Providing that the cloud customer has the sufficient bargaining power to negotiate the contractual terms of a cloud service, there are many issues that need to be addressed on behalf of the client. Depending on the service and deployment models of the cloud service, the issues become even more diverse, however the following ones are generally applicable to all cloud types.

 

Since the type of the business function may be complementary to the core business itself or it may be mission critical, it is important to tailor the contract with the cloud provider accordingly. From this perspective the following clauses should be negotiated properly:

  • Indemnification of the cloud customer from claims of third parties in connection with the provided cloud service (e.g. a PaaS service provider should indemnify and defend its customer from third parties’ IP infringement or misappropriation claims connected to the cloud service). Usually, cloud providers impose only indemnification obligations on their clients, but do not provide any vice versa.
  • Service Level Agreement (SLA) terms should be tuned in accordance with the migrated function. The client has to make sure that the service quality and availability granted in the SLA is in line with at least the minimum technical needs of the given function. Furthermore, the client needs to make sure that in case the migrated function has a fluctuant nature, the cloud service will be able to meet properly even the highest possible demand spikes. In addition, the client should negotiate the scheduled downtime and maintenance times with the cloud provider to make it in line with the timing of the business function. Prior notification of the client regarding unscheduled maintenance and unexpected downtime (together with the soonest up time estimation) as soon as possible is advised as well.
  • Warranties and liabilities of the cloud provider regarding the cloud service have to be negotiated in order to make them reasonable for both parties, since cloud providers by default tend to exclude any liability and warranty. The client should receive the warranty regarding the minimum service level that enables it to keep the migrated function viable. Although, cloud providers tend to exclude the liability for fitness for any purpose, the client should try to negotiate and incorporate in to the contract a satisfactory level of liability (e.g. a capped monetary compensation, additional service credit). Nevertheless, in case of confidentiality breach regarding intellectual properties and trade secrets stored in the cloud high damage claims may arise, therefore, such risks need to be addressed separately if applicable.
  • Notification about changes with respect to unilateral amendments of the general terms of the cloud service allowed by the contract.

 

Furthermore, in either way the given business function might involve personal or even sensitive data controlling and/or processing. Therefore, the proper contractual regulation of data related issues is unavoidable:

 

  • It is advised to make clear from the perspective of applicable data protection regulations what are the responsibilities of the contracting parties (e.g. under the European Union’s restrictive Data Protection Directive and its national implementations or the upcoming General Data Protection Regulation). Data protection compliance might result in obligation of sub-providers, who are not in direct contractual relationship with the client, but whose service and performance is integrated in the supply chain of the cloud service. Thus, the cloud provider’s liability for data protection compliance is advised to be expressly incorporated in the contract. Responsibility for data loss and back-up (including disaster recovery) need to be incorporated in the contract.
  • With reference to the above, the description of data types to be processed in the cloud are important in order to allocate the responsibilities and to set up the appropriate level of security (e.g. encryption, access authentication).
  • Any significant changes that effect the data protection compliance or security of data in the cloud should be discussed between the parties prior to their implementation with sufficient time for the client to exit the service in case of disagreement.

 

Last but not least, the following issues are advised to be addressed in the contract:

  • The ownership of any stored or created data (including meta data) need to be stated clearly in the contract, since even meta data might have a huge value for both parties.
  • The terms for termination on behalf of the client have to be clearly stated in the contract. It is important to incorporate an exit option for the client even in case of fixed term contracts when serious breaches occur or the provider is unable to adhere to the minimum uninterrupted service availability within a given time period.
  • In connection with the termination, the data portability related services and assistance need to be expressly stated (including format and structure of data and period of support).
  • Notification prior to any disclosure of data to third parties (including authorities) in connection with the client and its business function in the cloud, unless it is prohibited by law.