
Technology outsourcing has become a cornerstone of digital transformation. Whether it is IT support, data centre operations, cybersecurity monitoring, software development, software deployment, cloud migration or full-scale managed services, organisations increasingly rely on external service providers to perform functions that are critical to their day-to-day operations.
However, outsourcing contracts carry significantly higher risk than many companies realise. Outsourcing places an organisation’s systems, data, operations and sometimes even its customers into the hands of another party. If the contract governing the technology outsourcing exercise is weak, the organisation may be exposed to the risk of operational downtime, regulatory breaches, reputational damage, loss of data, or even disputes.
From our collective experience reviewing and negotiating technology outsourcing agreements across the financial services, public, insurance, media, telecommunications and technology sectors, here are the 9 most common red flags that organisations tend to overlook.
1. Vague Scope of Work
The scope of work, more commonly known as the “SOW”, is arguably the most important part of a technology outsourcing contract. It sets out the nature and extent of the services that the service provider is supposed to deliver under the contract, which in turn justifies the payment of the contract fees to the service provider. Perhaps because the SOW is more often than not structured as a schedule to a technology outsourcing agreement, it tends to be overlooked by the parties during the finalisation of the agreement.
In our experience, we have seen instances where the SOW lacks clarity on the following:
i) Precise deliverables (common issues include who should be handling the hosting of data, who should be taking care of maintenance and the procurement of consumables where applicable, whether support services are included, etc.);
ii) A clear description of the parties’ responsibilities;
iii) Exclusions from scope;
iv) The manner of delivery of the required services (whether onsite or remote, and whether the service provider needs to second its personnel to the customer’s office); and
v) Timelines and milestones, especially where a project consists of several deliverables that are expected to be delivered according to fixed schedules.
A vague and non-exhaustive SOW can result in scope creep, misaligned expectations and, worse still, finger-pointing that may well turn into a dispute.
2. Lack of Clear Transition-Out Obligations
Outsourcing is not a plug-and-play arrangement, especially in the context of technology. When an outsourcing arrangement is coming to an end, regardless of whether the customer is taking the outsourced responsibility back in-house or a new service provider is being onboarded to replace the outgoing one, some form of transition-out implementation will be needed. If this is not addressed upfront during the finalisation of the agreement, it creates ambiguity as to whether the outgoing service provider has any responsibility to assist with the transition-out. In turn, this gives the service provider room to decline to provide any transition-out assistance, or to demand additional charges to do so, beyond the budget allocated by the project team.
3. No Service Levels or Service Levels That Are Too Soft
Service levels are the backbone of measurable performance. Customers pay service providers not just to deliver their services, but to deliver them at certain predetermined or expected standards. Service levels are meant to be used by customers as yardsticks to measure whether the services delivered meet those standards. Where the service levels are badly drafted or ill-structured, such that they are not suitable as metrics for measuring the service provider’s performance, service providers can get away with underperforming with little or no consequence.
4. Weak Data Protection and PDPA Compliance Obligations
Some technology outsourcing may involve the service providers having access to personal data in the possession of the customers. In these cases, the service providers are considered the data processors of the customers, and the customers are, in turn, the data controllers vis-à-vis the processing of the personal data of the data subjects. Under the Personal Data Protection Act 2010 (“PDPA”), the data controllers bear the main responsibility for ensuring that the processing of personal data complies with the PDPA, even when some parts of the processing activities are outsourced to data processors. To ensure compliance with the PDPA, a technology outsourcing contract should contain provisions which require the service provider, among other things, to: (i) adhere to the instructions and policies of the customers relating to personal data protection; (ii) implement specific security controls; (iii) provide notification of and assistance with data breaches; and (iv) process personal data only according to the instructions of the customers and dispose of the personal data forthwith upon termination of the engagement.
5. No Governance Structure or Reporting Requirements
The effectiveness of a technology outsourcing project depends on its governance structure. Outsourcing does not mean that an organisation can blindly rely on the service provider to perform its job; it remains crucial for the customer to monitor and continuously assess the service provider’s performance. As such, it is helpful for the technology outsourcing agreement to set out clearly the governance requirements, especially the frequency and level of detail of reporting from the service provider. We commonly see larger-scale projects require the formation of a joint project steering committee by the customer and the service provider to facilitate the implementation of the project.
6. Excessive Reliance on Subcontractors
Subcontracting is fairly common in technology outsourcing. The appointed service provider will not necessarily perform all of the agreed scope of work on its own; some parts may be performed by the software principal or by related parties of the service provider, especially where the service provider is a reseller or system integrator. While subcontracting itself is not a red flag, excessive reliance on subcontractors may be a cause for concern, considering that the customers will almost never have direct contact with the subcontractors. Additionally, excessive subcontracting also presents security, confidentiality and operational risks, since sensitive data or information of the customers can potentially be accessed by companies unknown to the customers. As such, it is important for the customers’ consent to be obtained before any subcontracting is carried out, and for the customers to have an absolute right to reject any subcontracting arrangement.
7. One-Sided Liability and Indemnity Clauses
If the template agreement of a service provider is used, you should not be surprised to see heavily one-sided liability and indemnity clauses. When it comes to liability, service providers will typically try to impose a low monetary cap to keep their exposure as low as possible. Indemnity clauses will also often come with a long list of carve-outs and exceptions. From the customers’ perspective, the liability cap should be set at a level that is proportionate to the scale and criticality of the outsourcing arrangement, whether that is 100%, 150% or 200% of the contractual sum. The acceptability of indemnity carve-outs, on the other hand, will have to be carefully assessed from a legal perspective to ensure their reasonableness.
8. Intellectual Property Issues for Customised Work or Developed Solutions
Where a technology outsourcing project involves the customisation or development of certain technology solutions according to the customers’ needs, ownership of foreground intellectual property may then be subject to heavy negotiation. That being said, ownership of foreground intellectual property is not necessarily a “must” from the customers’ perspective. Depending on the nature and criticality of the customised or developed solutions, customers may not need to own the foreground intellectual property at all, as long as the right to continued usage is secured. When negotiating intellectual property clauses, it is crucial to take into account the commercial needs of the organisation, instead of blindly asking for ownership of everything.
9. No Right to Step-In
A step-in right is essentially a right for the customer to intervene and assume the responsibilities which have been outsourced to the technology service provider. Where a service provider repeatedly fails to perform its obligations under the agreement, or where the services delivered consistently and materially fall short of the agreed standards, the customer should be allowed to step in and perform the outsourced services, whether on its own or through a newly appointed service provider. This is critical where the outsourced services are mission critical and key to the business operations of the organisation, and continuity and quality of service are of utmost priority.
Technology outsourcing transforms how organisations operate. While it brings operational efficiency and flexibility to businesses, on the flip side it also creates new legal and operational risks when compared to traditional procurement deals. To ensure that organisations reap the full benefits of technology outsourcing while managing all the risks associated with the exercise, it is always advisable to engage legal professionals who are well versed in technology law and have a deep understanding of the technology industry. The risks presented in a technology outsourcing exercise are unique, so the solutions and the ways in which these risks are dealt with should likewise be carefully structured and considered to ensure the interests of the organisation are well protected.
If your organisation is embarking on a digitisation journey and is in need of lawyers who are specialised in technology offerings, you can reach out to our partners at the Technology Practice Group of Halim Hong & Quek.
Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Fintech, Data Protection, Technology, Media & Telecommunications (“TMT”), IP and Competition Law
johnson.ong@hhq.com.my