The TIO Guidelines are based on the TIO Libre Definitions. If you are planning to move your company to TIO, follow 3 steps to assess the Service Level Agreement (SLA)
Step 1: is the TIO service open ?
Read the Service Level Agreement (SLA) and make sure that it is possible to migrate all user data including configuration and logs to an infrastructure operated by any other party. Data must be provided in a format which is fully specified and documented, and which can parsed by the user with common of the shelf software (COTS).
Using an Open TIO service gives a guarantee that your data is accessible for any kinds of audit (ex. legal, quality, data mining) and that your data can be migrated to another software or another TIO service, although tis may require much work.
Step 2: is the TIO service Libre ?
Read the Service Level Agreement (SLA) and make sure that all software required to leave and benefit from the same service on a standalone infrastructure operated by any other party is distributed as Open Source / Free Software.
Make also sure that no legal lock (ex. patent, NDA, etc.) prevent a competitor from copying and trying to provide the same service.
Using a TIO Libre service gives the guarantee that it is possible to migrate from one TIO provider to another with little effort, and that the TIO service can be customised to your needs by a third party.
Step 3: is the TIO service Loyal ?
Read the Service Level Agreement (SLA) and make sure that the service can be used by anyone anywhere with no discrimination. Make sure that no data in relation with the usage of the service can be provided to a third party either in verbatim or in anonymised form without prior explicit approval from you on a case by case basis. Make sure that you will be notified of any incidents or changes which may cause or have caused a security breach in the service or a change in the service. Make sure also that the service provider is taking take appropriate measures to enforce the SLA through its staff or suppliers and that it will disclose to you such measures upon request.
Using a Loyal TIO service gives the same level of garantee on trade secret and transparency of operations as by implementing the service yourself.
What happens if ?
- The TIO Service is not open: then you have no garantee that you can reuse the data entered by your users in the TIO service for whatever purpose (audit, migration, etc.). In a sense, there is no way to escape.
- The TIO Service is not Libre: then you have to consider expensive migration costs to change TIO provider.
- The TIO Service is not Loyal: then you can not be certain that trade secret will be respected or that the service will be provided in a transparent manner with appropriate notifications of incidents or changes.
If you find a sentence in the SLA which states something like "The data you enter will never be provided to third parties unless... <SOME CONDITION HERE>" then read carefully the part of the sentence <SOME CONDITION HERE>. It is a usual trick in legalese to write sentences in which the clause <SOME CONDITION HERE> is always true.
Make also sure that you have enough information about the Laws in the country of the TIO provider. For example, US Laws force TIO providers to cooperate with intelligence services without notifying you whenever there is a risk of corruption in international trade. Intelligence services are then allowed to provide this information to US competitors of foreign companies. The notion of "risk of corruption" is so vague and common that it is nearly a 'blanc seing' to allow massive economic intelligence on foreign corporations which are hosting their data in the USA where most TIO providers are currently located. The same legal situation exists in other countries.