I am going to share my six killer tactics in a cloud computing contract negotiation. These will help you get the best legal outcome while ensuring that the contract obligates the cloud provider to ensure your information and data on the cloud is secure and private. However, the best tip I could ever give you is that all potential customers of cloud services should take time to carefully review and, if possible, set up a cloud computing contract negotiation with the cloud provider before commencing operation of the cloud computing service.
Cloud computing contract negotiation…take off….
Everyone wants to be ‘on the cloud’. More and more of the services we use online are accessed remotely from the cloud provider’s cloud computing systems, which may be located around the world. Often large international suppliers of cloud services will provide pro-forma terms and conditions on a ‘take it or leave it’ basis. These standard agreements often contain incredibly one-sided exclusions and limits. However, depending on your intended spend and the size of the cloud provider, it may be willing to negotiate terms with you. If so, here is what you need to know.
1. Fail to prepare, prepare to fail
The best way for your organisation to manage excessive risk in a cloud computing contract negotiation is to consider if the cloud service solution meets your requirements. The first step is to investigate and understand how your organisation plans to use cloud computing by considering the types and sensitivity of data that your organisation wishes to upload into the cloud and appreciating what internal policies your organisation has with regard to how this data is transferred and stored.
Cloud computing contract negotiation tip – remember to perform suitable due diligence on the potential provider and the cloud solutions they are offering.
Your organisation will want immediate access to its data stored in the cloud, possibly on a 24/7 basis – but there is the risk of the internet becoming unavailable or the cloud service otherwise becoming interrupted at the provider’s end. Moreover, a provider could arguably assert intellectual property rights in works based on the data and materials your organisation uploads into the provider’s cloud. If you require 24-hour-a-day access to highly critical, sensitive, or personal data then a public cloud solution may not be suitable. In such instances, consider a ‘private cloud’ or ‘shared private cloud’.
Cloud computing contract negotiation tip – data may pass through many hands as it travels through the cloud, so ensure that your organisation’s contractual rights and remedies can be enforced against all parties in the service chain.
Make sure the provider’s security software, systems and practices are on par with or exceed those of your own organisation. You should also ensure appropriate access and audit rights are present so that your organisation can verify the provider’s record keeping and security compliance. The Department of Defence has a list of risks to consider in relation to security.
If data that you intend to upload to the cloud is ‘business critical’ the contract should require the cloud provider to maintain adequate remote back-ups to enable data to be recovered.
Ensure servers or other equipment on which your data is stored in the cloud are protected against security breaches, such as those caused by arson, theft or natural disasters. The cloud provider should also have adequate insurance for such events. You should remember to check the adequacy of your own organisation’s insurance as well.
Cloud computing contract negotiation tip – the contract should set out the cloud provider’s obligations in the event of a security breach or unauthorised access to data.
The cloud provider should accept responsibility for any privacy breaches and should be obligated to notify you as soon as it becomes aware of any breaches of privacy.
To comply with privacy laws, the contract should require the provider to take reasonable steps to ensure that the overseas recipient does not breach privacy laws. The cloud provider should also warrant that any overseas storage and processing of data will only occur in accordance with the privacy laws in your jurisdiction.
Cloud computing contract negotiation tip – the contract should contain indemnities with respect to losses you or your end customer suffer as a result of the provider’s privacy related breaches.
5. Service Levels
To ensure service continuity and protect against data loss, make sure that the contract places appropriate obligations on the cloud provider. A common example is service levels regarding the availability or up-time of the cloud service.
Providers will often have service level targets that they will try to meet, but the provider’s standard contract will be careful to note that there will be no penalty if the service levels are not met.
Cloud computing contract negotiation tip – you should ensure the contract contains clear and measurable service levels that the provider must meet which are assessable against contractually specified performance benchmarks. The service levels should be made practically enforceable by the automatic application of service credits or liquidated damages if the service levels are not met.
6. All’s well that ends well
Your organisation should retain a right to continue to access its data, even after termination or expiry of the cloud contract.
There should be disaster recovery provisions and transition-out provisions in the contract, which clearly set out what happens at the end of the term. The provider should be required to assist as necessary to facilitate the disengagement and transfer. Negotiate to include a minimum period of prior notice which the cloud provider must give before it may terminate, and in any event termination should only be allowed if your organisation has materially breached the contract and has not remedied that breach within a set period of time.
Cloud computing contract negotiation tip – carefully review the contract to ensure that there are no exclusivity or lock-in provisions that prevent your organisation from removing its data and migrating to another cloud provider.