Drafting and Negotiating Effective Cloud Computing Agreements

Posted on 11-30-2015

By: Michael R. Overly, Foley & Lardner LLP.


Cloud computing involves accessing a provider’s software and infrastructure remotely and often includes storing the customer’s data with that provider. To that end, cloud computing agreements have some similarity to traditional software licensing agreements, but often have more in common with hosting or application service provider agreements. As such, the most critical issues and concerns that arise with hosting and application service provider agreements are equally applicable to cloud computing agreements.

In a traditional software licensing or hardware purchase engagement, the provider installs the software or equipment in the customer’s environment. The customer can have the software or hardware configured to meet its particular business needs and retains control over its data. In a cloud computing environment, the software, hardware, and the customer’s data are hosted by the provider, typically in a shared environment (i.e., many customers per server), and the software and hardware configuration is much more homogeneous across all customers. Accordingly, the customer’s top priorities shift from configuration, implementation, and acceptance to service availability, performance (i.e., service levels), and data security and control. However, like a traditional software licensing agreement or hardware purchase agreement, provisions such as insurance, indemnity, intellectual property, limitations of liability, and warranties remain important.

Key issues to consider when drafting and negotiating cloud computing agreements include:

  • Service availability
  • Service levels
  • Data – security, redundancy, ownership and use rights, and conversion
  • Insurance
  • Indemnification
  • Intellectual property
  • Limitation of liability
  • Implementation
  • Fees
  • Term
  • Warranties
  • Publicity and use of the customer’s trademarks
  • Assignment
  • Post-execution ongoing provider assessment
  • Final risk assessment

Service Availability

A customer needs to continue to operate its business and have access to its data at all times. The customer must ensure that it has the proper contractual protections to address the various risks relating to service availability.

The customer may have no or limited access to the provider’s services (which may be supporting a critical business function) and, perhaps more importantly, no access to its data stored on the provider’s systems if the provider stops delivering services to the customer, perhaps due to

  • a server being down,
  • the failure of a telecommunications link,
  • a natural disaster causing damage to the provider’s data center,
  • the provider withholding services because of a fee dispute, or
  • the provider closing its business because of financial difficulties.

Service Levels

Appropriate service levels are needed to ensure that service availability is aligned with the customer’s expectations, and should be delineated in the agreement. Also, the appropriate remedies should be available to ensure that the provider is incentivized to perform in accordance with the agreed-upon service levels. See Service Levels later in this article for uptime service level and the corresponding remedies.

Customer Data

Appropriate data protection provisions should be included in the agreement, including a provision that explicitly specifies the customer’s ownership of any information stored by the provider for the customer, and a provision that requires the provider to (1) perform regular data backups to an off-site storage facility and (2) either deliver periodic copies of all data to the customer or provide the customer ongoing access to such data. See Data – Security, Redundancy, Ownership and Use Rights, and Conversion later in this article for data ownership and redundancy in more detail.

Disaster Recovery and Business Continuity

Customers should include disaster recovery and business continuity provisions requiring the provider to demonstrate and promise that it can continue to make the services available even in the event of a disaster, power outage, or similarly significant event. In the event of a prolonged outage, continuity of services should be provided through a secondary server, data center, or provider, as appropriate.

Too often the customer does not request these provisions or, even if it does, it does not read the actual provider policies and procedures. The customer should review any related provider policies and procedures, and obtain contractual assurance regarding disasters and continuity. A sample provision of what the customer should ask of the provider is below.

Provider shall maintain and implement disaster recovery and avoidance procedures to ensure that the Services are not interrupted during any disaster. Provider shall provide Customer with a copy of its current disaster recovery plan and all updates thereto during the Term. All requirements of this Agreement, including those relating to security, personnel due diligence, and training, shall apply to the Provider disaster recovery site.

Withholding of Services

In any cloud computing agreement, the customer should request a general provision prohibiting the provider’s withholding of services. The provider should not withhold services because of a fee dispute. An example provision is provided below.

Provided Customer continues to timely make all undisputed payments, Provider warrants that during the Term of this Agreement it will not withhold Services provided hereunder, for any reason, including but not limited to a dispute between the parties arising under this Agreement, except as may be specifically authorized herein.

Bankruptcy; Financial Wherewithal

Typically, an agreement may include a provision providing the customer the right to terminate the Agreement in the event of a provider bankruptcy, and include a separate provision requiring the provider to assist in transitioning the services to a third party provider or to the customer in the event of expiration or termination of the Agreement. However, once the provider has declared bankruptcy, the provider’s ability to assist the customer will be limited.

If a customer is not confident of a provider’s financial stability, the customer should consider adding a provision that enables the customer to identify issues in advance. For example, a provision requiring the provider to deliver periodic reports on its financial condition enables the customer to assess ahead of time whether the provider will be able to continue to provide services. If the customer identifies any issues, it has an opportunity to take the appropriate action to minimize any negative impact. Provided below is a sample provision.

Quarterly, during the Term, Provider shall provide Customer with all information reasonably requested by Customer to assess the overall financial strength and viability of Provider and Provider’s ability to fully perform its obligations under this Agreement. In the event Customer concludes that Provider does not have the financial wherewithal to fully perform as required hereunder, Customer may terminate this Agreement without further obligation or liability by providing written notice to Provider.

In-House Software Solution

In the event that a provider stops providing infrastructure services, the customer may be able to switch to another third party provider with comparable services or purchase the required equipment to replace the infrastructure services. However, the provider’s software services may be unique and more difficult to replace. Therefore, for critical applications provided as a service, the customer should consider requiring the provider to make available or develop an in-house solution. A simple example of such a provision is below.

Customer may desire to license from Provider the necessary software and other technology (the “In-House Solution”) to directly provide, maintain, and host the Software and related Services from Customer internal facilities or those of its agents. Customer may, in its discretion, elect to license the In-House Solution at the end of the Initial Term or any Renewal Term. In such event, after transition to the In-House Solution, the hosted portion of the Services shall terminate and the fees adjusted accordingly. Nothing in this Agreement, however, will be deemed or interpreted as a commitment on the part of Customer to deploy the In-House Solution.

The inclusion of this provision is very much dependent on the nature of the software provided as a service. The more critical the application, the more important it becomes that the provider be required to develop a long term in-house solution.

Service Levels

One of the most critical aspects in drafting and negotiating a cloud computing agreement is establishing appropriate service levels in relation to the availability and responsiveness of the services. Because the software and infrastructure are hosted by the provider, outside the control of the customer, service levels fulfill two main purposes:

1. Service levels assure the customer that it can rely on the services in its business and provide appropriate remedies if the provider fails to meet the agreed service levels.

2. Service levels provide agreed-upon benchmarks that facilitate the provider’s continuous quality improvement process and provide incentives that encourage the provider to be diligent in addressing issues.

The most common service level issues that the customer should address are:

  • uptime,
  • service response time,
  • simultaneous visitors,
  • problem response time and resolution time,
  • data return, and
  • remedies.

Uptime Service Level

The provider must provide a stable environment where the services are available to the customer at least during the customer’s normal business hours, if not 24/7. Thus, the provider should agree that the services will have an uptime, or availability, of a certain percentage, during certain hours, measured over an agreed-upon period. An example of this type of provision is:

Provider will make the Services Available continuously, as measured over the course of each calendar month period, an average of 99.99% of the time, excluding unavailability as a result of Exceptions, as defined below (the “Availability Percentage”). “Available” means the Services shall be available for access and use by Customer. For purposes of calculating the Availability Percentage, the following are “Exceptions” to the service level requirement, and the Services shall not be considered Un-Available, if any inaccessibility is due to: (i) Customer’s acts or omissions; (ii) Customer’s internet connectivity; and (iii) Provider’s regularly scheduled downtime (which shall occur weekly, Sundays, from 2 am – 4 am central time).

The specific service level targets depend on the facts and circumstances of each case, including the relative leverage during negotiation. Customers should not simply accept the default provider positions on uptime percentages, measurement periods, and exceptions, but should instead negotiate terms that address the customer’s business needs. A customer should carefully consider the outage measurement window (e.g., daily, monthly, quarterly). Providers tend to want longer measurement periods because they dilute the effects of a downtime, and thus make remedies less available to the customer.

As part of the SLA (service level agreement) obligations under the cloud computing agreement, customers should receive written documentation of a provider’s scheduled downtime and ensure the window creates no issues for the customer’s business. Customers may also request the provider be proactive in detecting downtime by explicitly requiring the provider to constantly monitor the “heartbeat” of all its servers through automated “pinging.” This requirement should allow the provider to know very quickly that a server is down without having to wait for a notice from the customer.

The concept of “unavailability” should also include severe performance degradation and inoperability of any service feature. See Service Response Time Service Level below.

Service Response Time Service Level

The response time service level is closely related to and often intertwined with the uptime service level. The response time service level sets forth maximum latencies and response times for a customer’s use of the services. Services that fail to provide timely responses to its users are effectively unavailable. As with the uptime service level, the specific service level target depends on the facts and circumstances of each case, including the complexity of the transaction, the processing time required, and how critical speed is to achieving the customer’s business objectives.

For example, if a customer is accessing services over an Internet connection, then it should set the service level in terms of the Keynote Business 40 Internet Performance Index, which measures the average download time for 40 important business websites. This index is designed to provide a real-world means of assessing the impact of using the Internet to access information at well-known sites. Since certain areas of the Internet may be operating more slowly than others (e.g., because of heavy traffic or technical issues), the index is designed to take the average of response times using test sites set up over the country. This provides a better representation of response times, in general, of known websites. However, if the services are accessed over a leased line, then the Keynote Business 40 Internet Performance Index should be replaced with some other measure or by imposing a response time requirement measured at the provider’s external router.

An example provision for a response time service level is:

The average download time for each page of the Services, including all content contained therein, shall be within the lesser of (i) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index (KB40) or (ii) two (2) seconds.

In the event the KB40 is discontinued, a successor index (such as average download times for all other customers of Provider) may be mutually agreed upon by the parties.

If the provider does not commit to a service response time service level, then the customer should ask that the provider at least share its history of response time measurements. The customer should also establish some ongoing management of risk in this area, such as conducting an end user satisfaction survey and requiring the provider to take action to improve any dissatisfaction with respect to service response.

Simultaneous Visitors Service Level

If the customer expects the services to support many simultaneous users, which is usually the case, then a service level should be included to explicitly specify that requirement. The customer should conduct an assessment and calculate the average number of users that it expects to use the service at any one time. That number could be a few dozen or tens of thousands. The customer should write the service levels to ensure that the provider’s services are capable of supporting that number of users while still achieving all service levels.

Problem Response Time and Resolution Time Service Levels

The customer must include in the agreement the provider’s obligation to timely resolve service level issues. Providers often include only a response time measurement, meaning the time period from when the problem is reported to when the provider notifies the customer and begins working to address the issue. These obligations typically fall short of what is necessary. Customers should include a resolution time measurement, meaning the time period from when the problem is reported to when the provider implements a fix or acceptable workaround.

Data Return Service Level

For services involving a critical business function or sensitive customer information, the customer should also add a service level that measures the time period between the customer’s request for data and the provider’s return of such data. This incentivizes the provider to deliver the customer data in accordance with those time-frame requirements, and provides additional assurance to the customer that it will be able to operate in the event that the provider stops providing services.

Remedies

Typically, remedies for failure to hit a service level start out as credits toward the next period’s service. For example, a remedy might provide: for every X increment of downtime below the agreed-upon level in the measurement period, or for every Severity Level 1 support issue that the provider does not resolve within the stipulated time, the customer receives a credit of 5% of the next month’s bill, up to a maximum credit of 75%.

The remedies should scale such that if repeated failure occurs, the customer should have the right to terminate the agreement without penalty and without having to wait for the current term to expire. Such a provision may read:

In the event the Services are not Available 99.99% of the time but are Available at least 95% of the time, then in addition to any other remedies available under this Agreement or applicable law, Customer shall be entitled to a credit in the amount of each month this service level is not satisfied. In the event the Services are not Available at least 95% of the time, then in addition to any other remedies available under this Agreement or applicable law, Customer shall be entitled to a credit in the amount of each month this service level is not satisfied. Additionally, in the event the Services are not Available 99.99% for (a) three (3) months consecutively or (b) any three (3) months during a consecutive six (6) month period, then, in addition to all other remedies available to Customer, Customer shall be entitled to terminate this Agreement upon written notice to Provider with no further liability, expense, or obligation to Provider.
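The following is an added example, not part of the article, that turns the sample uptime clause above and this tiered remedy into a monthly availability calculation: outage records are clipped to the calendar month, time attributable to the clause’s Exceptions (customer-caused, customer connectivity, and the Sunday 2–4 am Central maintenance window) is excluded, and the resulting Availability Percentage is mapped to the 99.99%/95% tiers and the three-consecutive or three-of-six termination trigger. The credit percentages are placeholders because the sample clause leaves the amounts blank, the Central time zone is a fixed CST offset to keep the example dependency-free, and the outage log is constructed.

```python
# Added example (not from the article): computing the monthly Availability
# Percentage under the sample uptime clause's Exceptions, then applying the
# tiered service credits and the termination trigger from the Remedies section.
# All outage records below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Assumption: a fixed CST offset keeps the example dependency-free. A real
# calculation should use zoneinfo.ZoneInfo("America/Chicago") to handle DST.
CENTRAL = timezone(timedelta(hours=-6), "CST")
UTC = timezone.utc

AVAILABILITY_TARGET = 99.99   # from the sample uptime clause
AVAILABILITY_FLOOR = 95.0     # second tier in the sample remedy clause
# The article's sample clause leaves the credit amounts blank; these are placeholders.
TIER1_CREDIT_PCT = 10
TIER2_CREDIT_PCT = 25


@dataclass
class Outage:
    start: datetime
    end: datetime
    cause: str   # "provider", "customer", or "customer_connectivity"


def _seconds(a: datetime, b: datetime) -> float:
    """Absolute elapsed seconds between two timezone-aware datetimes."""
    return (b.astimezone(UTC) - a.astimezone(UTC)).total_seconds()


def in_maintenance_window(t: datetime) -> bool:
    """Exception (iii): regularly scheduled downtime, Sundays 2 am - 4 am Central."""
    local = t.astimezone(CENTRAL)
    return local.weekday() == 6 and 2 <= local.hour < 4


def excluded_seconds(o: Outage) -> float:
    """Seconds of an outage that the clause does not count as Un-Available."""
    if o.cause in ("customer", "customer_connectivity"):   # Exceptions (i) and (ii)
        return _seconds(o.start, o.end)
    # Provider-caused outage: only the minutes inside the scheduled window are excluded.
    excluded = 0.0
    t, end = o.start.astimezone(UTC), o.end.astimezone(UTC)
    while t < end:
        step = min(timedelta(minutes=1), end - t)
        if in_maintenance_window(t):
            excluded += step.total_seconds()
        t += step
    return excluded


def availability_percentage(year: int, month: int, outages: List[Outage]) -> float:
    """Availability over one calendar month; outages are clipped to that month."""
    start = datetime(year, month, 1, tzinfo=CENTRAL)
    end = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=CENTRAL)
    total = _seconds(start, end)
    down = 0.0
    for o in outages:
        s, e = max(o.start, start), min(o.end, end)
        if e <= s:
            continue
        down += _seconds(s, e) - excluded_seconds(Outage(s, e, o.cause))
    return 100.0 * (total - down) / total


def monthly_remedy(pct: float) -> int:
    """Credit, as a percent of the month's fees, owed for one month's result."""
    if pct >= AVAILABILITY_TARGET:
        return 0
    if pct >= AVAILABILITY_FLOOR:
        return TIER1_CREDIT_PCT
    return TIER2_CREDIT_PCT


def termination_right(monthly_pct: List[float]) -> bool:
    """True when 99.99% was missed in three consecutive months or in any three
    months within a consecutive six-month period (chronological input)."""
    failed = [p < AVAILABILITY_TARGET for p in monthly_pct]
    three_in_a_row = any(all(failed[i:i + 3]) for i in range(len(failed) - 2))
    three_of_six = any(sum(failed[i:i + 6]) >= 3 for i in range(len(failed)))
    return three_in_a_row or three_of_six


# Constructed sample outage log for November 2015 (all times US Central).
SUNDAY_OUTAGE = Outage(datetime(2015, 11, 15, 1, 30, tzinfo=CENTRAL),
                       datetime(2015, 11, 15, 2, 30, tzinfo=CENTRAL), "provider")
SAMPLE_OUTAGES = [
    Outage(datetime(2015, 11, 10, 3, 0, tzinfo=CENTRAL),
           datetime(2015, 11, 10, 3, 30, tzinfo=CENTRAL), "provider"),  # counts in full
    SUNDAY_OUTAGE,                                                      # half inside window
    Outage(datetime(2015, 11, 20, 9, 0, tzinfo=CENTRAL),
           datetime(2015, 11, 20, 11, 0, tzinfo=CENTRAL), "customer_connectivity"),  # excluded
]


def november_2015_report() -> dict:
    pct = availability_percentage(2015, 11, SAMPLE_OUTAGES)
    return {"availability": round(pct, 4), "credit_pct": monthly_remedy(pct)}


if __name__ == "__main__":
    print(november_2015_report())
    print("termination right:", termination_right([99.5, 100.0, 99.2, 100.0, 98.0, 100.0]))
```

Note how little slack 99.99% leaves: one 30-minute incident outside the maintenance window already puts the month into the first remedy tier.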

Data – Security, Redundancy, Ownership and Use Rights, and Conversion

Ensuring customer ownership of its data, addressing the provider’s use of such customer data, and safeguarding the security and confidentiality of customer data are very important in a cloud computing agreement. The provider should deliver details regarding, and agree to reasonable provisions addressing, its competency and its policies and procedures related to

  • protection against security vulnerabilities,
  • data backups,
  • the use of customer data, and
  • data conversion.

Data Security

The need for data security is obvious. A cloud computing provider may possess a customer’s most sensitive data, including data that may be subject to state and federal regulations (e.g., personally identifiable financial and healthcare information). Loss of such data or unauthorized disclosure of the data is a significant concern. The customer is ultimately accountable for complying with applicable regulations, regardless of where the data is stored. Indeed, data breaches are costly for an organization.

Customers must be mindful of the unique data security issues that arise in a cloud computing environment. For example, in an ASP environment, a single physical server may be dedicated to the customer for hosting the application and storing the customer’s data. However, in a cloud computing environment, the technologies and approaches used to facilitate scalability, such as virtualization and multi-tenancy, mean that the customer’s data may be stored on a physical server that is shared among the provider’s customers, which may increase the risk of unauthorized disclosure.

Some data security risks can be managed by carefully considering the type of data that will be processed under a cloud solution. The customer should determine whether the cloud solution under consideration aligns with the data’s sensitivity level. For example, general market research has a lower sensitivity level than trade secret information or data comprising personally identifiable information. Even if the data transmitted is not highly sensitive, it is always good practice to review the provider’s data protection controls and reference those controls in the cloud service agreement.

To address data security issues, customers should determine

  • the location of the data center where the data will be physically stored and who may have access to the data,
  • the operator of the data center, and
  • the provider’s security practices.

Any cloud computing agreement should include specific contractual protections relating to data and information security.

Location of the Data Center

Data centers located in foreign countries may

  • reduce or eliminate the customer’s opportunity to inspect the location to ensure it complies with its information security requirements or
  • dictate the jurisdiction and law governing the data. For example, personally identifiable information located in Europe may be governed by European law, regardless of the contract terms. This is a concern even if the data center is located in the United States, but help desk personnel, for example, access the data from a foreign country with limited security and privacy laws.

The customer should consider adding a restriction against offshore work and data flow to foreign countries, including a requirement that the data center (including the hosted software, infrastructure, and data) be located and the services be performed in the United States, and that no data be made available to those located outside the United States.

Operator of the Data Center

The customer should also identify the operator of the data center. If the provider is not operating the data center itself (e.g., the provider is the owner of the software and will be providing support, but is using a third party data center to host the software), then the provider should be required to

  • ensure that the third party host complies with the terms of the agreement (including the data security requirements),
  • accept responsibility for all acts of the third-party host, and
  • be jointly and severally liable with the third-party host for any breach by the third-party host of the agreement.

The customer should consider entering into a separate confidentiality and non-disclosure agreement with the third party host for the protection of the customer’s data. Additionally, if the provider ever desires to change the host, the provider should be required to provide the customer advance notice, and the customer should be given time to conduct due diligence with regard to the security of the proposed host and the right to reject any proposed host.

Provider’s Security Practices

Providers should be required to provide specific details in the agreement regarding baseline security measures, security incident management, and hardware, software, and security policies. These details should be reviewed by someone competent in data security – either someone within the customer’s organization, a data security attorney, or a third party consultant. The provider’s policies should address security risks particular to cloud computing, and services being delivered over the Internet and accessible through a Web browser (e.g., security risk relating to Adobe Flash that allows hackers to upload malicious Flash objects and launch attacks on users).

Some providers will not distribute copies of their security policies but will allow customers to come to the provider’s site and inspect them. Such policy inspection should be done if the customer information at issue is very sensitive or mission-critical. A customer should compare the provider’s policies to its own, and in fact, many customers demand the provider match the customer’s policies. The customer should also consider verifying the provider’s capabilities via a physical visit or SSAE 16 (IT internal controls audit) conducted by a third party, or both. It is becoming far more expected that providers regularly demonstrate to their customers that their security controls remain intact and robust.

Consider the following sample of a typical data security provision:

  • In General. Provider will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Customer Information that are (1) at least equal to industry standards for such types of locations, (2) in accordance with reasonable Customer security requirements, and (3) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access of Customer Information and all other data owned by Customer and accessible by Provider under this Agreement.
  • Storage of Customer Information. All Customer Information must be stored in a physically and logically secure environment that protects it from unauthorized access, modification, theft, misuse, and destruction. In addition to the general standards set forth above, Provider will maintain an adequate level of physical security controls over its facility. Further, Provider will maintain an adequate level of data security controls. See Exhibit A for detailed information on Provider’s security policies protections.
  • Security Audits. During the Term, Customer or its third party designee may, but is not obligated to, perform audits of the Provider environment, including unannounced penetration and security tests, as it relates to the receipt, maintenance, use, or retention of Customer Information. Any of Customer’s regulators shall have the same right upon request. Provider agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable time frames.

The cloud computing agreement should require that if a breach of security or confidentiality occurs, and it requires notification to the customer’s customers or employees under any privacy law, then the customer should have sole control over the timing, content, and method of such notification. The agreement should also provide that if the provider is culpable for the breach, then the provider must reimburse the customer for its reasonable out-of-pocket costs in providing the notification.

You should further consider whether the cloud provider can meet discovery obligations and litigation holds in the event that the data held by the service provider is requested in connection with a lawsuit or investigation. If so, the agreed-upon process should be in the agreement.

Data Redundancy

Because the customer relies on the provider as the custodian of its data, the customer should demand that the cloud computing agreement contain explicit provisions regarding

  • the provider’s duty to back up customer data and the frequency of that backup, and
  • the customer’s ongoing access to such data or the delivery of such data to the customer on a regular basis.

A good place to start is for the customer to compare the provider’s backup policies to its own and make sure they are at least as stringent. Below is a sample provision addressing these obligations:

Provider will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.

Data Ownership and Use Rights

The customer must clarify that it owns all data stored by the provider for the customer. In the event that the provider stops providing services and the customer requests the return of its data, there should be no dispute as to ownership of the data that resides on the provider’s servers.

Because the provider will have access to, and will be storing, the customer’s sensitive information, the agreement should contain specific language

  • regarding the provider’s obligations to maintain the confidentiality of such information and
  • placing appropriate limitations on the provider’s use of such customer information (i.e., confirming that the provider has no right to use such information except in connection with its performance under the cloud computing agreement).

Many cloud computing providers want to analyze and use the customer data that resides on their servers for their own commercial benefit; in particular, they are interested in the data customers create as they use the services. For example, the provider may wish to use the customer’s data, aggregated along with other customers’ data, to provide data analysis to industry groups or marketers. The provider may suggest that it will limit its use to de-identified customer data, and that such use is similar to Internet “cookies” that follow where a user goes and what a user does.

In the cloud, however, the customer data is proprietary and confidential to the customer and its business, and the customer should consider such use of any of its data very carefully. Most customers should conclude that the provider should not have any right to use the customer’s data, whether in raw form, aggregated, or de-identified, beyond what is strictly necessary to provide the services. However, commercial use might be acceptable where the provider provides a service that directly depends on the ancillary use of such data, such as aggregating customer data to provide data trending and analysis to the customer and similarly situated customers within an industry. If the agreement is silent as to the provider’s use of customer data, the customer should discuss such uses with the provider and add a provider representation about which uses, if any, are permitted.

Data Conversion

Data conversion, both at the onset and termination of the cloud computing agreement, must be addressed to avoid hidden costs and being “locked in” to the provider’s solution. When entering the relationship, the customer should confirm that its data can be directly imported into the provider’s services or that any data conversion needed will be done at the provider’s cost or at the customer’s cost (with the customer’s agreement). A customer should consider conducting a test run of the provider’s mapping scheme to see how easy or complicated it will be (likewise when checking the provider’s references, a customer should ask about data migration experiences). Lastly, the customer does not want to be trapped into staying with the provider because of data format issues. To that point, the agreement should include explicit obligations on the part of the provider to return the customer’s data, both in the provider’s data format and in a platform-agnostic format, and thereafter destroy all of the customer’s information on the provider’s servers, all upon expiration or termination of the agreement.

Here is a sample provision to illustrate this obligation:

At Customer’s request, Provider will provide a copy of Customer Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in the form in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider’s or its agents’ or subcontractors’ possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer’s request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.

Insurance

The customer should always address insurance issues in cloud computing situations, both as to the customer’s own insurance policies and the provider’s insurance. Most data privacy and security laws hold the customer liable for a security breach, whether it was the customer’s fault or the provider’s fault. Thus, the customer should help self-insure against IT risks, including those related to data and privacy issues, by obtaining a cyber-liability policy.

Cyber liability insurance can protect the customer against a wide range of losses. Most cyber insurance policies cover damages arising from unauthorized access to a computer system, theft or destruction of data, hacker attacks, denial of service attacks, and malicious code. Some policies also cover privacy risks like security breaches of personal information, may apply to violations of state and federal privacy regulations, and may provide reimbursement for the resulting legal and public relations expenses.

Requiring the provider to carry certain types of insurance enhances the likelihood that the provider can meet its obligations and provides direct protection for the customer. The primary forms of liability insurance that a provider should be required to carry are:

  • technology errors and omissions liability insurance and
  • a commercial blanket bond, including electronic and computer crime or unauthorized computer access insurance.

These types of insurance will cover damages the customer or others may suffer as a result of the provider’s professional negligence or intentional acts by others (the provider’s employees, hackers, etc.).

It is critical that the customer require that the provider have these sorts of policies and not just a general liability policy. Many commercial general liability policies contain a professional services exclusion that precludes coverage for liability arising from IT services as well as other exclusions and limitations that make them largely inapplicable to IT-related risks. The customer should also consider requiring the provider to list the customer as an additional insured on its policies; doing so allows the customer to go directly against the provider’s insurance company in the event of a claim.

Indemnification

The provider should agree to defend, indemnify, and hold harmless the customer and its affiliates and agents from any claim where the provider breaches its confidentiality and data security obligations. Any intentional breach should be fully indemnified, protecting the customer from out-of-pocket costs or expenses related to recovery of the data and compliance with any applicable notice provisions or other obligations required by data privacy laws. In the event the data breach is not intentional, the provider may require a cap on its potential liability exposure, which may be reasonable depending on the type of customer data in question.

The provider should also agree to defend, indemnify, and hold harmless the customer and its affiliates and agents from any claim that the services infringe the intellectual property rights of any third party. This protects the customer from out-of-pocket costs or expenses if some third party claims infringement.

Providers often try to limit the intellectual property indemnification only to infringement of copyrights. That is not acceptable, as many infringement actions arise out of patent or trade secret rights. The indemnity should extend to infringement claims of any “patent, copyright, trade secret, trademark, or any other proprietary rights of a third party.” In addition, customers should avoid any restriction to patents “issued as of the Effective Date” of the agreement. Providers usually also limit the indemnification to “United States” intellectual property rights, which may be acceptable if the customer will not use the services outside of the United States. Regardless, the customer should consider whether its use of the services will occur overseas.

Intellectual Property

The customer must understand the impact of intellectual property rights on its business. If the provider will be performing significant implementation services (e.g., extensive software or hardware installation, configuration, or customization services) in connection with the cloud computing services, the intellectual property ownership structure proposed by a provider may not effectively address the customer’s business needs. If the provider’s intellectual property is incorporated into the work product delivered to the customer, then such provider intellectual property may be embedded in the customer’s business processes as a result. This could encumber the customer’s business by creating uncertainty about the customer’s rights to such processes on which the business depends. Therefore, the customer should obtain ownership of any work product and a very broad license to use any provider intellectual property incorporated into any work product, so that it can retain sole control of the direction of its business and each of its underlying processes.

Even where significant implementation services are not being provided, and the customer is merely providing direction as to configurable screens that will be used by the customer, the customer should realize the potential impact on its business. As a provider may benefit from such ideas provided by the customer, the customer should consider adding a restriction against the provider using those same ideas in services delivered from the provider to any of the customer’s competitors.

Limitation of Liability

The provider’s limitation of liability is very important in a cloud computing engagement because virtually all aspects of data security are controlled by the provider. Thus, the provider should not be allowed to use a limitation of liability clause to unduly limit its exposure. A fair limitation of liability clause must balance the provider’s concern about unlimited damages with the customer’s right to have reasonable recourse in the event of a data breach or other incident.

A provider’s limitation of liability clause usually (1) limits any liability to the customer to the amount of fees paid under the agreement or a portion of the agreement (e.g., fees paid for the portion of the services at issue) and (2) excludes incidental, consequential (e.g., lost revenues), exemplary, punitive, and other indirect damages. While a customer may not be able to eliminate the limitation of liability in its entirety, it should ask for the following concessions:

  • The limitation of liability should apply to both parties. The customer should be entitled to the same protections from damages that the provider is seeking.
  • The following should be excluded from all limitations of liability and damages: (1) breach of the confidentiality and security provision by either party, (2) claims for which the provider is insured, (3) the parties’ respective third party indemnity obligations, (4) either party’s infringement of the other party’s intellectual property rights, and (5) breach of the advertising/publicity provision.
  • The overall liability cap (usually limited to fees paid) should be increased to some multiple of all fees paid (e.g., two to four times the total fees paid or the fees paid in the 12 months prior to the claim arising). The customer should keep in mind that the overall liability cap should not apply to the exclusions in the bullet point above.

Implementation

In the event significant implementation services are being provided, the definition of “services” in a cloud computing agreement should be broadly worded to capture all of the services being provided. For example:

“Services” shall mean Provider’s provision of software and infrastructure services described in Exhibit A (Software and Infrastructure Services) and implementation services described in Exhibit B (Implementation Services), and any other products, deliverables, and services to be provided by Provider to Customer (i) described in a Statement of Work, (ii) identified in this Agreement, or (iii) otherwise necessary to comply with this Agreement, whether or not specifically set forth in (i) or (ii).

A broad definition of services limits the provider’s claims of “out of scope” activity and requests for additional money.

In addition, the customer must fully understand its requirements and the capabilities of the services being provided to determine if any additional features or functionality are needed. Any additional work required to support such features or functionality should be discussed and identified up front, as typically a cloud computing offering may have more limited configuration and customization options (e.g., multi-tenant application) in order for the provider to more efficiently manage the services and provide a more scalable solution. Any additional work agreed upon to support such features or functionality should be included in the description of services.

Fees

Typically, a cloud computing service is offered on a “pay-as-you-go” or “pay-per-use” cost structure (e.g., per virtual machine each hour, per gigabyte of storage each month, per active user each month). Accordingly, the agreement should provide for the ability to both add and remove resources, with a corresponding upward and downward adjustment of the service fees. The customer should negotiate rates for incremental and decremental use before signing the agreement, and should attempt to lock in any recurring fees for a period of time (one to three years). Thereafter an escalator based on a cost performance index (CPI) or other third party index should apply.

In addition, the customer should identify all potential revenue streams and make sure that the identified fees are inclusive of all such revenue streams. For example, the provider may attempt to charge additional fees for additional storage after a certain amount of data, or additional fees for software updates. The customer should ensure that these are included as part of the negotiated fees.

Term

Because the software and infrastructure are provided as a service, like any service, the customer should be able to terminate the agreement at any time without penalty upon reasonable notice (14 to 30 days). The provider may request a minimum commitment period from the customer to recoup the provider’s “investment” in securing the customer as a customer (i.e., sales expenses and related costs). If the customer agrees, then the committed term should be no more than one year and the provider should produce evidence of its up-front costs to justify such a requirement.

Warranties

Beyond the warranties discussed above, there are other warranties that are typically included in a cloud computing agreement.

The provider should represent and warrant the following:

  • The services will materially conform to the specifications and, to the extent not inconsistent with the specifications, provider’s documentation.
  • All services will be provided in a professional, competent, and timely manner by appropriately qualified provider personnel in accordance with the agreement and consistent with the provider’s best practices.
  • The provider will provide adequate training, as needed, to the customer on the use of the services.
  • The services will comply with all federal, state, and local laws, rules, and regulations.
  • The customer’s data and information will not be shared with or disclosed in any manner to any third party by the provider without first obtaining the express written consent of the customer.
  • The services will not infringe the intellectual property rights of any third person. The services will be free from viruses and other destructive programs.
  • There is no pending or threatened litigation involving the provider that may impair or interfere with the customer’s right to use the services.
  • The provider has sufficient authority to enter into the agreement and grant the rights provided in the agreement to the customer.

Publicity and Use of the Customer’s Trademarks

The customer’s reputation and goodwill are substantial and important assets. This reputation and goodwill are often symbolized and recognized through the customer’s name and other trademarks. Accordingly, every agreement should contain a provision covering any announcements and publicity in connection with the transaction. The provider should be prohibited from distributing any media releases or making other public announcements relating to the agreement, or otherwise using the customer’s name and trademarks without the customer’s prior written consent.

Assignment

The customer should be able to assign its rights under the agreement to its affiliates and other entities, which may become successors or affiliates due to a reorganization, consolidation, divestiture, or the like. To address any concerns the provider has about such an assignment, the customer can require any assignee to accept all of the customer’s obligations under the agreement. Similarly, the customer should obtain assurance that any provider assignee will agree to be bound by all of the terms and conditions of the agreement, including without limitation, service level obligations.

Post-Execution Ongoing Provider Assessment

It is recommended that the customer and provider agree to implementation of a regular program of evaluating the provider’s performance, under which the provider would be required to supply the requisite information to assess the services, notify the customer of any changes with regard to the provider, and provide any recommendations to improve the services. The customer could then use this information to perform ongoing risk assessments, and determine whether to continue the provider relationship.

Final Risk Assessment

If the customer has substantial leverage when negotiating a cloud computing agreement, then it should seek to obtain the protections described above. However, in circumstances where the customer does not have such leverage, providers may be resistant to such protections and to any modification of their form contract provisions. Therefore, it may not be realistic to expect that the customer can obtain all of the protections listed above.

The customer must then evaluate the business risks, including whether the services support a critical business function, involve sensitive customer information, or are customer-facing. If the customer is not able to obtain the level of protection needed in the most significant areas of risk, then it should consider walking away from the transaction. If walking away is not an acceptable option, then the customer needs to focus on risk mitigation. For example, if the provider refuses to modify its uptime service level, arguing that it cannot separately administer such a service level for different customers, then the customer should negotiate improved remedies and exit rights for a failure of such service level. In this type of situation, where a customer is unable to obtain the appropriate contractual protections and chooses to proceed, the post-execution ongoing assessment of the provider relationship described above becomes even more important.

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP.