Cloud computing contracts: tips for choosing the best service
The deployment of cloud technologies across all business sectors, whose growth has also been strongly influenced by the emergence of Coronavirus, brings into play unique factors and mechanisms that must be taken into account by IT suppliers and customers when negotiating and executing IT contracts. In particular, the aspects to be taken into consideration in cloud contracts are the protection of personal data, the levels of service performance, and business continuity and disaster recovery plans. What other information do you need to know?
The digital revolution has been characterized during the last decade by the startling rise of the cloud computing technologies and the seemingly overwhelming growth of the relevant market, which now encompasses a wide array of solutions in terms of public, private, hybrid and edge computing. This has also been propped up by the increasing interest of the market toward Artificial Intelligence technologies (e.g., machine learning) and the widespread practice of outsourcing business processes and functions to third party suppliers across all sectors.
The current Covid-19 outbreak will likely boost this growth, as cloud technologies can ensure that we continue to do business as close to the way we did before the outbreak as possible.
The recent market developments and the cloud computing rush require IT customers and suppliers to pay significant attention to certain commercial and legal aspects of IT contracts in order to strike the best deal for their business needs.
A cloud computing service is a service model entailing the provision of software or other technological resources through remote access to the cloud provider's IT platform. The success of cloud services is due to their flexibility (in terms of scalability, speed, reliability and availability of the service) and the cost-effectiveness of access to the technologies, thanks also to the on-demand and pay-per-use usage and pricing model. Cloud services can be split into three main categories, i.e. Software-as-a-Service, Infrastructure-as-a-Service and Platform-as-a-Service.
From a contract point of view, cloud services present many differences from professional IT services and classic software licenses. The cloud service model allows customers to benefit from the services by directly accessing the provider's platform, without any physical intervention by IT professionals and without the deployment or download of any copy of the software. Furthermore, the parties to a cloud agreement do not necessarily have to pay attention to the specific rights licensed by the service provider (e.g., the right to install, use, make copies, create derivative works, etc.), considering that customers are usually granted a mere access right to the supplier's services.
However, it is crucial to clearly describe the service provided within the cloud contract in order to avoid any ambiguities and uncertainty and define / balance beforehand the legitimate interests of the parties in relation to the services being purchased. For practical reasons, such description is often detailed in one or more technical annexes which form an integral and essential part of the cloud agreement.
Another aspect to be taken into account in cloud contracts is the protection of personal data. The relationship between the cloud service provider and the customer is usually a relationship between a data processor and a data controller. Nonetheless, in certain cases the cloud provider may also act as an autonomous data controller, for example when the provider processes the personal data of the customer's employees in relation to the management of the contractual relationship, or in the event the cloud provider is authorized to further process personal data for its own purposes (e.g. anonymizing the customer's data to further enhance the cloud experience).
In accordance with data protection law, alongside the IT contract the parties have to execute a specific data processing agreement which must include, among other things, the instructions that the customer gives to the supplier for the processing of personal data, the parties' respective obligations, and the technical and organizational security measures adopted by the supplier in carrying out the processing. Contrary to what some may believe, a data processing agreement is not a standard contract and can be negotiated: for instance, an audit clause may be drafted in a number of different ways (e.g. entitling the customer to perform penetration tests only in non-production environments, limitations of liability, etc.).
The widespread use of cloud services also entails a number of data protection risks, both in terms of the customer's control over the flow of personal data and in terms of lack of information about the processing activities, in particular where different sub-processors are appointed or complex processing technologies (e.g. machine learning) are used. The customer must therefore carefully assess these aspects prior to entering into a cloud agreement. The cloud service provider must be reliable and must ensure that specific measures are in place to face cyber-attacks and that a cyber-insurance policy is in effect. Another aspect to consider is the transfer and storage of personal data outside of the European Economic Area, which have to be carried out in accordance with the relevant provisions set forth in the GDPR (European Regulation (EU) 2016/679).
One of the main advantages of cloud solutions is the reliability of the service provided by the companies that are able to ensure high levels of performance and availability of the services. In this regard, the parties of IT contracts have to pay particular attention to the service level agreements ("SLAs"). The SLAs indicate the levels of performance of the service in terms of speed, availability and business continuity, offering the customer not only a contractual warranty of performance but also a benchmark to vet the service offered by the cloud service provider.
The service levels have to be determined in a quantifiable, measurable and objective way. Depending on the type of service, at a contractual level the SLAs may be determined on an event basis (taking into account the errors or events that may prevent the availability of the service) or on a performance basis, where the service level is expressed in terms of availability, speed or continuity of the service. In such cases, the supplier's failure to meet the performance level may lead to a breach of contract or to the application of price-adjustment mechanisms.
As a general business practice, the service levels are described by the supplier due to its greater knowledge of the service being offered. On the other hand, the customer often negotiates the remedies and consequences available in the event a violation of the service levels occurs. One of the most contentious issues in this regard is the penalty system applicable where the provider fails to meet the level of service promised under the SLAs. As a general matter, in case of failure the customer has a right to deduct from the fees owed to the cloud provider the amount of penalty accrued according to the number of violations. From the supplier's point of view, the penalty system should be envisaged as the exclusive remedy in case of breach of SLA, while customers usually seek to have the penalty apply on top of other contractual remedies, such as compensation for greater damages suffered due to the interruption or latency of the service.
Finally, the parties should specify in which cases the supplier's breach of the service levels is so significant as to result in the customer's right to terminate the contract. However, even in the absence of such specification, the customer could terminate the contract by operation of law in the event a material malfunctioning of the system prevents the customer from benefiting from the service for a long period of time.
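To make the difference between event-basis and performance-basis service levels concrete, here is an added example (not from the original article or any provider's contract) that measures both against a constructed outage log and computes the penalty the customer would deduct from the monthly fee; the 99.9% availability target, the 30-minute incident threshold and the credit scheme are assumptions.

```python
from datetime import datetime

# Constructed outage log for one monthly measurement window (not real data):
# each entry is the (start, end) of an interruption of the cloud service.
WINDOW_START = datetime(2020, 4, 1)
WINDOW_END = datetime(2020, 5, 1)
OUTAGES = [
    (datetime(2020, 4, 3, 10, 0), datetime(2020, 4, 3, 10, 12)),   # 12 min
    (datetime(2020, 4, 15, 2, 0), datetime(2020, 4, 15, 3, 30)),   # 90 min
    (datetime(2020, 4, 28, 23, 50), datetime(2020, 4, 29, 0, 5)),  # 15 min
]


def downtime_minutes(outages, start, end):
    """Total interruption minutes falling inside the measurement window."""
    total = 0.0
    for s, e in outages:
        s, e = max(s, start), min(e, end)   # clip to the window
        if e > s:
            total += (e - s).total_seconds() / 60
    return total


def availability_pct(outages, start, end):
    """Performance-basis SLA: share of the window the service was reachable."""
    window_min = (end - start).total_seconds() / 60
    return 100.0 * (1 - downtime_minutes(outages, start, end) / window_min)


def major_incidents(outages, threshold_minutes):
    """Event-basis SLA: count interruptions longer than the agreed threshold."""
    return sum(1 for s, e in outages
               if (e - s).total_seconds() / 60 > threshold_minutes)


def service_credit(monthly_fee, outages, start, end,
                   target_pct=99.9, credit_per_tenth=5.0, cap_pct=50.0):
    """Assumed penalty scheme: 5% of the fee for every 0.1 point of
    availability below the target, capped at 50% of the fee; the result
    is the amount the customer deducts from the fees owed."""
    shortfall = max(0.0, target_pct - availability_pct(outages, start, end))
    pct = min(cap_pct, credit_per_tenth * (shortfall / 0.1))
    return round(monthly_fee * pct / 100, 2)


if __name__ == "__main__":
    print(f"availability: {availability_pct(OUTAGES, WINDOW_START, WINDOW_END):.3f}%")
    print(f"incidents over 30 min: {major_incidents(OUTAGES, 30)}")
    print(f"credit on a 1000 fee: {service_credit(1000, OUTAGES, WINDOW_START, WINDOW_END)}")
```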
One of the characteristics that pushes customers to look for cloud services is most definitely the high level of availability of the service purchased, i.e. round-the-clock access without interruption, alongside the quality and speed of the service. As a matter of fact, the leading companies in the industry are usually able to guarantee high levels of performance, offering the service seamlessly and on a continuous basis, without delay or interruption. Service continuity is key for customers in particular when an incident or an exceptional event occurs affecting the IT infrastructure as a whole. Also, business continuity and disaster recovery are legal requirements in certain industries (i.e. the financial sector).
In this regard, cloud service providers adopt special business continuity and disaster recovery plans, consisting of procedures implemented in order to avoid or mitigate as much as possible the negative effects of a service interruption, as well as procedures that restore the service (and data) to the level expected by the customers. Customers carefully select their suppliers also in light of their ability to guarantee the execution of the business continuity and disaster recovery measures as quickly and effectively as possible, including, for example, data back-up, offsite replication of the system and IT recovery processes.
The deployment of cloud technologies across all business sectors brings into play unique factors and mechanisms that must be taken into account by IT suppliers and customers when negotiating and executing IT contracts. Some of these have been discussed in this article. However, there are many others that we will address in subsequent publications.