This tip is a part of the SearchCloudSecurity.com mini learning guide series, Cloud computing legal issues: Developing cloud computing contracts.
General wisdom provides that when venturing into a business relationship, it is prudent to enter into a written agreement that outlines the obligations and responsibilities of the parties. Cloud computing services are no different. No matter how fast or easy it is to enter into a contract for cloud services, there are essential terms and provisions to which the parties should pay great attention. Here are 10 key provisions for cloud computing contracts.
1. Modification to the contract terms
First off, scrutinize the cloud service provider’s ability to change the terms of the contract. Many cloud service agreements allow the cloud service provider to change, at any time and without advance notice, the terms of the contract, the fees and rate structure, or the services provided. Imagine renting an apartment where the landlord can at any time turn off electricity, remove the windows, or shut off the elevator!
2. Description of the service
Make sure there is a clear description of the cloud service. This should include the type of services provided, the functionalities to be achieved, and whether and how they will evolve during the life of the contract. Many contracts grant the vendor the freedom to add or remove features. Cloud customers may need to ensure some stability; for example, the ability to continue using the features or version of an application that are most appropriate to their operations.
Service level agreements (SLAs) are an essential part of the contract. They define when the service will be available, and when interruptions are permitted or to be expected. They also identify how the customer will be compensated for interruption in service.
3. Limitation on the use or reuse of the data
Customers will want to limit access to and use of their data by the cloud provider unless strictly required for the provision of the services. This requirement may stem from applicable laws, such as HIPAA, GLBA, or foreign data protection laws, and it may make sense. The cloud provider is intended to be a host or a facilitator; it should not be using the customer’s data for its own benefit, unless specifically permitted by the customer.
Also of particular importance is the location of the data. The parties should agree on the location of the data, because location is likely to determine which law applies to the data. For example, if the cloud provider transfers personal data to a server located in Argentina, Belgium or Canada, the data will be subject to the local laws of those countries. And the data protection laws of these countries contain very specific provisions limiting how personal data may be transferred out of the country.
4. Confidentiality and security requirements
Cloud customers should also ensure the confidentiality and security of the data. In many cases, they will also want to be promptly informed of any breach of security that may have affected their data. Appropriate provisions that address the vendors’ confidentiality and security obligations, and allocate liability among the parties are essential.
5. Intellectual property rights
Intellectual property right issues may appear in many different forms. Some services may allow for the posting or publication of the user’s photos, video clips, poems or other content. When the service is provided at no cost, it’s likely that the related contract may grant the hosting provider a royalty-free license to use this content.
Some cloud services may involve granting the user a license to the cloud provider’s intellectual property. This license may be very narrow. For example, it may be limited to the use of the technology or application, and prohibit any modification. As a result, the user may only be able to use generic, standardized features, and may be barred from developing customizations that would make its use of the service easier or more efficient. The service may grant access to a database, but strictly limit what the customer can do with the information contained within the data.
Thus, it is very important for the cloud user to understand the precise scope of the licenses granted to each other’s intellectual property. The scope of the license granted or received may be a crucial element when balancing the pros and cons of entering into a contract for the service.
6. Representations and warranties
Representation and warranty clauses contain statements by a party on which the other party may rely. There are specific remedies if the statements or promises made are untrue or not fulfilled. The party who relied upon the statement or promises is entitled to damages from the other party. Representations and warranties in cloud services contracts may address, for example, where or how the services will be performed, the qualifications of the individuals performing the services, the reliability of the technology used to perform the services, or ownership of intellectual property rights.
7. Indemnification
Indemnification provisions identify how one party will compensate the other for a loss incurred as a result of the indemnitor’s acts or omissions. For example, a cloud service provider may agree to indemnify the customer if the technology used to provide the services infringes or misappropriates a third party’s intellectual property rights. A customer might agree to indemnify the cloud provider if it is faced with a third party’s claim that arises out of the customer’s negligence, misconduct or violation of law.
8. Limitation of liability and damages
Limitation of liability clauses are among the most negotiated. They are critical because they determine the extent of the damages that a party may have to pay, or may receive, in the event of a breach of contract, or other act or omission.
9. Term and renewal of the contract
Make sure you know when the contract ends and whether and under which conditions it may be terminated or extended. Often wrongly neglected when the parties enter into the contract, these clauses are highly scrutinized when disputes arise. For example, the contract may give the vendor the freedom to terminate the contract at any time and for no reason. Or it could automatically renew the contract for another term if the customer fails to inform the vendor within a certain window of time. The unexpected termination or extension of the contract could cause significant loss to the affected party.
10. Effect of termination
It’s not enough to know when the contract will terminate. Make sure you anticipate what will happen upon termination of the contract. What will happen to the data? How can it be retrieved? In which form and format? Will the service provider be required to keep the data on its systems during a transition period?
It can be easy to sign on with a cloud provider, but companies that don’t pay attention to these cloud computing contract provisions may pay a steep price. Take the time to make sure your company’s interests and data are protected when contracting with a cloud service. In future articles, we’ll examine how some cloud computing contracts address -- or fail to address -- the provisions outlined above.
About the author:
Francoise Gilbert is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She focuses on information privacy and security, cloud computing, and data governance. She has been named one of the country’s top privacy advisors in a recent survey and has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyzes the data protection laws of 60-plus countries on all continents. She serves on the board of directors of the International Technology Law Association and on the Technical Board of Advisors of the ALI-ABA. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.