Negotiating a Cloud Services Agreement

For years, Cloud service providers have had standard terms of use and service level agreements that were generally accepted by companies just as easily as a consumer accepts the terms of use for an iTunes account. This continues to be the case for Cloud services targeted at consumers and Cloud services subscribed to over the Internet. However, at least for larger customers (relative to the size of the provider), there is usually an opportunity for some negotiation of terms for Cloud services designed to store and process important enterprise data used in business communications or used to stage and distribute business media. This is where it is critical to have legal involvement to ensure your interests are protected. Some of the provisions of the service agreement that should be carefully scrutinized and negotiated are described below.

Service Level Agreements (SLAs) – You should attempt to increase the uptime commitment and the credits you receive if actual performance does not meet the commitment. You should also have a right of immediate termination, and potentially other recourse, if total downtime over an extended period of several months or a year, or consecutive hours of downtime, exceeds a certain level. You should also scrutinize the definition of downtime to ensure that the absence of any subcomponent of the service material to your daily use counts as downtime.

Indemnification – Cloud providers generally will not indemnify you for damages caused by the Cloud provider’s failure to perform under the service agreement. It is simply incompatible with a business model with hundreds, thousands or more customers paying a small monthly fee for the hosting, processing, manipulation or distribution of data. Many Cloud providers will, however, indemnify customers for third-party claims alleging that the customer’s use of the Cloud service breaches third-party intellectual property rights. Cloud providers may also be willing to indemnify customers for third-party claims related to breach of confidentiality obligations, although this indemnification is usually limited in some way (such as to negligence or intentional wrongful acts).

Liability Limitations – Limits on liability are standard in Cloud service agreements. Although it is unlikely that a Cloud provider will eliminate the liability limitation altogether, the total dollar limit is often negotiable. In addition, you may seek to have liability for lost profits or productivity excluded from the liability limitation, although most Cloud providers are not willing to allow any type of consequential damages. As noted above, Cloud providers should be willing to exclude their indemnification obligations related to breach of confidentiality and intellectual property infringement from the liability cap.
E-Discovery – In modern litigation, one of the most important discovery tools is to review a company’s emails, internal memos and other documents. Although you may not anticipate being a party to litigation, it is almost certain that you will be at some point. Once you are a party to litigation, you will be required to place a “litigation hold” on, or freeze the status of, your documents and emails to permit the other side to complete electronic discovery. Failure to properly freeze your documents may result in sanctions, or presumptions of wrongdoing, as part of your litigation. As part of your due diligence process, it is important that you verify your Cloud service includes features permitting the administrator to freeze all documents and emails in a manner that prohibits modification or deletion and to make copies of all documents and emails as of a particular date for discovery purposes. For security and discovery purposes, the service should also track the date, time, user and related information with respect to the creation, modification and deletion of data.

Subpoenas and Warrants – A related, and increasingly common, occurrence is for government officials or counterparties to litigation to serve a litigation hold letter, subpoena or warrant on your Cloud service provider. As part of your service agreement, you should require that your Cloud service provider notify you, to the extent permitted by law, of its receipt of such a letter, subpoena or warrant and offer you the opportunity to oppose the request (or cooperate in the manner you deem appropriate) before the Cloud service provider gives a third party access to your data.
General Notifications – You should ensure the service agreement outlines the type and timing of notifications required from the Cloud provider for material changes to the service, potential price increases, transition by the provider to a new data center, adverse changes in security protocols and other events that may affect how you use the service or whether you want to continue using the service. For changes to the service that affect critical elements, such as a decision to weaken security protocols, you should seek to include a termination option.

Price Increase Provisions – In most Cloud service agreements, the pricing structure is fixed for the initial period of the agreement, but becomes variable over time. Because it is often very expensive and time consuming to choose a new Cloud provider, or an alternative to the Cloud, you should seek to include in the Cloud service agreement limits on future price increases. A common practice is to link maximum price increases to increases in the Consumer Price Index for All Urban Consumers.

Post-Termination Transition Provisions – It is essential that you address, as part of the due diligence and negotiation process, what happens to your data after your relationship with the Cloud provider has terminated. Identifying a new Cloud provider or building an in-house data management system requires time, as does the data migration process. The service agreement should include provisions under which you are provided at least 90 days', and preferably 180 days', notice of the date your data will be locked or deleted. The Cloud provider should also be obligated to cooperate and assist at market rates with the data migration process. Once the data is migrated, your service agreement should require that all of your data be promptly deleted in a manner precluding subsequent reconstruction of the data. The Cloud provider should certify the completion of the deletion.
Some Cloud providers offer a service in which information in the Cloud is periodically replicated on a server located at your location or in a secure, third-party data center. Such arrangements not only provide additional confidence that data will not be lost but also facilitate the migration to a new system.

Security and Confidentiality Provisions – Your Cloud service agreement should include provisions designed to ensure the security and confidentiality of your data, including the following:

  • Require in the service agreement that the Cloud provider have standard security and internal control certifications, such as SSAE 16 (a successor to SAS 70 Type II);
  • Ensure that the service agreement acknowledges your sole ownership of the data stored on the service;
  • Ensure that the service agreement includes an obligation not to access your data, other than as specifically provided in the service agreement or authorized in writing, and includes an obligation to keep any data accessed confidential;
  • Ensure that the service agreement requires that all data centers, whether owned by the vendor or third parties, maintain an adequate level of physical security controls, such as appropriate alarm systems, fire suppression, visitor access procedures, security guards and video surveillance;
  • If your data includes data regulated by statutory privacy provisions, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm–Leach–Bliley Act, ensure that the service agreement (or an Exhibit or side agreement) contains any provisions required to ensure such compliance.

Tax Provisions – Cloud service agreements generally include provisions requiring the customer to pay all sales, use, value added and other taxes charged on the Cloud service. States are increasingly passing laws and rules requiring that Cloud providers charge, withhold and submit these tax amounts. Although customers should be willing to permit such withholding if it is based on the laws of the customer’s jurisdiction, you should seek to have the Cloud provider be responsible for sales and use taxes based on the law of its jurisdiction (if different from your own), at least to the extent the tax paid to that jurisdiction does not offset any amounts that you may owe.

For more information contact Bryan T. Allen