"Cloud computing" has been rolling in for several years now and it's clear that it's here to stay. Amazon, Apple, AT&T, Google, Microsoft and Verizon all have cloud service offerings for individuals and enterprises. Furthermore, other businesses such as Salesforce.com, GoGrid and Rackspace are focused solely on cloud computing. Service offerings include software-as-a-service (Salesforce.com), infrastructure-as-a-service (Cisco's Unified Service Delivery solution) and platform-as-a-service (to give developers the tools to build and host Web applications). The provision of these computing infrastructure and application services over the Internet has increased dramatically in popularity with IT managers and consumers. For many individuals and businesses, cloud computing is the opportunity to outsource some or all software and hardware infrastructure purchasing, installation, maintenance and upgrading in exchange for a monthly payment - this allows them to focus on their core business.
By its nature, cloud computing requires a new legal relationship between customer and service provider. Where previously, the customer would purchase and install its own software applications and hardware equipment from various technology companies, today, using the cloud computing model, the customer has the option to purchase services from one or more cloud computing service providers. So, instead of a purchase and sale agreement for software and hardware, the customer will enter into a service level agreement that defines the quantity and quality of the services to be provided and allocates the risks of cloud computing between the service provider and the customer.
What should the customer and the service provider include in this agreement? Well, that depends on the service being provided and the customer's requirements. For example, if the customer is purchasing data storage for information, then the agreement will need to contemplate the security required to safeguard the customer's information and the ability for the customer to retrieve its data. Or, if the service provider is providing software-as-a-service, then it will want to include realistic service levels for its software and ensure that it is not liable to the customer for indirect damages if those software levels are not met, such as damages for lost business, lost revenues, lost profit or loss of goodwill.
A full discussion of cloud computing agreements is beyond the scope of this blog posting, but here are five things to consider when negotiating and drafting an agreement between a cloud service provider and a customer.
1. Confidential information
If you store information with a cloud service provider, then you need to consider whether you are permitted to do so under applicable privacy legislation, your contractual arrangements with third parties and, in certain circumstances, the regulations governing your profession (such as the medical and legal professions). For example, have you entered into non-disclosure or confidentiality agreements with your customers, suppliers or partners that prohibit you from transferring information to a third party? If not and you do transfer information to a cloud service provider, then what recourse will you have if the service provider's systems are hacked and that confidential information is made available to the public or to a competing business? From a practical point of view and regardless of contractual terms, you should also consider whether your own customers will have any concerns with outsourcing arrangements made with a cloud service provider before making those arrangements.
2. Security of data
Cloud computing service providers are concerned about a variety of potential security issues: data access, data segregation, privacy, bug exploitation, recovery of data, accountability, malicious insiders, and account control. Even cloud providers are susceptible to theft, hacking, strikes, natural disasters and other factors that may result in damage or even loss of data, applications or software. Businesses outsourcing data to the cloud or building their business plan based on a third party cloud provider must have a backup or disaster plan and should ensure that they are carrying appropriate insurance coverage.
3. Export of "controlled" data
The export of certain data and technology is heavily regulated for national security reasons. For example, the U.S. International Traffic in Arms Regulations (ITAR) and the Controlled Goods Program in Canada prohibit the export of "technical data" (as defined in the ITAR). Accordingly, the customer must be diligent about the location of the infrastructure offered by their cloud service provider. Can the data being stored be transmitted without breaching such data export regulations?
4. Continuity of service
What happens if your cloud service provider ceases to provide services whether for business reasons or as a result of insolvency or bankruptcy? Do you have a backup copy of all data provided to the service provider or is the service provider obligated to return your data to you? Are there other service providers who can provide a similar software solution? If the software is unique, then an escrow arrangement with a third party escrow agent holding an up-to-date copy of the software may be advisable.
5. Enforcing your rights and dispute resolution
Is your cloud provider located in a different legal jurisdiction? If so, can you enforce your rights in that jurisdiction? For example, if the cloud provider is in a jurisdiction where intellectual property rights are difficult to enforce, if a dispute arises and the customer and the cloud provider are in different countries or states, where and how will the dispute be resolved?
Many of the above issues are dealt with in the standard forms of legal agreements used by cloud service providers. Nevertheless, you will want to ensure that any agreement deals expressly with the requirements of the customer and the service provider based on a careful analysis of the services being purchased and the type of data being transmitted or generated. Watch this space for an upcoming post regarding some of the specific contractual matters to be addressed, including the protection of confidential information.
For more information, contact Alex Kilgour in FMC's Ottawa office. Alex’s practice focuses on advising technology companies and investors in technology companies. He practises in the areas of corporate finance, mergers and acquisitions, intellectual property licensing and other technology-related commercial matters.