{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreigpa2jxymgtsy4k3xf7fn6xdjzo6knp2eijaq2oujmvoktpvd5jqq",
    "uri": "at://did:plc:ei7bjz4znfapbhkcszctjjd6/app.bsky.feed.post/3mgrv6sxs7vn2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreicckxvk4m6lfpsi3fwuyvh2v3lyirauwu5zdyl4ovlop6ncjfxity"
    },
    "mimeType": "image/jpeg",
    "size": 141311
  },
  "path": "/article/4143641/storage-vendor-offers-a-real-guarantee-but-check-out-those-fine-print-exceptions.html",
  "publishedAt": "2026-03-11T11:21:59.000Z",
  "site": "https://www.computerworld.com",
  "tags": [
    "Cloud Computing, Cloud Storage, Technology Industry",
    "for a long time",
    "_very_ long time",
    "This Willy Wonka clip"
  ],
  "textContent": "For as long as most junior coders have been alive, tech vendors have talked up performance guarantees even though they neglect to detail just what happens if they don’t deliver as promised.\n\nI have been begging vendors to knock off these deceptions for a long time — a _very_ long time.\n\nLast week, I briefly celebrated when storage vendor Scality announced a guarantee and backed it up with a promised payment of $100,000 if it failed. So far, so good.\n\nIn its announcement, the company boasted that the guarantee did _not_ come with a lengthy list of limitations. “Unlike complex vendor programs that advertise larger amounts but are difficult to claim,” the vendor said, “Scality’s guarantee is designed to be clear, accessible.”\n\nIt argued that the guarantee was “simple” and came with “straightforward eligibility” requirements, and company execs made a lot of noise about what they were doing.\n\nIn an interview, Scality CMO Paul Speciale elaborated, dismissing other companies that deliver a “long list of stipulations and terms” and an “onerous list of conditions.”\n\nIn a statement, Scality CEO Jérôme Lecat said, “With this cyber guarantee, we’re putting our money where our architecture is. It’s a simple, direct promise that reflects the confidence we have.”\n\nGiven that we journalists are a cynical and suspicious lot, those words sounded too good to be true, so I took a look at the company’s end-user license agreement (EULA). More on that in a moment, but let’s just say my suspicions turned out to be warranted.\n\n## Read the EULA\n\nThe lesson here for IT? Always read every word in the EULA and other documents before signing any deals.\n\nLet’s start with the guarantee, which relates to customers using its Artesca storage line: “A $100,000 financial guarantee to customers if an external cyberattack destroys or encrypts data stored immutably on Artesca. The program applies to every Artesca customer without requiring the purchase of additional services. As long as organizations keep Artesca up to date and protect data using Object Lock in compliance mode, they qualify for the guarantee.”\n\nForget the fine-print limitations for a moment; even the initial offer has limits. The cyberattack must be external — somehow exempting insider attacks from this guarantee — and the attack must destroy or encrypt data. If an attacker simply exfiltrates data or even just accesses it without authorization, the customer gets no money. (This Willy Wonka clip strikes the right note.)\n\nBy the way, the absence of exfiltration was no oversight. As Speciale said, “Even with stolen or leaked credentials, we can prevent data stored immutably from being deleted or encrypted. But anyone with proper access credentials can read and therefore exfiltrate data. A deletion/encryption can be audited whereas a data exfiltration cannot be audited.”\n\nHe also said his company has mechanisms in place to make it less likely for an attack on the vendor to expose customer data. “First, our support team does not have the customers’ Artesca access credentials,” Speciale said. “Next, even if we would, our product implements MFA, so it would not be enough that the credentials are stolen. The device enabling the real-time second factor authentication needs to also be under control of the attacker, a much rarer occurrence. This would require more active participation of the person attacked by the social engineering, but again we don’t even have the access credentials for the customers’ system to begin with.”\n\nWhat other limits are in the fine print? “Customers must notify Scality within 48 hours of discovering a qualifying incident and cooperate in root cause analysis, including providing relevant logs and telemetry.”\n\nOh, really? A customer that’s just been hit with a cyberattack is going to be insanely busy those first two days. Customers could easily blow by that deadline — if they’re even aware of it — before even thinking of applying for the money.\n\nSpeciale said the 48-hour time frame is only for an initial heads up. Why the short window? “If a customer waits weeks or months to report the incident, critical system logs may be overwritten, and evidence of how the breach occurred will be lost, making it impossible to verify if the software failed or if the customer made a configuration error.” So Scality wants to see those logs to decide for itself whether the incident qualifies.\n\nThe dilution of the guarantee deepens elsewhere. The news release said the guarantee “applies to every Artesca customer without requiring the purchase of additional services.” Not exactly, given that it excludes free license customers.\n\nThe documents also limit that ethereal $100,000 to customers “with a minimum of 50TB license.” That’s not an especially onerous requirement, but it does undermine the “applies to every Artesca customer” claim.\n\nThere is also a strange exemption that kicks in if an attacker does anything _beyond_ deleting or encrypting data; the EULA says that encryption or deletion must be “the direct and sole consequence” of the attack.\n\n## How much is enough?\n\nScality also includes this interesting line in its news release: “Many Artesca customers protect 50TB or more, while investing only a few thousand dollars per year in software. For those customers, a $100,000 payout represents a multiple of their annual investment, thereby delivering very strong proportional assurance.”\n\nBut when a breach occurs that is the vendor’s fault, the issue is how much that mistake cost the customer. If a customer loses $15 million, the company CFO is not going to say, “That’s OK because we only spent $10,000 on the product.” That company is going to want full compensation.\n\nIt makes me wonder: Is this guarantee a cute way of sidestepping a civil court verdict that could easily cost far more? The EULA says: “Licensee acknowledges and agrees that the Guarantee Payment shall constitute the sole and exclusive remedy for any Qualifying Cyber Incident, and no other damages, including, but not limited to, direct, indirect, incidental, or consequential damages, shall be available to the Licensee.”\n\nAsked about this, Speciale said that other paperwork signed by the customers already blocked alternative legal mechanisms, whether by civil lawsuit or arbitration.\n\n“The guarantee is actually an enhancement, since without the Cyber Guarantee, standard commercial terms from most storage vendors, including Scality, disclaim liability for loss of data or a security breach. Our standard liability is also capped at the amount paid by the customer.”\n\nIn other words, if customers don’t read the initial documentation carefully and sign it, they have already surrendered their right to be made whole.\n\nMaybe loudly touting a guarantee that comes with an extensive list of exemptions is slightly better than offering no guarantee at all. But the underlying lesson remains: _caveat emptor_ has never been more apt.",
  "title": "Storage vendor offers a real guarantee — but check out those fine-print exceptions"
}