Vendors who provide cloud computing capability, like technology vendors in a traditional distribution model, are often focused on issues such as protection of intellectual property rights and limiting liability. However, there a number of issues that are particularly unique to cloud computing vendors. Further still, there are specific issues companies may consider when dealing with cloud computing vendors since cloud computing, by its nature, involves the use of software and hardware that are not located on the customer's premises and remain under the control of the vendor. This column highlights some key issues to consider in cloud computing services agreements.
One of the key issues for a cloud computing vendor can be summarized generally as the service level the vendor is providing to its customer, which is usually set forth in service level terms that can part of the cloud computing agreement or in a separate service level agreement that is incorporated by reference. Some of the considerations in developing service level agreements are as follows:
- Level of effort: Vendors should consider whether they want their performance under the service agreement to be absolute or subject to a less than absolute standard, such as "commercially reasonable efforts". Though it is more beneficial for the vendor's efforts to be limited to using "commercially reasonable efforts," such a term, though defined through judicial precedent in other legal contexts, does not yet have a clear definition in the cloud computing context.
- Nature of Obligations: Most service level agreements focus on availability of the service but vendors should also be prepared to respond to requests for service level commitments on performance of the service, such as response times (i.e., how quickly the software processes requests) and bandwidth (i.e., how much computing capacity is available at a given time).
- Definition of Uptime: The availability of the service, or uptime, should be comprised of four distinct variables: (1) basis for measurement (i.e., the period for measurement, which is usually monthly or annually, the percentage of committed uptime, anywhere from 95% to 99.99%, whether or not the measurement is averaged over all users or just calculated on an individual user basis); (2) what constitutes downtime (i.e., minimum downtime increments, whether downtime must occur during a particular time of day and/or whether the frequency of downtimes is a factor; (3) permitted downtime (such as scheduled maintenance or emergency maintenance, each of which should be carefully defined with prescribed notice periods to the customer); and (4) circumstances that do not constitute downtime (such as downtime caused by the customer or downtimes that do not affect the vendor's customer base generally or are otherwise isolated or specific to a given customer).
- Ability to Suspend Services: In some cases, the cloud computing vendor may find it necessary to suspend services, such as if a customer's use of the services creates a security risk. While it is reasonable for the vendor to retain this right, it will be important for the vendor to consider how much and whether notice can be given in advance to its customers of any service suspension and whether the suspension should be considered "permitted downtime."
- Service Credits: Vendors must consider the amount of service credits available to customers, whether customers are automatically entitled to the credits or must apply for them, whether there are any circumstances under which the vendor can provide an actual refund to the customer.
While the above is not an exhaustive list of all issues that cloud computing vendors should consider in their service agreements with customers, they are among the key issues that vendors will face when negotiating with their customers.
My next column will discuss some of additional issues surrounding cloud computing service agreements but from the perspective of the customer.