
How do we cover ourselves legally when offering an API solution?

jaxjags asked:
Without providing too much detail publicly... we are a small company that has been asked to craft an API into our system for clients to make updates from their existing software platforms into ours. We have developers that have created most of the API infrastructure that is needed. However, my question is, from a business standpoint, should we be forcing these interested 3rd parties to sign confidentiality agreements before reviewing the technical documentation that has been created? Should an agreement / contract be created and signed before any work occurs? Are there any best practices when going through this process? This is not our core business function, and we are looking for direction to make sure we have covered ourselves legally as well as from an operational and security standpoint. Any feedback or guidance would be appreciated.
Scott Fell, Developer & EE Moderator (Fellow 2018, Most Valuable Expert 2013)

Commented:
As it is not likely any of us are attorneys, that question would be best left up to your own attorney.

With that said, you can ask people to sign an NDA. You do need to think about both sides: not only what may make you liable, but also what would make them liable.
Enterprise Business Process Architect
Commented:
Your essential concern is the loss, compromise, or dissemination of company-confidential methods and data as well as the data of your clients.

Are you exposing your API as a web interface?  Or is your API a set of compiled libraries actually sent to the customer(s) in question?
This could significantly change the legal specifications of any agreement between your organization and the customer(s).

In either event, have data leakage and authentication tests been performed by a disinterested third party to ensure your company's exposure is minimized as much as is reasonably possible?
Are these tests formally documented, reviewed, and approved by the executive management of your company?
Are you charging a fee/annual subscription for use of the API?  If not, WHAT THE HELL?!  Er...I mean... if this is providing value to your customers and simplifies some portion of their business, you will need to somehow fund the continued improvements and available features of the API.

If I were to draw on certain expertise in these areas, I would look to Salesforce and review their agreements as a roadmap/template for protecting intellectual property while mitigating the risk your organization is exposed to with the release of an API.