According to studies, an increasing number of businesses are “moving to the cloud” as a way to save costs, increase flexibility, and increase computing power. Cloud computing is driven by the convergence of several technological trends, such as social networking, mobility, alternative business models, and a desire by organizations to have consistent and easy access to their information at any given time.
With so many cloud providers offering similar yet competing services, how can organizations make the right choices? Let’s first talk about the basics.
Three Main Cloud Models
To determine how an organization can negotiate an effective cloud services agreement, it must determine the type of cloud services it requires. Generally, there are three models with differing levels of organizational control:
• Software as a Service (SaaS) providers (e.g., Google Docs, Microsoft Office 365, and Salesforce) are services designed for end users. SaaS is centrally hosted and subscription-based, offering the ability to use software anywhere, anytime. No installation of software is required. This service offers the least control to organizations.
• Platform as a Service (PaaS) offerings (e.g., Windows Azure) are services that IT personnel use in application development and for providing applications (SaaS) and Web hosting to end users. PaaS functions as a platform on which software can be developed and deployed. The trade-off is that IT personnel will have less control over the underlying operating system. However, this model allows organizations to run leaner IT departments.
• Infrastructure as a Service (IaaS) providers (e.g., Amazon AWS) are similar to PaaS providers, but they usually offer IT personnel more control. IaaS provides greater control and complexity in the development and deployment of systems used by an organization. One of the main advantages of this arrangement is the ability to scale up or down quickly. This service carries the greatest amount of control.
Once a model has been selected, it is important to carefully negotiate an effective cloud services agreement. This can sometimes be difficult depending on the cloud service provider. Not every item in the agreement needs to be negotiated. That said, the items listed below are some of the key items that organizations should pay particularly close attention to.
Where Will the Data Be Located?
Where will the data be physically stored and who will have access to the data? As a general rule, Canadian laws do not prohibit the transfer of data outside of Canada (except in very limited circumstances). That said, data centres located in foreign countries may be subject to very different legal compliance rules than in Canada.
What Are The Provider’s Security Practices?
Ideally, organizations would be able to verify the provider’s capabilities through a physical visit, or by way of a reliable third party. In the case of web services, it is more likely that a security white paper will be provided for review by the customer. Providers should regularly demonstrate that their security controls remain intact and robust.
If a breach of security or confidentiality occurs, the customer may be required to notify its end customers or employees in compliance with any applicable data protection and/or privacy laws. The customer should have sole control over the timing, content, and method of notification. If the service provider is responsible for the breach, then it must reimburse the customer for its reasonable out-of-pocket costs in providing the notification. Also, the customer should consider whether the cloud provider can meet discovery obligations and litigation holds in the event that the data is requested in connection with a lawsuit or investigation.
Term: How Long Will the Agreement Last?
Software and infrastructure are provided as a service. The customer should be able to terminate the agreement at any time without penalty and upon reasonable notice (14 to 30 calendar days). The provider may request a minimum commitment period from the customer to recoup the provider’s “investment” in securing the customer. If the customer agrees, then the committed term should be no more than one year and the provider should produce evidence of its up-front costs to justify this requirement.
Indemnification: Protecting Against Loss, Allocating Financial Burdens
The service provider should agree to defend, indemnify, and hold harmless the customer and its affiliates and agents from any claim where:
1. The provider breaches its confidentiality and data security obligations. Any intentional breach should be fully indemnified, protecting the customer from out-of-pocket costs or expenses related to the recovery of the data and compliance with any applicable notice provisions or obligations under data privacy laws. In the event the data breach is not intentional, the provider may require a cap on its potential liability exposure.
2. The services are alleged to infringe the intellectual property rights of any third party. This protects the customer from out-of-pocket costs or expenses if a third party claims infringement.
It is not advisable to limit the intellectual property indemnification merely to infringement of copyrights. Many infringement actions do arise out of patent or trade secret rights. Therefore, indemnity should extend to infringement claims of any “patent, copyright, trade secret, trademark, or any other proprietary rights of a third party” as well.
Limitation of Liability: Allocation of Damages Between the Parties
A fair limitation of liability clause must balance the provider’s concern about unlimited damages with the customer’s right to have reasonable recourse in the event of a data breach or other incident. The limitation of liability should apply to both parties. The following should be excluded from all limitations of liability and damages:
(1) breach of the confidentiality and security provisions by either party, (2) claims for which the provider is insured, (3) the parties’ respective third-party indemnity obligations, (4) either party’s infringement of the other party’s intellectual property rights, and (5) breach of the advertising/publicity provision.
In addition, the overall liability cap (usually limited to fees paid) should be increased to some multiple of all fees paid.
The above is only a brief overview of some of the nuances to consider when negotiating an effective cloud services agreement.
Needless to say, much will depend on the organization’s particular needs and appetite for risk. However, although cloud services providers will often position their agreements as “take it or leave it”, organizations should keep in mind that certain key sections of the services agreement can be negotiated and that there are several options currently available in the market.
Imran Ahmad is a partner at the law firm Miller Thomson LLP and practices in the areas of cybersecurity and technology law. He can be reached at firstname.lastname@example.org. Shan Alavi is a lawyer practising in the area of technology law.