Despite all the hype surrounding cloud computing, the business cloud services market is still relatively immature — with many cloud service providers (CSPs) using a commoditized approach for delivering high-volume, low-cost, standardized services offered to a large group of users. As a consequence, not all CSPs will negotiate their terms of service. However, as is the case with most contracts, businesses with market leverage have been able to negotiate some changes in standard terms of service. Some of the most frequently negotiated areas of cloud services agreements include:
- Limitations on liability
- Availability of the cloud services
- Security, privacy and regulatory considerations
- Termination of services and exit
Limitations on liability
Limitations on liability, particularly for outages, data breaches and data loss, have been a concern for cloud users. Many standard cloud contracts provide the CSP with broad limitations of liability. When these provisions are negotiated, recoverable losses are often limited to specific defined “direct” losses and are typically capped at a percentage of the total amounts paid by the user over a stated period (such as 100 percent of the total amount paid for services over the past 12 months). To the extent that a cloud user is able to negotiate the limitation of liability, it should consider whether the cap amount is appropriate given the scope of the cloud user’s risks. It should also seek to exclude breaches of confidentiality and breaches of representations and warranties from the cap, and ensure that any service level credits or payments (discussed below) do not count toward the cap.
Availability of data and services
Availability of the cloud services is another important area of consideration in cloud contracting. Service level agreements (SLAs) vary among cloud providers, and uniform standards have not yet been developed, making it difficult for cloud users to compare different services. It is important for cloud users to determine the functionality and performance requirements they need from cloud services before beginning their cloud services procurement process. Once these have been determined, the cloud user can compare them to what the CSP is offering. Be sure that the cloud services agreement states how availability of the services is measured (e.g., every 5 minutes, every 15 minutes or on the hour). Note that most CSPs offer service credits as the sole remedy for a breach of service levels, and even these credits may be limited to circumstances where the lack of availability was within the CSP’s control.
Ensuring the confidentiality, integrity and availability of cloud data and applications is essential. While many cloud users focus on the liability resulting from data security breaches, it is also important to address the responsibility for data loss and corruption and include monetary compensation for data loss and recovery costs. Make sure that the cloud services agreement addresses the CSP’s business continuity and disaster recovery obligations.
In negotiating the SLA, cloud users should consider how the CSP handles peak spikes and the risk that additional users can adversely impact the availability of the cloud services. Cloud users should also seek a commitment on response times, bandwidth, error correction/resolution, user support and technology upgrades. Downtime is a real risk in using cloud services, as recent network outages by Amazon, Skype, and Google Gmail illustrate. Many cloud users impacted by these outages were unable to properly function as a consequence, and some data was permanently lost. Maintenance also impacts availability of cloud services, so be sure to carefully address in the SLA how maintenance is scheduled, and place the responsibility for documenting downtime on the CSP and not the cloud user.
Information security, privacy and regulatory considerations
Each cloud user has different security, privacy and regulatory obligations that must be considered when contracting for cloud services. For example, cloud users should be aware that, depending on the cloud service, the cloud user’s data may be co-located with third-party data. This multi-tenancy creates the risk that the cloud user’s data may be accessed by third parties, which could result in the waiver of certain privacy protections as well as expose the cloud user to liability for violation of privacy regulations.
Make sure the agreement is clear about who owns the information placed into the cloud, and that the agreement restricts the CSP’s use, sale, rental, transfer, distribution, or other disclosure of the information solely and exclusively to the purposes of providing the cloud services.
The cloud services agreement should address the collection, access, use, storage, disposal and disclosure of personal information and whether those procedures comply with the federal and state privacy and data protection laws applicable to the cloud user’s business. At a minimum, the CSP’s information security safeguards should include: (i) limiting access to the cloud user’s information to authorized employees of the CSP; (ii) securing the CSP’s business facilities, data centers, physical files, servers and other computing equipment (including mobile devices and other equipment with information storage capability); (iii) implementing network, device, application, database and platform security; (iv) securing information transmission, storage and disposal; and (v) implementing authentication and access controls within media, applications, operating systems and equipment.
Be sure to address the geographic location of the data centers used by the CSP. If the data is sensitive or if there are regulatory concerns, the cloud user should contractually require the data to be stored solely in the United States. Cloud users should understand how data can be located and retrieved, such as for e-discovery purposes, and address location and retrieval of data in the cloud services agreement.
The cloud services agreement should also define what constitutes a security breach and establish procedures that require the CSP to: (i) provide the cloud user with the name and contact information of a CSP employee who will serve as the cloud user’s primary security contact and be available 24 hours per day, seven days per week to assist the cloud user in resolving obligations associated with a security breach; (ii) notify the cloud user of a security breach as soon as practicable, but no later than 24 hours (or such shorter period as may be required by a particular business’ regulatory obligations) after the CSP becomes aware of the security breach; and (iii) make available all relevant records, logs, and other materials required to comply with applicable law, regulation, industry standards or as otherwise specified by the cloud user. The allocation of financial and other responsibility for remedying a security breach should be addressed in the cloud services agreement. Ideally, the CSP should be obligated to immediately remedy, at the CSP’s expense, any security breach caused by the CSP. However, this is often a subject of negotiation between the CSP and the cloud user.
Oversight of security compliance
Cloud users should include a provision that the CSP will provide, or allow the cloud user to conduct, an annual audit of the information technology and information security controls for all facilities used in supplying the cloud services, including a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices. The cloud services agreement should require the CSP to provide to the cloud user, upon its written request, certain specified reports such as the CSP’s latest Payment Card Industry (PCI) Compliance Report, SOC 2 or SOC 3 reports and any other reports such as the CSP’s ISO/IEC 27001 certification. A process for the CSP to address any exceptions noted in the SOC or other audit reports should also be included in the cloud services agreement.
Termination of services; exit
Make sure that the cloud services agreement specifies that the CSP cannot terminate the cloud service without first providing notice to, and obtaining the consent of, the cloud user. Cloud users need to be sure that the cloud services agreement provides for the immediate return of the cloud user’s data in a pre-agreed format and a requirement that the CSP assist the cloud user in its transition to a new vendor. The cloud services agreement should also require the CSP to make available to the cloud user a complete and secure (i.e., encrypted and appropriately authenticated) download file of the cloud user’s data in a cloud user-specified format, along with attachments in their native format. The CSP should be required to be available throughout a specified period to assist with the migration of the cloud user’s data to another cloud service.
Note that even if the cloud services agreement provides for such advance notice of termination, cloud users need to be prepared for the possibility that the cloud service may suddenly terminate with little or no notice, and have a back-up plan if the service is terminated unexpectedly. For example, in January 2012, the U.S. Justice Department shut down one of the world’s most popular providers of remote data storage and seized its domain name and approximately 1,000 of its servers. After the government shut down the site, users could not access their data, did not know where it was physically located and did not know who had access to the data. More recently, another well-known provider of back-up cloud services announced it will no longer offer its cloud service designed to make it easy for small businesses and remote branch offices to back up their data. This CSP provided its cloud users with little notice of the service ending, and the cloud users will have to migrate their own data to any alternative service since the CSP is not offering any data migration services in connection with the cancellation of the service.