Cloud ComputingContract Law

Cloud computing contract: 8 clauses to beware

cloud computing contract

Cloud computing contracts are big news. Previously, I examined some techniques and tactics that customers can use to help them when negotiating cloud computing contract clauses with vendors.  However, it may not always be possible to negotiate your cloud computing contract if the vendor is a large company, or is offering you an ‘off-the-shelf’ product. As part of my series on cloud computing I will analyse 8 dangerous cloud computing contract clauses that businesses need to look out for and beware of in standard cloud computing contracts issued by major cloud vendors such as Amazon, Google and Microsoft.

Why can’t I negotiate my cloud computing contract: old wine in a new bottle

Cloud vendors often argue that they are submitting their lowest price based on offering you their cloud service on standard cloud computing contract terms and conditions that all their customer must agree to. They are in essence saying that it would be too expensive for them to negotiate and manage individual contracts for every single one of their cloud customers. This ‘take it or leave it’ approach from large suppliers will not be new to those who have tried to negotiate terms and conditions with large software or telecommunications suppliers. It supports the view that negotiating a cloud computing contract is just ‘old wine in a new bottle’.

What is the point if I have to agree to all the cloud computing contract clauses anyway?

While you may not be able to negotiate your cloud computing contract, this article aims to help you, as a customer, make a more accurate risk assessment of the contract. From a practical perspective, if you are aware of the risks of a particular contract you will be better placed to decide if your organisation has the appetite to accept that risk and agree to use the cloud service. If you do not you may wish to try to negotiate the terms of the contract or consider stepping away completely and using an alternative cloud service.

1. No warranties regarding the cloud service

What they say: Microsoft Azure

Limited warranty. We warrant that the Services will meet the terms of the SLAs during the Term. Your only remedies for breach of this warranty are those in the SLAs. DISCLAIMER. Other than this warranty, we provide no warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability or fitness for a particular purpose. These disclaimers will apply except to the extent applicable law does not permit them.

What they mean: Microsoft do not provide any promises or warranties in relation to the fitness for purpose of quality of the cloud service outside of any applicable provisions under statutory law. They do promise that the cloud services will meet any service level agreement. However, if the cloud service is not operating correctly your only remedy is limited to claiming service level rebates in the service level agreement (SLA).  You are agreeing that you cannot also terminate the agreement for breach and bring a claim for damages. You will need to carefully review the SLA to decide if the service level rebates are suitable compensation for any downtime or loss of data you may suffer.

2. No liability for hacking or unauthorised access

What they say: Amazon Web Services

We and our affiliates or licensors will not be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages (including damages for loss of profits, goodwill, use, or data) your inability to use the services, including as a result of any…our discontinuation of any or all of the service offering…any unanticipated or unscheduled downtime of all or a portion of the services for any reason, including as a result of power outages, system failures or other interruptions…or any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.

What they mean: If you cannot use the cloud service or access your data Amazon exclude all liability to you for both direct loss and consequential loss. You are essentially agreeing that Amazon are not liable to you even if:

  • you are unable to access the cloud service (regardless of whether it is Amazon’s fault there is a power outage or system failure);
  • Amazon withdraw the cloud service; or
  • there is any unauthorized attack or access, or deletion or damage, to your content or data stored on the cloud service.

3. US governing law and jurisdiction for claims

What they say: Google Cloud Platform

All claims arising out of or relating to this agreement or the services will be governed by California law, excluding that State’s conflict of laws rules, and will be litigated exclusively in the Federal or State courts of Santa Clara county, California, USA; The parties consent to personal jurisdiction in those courts.

What they mean: If you are a company located in, for example Ireland or the UK, the chances are very high that you will have to bring a dispute or claim against Google exclusively in the courts of the State of California in the US. Where the parties to a business to business cloud contract agree a foreign venue for the adjudication or arbitration of disputes arising under that contract, a UK or Irish court will generally stay proceedings brought in the UK or Ireland to decide a dispute unless the claimant can show that there are strong reasons justifying non-enforcement of the parties’ choice of venue under the contract.

4. Changes and variations to the cloud contract

What they say: Amazon Web Services

We may modify this Agreement (including any Policies) at any time by posting a revised version on the AWS Site or by otherwise notifying you…The modified terms will become effective upon posting or, if we notify you by email, as stated in the email message. By continuing to use the Service Offerings after the effective date of any modifications to this Agreement, you agree to be bound by the modified terms. It is your responsibility to check the AWS Site regularly for modifications to this Agreement.

What they mean: Amazon can change the cloud computing contract at any time. They may email you about the amendment or they may post a notice on the AWS website. You are expected to check the AWS website to review the updated terms. If you continue to use the Amazon cloud service after the date the modifications are posted then you are deemed to accept the updated terms and conditions. If you are a government or other large enterprise customer you will have to determine if Amazon’s ability to unilaterally vary the agreement meets you legal or internal risk compliance processes.

5. Complicated service level rebate process

What they say: Amazon EC2 SLA

To receive a Service Credit, you must submit a claim by opening a case in the AWS Support Center. To be eligible, the credit request must be received by us by the end of the second billing cycle after which the incident occurred and must include:

  1. the words “SLA Credit Request” in the subject line;
  2. the dates and times of each Unavailability incident that you are claiming;
  3. the affected EC2 instance IDs or the affected EBS volume IDs; and
  4. your request logs that document the errors and corroborate your claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks).

If the Monthly Uptime Percentage of such request is confirmed by us and is less than the Service Commitment, then we will issue the Service Credit to you within one billing cycle following the month in which your request is confirmed by us. Your failure to provide the request and other information as required above will disqualify you from receiving a Service Credit.

What they mean: Amazon does not automatically credit the service level rebates to your account . If is your responsibility claim a rebate by going to the AWS Support Center and providing the four pieces if information set out above. If you do not provide all of this information correctly you will not be eligible for a service level rebate. You must also remember that Amazon have to receive your claim by the end of the second billing cycle after the cloud service fault occurred. You will need to decide who in your company will be responsible for monitoring the service logs and submitting detailed service outage claims to Amazon within the allotted time period.

6. Transferring data anywhere overseas

What they say: Microsoft Azure

Privacy and data location – We treat Customer Data in accordance with our Privacy Statement. Subject to any restrictions set forth in the Privacy Statement, we may transfer to, store, or process Customer Data in any country where we or our Affiliates or subcontractors have facilities used to provide or support the Services. We are a data processor (or sub-processor) acting on your behalf, and you appoint us to do these things with Customer Data in order to provide the Services to you. You will obtain any necessary consent from End Users or others whose personal information or other data you will be hosting using the Services.

What they mean: Under the cloud computing contract Microsoft may transfer your data (or your end customer data) overseas to any location where their subcontractors are located. You do not know who these subcontractors are. They also could be located anywhere in the world, for example in India or the Philippines. The subcontractors will be able to store and process your data and your customer data. You will need to ensure that your end customer is aware of this disclosure and consents to it. For the purposes of EU data privacy law, Microsoft notes that it is only a ‘data processor’.

7. Consent to use your company in all publicity

What they say: Google Cloud Platform

Publicity. Google may include Customer’s name or Brand Features in a list of Google customers, online or in promotional materials. Google may also verbally reference Customer as a customer of the Google products or services that are the subject of this Agreement. Neither party needs approval if it is repeating a public statement that is substantially similar to a previously-approved public statement.

What they mean: Google can use your company’s name and refer to you as a user of their cloud services in any press release, oral reference or other promotional material Google releases. This may be a risk if your company (or your end users) do not want your competitors, customer or the general public knowing that you are using cloud services in relation to parts of your business.

8. Short payment dispute period

What they say: Google Cloud Platform

Invoice Disputes & Refunds. To the fullest extent permitted by law, Customer waives all claims relating to Fees unless claimed within sixty days after charged (this does not affect any Customer rights with its credit card issuer). Refunds (if any) are at the discretion of Google and will only be in the form of credit for the Services.

What they mean: You only have 60 days (ie. two months) from the date of an invoice to dispute an amount. If you find an error in a bill for your cloud service after this period, for example six months after the bill was issued then Google will argue that your claim is out of date and that you have contractually waived your rights to dispute the invoice. You will have to have notify your internal finance department of this short time period and ensure that they review all invoices from Google in a timely manner.

Sources

Amazon Web Services Terms of Use

Amazon EC2 Service Level Agreement (SLA)

Microsoft Azure Service (Ireland)

Google Cloud Platform

 

Photo credit: Pixabay

4 thoughts on “Cloud computing contract: 8 clauses to beware

  1. Do any of the services provides have to disclose where the information is being kept? What I mean is, do they have to tell the customer where the servers are? Do you think the location of the servers makes a difference in the mind of the customer?

    1. Hi Michelle, that is an interesting question. In the UK under the Data Protection Act Principle 1 requires a ‘data controller’ to provide information to individuals about the processing of personal data about them. This could include notifying the data subject that their personal information will be transferred overseas outside of the EEA. There are also restrictions in relation to the transfer of personal data from the EU to countries outside the EU that are not considered to provide an ‘adequate level of protection’. In Australia, the Australia Privacy Principle 1.4(g) requires that “if [you are] likely to disclose personal information to overseas recipients [you must list] the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.”. The reality is that due to cost savings and the global economy all technology providers will be utilising data centres in various locations around the world. The trick will be for the data controller to ensure that the overseas location has an adequate level of data security safeguards and protections in place and that it has followed the data protection laws applicable in its jurisdiction.

  2. Mark, would any of these terms be potentially found void under unfair terms legislation? For example, the second clause from Amazon where they exclude liability for even direct loss. What do you think?

Leave a Reply