Cloud-based services have exploded in popularity over the last decade due to their ability to provide the convenience of on-demand resources along with generating efficiencies by eliminating the need for dedicated hardware, software and ongoing maintenance. However, given the importance of information technology (IT) to most modern entities' operations, companies must balance the benefits of such outsourced cloud services with the risks associated with entrusting data and critical business processes to third parties. The rise of “big data” and business intelligence only raises the importance of a company's IT resources. Strong agreements are essential for any cloud service that supports critical IT systems. While the circumstances of each cloud implementation are different, this article provides an overview of key areas that need to be considered for any agreement to acquire cloud-based services.
Global Issues to Consider Before Review or Drafting
Understanding the Scope of the Services
Before diving into any agreement for a cloud service, it is important to understand exactly what the service is intended to do, and how it is supposed to perform (from both the technical and business standpoints). A cloud service may provide software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS) technology. Understanding the business and technical expectations on the front end will allow you to define the scope of the relationship and tailor the duties and liabilities of the parties accordingly. In general, cloud-services vendors do not sell or transfer ownership of their technology, but provide a right to use the technology subject to restrictions on its use (for example, how long you can use it, how many users may access the technology, quantity limitations, the locations where it may be used, etc.). Having a full understanding of what the vendor is expected to provide is important and will affect many provisions of a cloud-services agreement (and help order priorities for negotiation). In short, understanding the business goals will inform drafting decisions. Particular items of concern include the establishment of required interfaces, contemplating the required output, and understanding the interoperability of the service with other systems, software or databases.
What Is the Nature of the Data Being Processed?
Different data sets give rise to different concerns. Certain company financial information may trigger audit concerns; healthcare-related information may give rise to HIPAA concerns; credit-card information may give rise to PCI DSS compliance issues; and consumer financial data may trigger Gramm-Leach-Bliley issues.
Understanding the Data Flow
Once you have an understanding of the nature of the service and the data that is to be processed by the service, it is also important to understand the flow of that data. Cross-border data flows may give rise to a host of issues, from data privacy (e.g., transfers regulated by the EU Data Protection Directive) to export control restrictions. You must understand where the data being processed is coming from, where it is going, and to where it will be returned. Furthermore, it is important to understand the chain of custody of the data throughout its handling. Will the service provider be permitted to store it abroad? Will the service provider be permitted to use contractors? Will copies of data be kept by the service provider and, if so, where will they be stored and for how long? Does data need to be encrypted when at rest and when “in flight”? If encryption is required, the agreement should also say who holds and controls the encryption keys, because data encrypted with vendor-held keys remains readable by the vendor (and by anyone the vendor is compelled to give access to). Laws governing the handling of certain kinds of data may dictate the answers to these questions, but understanding the flow of the data is critical to knowing the questions that must be asked.
Items to Consider During Review and Drafting
Incorporation of Additional Terms
A common concern with agreements provided by cloud vendors is the incorporation of terms outside of the actual document that is negotiated and signed by the parties. Additional or conflicting terms and conditions may be incorporated via a website or through a vendor-published document incorporated into the services agreement. Alternatively, the vendor may require acceptance of an additional click-through agreement upon a user's log-in to the service. Either option can be problematic as the vendor may change these terms unilaterally at any time or use a click-through agreement to supersede the terms of any initial agreement. Any agreement with a cloud-services vendor should ensure that the agreement of the parties is not subject to being altered or superseded by these extraneous terms, or at a minimum, that the agreement prevails in the event of any conflict.
Service Levels and Remedies
Service levels for cloud-based services can take many forms. The most common service level is a commitment for availability, which is important as the service is worthless if it is not available for use. Availability service levels will generally contain carve-outs for necessary maintenance, but you will want to ensure that any permitted downtime is consistent with the business goals for the service (a 99.9% monthly commitment, for example, permits less than 45 minutes of unscheduled downtime in a 30-day month). Other necessary service levels should also be considered on a case-by-case basis and may include issues such as latency (i.e., how long it takes the vendor's system to respond), scalability, or responsiveness to maintenance requests. Generally, it is important to have objective and measurable service levels, prompt reporting of the actual metrics, and actual remedies. The remedies for failures to meet service levels are usually heavily negotiated. While most service-level agreements include some kind of credit or monetary component, it is recommended that any remedies for the vendor's failures to meet service levels address chronic failures and catastrophic failures of the services, while providing for an escalation path that ultimately allows for termination of the services without penalty.
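Because the customer, not the vendor, should be able to verify the reported metric, it helps to see how an availability commitment with a maintenance carve-out, tiered credits and a chronic-failure escalation actually computes. The following Python script is an added illustration, not part of the original article and not any vendor's SLA; the target (99.9%), the credit tiers, the catastrophic floor (95%), the chronic-failure rule (three misses in any rolling six months) and the outage and maintenance windows are all constructed assumptions.

```python
"""Availability SLA calculator (added example; all thresholds are assumptions).

Computes a month's availability from outage records, excluding minutes that fall
inside an agreed maintenance window, maps the result to a hypothetical credit
tier, and flags the chronic/catastrophic conditions that would trigger a
negotiated termination right.
"""
from datetime import datetime, timedelta

SLA_TARGET = 99.9          # assumed monthly availability commitment (%)
CATASTROPHIC_FLOOR = 95.0  # assumed: any single month below this triggers termination
CHRONIC_MISSES = 3         # assumed: misses within CHRONIC_WINDOW months = chronic failure
CHRONIC_WINDOW = 6
# (minimum availability %, service credit %) -- hypothetical tiers, checked top down
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


def _clip(start, end, lo, hi):
    """Length of [start, end) that lies inside [lo, hi); zero if they do not overlap."""
    s, e = max(start, lo), min(end, hi)
    return max(e - s, timedelta(0))


def measured_time(maintenance, period_start, period_end):
    """Total period minus announced maintenance (maintenance windows assumed non-overlapping)."""
    carved = sum((_clip(m_s, m_e, period_start, period_end) for m_s, m_e in maintenance),
                 timedelta(0))
    return (period_end - period_start) - carved


def counted_downtime(outages, maintenance, period_start, period_end):
    """Outage time inside the period, excluding minutes inside a maintenance window."""
    down = timedelta(0)
    for o_s, o_e in outages:
        raw = _clip(o_s, o_e, period_start, period_end)
        carved = sum((_clip(o_s, o_e, max(m_s, period_start), min(m_e, period_end))
                      for m_s, m_e in maintenance), timedelta(0))
        down += max(raw - carved, timedelta(0))
    return down


def availability_pct(outages, maintenance, period_start, period_end):
    """Availability as a percentage of the measured (non-maintenance) time."""
    measured = measured_time(maintenance, period_start, period_end)
    down = counted_downtime(outages, maintenance, period_start, period_end)
    return 100.0 * (1 - down / measured)


def credit_pct(availability):
    """Service credit owed for the month under the hypothetical tiers."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def termination_right(history):
    """True if the history (monthly availability %, oldest first) shows a catastrophic
    month or CHRONIC_MISSES misses within any rolling CHRONIC_WINDOW months."""
    if any(a < CATASTROPHIC_FLOOR for a in history):
        return True
    for i in range(len(history)):
        window = history[i:i + CHRONIC_WINDOW]
        if sum(a < SLA_TARGET for a in window) >= CHRONIC_MISSES:
            return True
    return False


def example_april_2024():
    """Constructed sample data (not real vendor metrics): one 2-hour outage that
    falls entirely inside the announced maintenance window, and one 45-minute
    outage on a weekday morning. Returns (availability %, credit %, termination right)."""
    period = (datetime(2024, 4, 1), datetime(2024, 5, 1))
    maintenance = [(datetime(2024, 4, 7, 2), datetime(2024, 4, 7, 6))]
    outages = [(datetime(2024, 4, 7, 3), datetime(2024, 4, 7, 5)),
               (datetime(2024, 4, 15, 10), datetime(2024, 4, 15, 10, 45))]
    avail = availability_pct(outages, maintenance, *period)
    # Constructed prior months; April is the third miss in the rolling window.
    history = [99.95, 99.85, 99.95, 99.8, 99.95, avail]
    return avail, credit_pct(avail), termination_right(history)


if __name__ == "__main__":
    avail, credit, terminate = example_april_2024()
    print(f"April 2024 availability: {avail:.4f}%  credit: {credit}%  "
          f"termination right: {terminate}")
```

Two things the numbers make concrete for negotiation: a single 45-minute incident already breaches a 99.9% monthly commitment once the maintenance window is removed from the denominator, so the carve-out definition matters as much as the headline percentage; and the chronic rule is what converts a string of individually small credits into a termination right, which is why it should be counted over a rolling window rather than reset each month.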
Accessibility and Data Integrity
The nature of the service, the nature of the data involved and the nature of the service's output will dictate the importance of accessibility to your company's data. In addition to general confidentiality and data security protections (addressed below), a cloud-services agreement should contemplate how and when the customer can access and retrieve its data. Will the customer be able to access and export its data at any time? Will periodic data exports be provided (and in what format)? Also, under what circumstances can the vendor suspend the services? It is very common to specifically provide that the vendor has no ability to suspend the services where the services are mission-critical. Likewise, the responsibility for ongoing data integrity should be addressed.
The agreement should properly document which party will be responsible for backup of the data and what, if any, disaster recovery requirements will apply (including committed recovery-time and recovery-point objectives). An acknowledgement of the customer's ownership of its data is also advisable, along with provisions addressing the ownership of the output of the services. Some vendors limit the use of the output, granting only a license to use the data during the term of the subscription. It may not be appropriate to limit the customer's right to use output data solely for the duration of the term if use of the data will be required for customer's ongoing business needs.
Transition Upon Termination
One of the most important provisions in any cloud-services agreement is addressing what happens when the agreement ends. Depending on the nature and complexity of the service and the data involved, appropriate provisions may require prompt delivery of all data stored by the provider or, alternatively, the provider making the data available for download. When data is to be delivered or made available at the end of the term, the format for the returned data should be agreed-upon. If data is returned in the vendor's proprietary format, it may not be usable by the customer.
Another consideration will be whether or not any professional services related to a transition should be included in connection with the engagement (as migration to a new vendor or to an in-house solution may require cooperation from the outgoing vendor). Ultimately, the company's business continuity at the end of the agreement must be kept in mind on the front end.
Confidentiality and Data Security
The nature of the data being processed will dictate what confidentiality restrictions and data security requirements should be added. At a minimum, confidential information should be identified and coupled with an affirmative obligation for the vendor to protect that confidential information. Some data (like healthcare information, credit card information or financial information) requires specific protections, so any specific standard of care should be specifically incorporated.
For services that will affect financial controls, specific audit standards related to the handling of confidential information will be required for publicly traded entities, so reporting in accordance with those standards should be required (as well as remedies in the event of the vendor's failure to comply with those standards). Another important concern is ensuring prompt notice by the vendor in the event of any data breach, particularly where any personal information is compromised (as there are various laws throughout the U.S. and abroad requiring notification to affected individuals).
Additional concerns to consider are whether or not any testing of the vendor's security is appropriate (or if the customer may conduct security testing itself) and whether the vendor will be able to use data for any other purposes (a growing trend is for vendors to request the ability to use “de-identified” data for their own business purposes; the agreement should then define the de-identification standard, since poorly de-identified data can often be re-identified).
Legal Process
The landscape for electronic discovery has given rise to broad duties to preserve information relevant to litigation. If it is foreseeable that data or services from a cloud service may ultimately be needed for litigation, a duty of cooperation by the vendor is appropriate. In addition, a customer will want to ensure that it receives notice of any third-party subpoena served on the cloud provider and that the customer has a reasonable opportunity to oppose or limit any subpoena of the customer's data and other information.
Ensuring Continued Functionality of the Services
A cloud service may be updated and enhanced during the duration of a subscription. If your company is subscribing to a particular cloud service because of specific functionality that the service offers, it only makes sense to ensure that the vendor commits to maintain that functionality during the term of the agreement. This can be done by incorporating a functional specification document as an exhibit for required baseline functionality or by a more general representation that the functionality and interoperability of the service will not be reduced during the term of a subscription.
Insurance
Cyber-risk insurance is now commonplace. Data breaches can result in not only adverse public relations, but also in fines and lawsuits by affected third parties. Where a cloud-services vendor will be handling sensitive data, an insurance requirement (addressing data breaches) should be standard.
Dealing with Organizational Changes
The restrictions required by a cloud vendor may limit (or impose additional costs on) the ability to expand use of the technology if your organization grows or requires additional services. As the customer will likely never have more leverage than at the time of the initial transaction, the customer will want to consider negotiating future needs in light of the scope of the license or services, such as price protection for any purchase of additional licenses or quantities. Likewise, what happens if your user base or demand for the service shrinks or there is a divestiture? Many cloud services lock in the customer at the “high water” mark, never allowing quantities to be reduced. An ability to adjust consumption metrics should be considered, particularly if there is a long-term commitment.
Conclusion
While far from being an exhaustive list, the items above provide a short primer on high-priority items to consider in negotiating any agreement for cloud services. As with any agreement, a strong understanding of the business objectives will greatly help in identifying “deal breakers.”
Jeffrey Kosc is a member of the Innovations, Information Technology & Intellectual Property (3iP) and Litigation Practice Groups at Benesch, Friedlander, Coplan & Aronoff, LLP in Indianapolis, IN. He can be reached at [email protected].