As I rewrite and refresh this article – a piece that I wrote in 2009 – I stand in awe as to how much has changed with respect to the internet, and how both individuals and businesses alike use it. Don't get me wrong, cloud-based services certainly were available back then, and gaining in popularity. However, the cloud landscape today is vastly greater, with almost every software application possible having a cloud-based counterpart. To say that the use of the cloud today is prolific, alas, would be a gross understatement. Businesses today are using cloud-based applications for everything from customer management, to file storage and backup, inventory tracking, invoicing, marketing, payroll processing, postage, project management, and a host of other things. Hosted services enable companies of all sizes to leverage economies of scale, permitting access to enterprise-level software at a fraction of what it would cost if deployed in house. However, I continue to wonder just how many of those businesses have actually even read the terms of the contract that they agreed to be bound to when signing up for those services.
I look at contracts almost every day. My work is a testimony to the fact that when most businesses enter into an agreement, they take it seriously. They want to know what it says, what it means, and what both sides will be required to do in performing it. I've worked on agreements ranging from a single page to over a hundred pages in length, for all different sorts of projects, and with all different price tags. However, the one common thread among all of those documents is that the parties involved always, almost without exception, wanted to know what they were agreeing to. They cared enough not only to take the time to read it, but to pay an attorney to read it as well. Indeed, some agreements even take months to negotiate. So why does the internet change things? Why when signing a contract online do we simply click "Accept" just to get to the next screen, without anything more? What about the internet creates a belief that what we are agreeing to online is somewhat not as enforceable as something written on paper? Do we think that internet-based agreements can simply be canceled at will, and with impunity? (Hint: They can't.)
While many online subscriber agreements are indeed non-negotiable (for example, you probably wouldn't be too successful in negotiating the license agreement for your $9.99 a month subscription to a globally popular backup service), depending on the size of your account and the size of the service provider, many are; and as with anything else, you just have to ask.
The basics of hosted services. 'Hosted' services, also commonly referred to as 'cloud computing,' 'Software as a Service' (SaaS), 'Infrastructure as a Service' (IaaS), or 'Platform as a Service' (PaaS), are services where one party entrusts the storage and/or processing of its data to a third-party service provider; the core concept being that the customer can access its application data (and possibly even the application itself) without having to worry about the underlying infrastructure. Providers may offer different types of hosting. Some providers offer only storage hosting, such as an online disk or backup service, where users can upload and later access their data. Other providers offer application hosting or virtualized computing, services where the application or computing platform itself is delivered online, an instance where usually both the application and the data are stored with the provider. In some instances, your data resides on servers that are actually maintained by the provider. However, in other instances, the provider itself may outsource that function to yet another provider. Moreover, a US-based provider may send your data outside the US for storage.
The importance of carefully selecting a hosting provider. There are many factors to consider when selecting a service provider. Selecting a hosting provider is in many ways like selecting a bank (except you don't get the added protection of the FDIC), an accountant, or an attorney. In many cases, you are trusting a critical business asset – your data – with the provider. As a result, it is crucial to select a provider that is stable, reliable, and able to deliver the level of service and support that your organization needs. If not otherwise obvious, providers should be willing to answer reasonable questions about their company (such as how long they have been in business, etc.) and their storage and security practices. Providers should also be willing to allow potential customers to tour their facilities and observe the technology infrastructure where their data will be housed. If you get a bad vibe about a specific provider, ask questions until you are comfortable. If you don't feel satisfied with a specific provider, don't be afraid to move along.
The Hosting Agreement. A hosting agreement (which may be called something else; in many cases, the hosting agreement may simply be referred to as the "Terms of Service") is the written contract that governs your relationship with the hosting provider. Much like any other agreement, this is where the terms of your relationship with the provider are set out. Where a service provider offers online sign-up, the hosting agreement will invariably be presented to you online, with the provider asking you to acknowledge that you have read and agree to its terms and conditions before even setting up your account. However, that doesn't mean that you have to just click "Accept." Read the agreement carefully and completely. If you don't agree to something (or something isn't clear), call or email the provider and see if the terms are negotiable. If not, you may have to go elsewhere. If something is explained to you over the phone that is not expressly written in the agreement, get confirmation in writing, even if just via email. As when entering into any other agreement, consultation with an attorney is strongly encouraged.
The Service Level Agreement. A Service Level Agreement (commonly referred to as either an "SLA" or an "uptime" agreement) is an agreement pertaining to how often the service will be available. The SLA may be either a standalone agreement, or incorporated into the hosting agreement. It is important to make sure that the SLA is consistent with the provider's marketing. For example, make sure that if a provider markets itself as providing 99.97%, 99.98%, 99.99%, or even 99.999% uptime, those terms are clearly outlined in the SLA. Check to see how downtime is measured, if there is a cure period that would allow a provider to repeatedly violate the SLA over the course of small periods of downtime, and what you are entitled to if downtime exceeds the stated thresholds. Look for things such as planned service interruptions (see below), and know what your termination rights are in the event of continual outages. This language is one of the most important areas to review. Review it closely and carefully. After all, even the most feature-rich service is worthless if you can't access it when you need it.
Planned service interruptions. Planned service interruptions (sometimes referred to as "planned maintenance") are intentional periods of downtime that are necessary to provide periodic maintenance to the provider's software, hardware, or physical-plant infrastructure. Typically, planned maintenance results in some form of service interruption. Check the agreement to see if planned service interruptions are excluded from the SLA (they usually are), and (absent an emergency) when they are scheduled. While most planned maintenance occurs "after hours," keep in mind that your company's hours may be different from the provider's, and may include evening and weekend time when the service is needed. If maintenance is performed every Saturday and that just happens to be your company's busiest day, a problem will quickly arise. Ultimately, factor all of this into what true system availability will look like.
Data storage. The Hosting Agreement should also specify where (geographically) your data will be stored. Don't assume that your data will be kept in the United States either. If this is a concern, make sure it is clearly spelled out in the agreement. Keep in mind that where your data is stored may implicate the data, privacy, and other laws of different jurisdictions. In addition, if your provider is planning to outsource data storage to yet another provider, it should be clearly disclosed in the Hosting Agreement, and they should be willing to identify who that provider is. If your provider does outsource this function, it likely has a separate hosting agreement with its provider, and those terms may ultimately affect you as an end user.
Data protection and confidentiality. The Hosting Agreement should outline how your data will be protected (in some detail, but not so much as to compromise security), and should obligate the provider to certain responsibilities with respect to data security, access control, and antivirus measures. It should also outline the privacy and confidentiality of your data. Some agreements might simply restrict the provider's ability to disclose your data to third parties (except in cases where necessary to provide the service or as required by law). However, consider looking or asking for an agreement that restricts the provider's right to even view your data (while the provider will likely carve out technical support requests from this restriction, this is a reasonable request). Overall, look for the language that best protects your data from being viewed and disclosed, and keep in mind that depending on the nature of your business, federal, state, and local laws may require certain protocols.
Access to your data. Having unattended access to your data is very important. It will allow you to keep an updated copy of the data in-house, should it ever be needed and unavailable to be retrieved from the provider. Being allowed access to your data only upon request to the provider is very different from having unfettered FTP or web-based download access (e.g., imagine having a bank account without ATM access; see the difference?). Even if you are provided with access to download your data, you need to make sure it's kept in a format that you can easily access. This issue would likely come into play with application hosting, although it could also be implicated with traditional data hosting and online backup providers. Many applications store data in proprietary formats, which render the data inaccessible unless being read by that specific application. Make sure that not only is your data accessible, but that it is in a readable format even without the application. If the raw data is proprietary, make sure that it can be exported and made available in a non-proprietary, readable format, such as CSV or XML. After all, having access to your data is meaningless if you can't do anything with it.
Data escrow. Data escrow is relatively simple, and works essentially the way you would expect any other escrow arrangement to work. With data escrow, the hosting provider is typically required to mirror the data you store with it (at an agreed-upon frequency) with yet another third party, the data escrow agent. The data escrow agent then holds a copy of the data, should access to it ever be necessary. Both the agreement with your hosting provider and the escrow agreement with the data escrow agent should address in detail who can access the data, when, and under what terms and circumstances. It is important to make sure that the agreements allow you to have immediate access to your data upon request to the data escrow agent. Language that requires both parties to agree before the data is released may seem fair, but when disputes arise, it may also mean a long delay before you are actually able to get your data. Be careful with data escrow companies that are affiliated with or are operated by the same company as the hosting provider, as this does not offer a true escrow. Ask your provider if it will cooperate with a data escrow provider. If the answer is no, be careful.
Canceling service and switching to another provider. Hosting agreements should expressly cover cancellation, and clearly address who can terminate, when, under what conditions, at what cost, and how your data is returned to you. Make sure you are comfortable with the language, and always make sure the agreement provides that your data is returned to you in a timely fashion, and in a usable format. Some providers may actually facilitate your move to another provider in the event you discontinue your service. Check with them in advance if this is something that is important to you. Make sure that whatever you are told is ultimately incorporated into the hosting agreement.
Summary. With the continued proliferation of affordable cloud-based enterprise-level software, businesses of all sizes will continue to be drawn to the cloud. However, businesses should treat internet-based agreements the same way as they would treat traditional paper-based negotiations, as online agreements are (for the most part) no less enforceable than their paper counterparts. If you are interested in negotiating the terms of your hosting agreement, ask to speak to someone in the provider's legal department. If you are able to negotiate custom terms, get it in writing by someone who is authorized to act on behalf of the provider.