How to Create the Ideal VPN Agreement Template: The Complete Guide

What is a VPN Agreement?

Expressed simply, a Virtual Private Network (VPN) agreement is a contract between two or more parties for the provision of remote access to a private network or a public network, over the public Internet or other communication system. A VPN agreement is typically necessary when either the service provider agrees to provide secure remote access to the customer, or the customer agrees with the service provider to provide this access. The primary purpose for forming a VPN agreement is to safeguard the network and the data contained therein, while the primary goal of the VPN agreement is to establish the security protocols, specific functionalities and key points in this relationship. The real value of the VPN agreement to an organization is its specification of the protocols that all applicable parties must adhere to. When drafting a VPN agreement, it’s important to define terms as much as possible and to identify the parties involved so that the relationship is clearly and unambiguously defined. It’s also important to include a discussion of "acceptable use" principles for the participating parties, as this helps to alleviate any concerns about abuses. Every VPN agreement should incorporate all "user policies" including those related to support, uptime, forms of acceptable uses, etc. It is also useful to include contractual obligations, service level agreements (SLAs) and technical responsibilities for both parties.

VPN agreement essentials

A well-drafted VPN agreement must contain several essential elements to ensure that the relationship between the parties is clearly defined. Below are the key items that should be included in a comprehensive but flexible VPN agreement template:
Data protection: Since, by definition, a VPN allows two or more networks to transmit data securely across the same transmission medium, a VPN agreement must provide that the parties will comply with all applicable privacy, data breach notification and data protection laws to ensure that sensitive data transmitted through the VPN remains confidential and secure. Like all internet or mobile app services, a VPN service must comply with U.S. and non-U.S. laws concerning consumer privacy. For example, the Federal Trade Commission has brought enforcement actions against companies that failed to implement a data security program or to provide adequate privacy notices to consumers to convey how their personal information was handled.
Usage policy: A flexible but detailed usage policy element in a VPN agreement gives it the heft to enforce usage terms against a user that violates them. For example, a VPN agreement can provide a list of permitted uses, including use by third-party developers, servers that will not be permitted, and countries where use can be restricted, in addition to providing for early termination of the agreement for any violation of the usage terms or conditions.
Liability: Liability clauses are also key to protecting the VPN from potential liabilities arising from its use. For example, liability language can provide that the VPN provider will not indemnify, credit, refund or discount amounts paid by a user after a VPN incident or loss, or that it may recover any amounts paid on behalf of the user for these events. The language also can address, among other things, the time period from the incident to claim, coverage for direct damages and consequential damages, and how subrogation and third-party actions, including regulatory proceedings, will be handled.
Termination: A flexible but detailed termination provision is essential in a VPN agreement to enable the service to respond quickly to any incidents that require immediate termination. It also can define how a termination will be handled in the event of an acquisition, merger, sale of assets or bankruptcy proceeding involving either party.

Benefits of using a VPN agreement template

Using a ready-made VPN agreement template has several advantages. First and foremost, it saves time. Instead of drafting an agreement from scratch, which can be both daunting and time-consuming, employers have the option to insert their terms directly into an existing template. By avoiding the obstacle of having to research VPN agreements for hours and hours, employers can devote that time to other important tasks.
Second, using a template ensures coverage of all necessary provisions. While not all VPN agreements will contain the same terms or be suitable for all situations, the vast majority will contain the necessary provisions outlined in the examples given above. This ensures compliance with all legal standards and more importantly, gives both parties clear expectations of their obligations under the agreement.
Third, using a template ensures compliance with legal terms. As mentioned, most VPN agreements will contain provisions that are legally required, such as restrictions on trade secrets and restrictions on the use of company information. It may be difficult for an employer to remember all necessary provisions when drafting the agreement from scratch. For this reason, using a template is incredibly beneficial.

Customising your VPN agreement

While having a basic template to start from is a solid first step, businesses should not use a generic VPN agreement for their customer agreements. A VPN agreement should be customized by businesses based on the specific services and risks that their business model presents in order to protect themselves as much as possible.
For example, if a business offers a Service Level Agreement ("SLA") regarding its network availability, the business should include the SLA as a separate exhibit or in the main body of the agreement. The business should specifically indicate what the SLA covers, such as the amount of compensation that the business will provide and what type of services fall under the SLA if there is a disruption. Or the business might want to include language indicating what level of availability the service will provide (99%? 99.999%?). This is especially important if the pricing for the services will be contingent upon meeting the SLA and disruption of the services will impact the price.
If your business is required to comply with certain laws because you are working with a government entity or will be working with credit cards and PCI compliance is required, your business must include the applicable privacy requirements in the agreement. The privacy laws that are most likely to apply are HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry Data Security Standards). Both of these laws have strict requirements about how and when to report breaches, when those breaches are incurred, and who is responsible for paying for them.
The following are some examples of clauses that a business may want to fully consider including in their custom VPN agreement depending on its specific business model.
If a business chooses to use a VPN provider, the business must make sure that its service agreement specifically protects its business. It must also protect its customers when they have an outage or breach.

Legal aspects of VPN agreements

There are multiple legal issues that must be considered when drafting a "VPN Agreement". The first is the purpose of the VPN and what data will be shared via the VPN. There are also standards regarding the privacy of the user and standards for reliable network security.
Art. 29 WP Opinion of 1/2002 concerning the use of cookies: One of the most common uses of a VPN is to surf the net under a different IP address, e.g. to visit websites blocked in certain countries. However, a VPN tends to use tracking features and cookies to allow the parties to confirm the identity of the users, which may have privacy implications. The European Data Protection Working Party ("Art. 29 WP") has concluded that since a VPN can store cookies and IP addresses, using a VPN may violate EU Directive 2002/58/EC (the "ePrivacy Directive"), if the VPN is going to track users. To comply with the ePrivacy Directive, a VPN will need to obtain consent from the user prior to storing any IP address or cookie on the device or other network connected device of the user.
Art. 29 WP Opinion on data storage services on the internet: In order to comply with the Opinion’s requirements related to storage, the VPN Agreement should clearly describe what information is being stored for how long.
Global Privacy Standards: Even if the VPN is not based in Europe or not collecting or storing IP addresses, your servers may be located cross border. Therefore, your VPN Agreement should inform the user of the cross border data transfer and the manner in which the data will be transferred.
FISMA: The VPN Agreement should describe the security measures used to ensure the confidentiality and integrity of the data being transferred by the VPN. Specifically, FISMA requires that the VPN encryption is compliant. If the VPN will be used by the interested parties to transmit sensitive or classified data, have your users sign an agreement.
FISMA defines "Classified" as: "Any information, the unauthorized disclosure of which could reasonably be expected to cause damage to the national security, which has been so designated by an Executive Order or other proper authority."
FIPS 199, NIST SP 800-60: If the VPN will be used to transmit sensitive data, the VPN servers must have the appropriate security level and be registered with the FIPS. The FIPS has three levels:
• Low: "Low impact, requiring the lowest degree of protection for confidentiality, integrity, and availability."
• Moderate: "AOCI - An impact would be Confidentiality = SBU; Integrity = Limited harm & availability = alternate sites are available."
• High: "Severe impact; Confidentiality = Secret, Integrity = integrity must be protected, availability = no physical access."
Strict Liability on the Mandated Privacy Notice: Under the EU Data Protection Regulation, the data controller (website operator) is strictly liable for not providing a clear and comprehensible privacy notice to the data subjects. The VPN Agreement will serve as the privacy notice.

Mistakes to avoid

VPN agreements are important tools for outlining the terms of use, responsibilities and liabilities for both parties involved in providing and using a company’s VPN network. But like any other contract, it’s important not to make mistakes when crafting a VPN agreement. Here are some common pitfalls to be aware of and how to avoid them:

1. Alarming Terms and Conditions

While the terms and conditions for use of confidential data should be robust, ensuring that you draw up an agreement that is in tune with your employees and customers is important. If the majority of your employees are viewing data on a daily basis, it is unlikely that they will take all of the terms and conditions into account when using the VPN. If there are multiple terms relating to VPN use, make sure that these are consolidated into a concise point. It is also advisable to consult your attorneys and other professionals in drafting terms and conditions.

2. Overlooking the Need for Confidentiality

One common error of many VPN agreements is not stating the requirement for confidentiality. When creating your VPN agreement template, ensure that there is a confidentiality clause, particularly if private information will be transferred over the network. This will help preserve the notion of confidentiality if a member of staff uses their login credentials to sign into the network, but negligently leaves confidential information open on their computer.

3. Too Much on Responsibility

You should never make your employees or customers sign away their responsibility. For example, it may seem tempting to make users of your VPN solely responsible for added bandwidth and use of the VPN system. But this, in practical terms, is not enforceable. If too many extra charges are incurred by a user, it is likely that this would be found in pursuit of the agreement. Therefore, make these terms specific and manageable on the part of your employees or customers.

4. Not Defining Access

Your staff’s role determines the level of access they should be allowed on the VPN. It is advisable that you make it clear what an employee can or cannot see over the network to ensure security and maintain confidentiality of company information. This is particularly vital if your organization includes many different departments as well as executives who may have access to different information. Without clearly defined access, you may run into problems over whether a specific department had excess information.

5. Blending Personal and Professional Use

It might seem like a good idea to avoid having to draft and implement two separate VPN agreements. However, this could lead to issues later on if a user feels they are being unfairly treated by the terms of the agreement. A personal use provision or specific use agreement is crucial for your internal users of the VPN to ensure that discretion is followed where needed.

Where to get VPN agreement templates

There are numerous online resources where you can find VPN agreement templates, but it’s crucial to choose one that is reliable and adaptable for your particular needs. Reputable sources often provide templates that include both a clause-by-clause explanation and a fill-in-the-blank version for you to complete. One example is Rocket Lawyer, which allows you to customize an agreement as per your business’s specific requirements. The site walks you through each clause, explaining its purpose and importance, and then enables you to either edit or save the agreement.
Another trustworthy online provider is LegalZoom, which offers a slew of legal templates, including those for VPN agreements. The templates are editable and allow you to personalize the agreement for your specific circumstances.
It’s also worth consulting your own legal counsel for VPN agreement templates. Many law firms specializing in IT law offer blank templates or customizable legal documents for their clients. These documents are often specifically tailored to meet the legal requirements of a particular region or country, assuring both parties of effective and specific protection.
A key factor to consider when choosing a pre-made template is that it should be adaptable. You need to ensure that the agreed-upon terms align with your business operations and specific security requirements. A cookie-cutter agreement can make it difficult to enforce all terms and negatively impact your networking operations.