Common Sense Rules in Cloud Contracts
By Marie Lingblom
Forbes contributor Joe McKendrick penned an interesting article this month about cloud contract negotiations, based on research findings published in the Stanford Technology Law Review. He poses the question: What’s negotiable and what’s not in a cloud computing arrangement? With cloud computing itself still evolving, negotiations among providers and enterprises are still evolving.
Cloud providers’ and technology buyers’ conversations with University of London researchers, however, identify major points of discussions for cloud engagements. McKendrick shares the findings of W. Kuan Hon, Christopher Millard and Ian in the form of common-sense questions to ask when negotiating a cloud-computing contract. Here are some highlights:
1. Who’s liable for damages from interruptions in service? For the most part, cloud providers do not retain liability for issues, the researchers report. Even large users had difficulty getting providers to accept any monetary liability. Some users pushed back in some deals, however, stating that refusal to accept any liability was as a “deal breaker.”
2. What about service level agreements? SLAs are an important consideration, particularly since standards are lacking. SLAs are often highly negotiable, as they can be adjusted through pricing. The more you pay, the better performance you are guaranteed.
3. Does availability extend to data? While providers emphasize how redundant and fault-tolerant their clouds are, cloud customers still need to do their due diligence. Like fire insurance for an apartment, the provider will rebuild the structure, but not compensate the renter for the damaged contents.
4. Where is the data going to be physically located? The European Union’s Data Protection Directive, which prohibits storing of data outside the boundaries of the EU, is the greatest area of data security and privacy concern at this time, say Hon, Millard and Walden. “Users were not concerned about colocation within a third party’s data center so much as geographical location of data centers.”
5. Who maintains data for legal or compliance purposes, and what happens to it when contracts are terminated? The authors note there hasn’t been much negotiation yet about data retention for legally required purposes, such as litigation, e-discovery or preservation as evidence upon law enforcement request. “We think it will become more important in future,” they add. One area being negotiated with increasing urgency is users’ ability to have data returned upon contract termination.
6. Who maintains intellectual property rights? Intellectual property rights issues are a frequently cited issue. “The line is sometimes unclear between a user’s application and the provider’s platform and integration tools. Where integrators develop applications for their own customers, customers might require intellectual property rights ownership, or at least rights to use the software free after contract termination or transfer,” say the authors.
7. What are the grounds for service termination? Non-payment is cited as the leading reason providers terminate contracts. Other reasons include material breach, breach of acceptable use policies, or receiving third-party complaints regarding breach of intellectual property rights. The main issue is the “actions of one end user customer may trigger rights to terminate the whole service,” the authors say. “However, many services lack granularity. For instance, an IaaS provider may not be able to locate and terminate the offending VM instance, and therefore need to terminate the entire service. Providers, while acknowledging this deficiency, still refused to change terms, but stated they would take a commercial approach to discussions should issues arise.”