Cloud Computing Contracts
For most people, cloud computing has now become a part of everyday life. This means that businesses are increasingly pressured to move their products/services to the “cloud” to meet consumer demand. “Cloud computing” describes a range of computing concepts that involve a real-time communication network (usually the internet) which utilises a network of remote services to store and manage data. Some of the advantages of cloud computing may include:
- reduced IT costs;
- being able to access your data from anywhere;
- having access to the latest technology without large capital costs;
- scalability; and
- back up and recovery systems to ensure business continuity.
While “getting onto the cloud” could be a very beneficial move for your business, before entering into a contract you should carefully consider whether the service provider is suitable to meet the requirements of your business. In this article we have highlighted some of the common issues in cloud computing contracts. While there are a number of different deployment models for cloud services, such as software as a service, infrastructure as a service and platform as a service, the contractual issues associated with each are usually similar.
Depending on the size of your business and bargaining power, most service providers will have standard form contracts which you will be able to change. However, even where your business is not in a position to negotiate, it is important to at least be aware of these issues as a matter of risk management.
Issues and Considerations:
- How sensitive is your data and does the service provide a sufficient level of security? In addition to data security, this also involves physical security – the data is being stored in a data centre in a real physical location;
- What back-up processes are in place for business continuity?
- Does the contract sufficiently deal with the process in the event of a security breach?
- Ensure that you comply with the Privacy Act 1988 (Cth). Does the provider have clear processes in place to comply with privacy laws?
- How is the data being stored and is any sensitive data being aggregated? This may impact upon your obligations under the Privacy Act 1988(Cth);
- From 12 March 2014, the Australian Privacy Principles (APP) will introduce a number of changes which may impact upon cloud computing contracts. If you are an entity required to comply with the APPs, you should be aware that:
………– APP 8 will introduce an accountability approach to organisations’ cross-border disclosures of personal information and the entity must take
……….. reasonable steps to ensure the overseas recipient does not breach the APPPs; and
………– APP 11 requires an organisation to take reasonable steps to protect personal information it holds from interference, in addition to misuse
…………and loss, and unauthorised access, modification and disclosure.
Location of Data
- Is your data held onshore or offshore?
- If your data is held offshore, you should consider:
………– which jurisdiction’s laws will apply to the data?
………– how will this impact upon data access and recovery where the service provide is insolvent or refuses to return your information?
………– is the data restricted by law to be stored onshore?
………– will the data be subject to access by foreign government?
Cloud contracts will ordinarily contain standard confidentiality clauses. However, in some circumstances (for example, where the service provider sends its employees onsite to your premises) you may wish to request its employees to personally sign confidentiality deeds.
One issue which has been in the media recently (particularly in the United States) is the power of the government to require certain companies to release information. As such, you may also (depending on your needs) negotiate notification requirements for the service provider under such circumstances.
Most providers of cloud computing services will attempt to cap their liability to the amount paid by you. Suppliers will also generally attempt to exclude liability for any losses in using their service (e.g. loss of data, indirect loss etc.). Determining each party’s liability, and any relevant indemnities, will almost always be an area that is heavily negotiated.
The contract should state that you retain all ownership of your data/intellectual property.
Be sure to avoid “vendor lock-in”. One possible solution is to insert obligations on the provider to use best endeavours to provide you with data files in a format as agreed between the parties on termination of the contract. This is particularly important where the service provider uses proprietary storage formats.
Generally, you will also want evidence from the provider that all confidential information has been destroyed, and you may even have the right to audit the provider to ensure the provider has adhered to their obligations.
Providers will want to limit any warranties, such as any “fitness for purpose” provisions. The onus will usually be on you as a customer to do due diligence before deciding to purchase a supplier’s services or products. On the other hand, there may be important functionality you need to rely upon for your business which you may insist to be included within the scope of the contract.
Also, most cloud contracts will give service providers some flexibility to provide “updates”. These updates can sometimes remove certain functionality which could be important to you. If possible, you should negotiate a notification period before the service provider can make “functional” changes, ideally a period of 6 to 12 months or longer to allow you to migrate to another service.
While this will not apply to “off the shelf” goods/services, some cloud computing contracts will cover service levels (or have a separate Service Level Agreement) to cover matters such as:
- time services will be available;
- number of users that can be served simultaneously;
- specific performance benchmarks;
- schedule for notification in advance of network changes that may affect users; and
- help desk response time for various classes of problems.
You will need to consider what levels are required for your business and balance this with the costs of services being provided.
You may also wish to negotiate the various circumstances under which the service provider or you may terminate the contract, as well as any notice periods required for termination.
The above list highlights some of the concerns in navigating cloud computing contracts, but is by no means exhaustive. Whether you are a business looking to use cloud computing services, or a provider offering such services, should you require assistance in relation to cloud services contracts we would be happy to provide you with concise and commercial legal advice.
Our global experience, together with our highly qualified te ..
The team at GRT Lawyers has successfully managed large and c ..
Click here to read our newsletter, 'The Specialist E-Ne ..