As cloud computing becomes more prevalent for companies across a variety of industries, it is increasingly important for corporate counsel to understand the issues associated with cloud services agreements. These agreements can be complicated because of the many legal concerns they raise, relating to issues such as indemnification, data security, data privacy, and regulatory compliance, to name a few. This article describes some common mistakes that customers and service providers make, and should be aware of, when negotiating cloud services agreements; it is not meant to be an exhaustive list. No entities or persons may be held responsible for the use which may be made of the information contained in this article.
Some Common Mistakes that Customers Make When Negotiating Cloud Services Agreements:
Failing to understand the technical aspects of the cloud services that the customer is subscribing to
When negotiating a cloud services agreement, an attorney needs to have a reasonable understanding of the technology involved. Not all cloud services are the same, and the differences between various types of cloud services, and even between different providers of the same type of cloud services, may affect how the cloud services agreement is drafted. For example, if the customer is looking to add new human-resources ("HR") related cloud services to its existing suite of HR-related technology, the attorney should ask his or her client "Will the new HR-related cloud services need to integrate with the existing HR technology?" If the answer to this question is "yes," the attorney should ensure that the cloud services agreement gives the customer the right to receive and/or develop custom integrations for the new HR cloud services, including the right to receive the service provider's application programming interface (or similar technology) to build such integrations. Additionally, since HR data may contain personally identifiable information ("PII"), the attorney should also ask the service provider "What types of data security and data privacy measures does the service provider use to protect the customer's PII?"
Failing to understand the scope of the cloud services agreement
One of the first questions that an attorney should ask his or her client is "What are we buying?" This may seem basic, but in some cases the customer has not determined what cloud services it will purchase or subscribe to under the cloud services agreement prior to commencing negotiations with the service provider. Many service providers offer a variety of products and services, each of which may be governed by different terms and conditions. Therefore, if an attorney does not have clarity as to what the customer is purchasing under the cloud services agreement, he or she will not be able to assess whether the agreement is sufficiently protective of the customer. For example, the service provider may offer one type of cloud services that uses only proprietary software where the service provider explicitly restricts the customer from modifying, decompiling or redistributing the software source code. In this case, an attorney must ensure that his or her client understands these restrictions and does not inadvertently breach the cloud services agreement by performing a restricted activity. However, the same service provider may also offer another type of cloud services that incorporates open source software ("OSS"). Although the exact rights granted under an OSS license differ depending on the terms of the OSS license agreement, OSS licenses generally allow the user to copy, modify and redistribute the applicable software (although the OSS license agreement may impose certain restrictions on these rights). In this case, the customer will have the right to copy, modify and distribute the applicable software source code, although this may raise different concerns, such as whether the service provider will combine the customer's proprietary software into the OSS, thereby causing the customer to incur an obligation to share the source code of its proprietary software with third parties.
Failing to consider the three W's
When beginning to negotiate a cloud services agreement, the customer should consider the three W's:
- Who has access to the customer's data ("Customer Data")?
- What rights and obligations does the service provider have in connection with Customer Data?
- Where will the facilities receiving, storing, and transmitting Customer Data be located?
Without considering these three W's, the parties can find themselves with different beliefs as to what can and cannot be done by the other party. For example, the customer may not want third-party contractors or agents to have access to any Customer Data, while the service provider may give third parties access to Customer Data as a matter of technical necessity because it relies on third parties to host the cloud services. If, for example, the service provider uses a third-party hosting service, the service provider will be reliant on that hosting service to provide many of the data security protections that a service provider which hosts the cloud services itself would provide on its own. Therefore, an attorney negotiating a cloud services agreement for cloud services that use third-party hosting should ask the service provider many questions, including the following: (1) Will the service provider be liable for data breaches that result in unauthorized access to Customer Data even if the data breach was caused by the third-party provider and not the service provider? (2) Will the service provider flow down to the customer the representations, warranties, and/or other rights that the third-party provider grants to the service provider?
Failing to assess the customer's key risks when negotiating the indemnification and limitation of liability provisions of the cloud services agreement
The customer often wants the service provider's indemnity to include, among other obligations, coverage for claims arising out of the following:
- Any allegations that the cloud services infringe upon, or violate, the intellectual property or other proprietary rights of any third party;
- The negligence or willful misconduct of the service provider, including its contractors and agents;
- Any claim that the service provider, including its contractors and agents, caused any bodily injury to the customer's personnel or property damage to the customer's property; and
- A breach of any of the service provider's data security or data privacy obligations, or other Customer Data-related obligations.
However, the service provider will often seek to reduce the scope of its indemnity obligations to the customer, as further described in the section titled "Some Common Mistakes that Service Providers Make When Negotiating Cloud Services Agreements." The service provider may also try to limit its indemnity obligations by negotiating a cap on the amount for which it is obligated to indemnify the customer. It is a risky strategy for the customer to agree to any cap on the service provider's indemnity obligations. If the damages incurred by the applicable third-party claimant exceed the cap, the customer will have to pay that claimant the damages above the cap even though the third-party claim was caused by or arose out of the service provider's actions or omissions; moreover, the customer will not have control of the defense or settlement of the third-party claim, and it will not be reimbursed for any of that excess amount. Furthermore, agreeing to a cap on the service provider's indemnity obligations reduces the service provider's incentive to negotiate a lower settlement amount or to defend the customer zealously in litigation.
Failing to protect the customer's access to its Customer Data during the term of the cloud services agreement
Although there are many benefits to transitioning from a traditional self-hosted solution to a cloud based solution, one of the potential drawbacks of this transition is that the customer loses some control over its Customer Data. Therefore, it is very important for an attorney to ensure that the cloud services agreement obligates the service provider to provide the customer rights to access its Customer Data at all times. There are a variety of ways to do this, which are not mutually exclusive. For example, the customer can negotiate a service level agreement, whereby the service provider contractually promises to provide a certain level of availability or up-time (the "Service Level Commitment") and if the service provider does not meet this Service Level Commitment, it must provide remedies such as credits to the customer or rights to terminate the cloud services agreement.
Failing to protect the customer's right to retrieve its Customer Data after termination of the cloud services agreement
The attorney also needs to secure for the customer the right to retrieve its Customer Data after termination or expiration of the cloud services agreement. The service provider should be obligated to provide the customer a way to transition its Customer Data off of the service provider's servers and sufficient time to do so. Furthermore, the customer may also wish to require the service provider to provide technical assistance with such transition (e.g., assistance with converting the Customer Data into alternative formats that are usable by the customer).
Some Common Mistakes that Service Providers Make When Negotiating Cloud Services Agreements:
Failing to account for risks that are out of the service provider's control
The service provider should be careful not to agree to obligations where its ability to comply is affected by factors outside of its control. In these circumstances, the attorney must be careful to account for, or at least recognize, all the provisions in the cloud services agreement that may cause the service provider to incur liability for factors that it cannot control. For example, although the service provider can control its data security measures behind its own firewall, it will not be able to control the flow of Customer Data across the Internet beyond the service provider's demarcation point on its premises. Although this may seem basic, sometimes the service provider does not specify in its service level agreement with the customer that any time the cloud services are unavailable because of an Internet outage should not be counted against the service provider in determining its service availability. Additionally, if the service provider has agreed to provide nightly backups of the customer's Customer Data and uses servers that are neither owned nor operated by the service provider, it should make clear in the cloud services agreement that it is not in breach of its obligations if it cannot perform the nightly backup due to a problem with the third party's servers.
If using the customer's template agreement as the basis for the cloud services agreement, failing to make appropriate changes to reflect the cloud services' technical features
Even before negotiating the substance of the cloud services agreement, the parties will often negotiate with each other to determine whose template will be used as the basis for the agreement. If the parties decide to use the customer's template, it is important that the attorney has a good understanding of how the cloud services work in order to ensure that the customer's template is consistent with how the cloud services function. For example, if the cloud services use a multi-tenant architecture as opposed to a single-tenant architecture, the service provider will generally not be able to comply, as a technical matter, with a provision in the customer's template that obligates the service provider to provide different features of the cloud services to different divisions of the customer's organization based on the individual preferences of the various divisions.
Failing to consider the three W's
Just as it is important for the customer to consider the three W's, it is also important for the service provider to consider them. For example, if the answer to the first W (Who has access to Customer Data?) is that the service provider and its contractors and agents have access to the Customer Data, the service provider may wish to review its agreements with its contractors and agents to make sure they have obligations with respect to the Customer Data that are similar to the obligations that the service provider has to the customer. That way, if the service provider becomes liable to the customer for a breach of its data security or data privacy obligations and such breach was caused by the actions or omissions of the service provider's contractors or agents, the service provider can in turn sue its contractors and agents under the agreement between them. Furthermore, if the answer to the third W (Where will the facilities receiving, storing, and transmitting Customer Data be located?) is that those facilities will be located in the United States but the customer is in Europe, the service provider must ensure that it is in compliance with the European Directive and other data laws that apply when data is transmitted from Europe to outside of Europe. Failure to consider the three W's may cause the service provider to overlook certain risk areas in the cloud services agreement.
Failing to consider the service provider's long term plans for the cloud services
Cloud services are rarely static, as service providers continually implement new versions, releases, updates and features for their cloud services. Not considering upfront how to deal with these modifications is a mistake that the service provider should avoid. Therefore, the service provider should ensure that the cloud services agreement is sufficiently flexible to allow it to change the cloud services over time. For example, the service provider may wish to include provisions in the cloud services agreement that allow it to offer new versions, releases, upgrades, updates and other modifications to the cloud services, with limited or no requirement to obtain the customer's consent. The service provider should also plan for the possibility that it may not always offer the same cloud services. Therefore, the service provider may also wish to include certain obsolescence procedures in the cloud services agreement that allow it to discontinue certain cloud services and/or stop providing support for certain cloud services or certain versions of them, as long as the service provider gives the customer sufficient notice of the obsolescence of such cloud services.
Failing to assess the service provider's key risks when negotiating the indemnification and limitation of liability provisions of the cloud services agreement
While the customer often wants the service provider to indemnify it for a broad scope of claims, the service provider often wants to limit the scope of its indemnification obligations and its exposure to liability in the cloud services agreement. Below is a non-exhaustive list of examples of limitations and exclusions the service provider may want to seek from the customer, although it is probable that it will not achieve all of them, especially if the customer has equal or greater bargaining power.
Types of limits on the service provider's indemnification obligations that the service provider may try to negotiate into the cloud services agreement
- The obligation is limited to finally adjudicated adverse judgments or settlements;
- The obligation applies to only the infringement of intellectual property rights in certain territories (e.g., the US and Canada);
- The obligation applies only to certain intellectual property rights (e.g., copyright and trademark but not patent);
- The obligation applies only to the infringement of intellectual property rights existing as of the effective date of the cloud services agreement; and
- The service provider's indemnity obligation with respect to "negligence" is instead qualified to "gross negligence."
Types of exclusions from the service provider's indemnification obligations that the service provider may try to negotiate into the cloud services agreement
- There is no indemnity obligation if the customer fails to stop using the cloud services upon receipt of a notice of an infringement claim;
- There is no indemnity obligation if the customer is not using the current version of the cloud services;
- There is no indemnity obligation with respect to so-called "combination" or "misuse" claims (e.g., a claim that would not have occurred but for the combination of the cloud services with third party software not supported by the cloud services or use of the cloud services in a manner that is not consistent with the documentation provided to the customer); and
- There is no indemnity obligation with respect to breaches of data privacy or data security obligations.
Attaching "non-legal" materials to cloud services agreements
Sometimes service providers will incorporate additional materials into the cloud services agreement, such as marketing or technical materials, without considering the ramifications. These materials are often not written by lawyers and do not contemplate the specific agreements made by the customer and the service provider in the cloud services agreement. By incorporating these materials into a legally binding document, however, the service provider is incorporating any representations and warranties contained in those additional materials into the cloud services agreement, as well as potentially placing additional obligations on itself. For example, marketing materials may represent the cloud services as available all the time, even though failures can occur. Or, the service provider may include a technical manual as an exhibit to the cloud services agreement that says that the service provider promptly resolves the customer's support tickets, when in fact the cloud services agreement states that the service provider will prioritize support tickets based on the severity of the issue and will use commercially reasonable efforts only to respond to, but not resolve, the customer's support ticket within twenty-four (24) hours of receiving the customer's support request. In this case, the service provider has unintentionally imposed a higher level of support obligations on itself than it was willing to make.
About the Author
This article was prepared by Arent Fox. For more information on Arent Fox, go to www.arentfox.com. If you have any questions about this Quick Counsel, please contact: Alan Fishel, Partner, Arent Fox LLP, 202.857.6450, firstname.lastname@example.org or Charlyn Ho, Associate, Arent Fox LLP, 202.350.3614, email@example.com