The first and perhaps most important question to ask about a cloud contract is whether it is in fact open to negotiation. Cloud services are often very commoditised in nature – provided in the same way and on the same terms to many customers. This approach leads to many of the benefits of cloud computing (including lower costs through standardisation), but also means that vendors are often rigid in the way the services are provided and contracted for, offering customers a "take it or leave it" position. In this situation, businesses should closely review the contract and put appropriate technical and commercial mitigation strategies in place to manage any risks inherent in it.
However, there are circumstances where a contract for cloud services can be negotiated. If a customer is purchasing a high volume of cloud services, is purchasing cloud services that are customised in any way, or is dealing with a niche provider, it should consider negotiating the terms rather than simply assuming they are non-negotiable.
While there are a wide range of issues that need to be considered when entering into a cloud contract, some of the key legal issues are as follows.
- Lock-in and data access
Many customers think of cloud services, particularly commodity cloud services such as data hosting, as being interchangeable and simple to transition between. However, this may not always be the case – in some cases customers may be locked in by the use of proprietary data formats or an inability to extract their data in a readily useable form.
If you can negotiate, ensure that the customer has an immediate right to access its data at all times during the contract term in an agreed format. If no format is agreed, the vendor should be required to provide access to data in an open, industry-standard format. The vendor’s obligation to provide access to data should continue for an appropriate period following termination to allow for transition. Termination rights should be flexible, allowing the customer to terminate for convenience on as little notice as possible (and not, for example, only at the end of a three-year term). Break fees or other charges payable on termination should be considered carefully and kept to a minimum.
If you can’t negotiate, review the way in which data is stored and accessed before purchasing the service. If ongoing access to data is not guaranteed on termination of the contract, consider keeping separate back-ups of data to ensure continuity of access (and ensure the data can be extracted in a format that can readily be converted into other formats as needed without reliance on the vendor's proprietary tools).
- Data sovereignty
In most cases, it is not required by law that data remain onshore in Australia – it is simply that a decision to allow offshoring of the data increases risk for the customer. The reputational risks associated with data breaches and the differing privacy regimes which apply across the world result in many Australian organisations having a strong preference for their data to be housed within Australia. For government clients, this may be required from a policy perspective.
If you can negotiate, ensure that the vendor commits to storing all data in Australia (including back-up copies). Consider including restrictions on when data can be accessed from outside of Australia for support purposes (for example, a requirement for the vendor to seek express consent to data being accessed from overseas on a case-by-case basis).
If you can’t negotiate, review the vendor’s data storage policies and data centre locations. If data sovereignty is a key issue from a commercial perspective, look to use a vendor who operates its own data centres in Australia. Review vendor policies carefully to determine whether offshoring may occur as part of disaster recovery or load balancing (a number of vendors reserve the right to do this).
- Data security
Cloud service providers each have their own data security practices in place. Because of the commoditised nature of the services, vendors will generally not agree to comply with different security requirements for individual customers. Vendors will also often only agree to implement security practices which are "consistent with" standards (such as ISO 27001) rather than committing to comply strictly with any particular standard.
If you can negotiate, seek to ensure that the contract requires the vendor to comply with specific security standards that are acceptable to the customer. If this cannot be agreed, ask for further information to understand the current security certifications held by the vendor and its security practices. Also seek to include a provision which prohibits the security of the service being materially reduced during the subscription term.
If you can’t negotiate, carefully review the security information provided by the vendor to determine whether the security measures it adopts are sufficient in the context of the business criticality of the proposed application and sensitivity of any data to be stored. Ask vendors whether security audit reports (such as ISO compliance reports and SOC 2 reports) are available to customers. Consider these in light of your ability to terminate and transition to another service if security practices change or are insufficient.
- Remedies for poor performance
If cloud contracts contain any warranties regarding the services, those warranties will usually be limited to the fact that the service will materially comply with its specifications and/or meet certain service levels (such as availability). While these warranties may provide some comfort, many vendors limit the remedies available to a customer for breaches of these warranties through the use of a "sole and exclusive remedy" provision. Depending on the terms of the contract, this approach may mean that a customer’s only remedy for a breach of warranty will be the resupply of services (which does not cure the impact of a previous outage or failure) or payment of service credits (which are typically very limited, with entitlements to them often being very heavily qualified). Further, vendors will often reserve a right to terminate the service entirely if it is not commercially reasonable for them to resolve the non-compliance. In these circumstances, a sole remedy provision may well prevent a customer from seeking damages for withdrawal of the service.
If you can negotiate, remove any clauses stating that a remedy is the customer’s "sole and exclusive" remedy for any particular breach or service failure. As a fall-back position, alternatives can be negotiated (for example, middle-ground positions which retain a right for the customer to exercise non-financial remedies such as termination rights). Ensure service credit entitlements are not unduly qualified and will provide a sufficient incentive for the cloud service provider to maintain a quality service.
If you can’t negotiate, be aware of your termination rights and any alternative services you could transition to in the event of a significant service failure. Alternative options and possible transition approaches and costs should be considered in detail before entering into the contract, to provide a technical risk mitigation strategy. If a service is not performing at the required level, the best long-term option from a commercial perspective may be to terminate and transition to another service even if a termination fee is payable.
- Changes to services and terms
Due to the constantly evolving nature of many cloud services, vendors’ standard terms often reserve a right for the vendor to make changes to both the cloud services themselves and the ancillary terms which apply to them (such as acceptable use policies, privacy policies and security policies).
While this approach reduces certainty for customers, it also allows customers to benefit from improvements to services made during the term. There is however a risk that services or the terms applicable to them may be changed in a manner which reduces the value of the services to the customer or exposes it to additional risks or costs.
If you can negotiate, seek to ensure that the service itself cannot be changed during the term in a manner which materially reduces its functionality (including compatibility or interoperability with other systems with which it is used), performance, security or availability. Request that any ancillary terms (such as acceptable use policies) be frozen for the term (or at least a minimum acceptable period) by incorporating a static version in the contract.
If you can’t negotiate, as with sole remedies – know when and how you can exercise termination rights and what options are available to replace the service. It is also important to ensure you monitor notifications from the vendor regarding changes. In many cases, a customer’s only practical recourse if a service is modified in an adverse way may be to terminate the contract and transition to an alternative service. In these cases, no fee should be payable by the customer to walk away.