TECHNOLOGY CONTRACTS
Common Internet and technology contracts
Advanced Issues in Cloud Computing Agreements
Cloud computing has brought a revolution in the world of internet and technology in the
last decade. Microsoft’s new resurgence under the leadership of Satya Nadella is also
based on its growth in the cloud services segment. Google, Microsoft, Amazon, Apple and
all such major service providers are themselves using and also providing cloud computing
services. Amazon Web Services, Skydrive, Google Drive, internet hosting services like
HostGator are some examples of cloud computing services.
Cloud computing agreements are generally made for three different types of models of
cloud computing:
SaaS or Software as a Service - Here the software can be accessed by the client through
a web browser. Many of today’s software products are SaaS-based, for example, Google
Docs.
This shift has enabled businesses to reduce costs and at the same time retain the
capability to scale up quickly when the need arises. Cloud computing raises certain legal
issues - related to data protection and others related to contractual aspects, which are
discussed here.
This chapter is relevant for businesses which utilize cloud based services - it covers key
legal and contractual issues that arise with respect to any cloud computing agreement,
and provides pointers for negotiating them. Some agreements may be standardized and
offer little room for negotiation, while others may be more customizable depending on
the needs of individual users. Examples from standardized agreements of the largest
cloud computing services providers (listed below) are used to discuss these issues
wherever possible:
[1] Amazon Customer Agreement (version updated on March 15, 2012) at http://aws.amazon.com/agreement/
[2] Available at http://www.sfdcstatic.com/assets/pdf/misc/salesforce_MSA.pdf
For example, most terms of the AWS agreement are standardized, with one exception -
the data-retrieval terms in the agreement (these terms are applicable if the customer
wants to recover any data from AWS services) clearly specify that Amazon may provide
additional data retrieval assistance (over and above the assistance ordinarily provided to
other users) depending on mutual agreement between parties.[4] Therefore, there is room
to negotiate these terms for a business.
Cloud service agreements (CSA) primarily consist of three different agreements (though
there is a variation within the industry):
ii) Acceptable Use Policy (AUP): Most cloud providers would prohibit usage of their
services for illegal use or improper use.
iii) Service Level Agreement (SLA): This defines the performance level, availability,
etc.
In addition to the above agreements, there might be a “Privacy Policy” which is applicable
to the usage of the cloud services.
[3] Available at http://www.google.co.in/apps/intl/en/terms/premier_terms.html
[4] See Clause 7.3, Amazon Customer Agreement.
else they may have to risk finding another service provider. Since the terms of the contract
are drafted by the service provider itself, they are usually one sided to begin with, but may
be modified to accommodate the interest of the business. It is much easier for
entrepreneurs to negotiate if they are able to adequately identify the risks arising from
such contracts. It is equally important for entrepreneurs who are planning to provide
cloud based services and entrepreneurs using cloud services to understand key terms in
cloud computing service agreements. After going through this chapter, they should be
able to identify the risks and even negotiate terms of agreements pertaining to cloud-
related services.
1. License to use
All cloud services will be required to grant the user a license to use and access the
Service. The following clause can be used for a software as a service (SaaS) based
provider:
During the term of this Agreement, Customer may access and use Vendor’s
_______ service (the “Service”) pursuant to Vendor’s policies posted on Vendor’s
website at www.____________, as such policies may be updated from time to time.
Vendor retains all right, title, and interest in and to the Service, including
without limitation all software used to provide the Service and all logos and
trademarks reproduced through the Service, and this Agreement does not
grant Customer any intellectual property rights in the Service or any of its
components.
The following clause can be used for IaaS (infrastructure as a service) or PaaS
(platform as a service), where the customer is given remote access to servers:
Customer may access and use the computer system described on Attachment __ (the
“System”) from ________ until _________ (the “Subscription Period”). Vendor retains all right,
title, and interest in and to the System, including without limitation all computers, other
hardware, and software incorporated into or used by the System, and this Agreement
does not grant Customer any intellectual property rights in the System or any of its
components.
provisions for data security and confidentiality is on your business, not the cloud
computing service provider. Breach of this responsibility can result in serious
liabilities. Key legal and contractual issues connected with this are described below:
ii) Some organizations also state that their controls, processes and data
protection policies will be periodically reviewed and audited – often, clients
are not provided the opportunity to understand or observe the results of
the audit process. Wherever possible, an entrepreneur should incorporate
an opportunity to be informed about review and audit processes.
iv) It is also important for the entity using the cloud computing services that
confidential data is not used by the cloud computing service provider, its
agents, or any third parties who provide backend services to the cloud
computing service provider, for any purpose, apart from providing the specific
service that is the subject matter of the agreement.
● AWS: Section 9.2 of the AWS Agreement provides that the Amazon Services
does not have any confidentiality obligation and cannot be held liable in
case of breach of privacy.
Ideally, in case of a negotiated cloud SLA, the cloud service provider should be
informed about the importance of the service to the entire process by the business
availing of the service, and the quantum of loss that interruptions could cause to it
– which should be recorded in the contract. Even if indirect or special damages are
excluded, any financial limitations on the liability of the service provider should be
computed keeping in mind how critical the function outsourced to the cloud
computing service provider is to the business operation as a whole.
Sometimes, third parties can provide extremely critical services to the cloud
computing service provider which endangers the availability of the cloud computing
service itself. In such cases, cloud computing service providers tend to retain the
right to terminate the agreement altogether (without providing any costs or
compensation to the client/ enterprise user) if a third party relationship has been
adversely affected.
[5] Clause 11, Salesforce Agreement.
For example, a clause in the AWS Agreement characterizes the uncertainty inherent
in cloud computing agreements – it states that Amazon can terminate the
agreement immediately upon notice if its relationship with a third party partner who
provides software or other technology it uses to provide its services expires,
terminates or requires it to change the way it provides software or other technology
as part of its services, if it believes providing the services could create a substantial
economic or technical burden or material security risk for itself.[6]
It is important to understand whether third parties (other than the cloud provider)
are involved in the provision of cloud services. From the perspective of a business
availing cloud-based services, it is important that the responsibility for performance
of the third party’s services is undertaken by the cloud service provider, since it does
not itself have a direct relationship with the third party service providers.
Often the providers will put the responsibility of updating third party software on
the client itself. This is often done to absolve liability in case the update breaks the
system and disrupts the client’s operation. Another way of updating third party
software is through “push updates”. While negotiating agreements, one should
ensure that the provider must provide prior notification of the same with an
option to opt out or defer the update. In some cases, the provider might not be
willing to provide support for older systems. The provider should generally seek an
exception for critical security updates, which can be made mandatory.
It is one thing when the cloud fails to serve you (personally), and another when it
fails all your customers. As cloud computing service providers may be dependent
on third party vendors for provision of their own services, it can create a potential
risk for an enterprise user. They may state in their SLAs that they are only
responsible for failures in performance arising from infrastructure or services that
they own, but not from failures of any third parties that their services are dependent
on. This is extremely risky for businesses, and many entrepreneurs do not insist on
SLAs or fail to read them carefully enough - hence, they fail to address such risks.
Thus, any business availing a cloud-based service must undertake efforts to find out
about third party dependencies of the service provider and specifically allocate risk
of failures arising from the dependencies through negotiation of the agreement. If
the service provider is unwilling to accept appropriate responsibility for such risks,
it may be worthwhile to consider alternative service providers.
[6] Clause 7.2(b)(ii) of the AWS Agreement.
ii) Excess use: What will happen if the usage exceeds the prescribed level
mentioned by the provider? Users may find that some service providers
have clauses stating that usage above the thresholds would result in
high costs (often in a punitive manner). This needs to be
taken into account.
iii) Activation: It is important to identify from when the service will start, for
example, it can start from a designated date or when the user logs in to
the system for the first time. As many performance indicators are laid down
for a particular time period, it would be essential to identify the starting date
of activation of the service to measure such performances.
iv) Payment: Most cloud providers require the customers to make payment
on a periodical basis (say 1 month/ 3 months/ 1 year) or “pay as you use”
basis (where the invoice is made based on usage). In certain agreements,
the provider gives credits (in compensation for outages and downtimes)
which can be used to make payment as well. Understand the terms clearly.
vi) Renewal: Many agreements have clauses that will lead to automatic
renewal of the agreement if no notice of cancellation of service is given
before the specified date (often 90 to 30 days). This might impact you if you
are planning to move to a different service or want to cancel the service
altogether after the first term. In case there are such clauses, do keep a
reminder to cancel before such due dates.
vii) Transferability: One must check if the user can transfer the license to
someone else (especially if the business is acquired or merged). At the same
time, one might not want to continue with the service if the provider is
acquired by a different company. Is there a way to terminate the agreement
in such cases? In case a user has multiple accounts with the same provider,
is it possible to offset credits between such accounts?
viii) Support: It is one of the most important clauses in the agreement. The
support clause should clearly lay down service levels for providing support,
for example first response time, resolution time, escalation metrics, etc.
An entity availing of cloud computing services must bear in mind whether the
agreement can be terminated prematurely when it is not at fault. It may consider
specifying a longer notice period (so that it can look for alternative service providers)
or compensation by the service provider if a shorter notice is provided in case of
premature termination.
Usually the notice period is longer if the contract is terminated due to no fault of the
customer, and much shorter if it is terminated for reasons of breach, or due to
changes caused by occurrences that are not in the hands of a cloud computing
services provider, e.g. a change in legal regulations that make it difficult or
commercially unviable to provide the services.
Examples
● AWS: under the AWS Contract, Amazon can terminate the contract any time
for any reason or no reason after giving a notice 60 days in advance.
● Google Apps: The Google Apps Service Contract provides for a 6-month notice
period, if the termination is without cause, or for a 30-day notice period if a user
fails to cure any breach of contract caused by him. In case of multiple instances
of a breach by a client, Google can terminate, suspend or modify the terms
service at its option, after giving a reasonable notice. Google may also do so if
Examples:
● AWS: As per Clause 2 of the Amazon Web Services (AWS) agreement, Amazon
reserves the right to revise or modify the terms of the contract anytime, which
become effective upon posting on the website and it is the user’s responsibility
to keep checking the website for renewed/ modified agreements.
● Google Apps: As per the Google Apps agreement, Google can make
modifications to the agreement at any time, which become effective upon
posting on the website and it is the user’s responsibility to keep checking the
website for renewed/ modified agreements.
1) In the case of both the AWS and the Google Apps agreements, it is not necessary for
the user to have been specifically intimated about the change or for it to have
read the modified conditions on the website - if the user continues to use the
service, it is automatically assumed that it has accepted the revised condition.
2) The agreements do not specify whether the customer has any consequential
right to terminate the agreement (apart from the ability to terminate the
Note: As per the Indian Contract Act, 1872, such modification of the contract
amounts to novation, which is considered to be a fresh agreement in law. A fresh
agreement requires fresh consent of all parties and cannot be effective simply
through unilateral alteration. Secondly, if a service provider can unilaterally modify
the agreement at any time, a court of law may hold (in case the agreement is
challenged) that the agreement is uncertain and hence ineffective.
Examples
AWS: As per Clause 7 of the AWS agreement, Amazon can suspend the service for
any reason, including system failure. Amazon is only required to give a 60-day
notice. It is not required to assign any reason. For suspension on account of a
reason specified in the contract, a shorter notice of only 15 days is sufficient.
Salesforce: Salesforce can suspend service under the Salesforce Agreement if the
amount owed by the user is overdue for more than 30 days, after a 7-day notice.[7]
[7] Clause 6.4, Salesforce Agreement.
support available from the service provider’s end for migration of client’s data in
such cases should be known in advance.
For example, the AWS agreement and the Google Apps Agreement are both subject
to the laws of the US, while the Salesforce agreement is subject to the law of the U.S.,
Canada, Switzerland, Japan or Singapore, depending upon the place of contract.
Standard form agreements drafted by major service providers specify that all legal
claims are subject to the exclusive jurisdiction of the country where the service
provider is situated (and not the user’s country). In a substantial number of cases,
the user is based in another country, making the clause extremely inconvenient for
the user to enforce (in case such a situation arises).
For example, under the AWS Agreement, any dispute where compensation of more
than US $7,500 is claimed is subject to the exclusive jurisdiction of courts in
Washington. The Salesforce contract, on the other hand, specifies 5 cities (by region)
where disputes may be settled, depending on the region where the user is based.
India is not one of the countries on that list.
There must be an escalation clause included within all contracts for disputes. Clear
processes should be in place for resolving contractual issues, especially those
associated with SLA adherence. Strong escalation processes around SLAs can be a
critical element in establishing open communication, transparency and a healthy
overall relationship with key vendors.
At the time of entering into the contract, an entrepreneur must be aware of how
data will be treated post termination of the contract - whether it will be stored on
the cloud servers post-termination for some time or immediately deleted, whether
data can be migrated in a usable form, downloaded for transfer in a format which
is compatible for use on other cloud computing platforms (without compromising
on confidentiality or security of the data).
Since there are no obligations for a service provider to facilitate data migration, an
obligation for facilitating and cooperating in the process of data migration or
retrieval must be specified in the contract. Where a cloud computing agreement is
negotiable, the user should make sure that terms regarding data transition are well-
documented under the SLA.
i) Does the SLA have any provision regarding data transfer? What is the
mechanism for data transfer?
The contract must also clearly specify the liability of service provider in case
of loss of data. Specific provisions regarding the form, appearance or
presentation in which data needs to be returned should be given in the
contract.
ii) For how long after termination will data be stored on the cloud? What are
the conditions for retrieving data?
(Note: This question is especially relevant if third party data is also stored on
the cloud)
The user might prefer that the data is deleted and that no backups of the
same remain once he terminates the services of the cloud operator.
Questions relating to confidentiality and circumstances permitting
disclosure of data assume even more importance if the business has availed
of cloud services for storing or processing third party data. The user’s
responsibility for the third party data will depend on the provisions of the
Information Technology Act and terms and conditions in any contract, end-
user license agreement (EULA) or disclosure statement with the third
parties.
Examples
● AWS: As per the AWS Agreement, ordinarily data will be stored for 30
days post termination (barring exceptional cases), and Amazon will
extend the same level of assistance in data retrieval as is provided to
other users. Any further assistance is subject to mutual agreement
between the user and Amazon.
IaaS
● Cloud IaaS CSAs are similar to SLAs for network services, hosting, and data
center outsourcing. The main issues concern the mapping of high-level
application requirements on infrastructure services levels.
● Metrics are well understood across the IaaS abstractions (compute, network,
and storage). Customers should expect to find a subset of the following
metrics in their cloud SLA.
PaaS
● Two main approaches exist for building PaaS solutions: integrated solutions
and deploy-based solutions. When reviewing the PaaS service agreement,
customers should consider tradeoffs in flexibility, control, and ease of use to
determine which approach best meets their business needs.
● Customers should ensure their CSA includes support for open standards, as
they become available, to reduce vendor lock in.
SaaS
● Customers should insist on flexible CSAs that are measurable against their
objectives, not the cloud providers’ reporting needs.
● Given the wide variation of services provided at the SaaS level, it is difficult to
provide a comprehensive and representative list of SaaS service level
objectives for customers to look out for in their CSAs.
● Customers should expect general SaaS service level objectives like monthly
cumulative application downtime, application response time, persistence of
customer information, and automatic scalability to be included in their CSA.
● Public - With the public model, the security risk increases as the IT resources are
used by multiple clients. Customers should carefully review the CSA to
understand how the provider addresses the added security, availability,
reliability and performance risks introduced by multi-tenancy. One should also
check whether they have the ability to measure and track specific service level
objectives.
● Hybrid model - The considerations are similar to the public model, with the
specific requirement of integrating cloud services with enterprise solutions.
The agreement should cover the service and data integration requirements,
and security requirements.
● Response time: It is the elapsed time between when the service is invoked
and when it is completed (measured in milliseconds).
A business should ideally identify critical needs and times when the cloud computing
service must be available for users. Usually, this is done through managerial
processes which identify and establish key performance indicators (KPIs) which are
unique to the company’s business requirements. Some of the metrics which are
relevant to establish KPIs could be:
For example, if a business expects peak transaction load at certain times of the
month (and at other times the transactions are relatively insignificant), latency
figures based on monthly averages will not be ideal indicators of the quality of the
service – it is possible that the monthly average is good, but the service is not
available during times when the business faces peak transaction load.
In January 2011, Google announced that it will no longer provide an exception for
scheduled downtime (usually services are down during pre-planned upgrades) or
intermittent downtime (downtime lasting less than 10 continuous
minutes). Therefore, both scheduled downtime and intermittent downtime would
be considered by Google as regular downtime and hence would be counted as a
shortfall in the service. It became the first cloud provider to eliminate headroom for
maintenance activity.
At the time of entering into an agreement with a cloud service provider, the
consequences of failure to meet desired service levels should be known in advance.
What is the policy of the service provider if it fails to meet agreed service levels?
Many SLAs entitle users to receive ‘credits’, which are usually set off against future
payments to the provider for the service (money is not usually refunded directly in
liquid cash or equivalents). A more sophisticated structure could involve service
credits that progressively escalate as the length of downtime increases. The credits
should impose significant obligations on the vendor, so that he is incentivised to
provide acceptable levels of service.
Secondly, the length of the period over which downtime is measured is important.
The longer the measurement period, the more diluted the effects of the downtime.
For example, downtime of 5 minutes per week may be more acceptable, as
compared to 5 minutes per day.
Thirdly, any circumstances when failure to meet service credits will not lead to
accumulation of credits should be taken into account.
vi) Problem reports: Reports that focus on the current reporting period
addressing:
Here is a list of questions/pointers that must be taken into account to deal
with downtimes and outages:
❏ How is service outage defined?
❏ What level of redundancy is in place to minimize outages including co-
location of services in different geographical regions?
❏ Will there be a need for scheduled down time?
❏ Who has the burden of proof to report outages? This can be difficult to prove
in case of conflicts with the cloud providers.
❏ What is the process that will be followed to resolve unplanned incidents?
❏ How will unplanned incidents be prevented or reduced?
❏ When does the time clock start on lack of service availability in order to
measure service credits?
❏ How will incidents be documented or logged?
❏ What actions will be taken in the event of a prolonged disruption or a
disruption with a serious business impact?
❏ What is the process of performing disaster recovery testing, and how often
are the tests conducted? Are the reports of the tests provided to clients and
are the tests automated?
❏ What is the problem escalation process?
❏ Who are the key service provider and customer contacts (name, phone
number, email address)?
❏ What is the contingency plan during a natural disaster?
❏ How is the customer compensated for an outage? It must be noted that cloud
providers have limits on the maximum compensation provided in case of an
outage, and the compensation is an insignificant remedy in case of serious
outage.
❏ Does the cloud vendor provide cloud insurance to mitigate user losses in
case of failure? Although this is a new concept, some major cloud vendors
are already working with insurance providers.