For service providers operating outside of US soil, managing data properly and securely can be the defining factor for even being considered as an option for third-party partnerships.
The regulatory landscape has grown more difficult to traverse in the US. Service providers should become acquainted with the ins and outs of that terrain, with its safe roads and pitfalls, if they wish to steer clear of reputational catastrophe or, even worse, legal hot water.
For this Q&A session, NSAM spoke with Carlos Melendez, Co-Founder and COO at Wovenware, a software development and AI firm based in San Juan, Puerto Rico. As a businessman, lawyer and software engineer, Carlos has a deep understanding of the tech services industry and the challenges it faces from US regulators.
From the main data concerns among US companies and their perceptions about third-party providers, to the finer legal details of data mismanagement cases and even where Puerto Rico stands in the onshore/nearshore spectrum, Carlos paints a picture which illustrates both the growing complexities in the IT services sector and the opportunities arising for alternative geos to seize.
NSAM: In cases of data mismanagement in cross-border contracts, who’s legally accountable?
Carlos Melendez: The owner of the data is accountable for the data. I’m also a lawyer, and that’s a simple answer to the question.
You can transfer part of that responsibility to your providers through a contract, but if someone will sue a company, they’ll start with whomever owns the data.
Data ownership is, I believe, non-transferable. You as a company can gather that data. Your customers gave it to you, trusted in you, so it’s on the company, on the owner of the data, to handle it responsibly and handle it as it should.
NSAM: Liability tends to fall on the client instead of the service provider then?
Carlos Melendez: Liability falls on whoever owns the data, which [in service contracts] tends to be the client.
NSAM: Is there a way that partial ownership of data can be negotiated in a contract?
Carlos Melendez: This is a legal question. It can happen. Let’s take, for example, financial services; credit card transactions specifically. There’s a lot of regulation if you gather payments and store credit cards. Let’s say a provider [of financial services] has a website where payments are managed. But this provider outsources its payment solution. If the company states in its terms of use that it hired another company to process payments and that such company is responsible for payment information, I think liability would fall on the [third-party] service provider if legal trouble arises. But the terms of use and the contracts would have to be very clear about the situation.
NSAM: In the case of cloud service platforms, is it usually the provider of the service who owns the data? Or does it belong to the client, with the cloud serving only as a place for storage?
Carlos Melendez: Cloud providers, particularly the bigger, more established ones, shouldn’t have access to the data, or they outright have no access to it. It’s not theirs, they can’t do anything with it.
NSAM: Are data management and compliance an obstacle for companies, specifically in the US, whenever they consider outsourcing their tech needs offshore/nearshore?
Carlos Melendez: It is a very important concern. Some companies historically haven’t taken it as seriously as they need to, but at some point they understand that this is an issue of high risk for them. Then they begin to make some changes in either how they contract or in the work they outsource to other companies, or even how they manage their relationships with vendors outside of their national territory.
NSAM: So they’re being selective when it comes to the sort of work they send offshore/nearshore. What sort of work do US companies tend to outsource?
Carlos Melendez: It depends. Take, for example, telecommunications, where there’s a lot of data that is highly regulated and which cannot leave US soil. In that case, the client will manage systems which don’t touch recorded data from calls, or billing records, or other information that is highly regulated or which falls under the label of PII [personally identifiable information]. Whatever system does not require handling any data of this sort, that tends to be their choice.
If it’s a project that has PII or other kinds of sensitive data, the client will either do it internally or hire someone within their own territory.
NSAM: In service contracts, is there well-established language for data management and security provisions?
Carlos Melendez: It is evolving. We signed contracts last year in which customers from highly regulated industries began including addendums to the regular services contract. Data management addendums, which companies have made clear are non-negotiable, that their terms have to be followed. Every vendor needs to follow the same, exact rules on how they will manage their data.
NSAM: In the case of industries which aren’t as highly regulated, are contractual provisions for data management more lax?
Carlos Melendez: They are, because regulation isn’t as heavy. Those clients are not thinking [about data management] the same way a telco or a healthcare company would. I think they see their data more as an asset, a differentiator. They would like to protect it, but the driving force behind that desire to protect isn’t regulatory, which is scarier for other companies, and that leads them to do more to protect their data.
NSAM: In cases where regulation isn’t as lax and providers are allowed to handle sensitive information, who stores the data in their premises?
Carlos Melendez: At Wovenware, we try to follow an approach to take better care of our customers’ data. That said, we almost always try not to store customer data.
What we usually do is help customers spin a server or data storage specific to the purpose we will use that data for. We then remotely access that storage, and when we finish our project, we ask the customer to decommission and delete those servers, which won’t be needed anymore.
You want to make sure those assets are protected. And if the data isn’t needed anymore, you want to make sure to delete it from where it’s been stored.
NSAM: Is Puerto Rico considered nearshore in relation to the US?
Carlos Melendez: By definition it should be onshore, because it is part of the US. As a go-to-market strategy for us [at Wovenware] we use the term “nearshore” because it drives the message that we’re an outside provider, which brings several benefits with it.
NSAM: How does Puerto Rico compare in pricing with other territories in the US? Discounting hot markets like San Jose [California], New York City and Seattle, of course.
Carlos Melendez: We believe Puerto Rico is about 20% or 30% less expensive than other cities in the US.
NSAM: How does Puerto Rico compare with other territories offshore and nearshore? I’m speaking of India, Mexico, Brazil, Colombia.
Carlos Melendez: Puerto Rico is probably more expensive than those territories. How much more? I’m not sure, because prices for nearshore providers have gone up very rapidly in the last few years. Still, Puerto Rico might be a bit more expensive than those cities.
NSAM: If Puerto Rico isn’t as affordable as offshore and nearshore alternatives, what’s Wovenware’s sales pitch then?
Carlos Melendez: There is a very unique value proposition in Puerto Rico, and it is doing work for highly regulated industries in the US, where offshoring and nearshoring are not the best options, or not even very good. In those cases, Puerto Rico still offers a price advantage over other US territories.
NSAM: How do companies in other US territories see providers in Puerto Rico? Do they even consider Puerto Rico as an option?
Carlos Melendez: Every day, more companies are realizing what Puerto Rico is and the benefits that it can bring. You can see this not only in the companies who contract our services, but also in those that are moving some of their development centers to Puerto Rico. I’m speaking of highly regulated industries, like defense contracting, life sciences and financial services.
NSAM: Is extreme weather a concern for providers and potential investors eyeing Puerto Rico as an option to set up operations?
Carlos Melendez: After Hurricane Maria hit Puerto Rico in 2017, I think there was some concern over that. I think the pandemic showed us that this can happen anywhere, not only in tropical islands. Every area in the world has its challenges. There are forest fires in California, extreme weather in other parts of the East Coast.
What our customers were able to see and benefit from was that we were able to handle these natural disasters. That put us in a very unique position to be able to handle the pandemic without greater challenges. A lot of our customers asked us to train them on how we were running our operations and the procedures we had in place to keep things running.