No longer the new kid on the block, cloud computing agreements are now common place both in the private and public sector. Cloud computing brings with it clear technical and commercial advantages. Customers leverage delivery of information technology as services via the Internet, with no requirement to purchase or install software, meanwhile benefitting from large economies of scale. It is an attractive offer for a customer, particularly those with ever increasing budgetary pressures. However, the nature of cloud computing means that a number of well-established IT concepts continue to need consideration from a legal perspective as the technology continues to be developed and refined.
Sharpe Pritchard LLP advises a range of clients on cloud computing agreements, so what contractual challenges continue to arise?
Standard terms, with little or no ability to negotiate, are a key feature of cloud computing arrangements (see for example, AWS, Microsoft Azure, etc.). Often we find that standard terms simply do not meet the customers needs, particularly where a customer is seeking to use the cloud for business critical applications and services. In particular, the following issues arise frequently: data protection, service levels, issues on exit, intellectual property and escrow.
Data Protection Compliance
Cloud computing arrangements often involve some processing of personal data, which puts data at the heart of cloud based services. Contractual provisions concerning data and personal data are therefore usually given a significant degree of scrutiny in any contractual negotiations. It is usual for the service provider to attempt to emphasise their role as data processor, with the role of data controller clearly assigned to the customer. Due to the potential reputational risk caused by data breaches, customers will often require the service provider to take steps to ensure that there are relevant security obligations including appropriate technical and organisational measures to safeguard data from unauthorised access or corruption/amendment.
However, with the introduction of the General Data Protection Regulation on 25 May 2018, this sets out in plain terms the role of processors and is expected to impose additional burden on cloud providers. With these increased statutory obligations on the processor now looming large, this is likely to become a hot topic in cloud based arrangements over the next 12 months and beyond.
Commitments on availability levels and performance are important given that this is what will provide an objective and measurable assessment of the critical elements of the cloud based service provision. Generally, standards in the cloud computing arena have been lacking in this area.
Traditionally in a standard software licensing arrangement, the customer makes an assessment of the software to be provided and decides whether or not the software meets its needs. In cloud computing, by comparison, the customer is reliant on the services description which makes negotiating service level and service credit regimes particularly important.
Generally, the service provider will offer a standard availability level, and often these can be negotiated. Customers can expect to pay more for a bespoke service level regime, which will need to be negotiated with the service provider.
Extraction of Data on Exit
One of the most difficult areas to navigate in a cloud based environment – particularly a public cloud based solution – is how you exit at the end of the contract, whether through expiry or termination.
A lack of focus on exit provisions is not unique to cloud computing agreements, given the primary focus at the outset of any project is to award the contract.
Exit provisions are routinely overlooked, but are particularly important in a cloud based agreement. A service provider will very rarely give a customer access to the cloud to extract their own data. This means that only the service provider will be able to access and extract any customer data hosted in the cloud and often at an additional cost – customers should be prepared to consider this at the outset. Provisions dealing with charging for this service should be expressly set out to avoid any unwanted surprises at the end of the contract.
Although cloud computing agreements take the form of the provision of services, appropriate software licences still need to be granted to the customer in order to allow users to have online use of the software.
The licence terms are usually very narrowly defined and limited to the use of the online application for the customer’s own business purposes. The usual rights allowing customers to make copies, modifications, enhancements or to sub-licence to third parties are often not granted. This can present issues when contracting on behalf of more than one customer and thought as to contract structure in these cases will need to be considered at the outset of the project.
In a traditional software licensing arrangement, escrow has only been concerned with the source code because under these models the object code runs on the customers’ own servers. With cloud computing, customers put both their applications and data in the hands of the service provider. Customers will need to carefully consider what the service provider has in place to ensure service continuity.
Escrow providers are alive to this, with NCC Group offering a “SaaS Assured” Escrow Agreement which permits access to an up to date copy of any data and the application environment should anything happen to the service provider. However, there are certain limitations to this service – it appears that this does not guarantee a live snapshot of the whole production environment. There are other potential work-around solutions which may need to be considered. What is clear is that service continuity provisions and the requirements of the customer should be carefully considered at the outset, and appropriate solutions developed and put in place.
Customers are accustomed to information technology services being designed specifically to meet their needs. The downside to the standardised nature of cloud computing is that it places the emphasis squarely on customers taking back risks that they would normally expect to be outsourced. Customers will need to be aware of these risks when embarking on a project involving a cloud computing solution, and should be alive to the requirement on the customer itself to manage these risks.
Gemma Townley, Partner in Sharpe Pritchard’s Technology and Data team.
This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published.