More and more businesses are relying on cloud computing - for their own use and to provide their services to end customers. However, cloud computing can be a complex and fast-moving technology, and gives rise to a number of legal issues that parties need to address. While most cloud customers will see data protection and security as an obvious priority, in this article we explore some of the other legal challenges businesses should consider when reviewing a cloud contract.
What is cloud computing?
In broad terms, cloud computing delivers technology as a service on demand, over the internet. In other words, a customer does not need to install stand-alone software or run its own applications and servers. The cloud supplier hosts applications and provides the computing power to many different customers from the supplier's data centres. This allows each customer to benefit from economies of scale and dramatically lowers the costs of obtaining a range of IT services.
Components of a cloud contract
Many cloud suppliers will include some or all of the following documents in their cloud computing contract bundle. These documents will need to be reviewed in conjunction with each other.
- strong>Terms of Service: sets out the general legal terms and conditions that govern the use of the service and the relationship between the supplier and the customer. Also known as the 'Terms of Use'. It may incorporate other documents by reference.
- strong>Privacy Policy: An extremely important document that sets out the cloud supplier's approach to collecting, using and protecting personal information.
- strong>Acceptable Usage Policy (AUP): Often used by social networks and cloud storage providers to specify permitted and prohibited practices when using the cloud service (for example, prohibiting hate speech or forbidding use of the service to deliver spam).
- strong>Service Level Agreement (SLA): The SLA documents any target levels of service availability and other metrics, and possibly service level rebates, that the cloud supplier offers.
6 Golden Rules
When reviewing the various documents that make up a cloud contract a business should consider the impact of the following six 'golden rules' and seek legal advice if necessary:
- Liability: When reviewing a cloud contract
customers and their legal advisers should carefully consider the
issue of liability. Cloud suppliers will often attempt to provide
the services "as is" with no warranties regarding service
availability or quality. It is also common for suppliers to exclude
liability in the event of loss of data or a service outage along
with other forms of direct and indirect loss. However, as cloud
services are increasingly used, customers are putting more data
onto the cloud and their own end-users may be relying on the cloud
service. In light of this, the consequences of unavailability or
loss or corruption of data could be substantial. A customer should
also consider whether it requires unlimited liability on the cloud
supplier in certain scenarios, such as the supplier's breach of
the data protection, privacy or confidentiality provisions in the
contract.
- Intellectual Property Rights (IPR): A
typical cloud contract may state that use of applications only
provides the customer with exclusive use of the cloud service
rather than outright ownership in the IPR created through it. The
customer should consider whether it or the cloud supplier should
own developed material and use-specific adaptions. The IP clause in
the contract should reflect the agreed positions.
- Hidden charges: There are generally two types
of cloud models that a supplier will offer - premium paid services
and free services. Cloud suppliers will usually provide paid
cloud services on a utility basis under recurring billing, for
example, monthly. The supplier will usually calculate the
customer's charges based on either the number of users or the
particular service options that the customer selects.
Alternatively, under a "free" cloud model, the customer
does not pay any upfront or recurring fee but the cloud supplier
may generate revenue by using the customer's personal data to
provide targeted advertising within the service. With either
model, customers need to review carefully the cloud contract for
any hidden charges, in particular charges incurring where the user
exceeds thresholds for storage, set up fees, security/back-up,
support and maintenance, upgrades and premium fees.
- Termination of the contract: Depending on the
type of cloud service, a supplier may impose a minimum service
period in the contract. Customers should be aware of the
possibility of early termination charges if a fixed term cloud
contract is concluded earlier than expected. Equally, customers
should err on the side of caution in relation to the notice period
in the contract for non-renewal/cancellation. If the cloud supplier
only has to provide one month's notice of
non-renewal/cancellation this could leave the customer stranded
with insufficient time to engage an alternative supplier.
- Governing law and jurisdiction: A cloud
customer should check the governing law and jurisdiction clauses to
determine where it is able to enforce the terms of the contract, if
an issue arises in the future. Some cloud contracts also enforce
arbitration on the parties, which may limit the ability of certain
customers to make a claim in their local courts.
- Lock In/Exit: Customers should be cautious in relation to over-dependence on one cloud supplier. A customer should include a provision in the contract allowing it a grace period after termination or expiry of the contract to recover its data and an obligation on the supplier to make sure user data is adequately deleted afterwards. It is also useful for the contract to state what transition-out assistance the cloud supplier has to provide and whether this will be at an additional cost.
Suitable contractual protections
When a customer is choosing a cloud supplier one of the most important things is to plan ahead and review the contractual and pricing documents well in advance. While many cloud suppliers offer "free" services, this may not always be the best option in the long run. When selecting a cloud supplier a business should not only consider the upfront or monthly service fees but also whether the proposed cloud contract has suitable protections in place. To maximise the benefit it will receive from the cloud service a customer should ensure that the cloud contract suitably addresses the 'golden rules' of liability, intellectual property, hidden charges, termination costs, governing law and transition-out requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.