Outsourcing Contracts: Protecting Project Information

So you’ve landed a business deal. Do you know how to sign the contract and move on? Also, how should confidential data collected during an IT outsourcing project be protected?

Contract signing procedures will be covered first, followed by data protection.

Cultural Norms

Contract etiquette varies by country, with North American formalities most commonly followed when one or both parties are located in the U.S.

Here are the basics:

  • Accuracy: Read the contract and verify its accuracy and acceptability before signing it and thereby agreeing to implement its provisions.
  • Binding nature: In’s experience with entry-level Indian call center outsourcing contracts, roughly one-quarter of the Indian IT executives who sign those contracts have not read or fully understood what they are signing. They view contracts as starting points for negotiation rather than definitive commitments. For this reason, it is recommended that unproved facilities be tested with low-risk IT outsourcing programs before giving them mission-critical work.
  • Correct entities: Are the names of the firms correct?
  • Legal authority: Do you have legal authority to execute contracts for your firm? If not, find someone who does.
  • Agreement: Have an authorized official sign and date the acceptance and agreement section. Then have them print their name and title below their signature. No autopens or stamped signatures — for your own protection.
  • Initials and dates: On each of the non-signature pages, the signer should hand write their initials and the date signed. Since different countries use different date formats, the month can be abbreviated rather than given as a number.
  • Sealed: A corporate seal can be used on every page. Since American seals are usually inkless embossing devices, each page can be embossed separately if the document is to be scanned.
  • Originals: Two original identical hard copies are usually executed. If there are subcontractors, then each subcontractor might also receive an original.
  • Soft copies: To speed up the implementation process, soft copies might be exchanged via fax or scanned version, with hard copies to be sent out shortly thereafter.
  • Scanning: Individual pages are to be scanned and incorporated into the same file. 200 dpi PDF formats are currently the norm. Margins in the scanned document should resemble the original paper version as closely as possible. Close cropping prevents printing and is unprofessional. QA each scan before sending.
  • No compression: Zipping PDFs does not significantly reduce file sizes. For security reasons, many firms are now rejecting all zipped files sent to them.
  • Faxing internationally: Since India “sold” VSNL to the Tata Group for a negative price, conventional fax transmissions to India have become technically impossible from many parts of the U.S. Faxing to Pakistan is not much easier. This is leading to increased use of PDFs.
  • Implementation: Do not sign contracts that you cannot agree with or cannot implement. Be ready to answer questions about how you are implementing individual contractual provisions.
  • Some IT outsourcers will sign contracts without the necessary infrastructure in place to start the work on time. This is not ethical. It would be better to negotiate an implementation schedule that allows for the necessary infrastructure to be put in place, if the client will permit a delayed start.

Client Service

Once a contract has been signed, there are three things that clients appreciate:

  1. Constant communication: never run an outsourcing contract on stealth mode.
  2. Reporting: send reports within 12 hours of the end of operations on the previous day.
  3. Action plans: when things do not go according to plan, communicate how you are going to set things right, then implement corrective actions.

Confidential Information

The cost of managing confidential information can be controlled by only accepting confidential information on an as-needed basis. At, if we receive a document marked “confidential” that we did not request, we immediately delete it.

At Indian call centers and IT outsourcing firms, there is a tendency to classify everything, which makes it very difficult to implement confidentiality protections where they are genuinely needed. Confidentiality procedures need to be well thought out and then implemented as planned.

Newer IT firms appear to be better equipped to manage confidential information than old-line colonial-era firms or stodgy family-based conglomerates. The bad actors commonly lack procedures for labeling, segregating, and protecting confidential information. Putting in place the policies, procedures and training needed to meet data protection obligations is often an ongoing struggle at South Asian outsourcing firms.

A provision in our mutual non-disclosure agreement requires that we be notified within 48 hours of a successful hacking or virus attack against one of our IT partner facilities. The provision reads:

Each Party further agrees to notify the other Party in writing within forty eight (48) hours of any actual or suspected misuse, misappropriation, unauthorized disclosure of, or unauthorized access to one Party’s Confidential Information that may come to the other Party’s attention, and that includes unauthorized access to one Party’s computer or computers (including those of any subcontractor involved in the Relationship) containing one Party’s Confidential Information or the Confidential Information of a client arranged by one Party for the other Party. Unauthorized access may include a virus or worm that penetrates and gains access to a computer and places a back door or keystroke logger on it, or a directed hack/crack that gains access to and some control over a computer.

None of the facilities that we currently work with has been breached, but several that are seeking outsourcing contracts are routinely sending out automated attacks. To find out where attacks are originating from, go to and type in the originating IP address. Then contact the individual ISP listed.

Protection of Project Data

U.S. clients that use project management firms such as should probably exclude those firms from having access to confidential customer data, particularly health and financial data. Exceptions would be to allow for onsite inspection or call monitoring for quality assurance, in which cases project management staff should not record or copy confidential information overheard during a call.

Firms outside of the U.S. sending financial or health data back to the U.S. should encrypt that data, even if only symmetric (single-key) encryption is used. The key must never travel with the encrypted files; when a single shared key is used, transmit it out of band, for example over the telephone.

Current trends are for data to be entered on password protected databases hosted in the U.S., with no confidential data stored outside of the U.S. Another option is to set up a separate room within a call center where access is strictly controlled during operating hours.

Protection systems for project data collected overseas are far better today than they were two years ago. Many facilities have perfect data protection records.

Anthony Mitchell, an E-Commerce Times columnist, has been involved with the Indian IT industry since 1987, specializing through in offshore process migration, call center program management, turnkey software development and help desk management.
