The cloud computing market has evolved in recent years. The commercial offerings of service providers have become more flexible, and we have also seen changes in providers’ traditional ‘take it or leave it’ approach to cloud contract terms.
However, although there’s now more negotiation of cloud contracts, the key for organisations evaluating cloud solutions is to know which elements of contracts can be negotiated, and by how much. Here are some of the key issues to consider.
Cloud contracts: 1 - Understand the provider’s terms
Cloud computing services are generally implemented on the provider’s terms - although it can often be a struggle to figure out exactly what those terms are.
Watch out for some cloud providers’ complex, multi-document contract structures that may be poorly updated and oddly worded. In particular, don’t assume that you know what’s in a provision based on its heading. For example, in some terms, ‘force majeure’ seems to be elastic-sided enough to capture “changes in the taxation basis of services delivered via the Internet” as a force majeure event!
Understandably, contracts for private cloud solutions and with system integrators/resellers allow more scope for negotiation than contracts with public cloud providers. However, even in public cloud deals, terms are increasingly negotiable - although the degree of negotiability certainly pales in comparison with traditional outsourcing contracts.
Some of the key issues that tend to recur in cloud contract negotiations include:
• customer control and visibility over subcontracting, with a general reluctance from providers to allow approval over, or even to identify, subcontractors;
• limitations on the provider’s ability to change the nature of the services (here it’s generally advisable for customers to focus on the commercial implications of such changes, rather than the right itself);
• privacy and data security commitments;
• rights of the provider to suspend services, e.g., for non-payment or violation of an acceptable use policy;
• limitations of liability; and
• exit provisions allowing the customer to extend service for a period after termination or expiry to allow migration to the replacement solution.
Technical areas don’t tend to lend themselves to negotiation given the commoditised nature of cloud solutions - and you can show your naivety by asking for changes that directly contradict the services model.
Cloud contracts: 2 - Due diligence
Because of the constraints on your ability to negotiate the provider’s cloud terms, it’s essential to carry out appropriate due diligence on the provider. Areas of focus should include:
• Location of services
• Service performance and usability
• Existing customers (references)
• Data location, processing, portability and recovery
• Business continuity
Cloud contracts: 3 - Data privacy remains centre stage
It’s also vital to understand how responsibility for data privacy obligations will be allocated between you and the provider, including who is responsible for data security.
Typically, providers have been more willing to take on responsibility for network integrity, while trying to steer clear of obligations in relation to security of the data itself.
However, over recent years, cloud service providers have been improving their privacy offerings. For example, there has been an increased willingness of providers to adopt the EU model clauses for data transfer.
In addition, many providers now offer European-based data centres, reacting to commercial pressures from Europe-based clients.
When evaluating cloud solutions:
• classify the data concerned (including its sensitivity), and consider what would happen if data was disclosed, lost or corrupted;
• consider what the business impact would be if you were unable to use the data;
• check whether the provider is compliant with ISO/IEC 27001/2 and, if a public cloud provider, ISO/IEC 27018; and
• ensure that your deployment of cloud will comply with applicable data protection law, taking into account all relevant regulatory guidance, e.g., the EU Data Protection Working Party 29’s opinion on cloud, the EU Cloud Standardisation Guidelines and the ICO’s guidance on cloud computing.
Cloud contracts: 4 - Performance commitments are hard to find
Ensure that you are comfortable with the level of service performance commitment offered by the cloud provider.
Most cloud contracts remain pretty light in terms of service levels, with availability being the typical measurement metric. Check the wording of the SLAs carefully – watch out for references to ‘service levels designed to be available’, ‘target service levels’, etc.
Also, identify the remedies available for service failure – it’s common for providers to offer credit for additional services, despite the fact that it’s hard to see ‘more of the same’ as a valuable remedy.
Cloud contracts: 5 - Regulators are taking notice
If you are a regulated entity, you will need to take account of relevant regulatory guidance. For example, the FCA published draft guidance on cloud computing in November 2015 (due to be published in final form this year). This high-level guidance is aimed at ensuring that regulated firms appropriately identify and manage risks relating to the deployment of cloud-based solutions. Issues identified in the guidance include:
• legal and regulatory considerations
• risk management
• oversight and audit
• data privacy and security
• change management
• business continuity
Cloud contracts: Conclusion
Ultimately, you need to approach cloud transactions with a heavy dose of pragmatism, accepting that it may be very difficult to negotiate material changes to a cloud provider’s terms.
You need to carry out a thorough risk/benefit analysis exercise in order to evaluate whether the particular cloud solution is right for your business. If you perceive the risks to be so great that significant contract negotiation seems essential before putting services in the cloud, it may be that cloud isn’t the right solution for you after all.