Cloud Computing Agreements Should Not Be Cloudy

Steven De Schrijver is the head of the IT & New Media Department of Lorenz, an international law firm with offices in Brussels, Bishkek (Kyrgyzstan) and Geneva. Lorenz offers a wide range of legal services and with a strong focus on the technology sector. Steven De Schrijver regularly advises multinational companies in the IT sector on contractual issues. Therefore, he is perfectly placed to give some practical tips with respect to cloud computing agreements. In order to lower their overall costs and increase productivity, enterprises leverage centralized and virtualized IT systems and a variety of service providers to access IT services. This enables them to focus on their core business activities. In fact, cloud computing service providers offer their IT infrastructure and software to users, who entrust their business data and business functioning to them. It is obvious that this kind of services require appropriate and clear contractual guarantees. Besides data protection and data security related issues which need to be dealt with, it is important that a cloud computing agreement contains a minimum of essential clauses. This article will discuss some of the contractual issues cloud users should take into account when entering a cloud computing agreement with cloud computing service providers. 1) Service Level Agreement A cloud computing agreement should contain a so called Service Level Agreement (SLA) which formally defines the quality level of the provided services that the user may expect. Quality criteria could consist of minimum standard requirements regarding uptime and downtime periods of the system. Typically, the SLA will include a maximum number of hours per month during which the system is likely to be unavailable. If this maximum is exceeded, the user is entitled to claim compensations from the service provider. It is recommended to include specific and enforceable remedies in the agreement in case of infringement of the SLA, such as reimbursements or discounts on the subsequent invoices. 2) Pricing It is also important to accurately describe in the agreement which criteria will be used to calculate the service fees (e.g. storage measure unit, bandwidth, computer resources used, number of registered users, etc.), so that the cloud user remains in control and somehow can anticipate the service related costs in his budget. 3) Vendor Lock -In There is no legal obligation on the service provider to offer for data transfer facilities. Therefore, this possibility should be stipulated in the cloud computing service agreement. Moreover, the cloud user should ascertain that the data, which is still stored with the former data provider after the termination of the contract, is destroyed. Nevertheless, due to a lack of data compatibility standards the transfer of data could become more complicated, so that cloud users often get stuck with one particular vendor.

In case of bankruptcy of the service provider this non-transferability of data may cause data loss to the cloud user. The modalities regarding the transfer of the cloud computing services to other service providers or even the restitution of the data processed to the user should therefore be detailed in the agreement in order to avoid that valuable data gets lost. 4) Ownership of the Data Since the data will be physically stored in the service providers infrastructure, it should be well defined that the data stored remains the ownership of the cloud user, as well as the intellectual properties related to this data. Additionally, strict confidentiality clauses should be included in the contract. 5) Right to Audit Cloud users entrusting their data to service providers should have the right to conduct an audit of the service provider in order to make sure that the provider disposes of decent infrastructure and offers the necessary security measures (business continuity, encryption, firewalls, physical security, etc.) that he pretends to have in place. 6) Location of Data and Applicable Law Although the wording cloud computing may suggest that the data fly around in the clouds, they are actually stored in physical data centres somewhere in the world. Since legislation of many countries prohibits or restraints the free transfer of data outside the country, it may be important to identify where the data centre is located. Questions could also rise with respect to the applicable law; the law of the place where the cloud user is located or of the place where the data is stored? For more legal certainty cloud computing agreements should thus determine the law that governs the contract. Although it is an emerging point in cloud computing that service agreements need to be negotiated, the customer will sometimes still have to agree with the cloud computing service providers standard terms of service without any scope for negotiation. Since the terms are likely to be biased in the providers favour, it is recommendable for the cloud user to carefully examine these standard terms and conditions before entrusting his data and business to the cloud.