But the starting point for most cloud contracts is usually the cloud provider’s standard terms and conditions, which are favorable to the cloud provider and designed for high-volume, low-cost, commoditized services. In order to avoid unwanted surprises, companies should consider addressing the following five issues in their cloud contracts:
Cloud providers almost universally exclude or disclaim all liability for “outages” and “data loss.” Companies need to assess the type of information or data that will reside on the cloud and construct an appropriate liability provision. If properly negotiated and presented, cloud providers will accept liability—but it is typically limited by amount (with a damages cap) and type of damages (with exclusions for indirect, consequential, punitive or other special damages). Cloud providers will typically propose a damages cap that references the amounts paid by the company in total or over a specified period (e.g., 12 months).
As with the Limitations on Liability issue, companies need to assess the type of information or data that will reside on the cloud and construct appropriate service levels. Assuring business continuity and disaster recovery (i.e., integrity and availability of cloud data and applications) are usually what is most important to companies. Depending on the type of data or applications that reside on the cloud, companies also need to consider other service levels, such as uptime/availability and restoration of data (including specifying both a recovery point objective and a recovery time objective). Note that many cloud providers reference service levels by linking to a website for details. Companies should clearly establish whether the service levels and other key terms can be amended by the cloud provider and, if so, whether the company will be provided notice and/or a right to terminate for substantive changes in the service levels.
Companies typically focus on what physical and other security processes and procedures a cloud provider employs to ensure that their data or applications are secure. Since cloud providers use a shared infrastructure (with multiple clients), cloud providers are not typically willing to provide details of their security policies to their clients or allow site visits. In addition, in contrast to most other technology services contracts (e.g., outsourcing contracts), cloud providers will not agree to comply with a company’s security policy because where multiple users share standardized infrastructure, it becomes difficult to comply with each company’s security policies, which likely contain different, and possibly conflicting, requirements. Depending on the sensitivity of the data or applications, a company may want to specify certain requirements (e.g., encryption of data and connections).
In most technology services contracts, a company will have a number of termination rights and a service provider’s right to terminate will be limited to non-payment. In most cloud contracts, however, cloud providers have a broad array of termination rights including an immediate right to terminate or “suspend” services for material breach, breach of acceptable use policies (AUPs), or upon receipt of allegations regarding breach of a third party’s intellectual property rights. From a company’s perspective, the trigger for each of these rights needs to be defined as objectively and precisely as possible. In addition, companies should insist on standard termination rights—breach, change of control, breach of confidentiality, or intellectual property rights.
In tandem with negotiating appropriate termination rights, companies should also focus on what happens on termination or expiration of the cloud services contract. Although most cloud providers do not offer any termination assistance services, companies should focus on data availability and data portability. Specifically, companies should specify in the cloud services contract how long (after termination or expiration) the data will be available on the cloud provider’s systems. The standard protocol for most cloud providers is to delete all data immediately or after a short period (30 days); longer periods must be specifically negotiated. Companies should also specifically negotiate how and in what format the data is returned. Data portability is often overlooked and companies run the risk of depending on one cloud provider’s proprietary service. If the service is terminated, ideally a company should be able to recover all its data in formats that are easily accessible, readable and portable into other applications. Most cloud providers will commit to return a company’s data in a standard format (typically CSV) on termination, but to avoid unwanted surprises, the format of the data should be specified in the cloud services contract.