Practical Guidance
By: James E. Meadows, Culhane Meadows PLLC
Cloud computing is a subscription-based service that offers on-demand network access to a shared pool of configurable computer resources (e.g., networks, applications, servers, storage, etc.) that is usually hosted by the supplier and provided over the Internet. Such services can be rapidly provisioned and released with minimal transition services and management effort. Cloud services are outsourcing without a single dedicated data center. There are varying service models and deployment methods in cloud computing that provide a customer with different levels of control, flexibility, and management.
There are four primary service models in cloud-based outsourcing:
Cloud-based outsourcing is compelling for information services because it offers greater flexibility and economy. However, such solutions raise unique legal considerations including data privacy, security, and e-discovery issues. Suppliers are able to offer low cost, flexible solutions because they standardize their offerings for multiple customers. Consequently, suppliers are less likely than traditional outsourcing providers to adapt their solutions to the customer’s needs or negotiate contract terms to meet customer requirements.
Cloud deployment models represent a specific type of cloud environment distinguished primarily by ownership, size, and access. Each deployment model has varying degrees of data security, risk, and investment.
Because each cloud model offers varying degrees of flexibility, efficiency, data security, and cost savings, the customer must select the appropriate model to meet its needs and manage the associated risks. Key considerations include whether the outsourced service is business critical and the sensitivity of the outsourced data. For example, public clouds work better where the outsourced service is not critical to the customer’s business and the outsourced data is not sensitive. Customers should carefully evaluate each of the following in selecting the right cloud computing service, deployment model, and supplier:
Due diligence is essential in the selection process. See Initial Considerations in Cloud Computing Agreements (Due Diligence of the Cloud Provider).
There are a number of legal challenges and issues that arise in cloud-based outsourcing agreements that need to be carefully considered and managed in order to mitigate the risks inherent in such transactions.
Ownership/Use of Data
While the customer may assume it owns the data that the cloud service / supplier collects, uses, and processes on its behalf, the contract should detail ownership and data usage rights. Company data should be broadly defined to include all data or information provided by, or accessed or collected from or through, the company and its systems, and all data resulting from the processing, generation, or aggregation of such data or the performance of the services. The contract should also expressly limit the supplier’s right to use such data. For example, it should prohibit the supplier from using company data in aggregated, de-identified form for purposes outside of the contract and from disclosing or selling company data, even in aggregated form, to any third parties.
The security and protection of data is critical in cloud-based outsourcing agreements. The contractual requirements will vary based upon the nature and sensitivity of the data outsourced to the cloud solution. The customer should consider including the following: confidentiality obligations that encompass company data even if such data is not confidential; data encryption requirements, applicable both in transit and in storage; a right to audit security procedures and data centers; immediate notification obligations for any incidents that may compromise data and security breaches; and audit rights to assess controls and procedures for storing, handling, and transmitting data. For more information, see Privacy and Data Security in Outsourcing.
Data storage considerations impact privacy and security issues. For example, if data is accessible from, processed, or stored outside the United States, the location of such services (e.g., China, India, Russia, etc.) may increase the risk of a security breach. Moreover, the location of the data also impacts compliance with data privacy and security laws such as the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., the Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d et seq., and the EU Data Protection Directive, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG&toc=OJ:L:2016:119:TOC. Thus, consider specifying limitations on the locations where data can be accessed and stored. For example, data shall not be accessible from, transferred to, processed, or stored in any location outside the U.S.
Data Access and Portability
Data access and portability, both during the contract term and upon the expiration or termination of the contract, are problematic in cloud computing agreements. An example would be a technology lock-in position where the supplier stores the customer’s data in a proprietary format not available to, or offered by, other vendors, and then either refuses or charges a high rate to convert that data into a format that would be usable by a successor supplier. Thus, the customer should include obligations for the supplier to provide data in a specified format (to ensure it is usable) upon request at any time during the contract, regardless of whether a party is in default or breach under the agreement, and within a specified period of time upon the expiration or termination of the agreement for any reason. This will protect against customer data being held hostage by the supplier in exchange for an additional fee for access. The contract should also address how the supplier will handle customer data in the event of a government subpoena or other legal action.
Service Level Agreements (SLAs)
Most suppliers will contractually limit and restrict SLAs by referring to them as performance goals or objectives rather than contractual requirements. The customer should consider making the SLA a representation and warranty. It should also consider including specific remedies for service interruptions and outages. Such remedies should include credits, the right to conduct a yearly comprehensive review, the right to have a sit down meeting by the parties’ executives for repeated failures, and termination rights for cause if interruptions/outages are chronic or excessive. This last right should expressly excuse payment of any early termination fee and/or entitle the customer to a refund of any prepaid, unused fees. The customer should also ensure that credits are not specified as the sole and exclusive remedy for an outage, which would conflict with any SLA representations and warranties, as well as termination rights for cause. Finally, the customer should ensure that any exceptions to or carve-outs from the SLA are limited, as overbroad exclusions gut the SLA.
Service Interruptions / Business Continuity / Disaster Recovery
The contractual definition of a service interruption should be carefully reviewed, as well as the supplier’s obligations upon an interruption. For example, does a service interruption include a cyberattack or data breach? Does the agreement include a detailed business continuity and/or disaster recovery plan with specified backup procedures and data recovery mechanisms?
It is important to understand the parties’ obligations and responsibilities, including liability, in the event that the customer cannot gain access to its data due to an interruption. The contract should include the parties’ rights and obligations regarding notice of an interruption, mitigation efforts, suspension of payment provisions and/or interruption credits—with reference to SLAs as discussed above—and termination rights if the interruption cannot be cured after a specified period of time.
Most suppliers will try to limit warranties, but the customer should carefully consider including warranties regarding conformity to service descriptions and specifications; performance/SLA; compliance with laws; compliance with security requirements and obligations; and the non-use of disabling codes, viruses, and cookies or other tracking technologies.
Wind-Down / Termination Assistance
The contract should include a provision permitting a wind-down period upon termination that allows the customer to continue using the service for a specified period of time, in order for the customer to transition to another provider. Alternatively, it could require the supplier to assist in such a transition to maintain business continuity. These types of provisions usually require the supplier to maintain a specified level of service for a predefined period of time. Such a provision may also require the supplier to assist with data migration. At the end of any wind-down or termination assistance period, the contract should detail the supplier’s obligations to destroy or erase, as applicable, all data from the service and its systems.
Force Majeure Events
Force majeure events should be defined as both beyond the reasonable control of the supplier, as well as unforeseeable and unavoidable. This is an important distinction because while some events might be beyond the supplier’s control, they are not unforeseeable or entirely unavoidable. One example of this is a cyberattack. The provision should also specify that any force majeure events do not excuse the supplier’s business continuity / disaster recovery obligations. This is crucial to avoid a potential conflict of terms, because performance is generally excused for force majeure events, but there are continuing obligations under business continuity and disaster recovery plans. It should also be specified that payment obligations are excused during a force majeure event, or for prepaid services, include the right to receive service credits for each day of service interruption. Finally, the supplier should have a duty to mitigate damages, and the customer should have a right to terminate without liability if the force majeure event continues after a specified period of time. For example, the customer should be excused from the obligation to pay any early termination fee and/or should have the right to a refund for any prepaid, unused fees. For more information, see Business Continuity and Contingency Planning in Outsourcing.
Limitation of Liability
Limitations on liability should be carefully considered and should exclude damages arising from certain obligations, such as those arising from the supplier’s negligence, breach of its confidentiality / data security obligations, or failure to comply with applicable privacy and data security laws and regulations. The contract should also expressly carve out the supplier’s indemnification obligations from any specified limitations on direct damages and from any exclusion of indirect damages.
The indemnification provision should expressly include the supplier’s obligation to indemnify, defend, and hold the customer harmless, as some jurisdictions do not include the duty to defend as inherent to the indemnification obligation. The supplier’s indemnification obligations should cover breach of the supplier’s obligations to protect and secure company data, failure to comply with laws, and third-party claims alleging that access to or use of the cloud service infringes any third-party rights. It should also be specified that the contractual limitations of liability do not apply to the supplier’s indemnification obligations.
The parties’ responsibility to comply with export control regulations should be addressed in the contract as moving data to the cloud is deemed an export if such data is accessible from another jurisdiction.
Additional Terms and Conditions / Supplier’s Right to Change Terms
Depending on the cloud service and deployment model, the contract may incorporate by reference other supplier terms and conditions—specific policies, for example. Any applicable terms, conditions, and policies should be carefully reviewed so as to ensure that they do not conflict with negotiated provisions, such as remedies for SLA failures. This review should be done even if the agreement contains a provision stating that in the event of a conflict, the agreement’s terms will apply, since some courts have not effectively enforced such provisions. Furthermore, the supplier may have the flexibility to change its terms and conditions without the customer’s approval. Some suppliers will agree to a compromise in this area, such as a requirement that any changes do not degrade the service or weaken the security requirements, or that the supplier will notify the customer in writing of any changes and give the customer the right to terminate if any of the changes adversely affect the customer or the service.
James E. Meadows is a managing partner and chair of the outsourcing practice group at Culhane Meadows PLLC. Mr. Meadows is a nationally recognized leading Outsourcing lawyer focused on representing large corporate clients in a wide range of technology law matters.
RESEARCH PATH: Corporate Counsel > Outsourcing > Special Issues in Outsourcing > Practice Notes > Special Issues in Outsourcing
For comprehensive outsourcing guidance, see
> OUTSOURCING CONSIDERATIONS AND PLANNING
RESEARCH PATH: Corporate Counsel > Outsourcing > Planning and Procurement in Outsourcing > Practice Notes > Planning and Procurement in Outsourcing
For a discussion of cloud computing agreements and due diligence, see
> INITIAL CONSIDERATIONS IN CLOUD COMPUTING AGREEMENTS (DUE DILIGENCE OF THE CLOUD PROVIDER)
RESEARCH PATH: Corporate Counsel > Software and Information Technology > Cloud Computing > Practice Notes > Cloud Computing
For more information on cloud computing, see
> DRAFTING AND NEGOTIATING EFFECTIVE CLOUD COMPUTING AGREEMENTS
RESEARCH PATH: Corporate Counsel > Software and Information Technology > Cloud Computing > Practice Notes > Cloud Computing