Despite all the hype surrounding cloud computing, the business cloud services market is still relatively immature — with many cloud service providers (CSPs) using a commoditized approach for delivering high-volume, low-cost, standardized services offered to a large group of users. As a consequence, not all CSPs will negotiate their terms of service. However, as is the case with most contracts, businesses with market leverage have been able to negotiate some changes in standard terms of service. Some of the most frequently negotiated areas of cloud services agreements include:
- Limitations on liability
- Availability of the cloud services
- Security, privacy and regulatory
- Termination of services and exit
Limitations on liability
Be sure to address the geographic location of the data centers used by the CSP. If the data is sensitive or if there are regulatory concerns, the cloud user should contractually require the data to be stored solely in the United States. Cloud users should understand how data can be located and retrieved, such as for e-discovery purposes, and address location and retrieval of data in the cloud services agreement.
The cloud services agreement should also address what constitutes a security breach and establish procedures that require the CSP to: provide the cloud user with the name and contact information for an employee of the CSP who will serve as the cloud user’s primary security contact and be available 24 hours per day, seven days per week to assist the cloud user in resolving obligations associated with a security breach; notify the cloud user of a security breach as soon as practicable, but no later than 24 hours (or such shorter period of time as may be required by a particular business’ regulatory obligations) after the CSP becomes aware of the security breach; and make available all relevant records, logs, and other materials required to comply with applicable law, regulation, or industry standards, or as otherwise specified by the cloud user. The allocation of financial and other responsibility for remedying a security breach should also be addressed in the cloud services agreement. Ideally, the CSP should be obligated to immediately remedy, at the CSP’s expense, any security breach caused by the CSP. However, this is often a subject of negotiation between the CSP and the cloud user.