A Checklist for Cloud Computing Deals

Cloud computing has become the technology buzzword of the new decade. A definition of cloud computing is elusive, but a working definition could be: “A service offered by vendors with large computer server networks to provide infrastructure such as processing capacity, storage for electronic data and records, software-as-a-service (“SaaS”) or provision of services such as e-mail” (see, www.opencloudmanifesto.org/opencloud manifesto1.htm).

The idea, as e-commerce and tech-company (or tech-savvy) counsel may know, is to use a multilayered network of servers and computers to provide computing and hosting power when needed ' sort of a front-end and back-office supplement and backup system without much of the in-house worries that go with those investments in IT structure.

Cloud computing can help e-commerce ventures in a variety of ways, including by allowing expansion of services and support during business peaks, such as holidays, or other seasonal or special shopping times. For expansion to cloud computing where formal contracts, or regulatory, fiduciary or other obligations are involved, e-commerce counsel will be called on to ensure all arrangements are proper and beneficial. More on that below.

The Crux of Cloud Computing

According to the Open Cloud Manifesto (see, http://www.opencloudmanifesto.org/), a consortium that promotes standards for and openness to cloud computing, the practice ' by no means new, but recently rising in prominence and use ' has several components, including:

• The ability of the customer to ramp up or ramp down as business needs require (“scalability”);
• Avoidance of overinvestment in infrastructure and unavailability of in-house resources when such resources are needed;
• Reduced start-up costs; and
• Reduced reliance on in-house computer resources.

The National Institute of Standards (“NIST”) highlights that in cloud computing, the cloud's shared pool of resources “can be rapidly provisioned and released with minimal management effort or service provider interaction” (see, Peter Mell and Tim Grance, “The NIST Definition of Cloud Computing, Version 15,” at http://csrc.nist.gov/groups/SNS/cloud-computing).

This article sets forth a number of the questions, and answers, that the parties will need to address and settle in a cloud-computing arrangement.

What's the Agreement?

Is there a single agreement with schedules for service levels and pricing, which is subject to a merger clause delineating all attachments as being within the “four corners” of the document? Or, are there references to outside documents, such as online acceptable use policies (“AUPs”) that the vendor may unilaterally change over time?

To attain a level of certainty, the customer will want to have a static AUP as a schedule to the agreement, subject to amendment only by the written consent of both parties.

On the other hand, the vendor will want some flexibility with respect to the AUP to be able to adapt it to changing circumstances.

Where Does the Data Go?

The movement of data within the vendor's cloud may involve transfer from servers in one jurisdiction to servers in another. This may invoke different jurisdictional-dependent discovery rules, privacy laws and data-transfer restrictions (particularly for data transferred out of the European Union).

The customer may want to restrict or prohibit the relocation of customer data to avoid exposure to this hodgepodge of laws, regulations and rules.

The vendor, on the other hand, will want the flexibility to use its assets in an efficient way and to take advantage of economies (such as tax perks) arising from its facilities being in various locales.

Does 'One Size Fits All' Work?

Vendors of software-related cloud-computing services often provide those services based on a model of limited, or no, customization of the software, and a fixed schedule for installing software updates and releases. This standardization simplifies the vendor's operational workload and minimizes costs.

The customer should assess whether it needs the right to have the vendor run a particular version of the software, or have software customized for the customer, and whether the software update schedule reflects the customer's needs.

In the end, the customer should realize that changes to the vendor's standard approach may increase the vendor's costs and, subsequently, the charges to the customer. Similar issues apply to refreshing of equipment during the term.

How Reliable Is the Service?

Does the agreement contain service levels for uptime and availability?

The customer will want an appropriate standard for availability, whether it refers to the customer's ability to access stored data, or to operate the application in a software-as-a-service environment.

Other service levels, such as support response time, may also be appropriate from the customer's point of view.

The customer should keep in mind that an overabundance of service levels increases management effort for the vendor and for the customer. The customer may also want to establish a regime for calculating credits based on the vendor's failure to meet the service level standards.

The vendor, if willing to grant such credits, may want them to be the customer's sole and exclusive remedies for service-level failure, without the right of the customer to seek damages for these failures.

What Are the Other Standards for the Services?

The customer will want the agreement to contain a warranty provision with standards to which the vendor is bound, such as compliance with “industry standards,” “performance in a workmanlike manner using qualified personnel,” as well as particular obligations of performance that the customer requires, including help-desk services and support.

The customer may also want specific obligations for:

• Hardware and software maintenance;
• Use of firewalls and intrusion detection;
• Monitoring and maintenance of physical security;
• Environmental requirements; and
• Frequency and duration of scheduled maintenance.

The parties will need to come to an agreement on these services and related charges. The parties also must agree on the allocation of responsibility for compliance with applicable laws, including privacy laws, as well as the extent to which the vendor is obligated to update the service to maintain such compliance.

When and How Can the Customer Get Its Data Back?

The customer will want the right to get its data back at any time, and particularly at termination of the agreement, at no charge and without any other restriction.

The vendor may seek to charge for returning data in a format other than the vendor's standard format ' and if so, the customer will want to assess whether the vendor's format allows for transition to another vendor running a different platform.

How Safe Is the Customer's Data?

For the customer, security of its data is paramount. Some customers may enter into contracts only with vendors committed to procuring SAS 70 Type II audits and/or who have attained ISO 27001 certification regarding security.

Also, the customer may want the agreement to allow the customer the option of having a “private cloud” for its data, and also the ability to restrict data access to certain groups of vendor employees.

The customer may want the vendor to commit to other standards, too, or other particular requirements for data segregation, access and encryption (e.g., HIPAA, Gramm-Leach-Bliley, and specific state information-security laws, such as those in Massachusetts).

Fulfilling any of these requirements may affect the vendor's cost of providing the service, which the vendor may seek to pass along to the customer.

The parties will also need to agree on the vendor's data backup and restoration obligations.

What if There's a Data Breach?

The agreement should address:

• How and when the customer is notified of a data breach;
• The allocation of responsibility for remedying a data breach; and
• The responsibility and cost allocation for notification of such breaches to the owners of the data (as required by state breach-notification laws and, e.g., compliance with data-breach provisions under the HITECH Act).

Also, the agreement should specify the vendor's obligations in the event of the introduction of a virus, the occurrence of hacking or denial of service attacks.

What if There's a Disaster?

The agreement should address the parties' responsibilities in case of a disaster that shuts down the vendor's data center, including the service-level agreements for return to service, and the requirements for periodic tests in which the customer may want to participate.

The customer needs to understand what the vendor's disaster-recovery and business-continuity plans are and how they mesh with the customer's.

What if There's a Dispute?

There should be a clear mechanism for resolving disputes, including an expedited process between the two parties, before going to litigation or arbitration.

Also, the customer will want there to be no circumstances under which the vendor can suspend services during a dispute.

How Much Does the Service Cost?

The pricing should be clear and complete in the agreement, presented so that it is understandable to a third party such as a judge or arbitrator, and address issues such as who bears the costs of obtaining the third-party consents necessary for the vendor to provide the service and other costs of transitioning to the vendor's service.

The customer should conduct a thorough review of its current internal costs so that comparison to the vendor's pricing is “apples to apples.”

The vendor should ensure that it has a complete understanding of the customer's requirements and the costs of meeting them.

If either party fails in this part of due diligence, a failed relationship can result. If the customer has a right to terminate for convenience, then the customer should assess the relationship of the termination fee to the vendor's unamortized costs of providing the service.

How Is Risk Allocated?

The parties will need to agree on an appropriate cap on direct damages and whether there will be any exclusions from this cap, and from the “no consequential damages” provision, such as for breaches of confidentiality and security.

The parties will also need to agree on the indemnifications given by the customer and the vendor (e.g., for infringement claims), and whether these should be without limitation.

What if the Agreement Terminates?

The agreement should address the vendor's obligations to assist the customer in transitioning to another vendor (or in bringing the service back in-house) in the event of termination, as well as the rights the customer has to buy the equipment or license the software used to provide the service.

The customer may also want a license to the software used to provide the service (which the vendor may not be able to grant) and/or have the source code placed in escrow to be released on termination (which may be impractical).

If there's an AUP as part of the agreement, then the customer will not want the vendor to terminate immediately for violation of the AUP, but will want to allow the vendor to, at most, suspend service with a cure period, while the vendor may want immediate termination to protect its network and its other customers' data.

Is It Really Your Vendor Holding The Data?

To what extent does the contract allow the vendor to subcontract the services to a third party? The customer may want approval or control over the vendor's use of subcontractors.

How Can the Customer Review the Vendor's Performance?

The customer may want the agreement to address periodic audits of charges, and have reviews of data security and performance by the customer, its representatives and those agencies with regulatory authority over the customer. These, of course, add to the vendor's costs and may also be viewed by the vendor as a distraction from the normal course of business ' the final point being one that should be dealt with before vendor protests surface.

The customer may also want the agreement to allow for periodic benchmarking to compare the services to the marketplace and require the vendor to meet the market.

Assuming that the vendor agrees to benchmarking, the vendor will likely want any benchmarking results only to trigger discussions between the parties and not be automatically binding.

Cloud computing has become the technology buzzword of the new decade. A definition of cloud computing is elusive, but a working definition could be: “A service offered by vendors with large computer server networks to provide infrastructure such as processing capacity, storage for electronic data and records, software-as-a-service (“SaaS”) or provision of services such as e-mail” (see, www.opencloudmanifesto.org/opencloud manifesto1.htm).

The idea, as e-commerce and tech-company (or tech-savvy) counsel may know, is to use a multilayered network of servers and computers to provide computing and hosting power when needed ' sort of a front-end and back-office supplement and backup system without much of the in-house worries that go with those investments in IT structure.

Cloud computing can help e-commerce ventures in a variety of ways, including by allowing expansion of services and support during business peaks, such as holidays, or other seasonal or special shopping times. For expansion to cloud computing where formal contracts, or regulatory, fiduciary or other obligations are involved, e-commerce counsel will be called on to ensure all arrangements are proper and beneficial. More on that below.

The Crux of Cloud Computing

According to the Open Cloud Manifesto (see, http://www.opencloudmanifesto.org/), a consortium that promotes standards for and openness to cloud computing, the practice ' by no means new, but recently rising in prominence and use ' has several components, including:

• The ability of the customer to ramp up or ramp down as business needs require (“scalability”);
• Avoidance of overinvestment in infrastructure and unavailability of in-house resources when such resources are needed;
• Reduced start-up costs; and
• Reduced reliance on in-house computer resources.

The National Institute of Standards (“NIST”) highlights that in cloud computing, the cloud's shared pool of resources “can be rapidly provisioned and released with minimal management effort or service provider interaction” (see, Peter Mell and Tim Grance, “The NIST Definition of Cloud Computing, Version 15,” at http://csrc.nist.gov/groups/SNS/cloud-computing).

This article sets forth a number of the questions, and answers, that the parties will need to address and settle in a cloud-computing arrangement.

What's the Agreement?

Is there a single agreement with schedules for service levels and pricing, which is subject to a merger clause delineating all attachments as being within the “four corners” of the document? Or, are there references to outside documents, such as online acceptable use policies (“AUPs”) that the vendor may unilaterally change over time?

To attain a level of certainty, the customer will want to have a static AUP as a schedule to the agreement, subject to amendment only by the written consent of both parties.

On the other hand, the vendor will want some flexibility with respect to the AUP to be able to adapt it to changing circumstances.

Where Does the Data Go?

The movement of data within the vendor's cloud may involve transfer from servers in one jurisdiction to servers in another. This may invoke different jurisdictional-dependent discovery rules, privacy laws and data-transfer restrictions (particularly for data transferred out of the European Union).

The customer may want to restrict or prohibit the relocation of customer data to avoid exposure to this hodgepodge of laws, regulations and rules.

The vendor, on the other hand, will want the flexibility to use its assets in an efficient way and to take advantage of economies (such as tax perks) arising from its facilities being in various locales.

Does 'One Size Fits All' Work?

Vendors of software-related cloud-computing services often provide those services based on a model of limited, or no, customization of the software, and a fixed schedule for installing software updates and releases. This standardization simplifies the vendor's operational workload and minimizes costs.

The customer should assess whether it needs the right to have the vendor run a particular version of the software, or have software customized for the customer, and whether the software update schedule reflects the customer's needs.

In the end, the customer should realize that changes to the vendor's standard approach may increase the vendor's costs and, subsequently, the charges to the customer. Similar issues apply to refreshing of equipment during the term.

How Reliable Is the Service?

Does the agreement contain service levels for uptime and availability?

The customer will want an appropriate standard for availability, whether it refers to the customer's ability to access stored data, or to operate the application in a software-as-a-service environment.

Other service levels, such as support response time, may also be appropriate from the customer's point of view.

The customer should keep in mind that an overabundance of service levels increases management effort for the vendor and for the customer. The customer may also want to establish a regime for calculating credits based on the vendor's failure to meet the service level standards.

The vendor, if willing to grant such credits, may want them to be the customer's sole and exclusive remedies for service-level failure, without the right of the customer to seek damages for these failures.

What Are the Other Standards for the Services?

The customer will want the agreement to contain a warranty provision with standards to which the vendor is bound, such as compliance with “industry standards,” “performance in a workmanlike manner using qualified personnel,” as well as particular obligations of performance that the customer requires, including help-desk services and support.

The customer may also want specific obligations for:

• Hardware and software maintenance;
• Use of firewalls and intrusion detection;
• Monitoring and maintenance of physical security;
• Environmental requirements; and
• Frequency and duration of scheduled maintenance.

The parties will need to come to an agreement on these services and related charges. The parties also must agree on the allocation of responsibility for compliance with applicable laws, including privacy laws, as well as the extent to which the vendor is obligated to update the service to maintain such compliance.

When and How Can the Customer Get Its Data Back?

The customer will want the right to get its data back at any time, and particularly at termination of the agreement, at no charge and without any other restriction.

The vendor may seek to charge for returning data in a format other than the vendor's standard format ' and if so, the customer will want to assess whether the vendor's format allows for transition to another vendor running a different platform.

How Safe Is the Customer's Data?

For the customer, security of its data is paramount. Some customers may enter into contracts only with vendors committed to procuring SAS 70 Type II audits and/or who have attained ISO 27001 certification regarding security.

Also, the customer may want the agreement to allow the customer the option of having a “private cloud” for its data, and also the ability to restrict data access to certain groups of vendor employees.

The customer may want the vendor to commit to other standards, too, or other particular requirements for data segregation, access and encryption (e.g., HIPAA, Gramm-Leach-Bliley, and specific state information-security laws, such as those in Massachusetts).

Fulfilling any of these requirements may affect the vendor's cost of providing the service, which the vendor may seek to pass along to the customer.

The parties will also need to agree on the vendor's data backup and restoration obligations.

What if There's a Data Breach?

The agreement should address:

• How and when the customer is notified of a data breach;
• The allocation of responsibility for remedying a data breach; and
• The responsibility and cost allocation for notification of such breaches to the owners of the data (as required by state breach-notification laws and, e.g., compliance with data-breach provisions under the HITECH Act).

Also, the agreement should specify the vendor's obligations in the event of the introduction of a virus, the occurrence of hacking or denial of service attacks.

What if There's a Disaster?

The agreement should address the parties' responsibilities in case of a disaster that shuts down the vendor's data center, including the service-level agreements for return to service, and the requirements for periodic tests in which the customer may want to participate.

The customer needs to understand what the vendor's disaster-recovery and business-continuity plans are and how they mesh with the customer's.

What if There's a Dispute?

There should be a clear mechanism for resolving disputes, including an expedited process between the two parties, before going to litigation or arbitration.

Also, the customer will want there to be no circumstances under which the vendor can suspend services during a dispute.

How Much Does the Service Cost?

The pricing should be clear and complete in the agreement, presented so that it is understandable to a third party such as a judge or arbitrator, and address issues such as who bears the costs of obtaining the third-party consents necessary for the vendor to provide the service and other costs of transitioning to the vendor's service.

The customer should conduct a thorough review of its current internal costs so that comparison to the vendor's pricing is “apples to apples.”

The vendor should ensure that it has a complete understanding of the customer's requirements and the costs of meeting them.

If either party fails in this part of due diligence, a failed relationship can result. If the customer has a right to terminate for convenience, then the customer should assess the relationship of the termination fee to the vendor's unamortized costs of providing the service.

How Is Risk Allocated?

The parties will need to agree on an appropriate cap on direct damages and whether there will be any exclusions from this cap, and from the “no consequential damages” provision, such as for breaches of confidentiality and security.

The parties will also need to agree on the indemnifications given by the customer and the vendor (e.g., for infringement claims), and whether these should be without limitation.

What if the Agreement Terminates?

The agreement should address the vendor's obligations to assist the customer in transitioning to another vendor (or in bringing the service back in-house) in the event of termination, as well as the rights the customer has to buy the equipment or license the software used to provide the service.

The customer may also want a license to the software used to provide the service (which the vendor may not be able to grant) and/or have the source code placed in escrow to be released on termination (which may be impractical).

If there's an AUP as part of the agreement, then the customer will not want the vendor to terminate immediately for violation of the AUP, but will want to allow the vendor to, at most, suspend service with a cure period, while the vendor may want immediate termination to protect its network and its other customers' data.

Is It Really Your Vendor Holding The Data?

To what extent does the contract allow the vendor to subcontract the services to a third party? The customer may want approval or control over the vendor's use of subcontractors.

How Can the Customer Review the Vendor's Performance?

The customer may want the agreement to address periodic audits of charges, and have reviews of data security and performance by the customer, its representatives and those agencies with regulatory authority over the customer. These, of course, add to the vendor's costs and may also be viewed by the vendor as a distraction from the normal course of business ' the final point being one that should be dealt with before vendor protests surface.

The customer may also want the agreement to allow for periodic benchmarking to compare the services to the marketplace and require the vendor to meet the market.

Assuming that the vendor agrees to benchmarking, the vendor will likely want any benchmarking results only to trigger discussions between the parties and not be automatically binding.