on Thursday, October 28, 2021 by VIVIEN F. PEADEN

The onset of COVID-19 has hastened CEOs’ prioritization of digital transformation to future-proof their organizations. This paradigm change is driving the IT outsourcing spend to improve operational agility, integrate new technologies, and achieve cost-savings and faster time-to-market.

Risks and advantages of using offshore software developers

The pandemic has also changed how companies (customers) leverage their outsourcing providers (vendors). While cost reduction and talent augmentation remain key drivers, businesses are taking steps to incorporate enterprise resilience in their outsourcing strategies. This shift in operating models is forcing companies to reevaluate cybersecurity, business continuity, and intellectual property (IP) considerations in selecting their outsourcing providers. Below, we discuss a few important legal and risk issues that a customer should consider:

1. Intellectual Property and Confidentiality Protection to secure Ownership:

When engaging a vendor, companies must exercise vigilant control over IP ownership and licensing. Enterprise companies, such as Netflix or Amazon, often rely on open-source software (OSS), source code that is made freely available for modification and redistribution under a license. For many development teams, OSS forms the core building blocks to develop, deploy, and update applications. Some OSS licenses require the customer to disclose not only the OSS source code modified by the vendor but also that of any derivative work that combines OSS with other IP (known as a “Strong Copyleft License”). To avoid the viral effect of a Strong Copyleft License “infecting” the proprietary deliverables, customers need to closely monitor the use and incorporation of any OSS in the deliverables. In the vendor agreement, a customer should set out the vendor’s obligations with respect to (i) disclosure of any OSS (including other third-party materials) and license terms for the customer’s approval before incorporating them in the deliverables; (ii) mandatory flow-down terms in subcontractor contracts, including confidentiality, IP assignment, and background screening; and (iii) IP warranties, indemnification, and remedies, under which the vendor agrees to perform due diligence, replace infringing components, defend and pay damages relating to IP infringement claims, and refund service fees in some cases. Finally, customers should require vendors and their developers to execute non-disclosure agreements and set staffing restrictions to protect proprietary information. This protects against developers who leave the vendor and use stolen ideas to build a similar platform for a competitor.

2. Data Security Requirements to mitigate Cyber risks:

In today’s data-driven world, customers need to share with vendors an increasing amount of sensitive information to achieve their outsourcing goals. This information includes trade secrets, customer logins, health information, credit card numbers, etc. Further, many offshore software development destinations do not mandate security measures at the same levels as the regulatory standards in the U.S. and E.U. Therefore, transferring sensitive information offshore could expose a customer to significant financial and reputational risks if its vendor reports a ransomware attack. Customers should take a security-by-design approach in vetting and engaging vendors throughout the software development lifecycle (SDLC). Further, a customer must set contractual protections to require appropriate technical and organizational security measures, including (i) data access control limited to employees or pre-approved contractors on a need-to-know basis, (ii) a business continuity plan and written information security policy, (iii) data breach and incident response protocols, and (iv) maintenance of security certifications (e.g., ISO 27001 or SOC 2), among others. For an offshore software development firm, security can be its strongest selling point and competitive differentiator that will make or break an engagement.

3. Privacy Risks and Regulatory Restrictions on cross-border data transfer:

Privacy compliance is vital when an outsourcing engagement involves building technology platforms that process personal data. Customers need to work with their vendors to incorporate privacy at the outset of the SDLC, rather than treat it as an afterthought. This privacy-by-design mindset results in end-products that respect individuals’ privacy out-of-the-box. The end-product will be nimbler and more adaptable to evolving privacy standards in new countries and markets. Finally, certain privacy regulations, such as the E.U.’s General Data Protection Regulation (GDPR), California privacy laws, or HIPAA, require additional standards of care with respect to personal data protection. For example, before transferring E.U. personal data to the U.S., the parties must conduct and document a rigorous transfer impact assessment to protect data against U.S. government access for certain national security purposes. The GDPR also requires the parties to implement specific technical and organizational safeguards for data protection.

4. Governing Law and Jurisdiction for Dispute Resolution:

Outsourcing has made software development a truly global process. Customers and vendors should invest time to determine where they should resolve disputes and the laws that should govern contracts. If the offshore software development firm does not have any physical presence in the U.S., the customer should include an arbitration clause. Arbitration provides the parties with a greater degree of flexibility and even facilitates expedited proceedings in certain countries. Further, most countries are party to the UN Convention on the Recognition and Enforcement of Foreign Arbitral Awards. This allows for easier enforcement of arbitration awards in member countries, including Argentina, Costa Rica, India, Ukraine, and other popular nearshore or offshore IT development destinations.

Digital transformation trends following the COVID-19 lockdown have accelerated IT outsourcing. Before engaging a vendor, a customer should invest time in vendor assessment and contract negotiation to align the contractual terms with the overall risks and benefits of the relationship. To further set up the engagement for success, customers must treat vendor management as a year-round risk mitigation process for competitive advantage.
