Key Highlights:
- Get involved early in the business discussions regarding cloud solutions.
- Ensure key technical experts are involved in the planning.
- Obtain all applicable contracts for review.
- Understand the asymmetric leverage when dealing with public cloud providers.
- Negotiate using a list of issues rather than redlines.
Many businesses and organizations use public cloud services. In-house counsel can play a key role with the business through the selection, negotiation, and implementation of such solutions. How do you explain cloud concepts in simple terms? How do you prepare with your business teams for such a project? How do you negotiate with cloud service providers? Below are key practical tips drawn from experience as in-house counsel.
1. Explain public cloud concepts in simple terms: the townhouse analogy
Our townhouse in a shared development. The first property my husband and I bought was a townhouse in a small development. Each owner in the development paid a monthly fee in exchange for security and maintenance of everything in this development outside of our four walls. The leaky roof would be fixed at no additional cost following a short phone call to request a repair. Driveways were plowed, flowers planted, and trash picked up, with no involvement from us. Each house shared a wall with the neighboring structure. We technically owned the inside of our home, but nothing else, and we had no right or obligation to maintain anything else in the development.
What does this have to do with cloud agreements? As a lawyer handling technology contracts, I have witnessed the evolution of companies moving from believing they would never agree to transfer their information outside of their own data centers to getting comfortable with dedicated private cloud options, then embracing a full-scale enterprise transition to the public cloud.
For me, this journey included developing a new legal mindset and skillset and collaborating with a number of subject matter experts that are normally not involved in contract discussions. At times, this required breaking down the explanation of the intangible ‘public cloud’ concepts, use and risks, into clear simple analogies - for example, by reference to the townhouse ownership model described above.
Privacy and security precautions and risks. As the owner of a townhouse, you will have relative privacy and security inside your home, provided that you care to lock the doors, draw the curtains, close the garage door, and not lose your keys. The reason this privacy is relative is that the property manager can enter your residence in certain circumstances, the most common of which would be concerns for safety or the need to conduct a repair or inspection. You could experience a break-in (rare, but it happens), and there will be packages dropped at your door which you can choose to accept or reject. You can invite guests at your own risk.
As a public cloud tenant, your organization will enjoy similar benefits and, likewise, be subject to analogous risks:
- Essentially, you (or rather, your company) own the inside of your ‘virtual townhouse’ – in this case, a virtual server instance on a private cloud network, where you are able to configure security controls, as long as you pay the usage fees. You will share the environment with other public cloud tenants who have set up their own instances for their use.
- You will be dependent on the public cloud provider’s support services.
- You will need to agree that the provider will have the right to access your secure environment, for example, in the event of a security threat or in response to a support request.
- Your right to “quiet enjoyment” of the public cloud services may also be suspended (likely, in similar circumstances).
- Last but not least, you will need to develop your own set of controls and protocols to secure and protect all data and materials in your instance, by monitoring access and making sure there is no unauthorized entry. In other words, you can’t rely on the public cloud provider to completely protect your house. You will need to take additional steps to keep it secure and meet the objectives of your client.
By contrast, a private cloud environment, which is dedicated specifically to your organization and not shared with other tenants, is analogous to a gated mansion on a large plot of land and comes, accordingly, at a substantial increase in maintenance (or, in cloud terms, operational) expenses.
2. Take initial deal steps
Identify providers. There are a few commonly used large public cloud providers, although the market has been expanding. Based on the cost and maturity of the services, you will likely need to choose among AWS, Microsoft and Google, or negotiate deals with all three. Hopefully, the selection is staggered, and you are starting with one negotiation rather than running a couple in parallel.
Get involved early. If you are the lead contract attorney assigned to the deal, you need to pull your own chair up to the table where the initial discussions are taking place. It is not news that the contract attorney’s participation is frequently overlooked until a few weeks before the contracts need to be signed.
Ask questions and understand the business case. As the lead contract attorney, it will be highly beneficial for you to understand the business objectives, proposed structure of the contemplated arrangement, and available options. Raise contract-related questions early in the process, to get a sense of the provider’s approach to negotiations, and the people and personalities on the provider’s contract team. Joining these meetings will also allow you to: (a) understand the timeline better and (b) identify the persons in your company who should be your technical go-to resources.
3. Assemble an effective contract working group
Connect with the technical team. Tackling a significant project will involve an internal technical team, and sometimes external consultants. Among other tasks, that team will conduct technical due diligence, map out potential architecture, and evaluate which additional products are needed for the implementation. They may also need to determine which workflows will have to change.
Ensure key stakeholders are involved. It will be up to you to ensure that you have assembled the right resources to assist you as part of the contract working group. Whether it’s through a nice lunch or flattery, or an extra show of appreciation – whatever you have available – use it in order to assemble a working group of knowledgeable internal resources. This group will be key in ensuring thoughtful and fast internal progress on the contract side. In my experience, a small team consisting of the lead contract attorney, a procurement analyst, the technical expert who will handle the actual implementation, and a cybersecurity specialist, can do wonders. This small team can be as successful as, or more successful than, a team of ten outside lawyers. It will definitely be a lot more cost-effective for your company.
4. There will be more than one contract
You would think that one enterprise cloud agreement means one contract. That expectation seems reasonable: all the applicable terms should be clearly documented in the master agreement. In a public cloud deal, however, there will be more than one significant contract.
Ask for all applicable contracts. I can’t emphasize this point enough. You have to proactively ask the cloud provider’s liaison to give you a list of, and links to, each applicable contract that will apply to your cloud use. Additionally, you should ask for a chart with the contract hierarchy, i.e., a chart showing which contract documents prevail in the event of a conflict. This is absolutely necessary for a comprehensive deal risk analysis and successful negotiation. If you have preexisting agreements in place (e.g., a master business or framework agreement), you should request that all of the contracts applicable to the contemplated cloud services be included in this chart.
Beware of printing. Years back, for my first large public cloud deal, I sent the chart with these applicable contract links to my administrative assistant and asked her to print them and create a binder. That binder ended up about four inches deep! The binder made a good visual artifact and was useful for reference while the contracts remained unchanged (which they did not for long). Having learned from my mistake, I never asked for a printout again. If you print all of the cloud documents each time they are updated, you will eventually run out of storage space in your office, and the world may possibly run out of trees.
Dig and check to identify all contracts. Finally, you would think that by asking for all applicable contracts, you will get all applicable contracts. This may not be the case. For example, if your company is a financial institution, you will need to proactively ask for a financial services addendum, which you will get, but only upon request. You may want to consult with outside counsel about what other types of contracts you should specifically request, based on the counsel’s experience with public cloud deals for companies in your industry.
5. Issues lists are your best friend
List vs. Redline. Given the volume of the contracts, the agreement hierarchy and, at times, overlapping terms, the only practical way to get your arms around the risk analysis is by creating a comprehensive list of issues. Exchanging redlines is not common in this case. Raising specific, well-reasoned issues is the best course of action.
Go through the contracts and identify issues. This means that you (with or without outside counsel’s support) will have to digest, line by line, all of the voluminous documents - which are not written in a way that is easy to interpret. As you read, think about each provision in terms of whether you would redline it with alternative language and, if so, mark it in the margins or in the actual document if you have an editable copy. One by one, summarize each adjustment as an issue.
Categorize the issues. Once you are done with the issue-spotting step, you can start creating the issues list and grouping the issues by categories to review with the contract working group. Below are key categories:
(1) Operational (e.g., service suspension, data retention post termination, service levels, service descriptions, etc.);
(2) Data security (e.g., data protection terms, breach notifications);
(3) Financial impact (e.g., minimum commitments, true-up, tax implications);
(4) Legal and regulatory (e.g., privacy compliance, regulatory audits, indemnification, and liability limits) and
(5) Miscellaneous (e.g., choice of law, dispute resolution).
Next to each issue in your list, you should capture comments and your company’s preferred positions, and document the rationale for each request. This will inform the points you need to make during negotiations, and will help you keep your sanity.
6. Potential pitfalls
There might be a few surprises along the way. Paying attention to the contract terms hierarchy and referring back to defined terms is a mechanical and slow process, but it is necessary to ensure that you will not be surprised after the contract is signed. Below are common issues that you may encounter.
Ensure confidential information will be protected, including administrative data and non-personal information. When it comes to data, security protections will apply to your content hosted or processed in the cloud, but not necessarily to other information that you provide to utilize the service - for example, your employee directory, or similar information that the provider might define as administrative data.
Additionally, data processing agreements frequently protect only personal information. It is critical for you to work closely with the cybersecurity expert (who, hopefully, is part of your contract working group) to make sure that the contract terms actually require the provider to protect all of your confidential information in a way that meets your regulatory and business requirements. Similar to the townhouse analogy I offered above, even if you protect the inside of your home, you will still need to monitor the property manager who is in charge of opening the gates to the community.
Narrow down service suspension rights and require notice. Frequently, the contracts will give the provider a very broad right to suspend the services. Analyze the impact of suspension with your business and technical resources, and try narrowing the suspension rights to specific accounts rather than the entire service. By analogy to the townhouse model, this situation would be similar to the property manager denying you access to your own home because of your improper disposal of trash. In both cases, you would want to be notified in advance of the suspension (denial of access) and have the right to remedy the issue so that your services and access are restored as quickly as possible.
Beware of additional click-wrap terms and unilateral amendment rights. Another surprise may come in the form of click-wrap terms that impose different or additional obligations on you as a customer. While we all have to make peace with the fact that the providers may unilaterally change the applicable contracts, it is always puzzling when your last unresolved issue is a request to agree that other terms (not available for review) may change your expectations and contractual rights and commitments.
This is one of the inherent risks of the public cloud and many online services: the service providers can unilaterally amend the terms of the contract. This is also one of the risks that you may not be able to close contractually – in such a case, you will have to develop an operational work-around to mitigate exposure (e.g., training users to spot click-wrap terms and send them to legal counsel prior to using the services or products that these terms govern).
Additionally, there are a few suppliers of relatively inexpensive SaaS services that are designed to send you an alert when a provider’s online service terms or privacy policies change.
7. Don’t forget the subject matter experts
Which experts? As mentioned earlier, the expertise of colleagues who are not typically involved in contract negotiations is essential to analyze all potential risks and issues. These resources might be different for different industries and locations, but, at a minimum, they should include eDiscovery counsel and records retention specialists, as well as regulatory and compliance attorneys for the areas of your organization impacted by the cloud engagement.
For which topics? You will need to discuss, among other topics, how your company will be able to impose litigation holds in the cloud or tag data for destruction in accordance with its records retention policies, and whether your use is consistent with your regulatory obligations – for example, whether and how your company’s regulators are able to examine how your customers’ data may be handled in the cloud environment. This is one of the areas where it is helpful to consult with outside counsel, particularly if your company’s operations are spread across various geographic regions or involve a highly regulated industry.
8. Negotiation Tips
Unfortunately, I have to share some bad news: regardless of how much money your company will be spending, your leverage in negotiating the contract terms is not great. The cloud provider’s initial position is always: “We have many customers and none of them are asking for modifications” and “we simply cannot make changes for one customer, as the same terms must apply to all users.”
These statements are valid; however, if you have a clear rationale as to why a particular provision does not work for your industry (e.g., our regulators do not sign NDAs) or your operations (we cannot tolerate a broad suspension), you should be able to reach a workable compromise.
It may be helpful to share your internal issues list with the cloud provider for purposes of the negotiation, so that both parties can track progress. Trading redlines is not as standard as discussing issues, or even framing your issues in the form of questions. Remember, your leverage, more than anything, is your persistence and persuasiveness in obtaining beneficial terms, such as regulatory audit rights or increased limits of liability.
Involve your working group’s experts when needed. You will likely not need your working group for all of the negotiations, but where possible, include them when their areas of expertise are discussed.
9. There will be gaps
You will not be able to win every issue, which means a good number of them will remain as gaps between your company’s desired terms and what the contract provides. Hopefully, you have narrowed down the original three-page list to a one-pager.
Before you meet with your company’s leadership to ask for approval or risk acceptance, you should reassemble your contract working group, and collaboratively consider the practical implications of each gap and whether you can mitigate the risk exposure operationally.
For example, if services are suspended, but there is a back-up plan in place, the risk related to the suspension of the services is substantially reduced.
10. Post-execution
One big difference between a traditional SaaS contract and cloud agreements is that the enterprise public cloud agreement typically covers all cloud services, whether or not they are even in existence at the time of the contract execution.
Using the townhouse analogy: there are no separate contracts to get the grass mowed or to fix a structural issue. In the public cloud world, this means that there will be no additional contracts (e.g., ordering documents) to consume any particular cloud service.
This means that, although the contract is signed and your company’s then-current use does not create any unreasonable risk, there is no contractual mitigation for the inherent risks of unforeseen exposures arising out of the ever-changing and newly-emerging cloud services.
Your best line of defense is continued diligence and thoughtful governance processes that will allow the company to monitor, evaluate, and track the use of new cloud capabilities. The specifics of the governance will depend on the nature of your industry, operations and cloud activities. The best tip is to hold regular discussions and coordinate tracking and approach to risk assessment with the key stakeholders (e.g., IT, finance, records retention, compliance or data governance internal resources).
Conclusion
Cloud providers will regularly modify some of the applicable governing terms and policies and introduce new services. Your organization will come up with new use cases, which could alter the risk profile and the original assumptions you relied on in your negotiations. This means that your job will not be done when the original contract is executed. If, like me, you enjoy continued learning and get excited by discussing emerging new technologies and related issues, you are in luck, as there is no shortage of future challenges related to the evolving cloud landscape.
Author: Elena Antonetti, Executive Counsel, Travelers