Navigating and Negotiating IT Contracts for Nonprofits
- Megan E. Avalos, Esq.

- Oct 2, 2025
The latest technologies and digital tools offer innovative ways for nonprofit organizations to engage with visitors, donors, and even global audiences. Many organizations are also using tech-based solutions to improve vital behind-the-scenes functions through tools like digital collections management processes and state-of-the-art security systems. To properly implement and maintain the hardware, software, and remote services that power these tools, most organizations need to look beyond their in-house teams and contract with third-party technology experts. However, tech vendors often require organizations to sign long, complex contracts or agree to click-through terms and conditions. [1] Signing technology contracts without careful review comes with high risks: tech vendors are uniquely positioned to have back-door access to privileged information and crucial internal systems. In the event of a technical problem, your organization may lose access to its own systems or be exposed to data leaks and cyber-attacks. Here are some important questions to ask and key terms to include when negotiating a technology contract to help ensure your organization is adequately protected.
When there are multiple contracts, how will they work together?
Often, technology agreements are made up of multiple contracts that work together to form one full agreement between the parties. For one single service, a tech vendor may ask you to sign a master services agreement, statement of work, terms and conditions, privacy policy, acceptable use policy, and any number of additional forms. By signing one of these contracts, you also may be automatically agreeing to additional terms that are buried within hyperlinks. The purpose of this multi-part structure is to allow parts of an agreement to be updated easily without affecting the rest. However, it is important to ensure that key terms, such as fees and schedules, cannot be changed without deliberate and explicit agreement by both parties. Additionally, you should confirm that the various contracts do not contain conflicting terms and think carefully about which contract should supersede the others in case of any future conflicts between terms. For example, you may want the termination of one contract to automatically trigger the termination of other related contracts.
When do services start and when do they end?
Oftentimes, a tech vendor will need to develop, adapt, install, or take other preliminary steps before an organization can start using its new technology. Some technology may also require a testing period to ensure that it will be compatible with your existing systems. The contract should include timelines so that the parties remain on schedule during these preliminary steps. The contract should also address each party’s responsibilities, including payment obligations, before regular services begin and remedies if there are delays during the set-up phase.
It is equally important to consider when and how the contract will end. Rapid changes in technology may mean your organization needs to upgrade its systems or equipment sooner than anticipated. In the event your organization’s needs change in the future, the contract should be flexible enough to allow for modifications or even early termination of the agreement. When the time comes to end a contract, make sure that your organization will be able to access its own data that may be stored on the vendor’s equipment or systems. Contract terms can help ensure that the vendor will cooperate with transitioning your data to your internal system or to a new vendor.
Confidentiality and Data Security:
Tech vendors often have privileged access to an organization’s confidential information and other sensitive data, including information about your collection, donors, finances, and security systems. It is vital to ensure that vendors (and their employees and subcontractors) uphold high standards with respect to confidentiality and data security. Not only is this a practical security measure, but it may also be a legal requirement for your organization. If your organization collects personal information or data of employees, visitors, or even website users, you may be subject to certain legal requirements that govern how you collect and handle that data. Within your contracts, you should ensure that your vendors treat sensitive information carefully to keep your organization in compliance with applicable laws.
What happens in the event of a data leak or cyber-attack?
Unfortunately, museums and other nonprofit organizations are not immune from data leaks and cyber-attacks. The American Alliance of Museums has warned that museums should “take a when, not if approach to cybersecurity. [A cyber-attack] is very likely to happen.”[2] The average financial fallout from a data breach in the U.S. in 2024 was approximately $9.36 million, a cost which could be devastating to many nonprofit organizations.[3] The best time to address this risk is before an attack happens. Prepare for such an event by making sure that your contracts are clear about each party’s responsibilities and liabilities in the event of an attack and require your vendors to have adequate insurance coverage for the type of services they offer.
What does AI mean for tech contracts today, and tomorrow?
With the rapid rise of artificial intelligence come legal questions about copyright ownership, publicity, privacy, and information accuracy.[4] When hiring a tech vendor, your organization should find out in advance whether the vendor’s products and services rely on AI. Consider whether your intellectual property will be used to train AI models and review the vendor’s liability for AI-generated results. Organizations should ensure that their vendors are bound not only to comply with existing laws but also to comply with future laws and best practices related to AI as this field develops.
While technology contracts can be complex and come with unique risks, a well-drafted contract can help ensure your organization is able to safely and smartly benefit from exciting new technologies. If you would like assistance in negotiating a technology contract or would like to better understand the concepts outlined here, our firm can advise on the important considerations that apply to your organization.
This post published by Gonsowski Law, P.C. is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and Gonsowski Law, P.C. or any of its attorneys. The blog should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.
[1] Some vendors may agree to a contract drafted by your organization’s legal counsel, while many tech vendors will insist on using their own forms with only minimal or no changes. Even if you cannot make changes to the contract, understanding these common terms and key provisions will help you select the right vendor and protect your organization.
[2] Elizabeth Blosfield, The Art of Managing Cyber Risk for Museums, Insurance Journal (February 14, 2024), https://www.insurancejournal.com/news/2024/02/14/760618.htm.
[3] IBM Corp., Cost of a Data Breach Report (2024).
[4] E.g., Andrea V. Seikaly, Copyright: It’s Only Human (Sept. 19, 2023), https://www.gonsowskilaw.com/post/copyright-it-s-only-human.


