Turkey: Important Points Regarding Preparation Of Cloud Computing Contracts

A. Introduction

As it is known, Cloud Computing Systems ("CCS") can be defined as the provision of computing services including but not limited to servers, storage, databases, software, networks and similar resources over the internet through practical and dynamic methods;

• Cost: Elimination of cost items such as software, hardware, establishment and operation of in- house data centres
• Speed: Swift provision of required resources to relevant parties, reducing both the cost and time of testing and development work.
• Reliability: Utilization of redundant data storage across multiple backups within the cloud system
• Security: Safeguarding existing data on non-host systems of cloud providers with high security measures
• Accessibility: Empoweringusers to access the information they want from anywhere with any device, with only an internet connection

It enables to increase the efficiency of the processes of collecting information in terms of its characteristics, processing the collected information and presenting it to the users.

Therefore, it is very important to determine in detail the framework and conditions under which the services planned to be received in relation to the CCS's will be performed and to draft and execute the Cloud Computing Agreements ("Agreements") between the involved parties taking into account these specifics. This ensures the attainment of the maximum efficiency anticipated from the CCSs

Additionally, it should be noted that CCSs are categorized into three distinct types., as examined in our article titled "Cloud Computing Technology and Its Legal Dimension";

• Infrastructure as a Service (IaaS) is a service model in which the fundamental information resources such as processor, storage and network resources required by the user are provided by the service provider. In this setup, the user does not have full control over the infrastructure, but has an retainsat the operating level.
• Platform as a Service (PaaS) is a service model wherein the service provider provides the user with a platform on which they can develop and run their own application, as well as complementary services and the necessary technological infrastructure. Users can independently manage the applications and services they develop, while the cloud service provider handles all other aspects.
• Software as a Service (SaaS) is a type of service in which the software application hosted on the server by the service provider is made available to more than one institution or organisation.

In this context, in this article, in order to ensure the maximum benefit expected to be obtained from the Agreements without any loss of rights, (i) Data Ownership and Security, (ii) Service Level Agreemet ("SLA"), (iii) Intellectual Property Rights, (iv) Contract Termination Conditions, which are important for these Agreements, will be examined.

B. Provisions Regarding Data Ownership and Data Security in Contracts:

In terms of contracts, one of the most important provisions that should be included in the contract is the provisions on the protection of personal data regulated in relation to data ownership and data security. Given that the data storage function of CCSs results in the obligation of the data controller within the scope of the Personal Data Protection Law ("PDPL") in terms of the storage, protection and transfer of personal data, it is necessary to ensure that the data in question are stored by taking adequate and appropriate security measures.

As a matter of fact, since there is a risk of unauthorised access to the data stored in data centers located in different locations rather than a single server, it is very important for CCSs service providers to back-up this data. Thus, if the said backup operations are not performed by taking the necessary security measures, unauthorised access to the stored data may be caused and therefore data loss may occur. Additionally, the inclusion of provisions regarding data storage and security in the Agreements is also very important in terms of preventing other reasons that may cause data loss problems such as hardware and software failures, infrastructure problems, human errors, cyber-attacks, natural disasters.

Therefore, during the negotiations of the Agreements to be signed with the CCS service providers, it should be ensured that detailed provisions regarding the liability and indemnification conditions regarding the obligation of CCS service providers to ensure data security are included in the Agreements, if this is not possible due to lack of negotiation power, at the very least, verifyingwhether the Agreements to be signed contain such provisions is one of the primary issues to be considered in order to prevent loss and breach of the relevant data. Otherwise, especially in terms of large-scale projects, there is always a risk of theft of sensitive data such as trade secrets and know-how or unauthorized access to such data. Therefore, it is important for the parties to include provisions regarding data ownership and security in the Agreements.

Another important issue is that the provision to be included in the Agreements regarding data ownership and security should encompass the stages of contract preparation. As it is known, confidential and sensitive information is shared not only after the signature of the parties but also during the contract preparation phase. Therefore, the data shared during this stage should also be safeguarded. This applies particularly to the service recipients of CCS service providers.

Another crucial record that should be included in the Agreements is the provision regarding the information, conditions and characteristics of the sub-service providers that the CCS service providers may engage for the provision of services. As a matter of fact, although CCS service providers will be primarily liable in the event of breaches such as breach of confidentiality, data loss and unauthorised access to data, the provisions to be added to the Agreements in terms of service recipients; the authority to review and approve the agreement between sub-service providers and CCS service providers and/or the obligation of these parties to enter into a confidentiality agreement between them may prevent the occurrence of such breaches.

C. SLA Agreements in Conjunctionwith Contracts:

Although the SLA is important not only for the Contracts but also for all information technology agreements, in general, they are typically included as part of the contracts or presented externally., and they encompass the description and scope of the service to be provided, the terms and limits of liability, customer service levels, as well as breach and compensation conditions.

In this respect, since the SLA aims to determine in detail the services to be provided by CCS service providers within the scope of the Contracts, especially in terms of methodology and limitations, the parties may choose to establish an SLA either concurrently with the framework Agreement or separately. Within the SLA, particular attention may be given to;

• Description and scope of the cloud services to be received and details of any special features,
• Detailed explanations of the responsibilities of cloud computing service providers in providing these services,
• Descriptions of indicators that measure the quality and performance of the cloud service, such as availability, reliability, throughput, latency, security, compliance and customer satisfaction,
• How and within what framework and scope the customer service support will be provided in order to quickly resolve the problems that may arise while obtaining cloud computing services,
• Detailed definitions of the circumstances of breach and the remedies to be granted to the parties as a result of the breach,

Indeed, by doing so, the parties not only address the standard provisions typically found in contracts but also define the technical and detailed specifications of the Contracts. In this manner, the parties can fully realize the maximum benefits expected from the signing of the Contracts..

D. Provisions Regarding Intellectual and Industrial Property Rights in Contracts:

As is known, software, hardware and infrastructure services to be provided by software CCS service providers are among the elements that should be protected as an important subject of industrial property rights. Therefore, it should be stated in the Agreements that the ownership rights regarding the technical characteristics of the infrastructure and storage services to be provided are on the CCS service providers and that the service recipient must conduct themselves in a manner that does not infringe upon these rights.

As a matter of fact, it is of utmost importance to comprehensively regulate the software, hardware and infrastructure services protected under industrial property rights, in detail within the framework of the Agreements, as it will prevent possible grievances by CCS service providers. Additionally, within the provisions regarding intellectual and industrial property rights to be included in the Agreements, it is necessary to determine in detail what kind of sanctions will be imposed in case of violation of these provisions.

In this context, contracts may include provisions for compensating damages arising from violations and immediate termination, along with an agreed-upon penalty clause in addition to compensating existing damages. By incorporating a penalty clause, it acts as a deterrent against breaches by the parties, and can be invoked in case of a breach.

E. Provisions Regarding Termination of Contracts:

As it is known, it is crucial to establish detailed provisions outlining the responsibilities of the parties in the event of termination and the manner in which the Contracts will be concluded.. Although there are different opinions in the doctrine regarding the legal nature of the Contracts, which are not regulated under the Code of Obligations numbered 6098 ("Code"), the predominant opinion is that these Contracts are sui generis contracts that incorporate the characteristics of unnamed contracts such as lease, agency, work contracts and licence agreements. In this context, the lack of a single and clear definition of the legal nature of the Agreements raises the question of which type of contract provisions will be applicable in case of dispute, and there is no clear answer to this question. In this

respect, it is very important for the parties to regulate the relevant termination provisions in these Contracts, the nature of which is shaped according to the performance agreed upon by the parties in the Agreements, in order to ensure that the relationship between the parties can be carried out in a healthy manner.

Indeed, the lack of detailed determination of these issues may result in uncertainty regarding how problems arising during the legal relationship will be resolved, as they are not anticipated in advance. This uncertainty can lead to a conflict of wills between the parties. Furthermore, the failure to specify the obligations of the parties may raise doubts as to whether the conditions for compensation have been fulfilled, potentially leading to the victimization of the right holder.

As a matter of fact, for example, the fact that the obligations regarding the return to be imposed on the parties during the termination of the Contracts are not determined in detail may lead to losses for the CCS service provider due to the continued unauthorised use of its hardware and software, while for the service recipients, the loss of the data obtained until that time due to the non-transfer or non-return of the data processed to the CCS to the new CCS and various operational difficulties and financial losses will be incurred.

In this context, especially in the event of termination, it is crucial to determine several key aspects such as how the software and hardware provided by the CCS service providers will be returned, the duration of a reasonable period required, considering that the service recipient has established its operations on the CCS and conducts its operations through these CCSs, the method and timeframe for data transfers and the fate of data remaining on the old CCS after the transfer.

Another very important issue to be determined is the termination rights to be granted to the parties in case of breach of the obligations under the Contracts. As it is known, termination rights are very important in terms of each contract and the way they are regulated should be clear and unambiguous. Therefore, in terms of cloud computing agreements, it is necessary to determine in which cases the parties will have the right to terminate the Agreements. In this framework, the provisions regarding termination in case of breach of payment obligations, confidentiality and security commitments and SLA provisions should be included in the Agreements.

In the absence of a provision regarding contract termination, legal doctrine suggests that the rules governing the conclusion of sui generis contracts shall apply to the termination of the contract. Since it is not possible to speak of an objective essential element in sui generis contracts, it is not possible to apply the Law directly to the contracts. In this context, in the doctrine, if the provisions determined by the parties in the contract are insufficient, the provisions stipulated in the law may be applied by analogy. In this context, termination may be pursued within the framework of the general provisions regulated in the Law concerning contracts that impose obligations on both parties. In the absence of a provision in the Law that directly applies to the specific case, judgment will be made according to the rules of custom and usage. If this is not feasible, the legal gap will be filled by the judge within the framework of precedent decisions.

F. Conclusion

In conclusion, it is paramount for both parties benefiting from CCSs and CCS service providers to include detailed and comprehensive provisions regarding data ownership and security, SLA agreements, intellectual and industrial property provisions, and termination clauses within the Agreements. Failure to do so may result in breaches and loss of shared data, as well as unauthorized use of protected intellectual and industrial property rights. These provisions should be meticulously regulated during the conclusion of the Agreements, particularly to cover the contract preparation stages. This ensures that the desired outcomes from signing the Agreements can be achieved effectively.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.