Contractual Protection in the Cloud
(Article taken from Legal Guidelines 11 – Shoosmiths)
There is no universally accepted definition of Cloud Computing. This is perhaps what underlies so many of the misconceptions and gaps in understanding, and what causes difficulties when it comes to communicating the benefits and risks to the various tiers of a business.
Regardless of how a solution is labelled, it needs to be clear to all parties involved exactly what is being provided. Only then can further consideration be given to how that solution is being provided, the timescales involved, and the cost. Blurred terminology has long dogged the IT industry, and too often individuals fixate on key terms or phrases, making assumptions about what those terms and phrases mean without taking the steps required to ensure everybody is singing from the same song sheet.
It should not be assumed that Cloud service providers will refrain from capitalising on the vagueness surrounding the Cloud, or from leaning on the assumptions that many purchasers have developed.
Cloud Computing can be defined as ‘computing delivered as an on-demand service across the internet where the end-user need not have knowledge of the underlying technology or infrastructure’. This definition does address some of the key elements of Cloud Computing, but it is not carved in stone and should not be relied on without considering the fundamental characteristics of the solution in question. It also needs to be recognised that, whilst the end-user does not necessarily ‘need’ to have knowledge of the underlying system, without that transparency it may be opening itself up to innumerable and unquantifiable risks.
Most due diligence exercises will be scaled to the size and value of the deal at hand, but where business critical processes are involved, or where regulatory or legal requirements govern the Cloud Computing service, important questions must not be overlooked simply because the project does not fall within the relevant price bracket. There are certain questions which a customer would expect to have to address regardless of the nature of the project and whether or not it involves Cloud Computing. This involves both an assessment of the customer’s current service provision and an assessment of any potential service provider. There are also further questions and considerations which might not form part of a customer’s standard due diligence procedure, but which should be assessed when considering entering into a relationship with a Cloud service provider.
Assessment of the customer’s own business
Firstly, the customer should assess its current business in order to understand how the new project will impact on existing services and to determine what needs to be considered in order to identify the most appropriate solution. This should address the following matters (among others):
- customer’s objectives for the project, and whether the new approach (Cloud Computing) is the best way of achieving those objectives
- services currently being provided, including the current service delivery model and whether the service levels are currently being met, the number of users, and transaction volumes
- customer’s future requirements for the services
- number of employees used to provide the existing services (including contract staff), and the costs of those staff
- third party contracts (e.g. software licences) needed to provide the services, and whether those contracts will continue to be used by any parts of the customer’s business
- any assets used to provide the existing services, including the value of those assets, ownership rights, their condition, whether they are used by other parts of the customer’s business, and any dependencies on those assets
- any other overlap between the existing services and the customer’s retained functions
- regulatory issues, such as the potential need for approvals or consents from regulators
- any dependencies on the customer (or its suppliers) in relation to the services
- internal costs of acquiring and providing the new services
- any tax, funding and structuring issues which need to be addressed
Assessment of the service provider
Of course, it is also important to assess the Cloud service provider. In larger projects this may form part of the tender process; in smaller projects the questions can be raised in preliminary discussions. Matters that should be considered include:
- how the customer’s requirements are to be met by the service provider’s proposal
- the description of the services offered by the service provider, including any flexibility in the service provider’s approach
- the service provider’s organisation, including group structures, geographical reach, and financial standing
- whether there are any aspects of the services which may be subcontracted out
- the service provider’s qualifications, including in particular its track record, and experience in delivery of similar services to similar sized companies in similar sectors
- the service provider’s proposals for delivering continuous improvement during the life of the contract
- the number of personnel proposed to be used for the services, where such staff are to be located, and how the staff are to be used in the provision of the services
- current staff turnover levels and how these compare to industry norms
- the service provider’s approach to staff and, in particular, the transfer of staff
- the service provider’s approach to, and plans for, implementation, transition, and exit management
- the service provider’s proposals on pricing, including details of charge variation mechanisms, allowing the customer to price up any changes to volumes, service levels and other matters
- any key assumptions on which the service provider’s proposal is based
More specific questions to be asked about Cloud service providers
Supplier financial stability
Many Cloud service providers will be relatively new companies and it is therefore important for the customer to conduct thorough credit searches and obtain customer and supplier references.
Check whether the service provider depends on particular resources and the financial stability of the suppliers of those resources to the service provider.
Security
Check what physical and technical security will be put in place. Who will have access to the customer’s data, and how will those individuals be vetted and supervised? Does the service provider act for any of the customer’s competitors, and if so, what measures are in place to protect the customer’s data and confidential information and to keep it segregated from that of other tenants?
Does the service provider hold ISO 27001 certification? This is the internationally recognised standard for certifying that a service provider operates an Information Security Management System (ISMS) that protects its own information and that of its customers. Note that a certificate attests that a managed, audited system of controls exists, not that any particular control has been applied to the customer’s data: ask to see the certificate’s stated scope and confirm that it covers the specific services, sites and staff that will handle the customer’s data. Is ISO 27001 something that the customer is itself contractually obliged to provide to its own clients?
Disaster recovery/business continuity
Does the service provider replicate its data and application infrastructure across multiple sites? If so, does this attract an extra fee? If not, the service may be vulnerable to a single-site failure, and the customer therefore needs to consider whether the service provider has the ability to conduct a complete restoration from backup and how long it will take (its recovery time objective), together with how much data could be lost in the process (its recovery point objective). A detailed business continuity plan should be made available, together with evidence that it has been tested and details of any past incidents and how they were resolved.
Does the service provider understand the customer’s regulatory and legal requirements and is it willing to undergo external audits?
Dependence on the service provider
What impact would a small, moderate or severe service outage have on the customer’s business and what happens if the services are not performed at all, or are not up to scratch?
What testing will the customer be entitled to carry out prior to acceptance? What aspects of interoperability, integration and performance need to be considered? Is any software being provided and, if so, does the service provider have the right to license that software to the customer?
How will support be provided and will the customer have any control or say in the maintenance of the application?
Data location
The location of data storage can have an impact on the customer’s business, and the customer will need to identify the location of the service provider’s servers. Does the customer have the necessary consents to move data overseas?
Will data be accessed from overseas? If so, the customer may be subject to local data protection or privacy laws, even though it has no business establishment there. Are there internal processes in place to manage this?
Return of data and exit
What are the service provider’s commitments on return of customer data, both during and after the contract, and in what form will the data be returned? How long will it be from customer request to data return?
Will the customer be able to use the data easily in the form in which it is returned? If not, what else needs to be done to make sure the customer can effectively use that data?
Will the service provider co-operate with the customer on termination and deal with the service provider’s successor if the customer requests?
Do any existing licence agreements inhibit use of the Cloud service?
Under a conventional software licence a customer may be limited in terms of the processors or countries on which its software may be hosted. Similarly, typical restrictions on the number of users and on sublicensing are inconsistent with the flexibility offered by Cloud processing. Are there alternatives available?
A key element of Cloud Computing is its perceived simplicity. As noted above, ‘the end-user need not have knowledge of the underlying technology or infrastructure’. But this simplicity is deceptive, and the desire for ease of use needs to be balanced against the organisation’s requirements and obligations.
It is therefore essential that there is transparency from day one and that someone within the organisation has visibility of the low level components that would otherwise be obscured from the end user. The right questions need to be asked and the right answers need to be given before any project should proceed. If there are question marks it is important that the customer does not make assumptions but that it is able to ask the service provider to fill in the blanks.
One of the virtues of Cloud Computing is that the parties are contracting for what is, in most cases, a ‘standard product’. However, whilst this may provide certainty, it also limits flexibility, and the scope for amending a service provider’s standard terms will often be limited.
Negotiation v Standard terms
Unsurprisingly, Cloud service providers’ standard-form contracts are generally short on supplier obligations and warranties and any form of customer rights. In practice, the attention given to these terms will depend both on the nature of the project and the customer organisation’s legal resource.
Contract terms: Optimising the solution
By the time it comes to contracting, the customer organisation should have a fairly good understanding of what it requires and what is on offer (from enquiries and due diligence). The next step is to ensure that these are properly recorded in the contract. Think about…
Contract terms: Minimising the risk
As well as assessing the solutions on offer, any organisation entering into a Cloud Computing arrangement should also evaluate its own practices and requirements in order to identify potential legal barriers which will affect its use of a solution. In addition to this, the following should be considered when selecting Cloud Computing services:
- Change to staff roles
- Integration, interoperability and performance
- Management and control
- Regulatory requirements
- Personal data
- Other data issues (such as data segregation, supplier access, removal of content, data recovery and long term viability of the provider)
In April 2009, the Cloud Security Alliance (CSA) issued a report called Security Guidance for Critical Areas of Focus in Cloud Computing, in which it urged practitioners to ‘look under the hood of their Cloud service providers, and to do so using the broadest precepts of their profession in order to properly assure the security requirements of their organization’1. We would endorse this, but also emphasise the need to look carefully at your own business as well, before deciding on what solution may be appropriate.
Understanding your requirements and the complexities of the various solutions on offer is key to making the right business decision. By assessing your needs you will be compelled to ask the right questions and from this you can make the most of the benefits on offer whilst mitigating the potential risks.
It will not be until you have conducted an appropriate due diligence exercise that you will be able to determine whether the time is right for you to invest in Cloud technology. It might be that the risks do outweigh the benefits or that you simply do not have enough confidence in the Cloud service provider. Similarly, there may be certain areas of your business, for example those that are critical or rely on 24/7 availability, that you do not feel comfortable outsourcing to any third party provider, let alone one whose offering is reliant on the vagaries of the internet.
As observed by the CSA, ‘risk is a component of opportunity’ and, whilst it can be mitigated by due diligence and contractual protection, it is all but impossible to eliminate entirely. That said, the Cloud continues to evolve and the market continues to grow. There will be areas in which the Cloud can provide significant benefits to your business, but it is essential you ensure that the solution you opt for is right for your organisation, and that you have the necessary contractual protection in place should things go wrong.
1 Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, April 2009.
You can purchase Legal Guidelines 11: Contractual Protection in the Cloud (PDF).