Cloud computing contracts in USA

Duane Morris LLP

Manita Rawat

USA November 18 2019

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

Cloud computing contracts typically manifest in different forms and draw on different legacy contracts and precedents depending on the particular vendor, offering and customer. For example, cloud computing contracts can resemble legacy software licence agreements, legacy managed services or hosting agreements, and limited purpose outsourcing agreements. As cloud services become more and more commoditised, cloud computing contracts are increasingly being presented by vendors either as click-wrap agreements that allow little or no negotiation, or as otherwise negotiable agreements in which significant portions are designated as non-negotiable (eg, links to click-wrap maintenance, warranty, service level, acceptable use and privacy terms).

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

It is common practice in the US to choose as the governing law of a B2B public cloud contract the law of the state where one of the parties is located, typically the vendor (ie, where the party is headquartered or has a principal place of business). The governing law provision typically also includes a specific statement that the named state’s choice of law principles should not apply. This statement is important because one state’s choice of law principles may mandate application of another state’s laws under the circumstances, which would subvert the intent of choosing the state’s law to apply. Also, it is common to include an express statement that the UN Convention on Contracts does not apply, usually because the parties are more familiar and comfortable with US case law. As an alternative to the law of the state where one of the parties is located, the parties may choose a neutral state’s law to apply. Common choices for a neutral state with significant commercial contract case law include New York and Delaware.

It is common practice in the US to choose a specific city or county located within the state that was chosen for the governing law as having exclusive jurisdiction over a dispute relating to the contract.

In cloud computing contracts, there are a number of cross-border issues, particularly relating to data protection laws.

Dispute resolution tends to include some mechanism for internal dispute resolution, which may be pro forma or more meaningful, followed by either arbitration or litigation. Whether the parties agree on arbitration or litigation depends on the parties’ experiences and preferences.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Typically there are subscription fees for the cloud service that are invoiced monthly. Certain professional services may be offered and are typically billed as a fixed fee or on a time and materials basis. Professional services could include implementation, integration, training, support, enhanced maintenance (beyond that covered by the subscription fees), customisation or data analysis.

Cloud agreements generally contain audit provisions to ensure compliance with billing or payment obligations. However, audits may also be directed to other issues, such as regulatory and compliance, quality, and security. The audit provision typically specifies parameters and limitations for the audit (eg, during business hours, once per year), use of a third-party professional, such as an accountant, confidentiality and limited use of results of an audit.

Either party (most commonly the vendor) or, in some cases, both parties may be required to obtain and maintain specified levels of insurance during the term of the agreement (eg, commercial general liability, errors and omissions) and cyber insurance that specifically covers a data breach. These provisions typically require the other party to be provided with a certificate of insurance or the actual policy (to confirm scope of coverage) and to be named as an additional insured.

Typical acceptable use restrictions include:

Often the cloud provider will include as a remedy its ability to suspend or terminate the service for any breach of the acceptable use restrictions.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Data and confidentiality (generally)

Most cloud computing contracts include mutual confidentiality provisions. The definition of confidential information is categorical, but may include specific items each party wants to protect as confidential information (eg, the customer’s data). Obligations of confidentiality typically survive termination or expiration of the agreement, and it is not uncommon for this survival to have a sunset (eg, five years after termination or expiration), with or without express carve-outs for trade secrets. In recent practice, the US federal Defend Trade Secrets Act requires certain language to be included in agreements to make clear that individuals may share confidential information with attorneys or with law enforcement in connection with whistle-blowing activities. Because this language must be included to preserve certain remedies in the event of a trade secret claim later, this language is more and more often being added to agreements that include confidentiality provisions.

Customers typically request an express statement that they own all their data and are only granting the cloud provider the right to access, use or manipulate the data as required to provide the cloud service. Cloud providers often want to have rights to aggregate and use customers’ data; this is a point of negotiation in some cases.

Customers typically want their data backed up by the cloud provider, with visibility into the process and geography implicated by the back-up, and commitments (ie, warranties) regarding frequency, recovery point objective, recovery time objective and periodic restoration testing. Typically, upon termination of the agreement, cloud providers are obligated to promptly return all data to the customer, in an agreed-upon format (preferably a standard format) or to certify destruction in writing after return of the data and confirmation by the customer that the data are accessible.

Premises and data security

This can vary widely. For data centres, customers look for electrical sources and generator backups, cooling, humidity and temperature controls, internet connectivity, physical security (video cameras, locks and access badges, escorted visitors, security personnel stationed there), information security (firewalls, passwords, encryption, etc), maintenance and redundancy. Customers usually require third-party security audits such as SOC 2 or SOC 3.

Data disclosure is typically limited only to employees or agents who have a ‘need to know’ for the purpose of the agreement and who have signed a confidentiality agreement or are bound by professional obligations of confidentiality.

Disclosures may be made only if required by law (subpoena, court order, etc), and only so long as the receiving party provides notice to and cooperates with the disclosing party so that the disclosing party can seek to fight the disclosure.

Location of servers and data

Customers typically want the data to stay in their jurisdiction (ie, stay inside the US) and commonly vendors will not be able to move the location of servers or data without prior written approval from the customer.

Cross-border data transfers

There are numerous laws and mechanisms governing cross-border data transfers. The most recent is the EU-US Privacy Shield.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

Representations and warranties

Typical representations and warranties in a cloud computing contract fall into three categories: ability to enter or perform the agreement generally, service-related and software-related.

The first category of representations and warranties is directed to the parties stating that they have the ability to enter into the agreement, they have all the rights necessary to grant the rights granted therein, they aren’t under any pre-existing agreement that would limit their ability to perform this agreement, they will not enter into any agreement that would limit their ability to perform this agreement, and they will comply with all applicable laws (including data breach notification laws).

The second category of representations and warranties targets the performance of services under the agreement. Generally, the vendor is required to represent and warrant that it will perform all services in a good and workmanlike manner, with qualified personnel having the skill required of the industry, that it will replace any unsatisfactory personnel (if applicable) and re-perform any unsatisfactory services, and that it will use its established, industry-standard methodologies to provide services. The vendor may also expressly warrant that it will meet its service levels.

The third category of representations and warranties targets the software components of the cloud service. Typically the vendor will represent and warrant that there is no malicious code or virus within the cloud software, and that the software itself (and use of it) does not violate any third-party intellectual property right (eg, patents and copyrights). Open source representations and warranties may or may not be appropriate, depending on the offering.

Limitation of liability

The limitation of liability provision is closely connected to the indemnification provisions and addresses qualitative limits on type of damages and quantitative limits on amount of damages. The limit on type of damages typically excludes indirect, consequential, special, incidental and punitive damages and may expressly exclude lost revenues or profits, loss of use and loss of data. The limit on amount of damages can be set at a specific number or it can scale (eg, with reference to the amount paid or payable under the agreement (or some multiple thereof)) over a certain period of time. Typically, when the quantitative limitation of liability references amounts paid or payable over some period of time, there is also some reasonable floor to cover a significant liability in the early part of the contract term when payments have not accrued sufficiently to cover such a liability.

Often there are exceptions to the limitations of liability for specific items, such as breach of an obligation of confidentiality or data security or privacy, indemnification obligations, misuse of intellectual property, bodily injury (including death) and injury to personal or real property (not unusual to see, but less likely to be relevant in a cloud computing agreement), fraud, gross negligence or wilful misconduct. The parties typically will spend a lot of time negotiating the limit on liability exceptions. An alternative is to set a separate (often higher) limit for these items (rather than excepting them from any limitation of liability).

The indemnification provision typically includes an obligation to indemnify and hold the other party harmless for certain enumerated circumstances. Often the indemnification provision includes an obligation to defend, though this depends on the offering and the parties.

Indemnified parties are typically defined to include the parties to the agreement, their affiliates and their directors, officers, employees and successors. This list can be expanded to include subcontractors, suppliers, and customers, under certain circumstances.

The items for which a party (typically the vendor, but in some circumstances the customer) has an indemnification obligation in cloud computing contracts typically include:

Also addressed in the indemnification provision is the procedure for obtaining indemnification, including terms for notice, cooperation and the right to participate in the defence.

Service-level agreements (SLAs)

SLAs typically address availability (uptime), latency, incident response times and work levels until resolution, and backup and restoration procedures.

The single most common SLA is availability, and some vendors, if they offer any SLAs, will offer only an availability SLA. It is common for a vendor to qualify an availability SLA with a commitment to use ‘commercially reasonable efforts’ to achieve a stated availability (though this is often objected to by the customer). The availability SLA commonly has exclusions for scheduled and emergency maintenance and force majeure events, and specific notice and reporting to customer in preparation for downtime. Customers will want vendors to self-monitor and report compliance with SLAs to the customer, whereas the vendor will want customers to have to monitor (or ‘feel’) and report suspected SLA failures to the vendor.

Often the remedy for a breach of an SLA will be limited to the vendor providing a service credit to customers.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Typically, the cloud vendor owns the software underlying the cloud computing services and any software the vendor makes available for direct use by the customer. The customer typically owns all its data and provides a licence right to the cloud vendor to access and use the data as needed to provide the service.

If there is any development work or customisation work, the parties typically negotiate ownership rights. Typically, the customer will own all right, title, and interest in and to all work product created under the agreement specifically for the customer, and the vendor will name the customer as ‘the person for whom the work is prepared’ and designate the work product as a ‘work made for hire’. The vendor should also assign all of its right, title, and interest in and to such work product to the customer, in case any work product does not meet statutory requirements to be a ‘work made for hire’, and provide further assurances from itself and its employees as necessary to vest ownership rights in customer. Typically, the vendor will also give a licence to any of its background technology that is used in the work product.

As discussed above, IP infringement is typically addressed via a representation and warranty that there is no infringement or by an indemnification obligation for third-party IP infringement claims.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Termination for cause

There is typically a mutual right of termination for cause (ie, for a material breach of the agreement by the other party that has not been cured for a certain period of time since notice of the material breach, eg, 30 days). The parties may specifically identify certain breaches that are deemed material breaches in order to forgo any dispute over materiality later. For example, the customer may seek an express termination right if the vendor catastrophically fails to meet an availability SLA.

Termination for convenience

Often the customer will want a termination for convenience clause, which allows the customer to terminate the agreement at any time and for any reason, upon written notice to the vendor. A termination for convenience right can greatly help to mitigate a customer’s risk in a contract. Vendors very commonly object to a customer’s right to terminate for convenience. For a vendor to accept a customer’s right to terminate for convenience, there is typically a liquidated damages term (ie, an early termination fee). The amount of the fee varies.

Survival of terms

The parties typically stipulate which provisions survive termination of the agreement. Often, the parties want terms for confidentiality, IP ownership, dispute resolution, limitations on liability and indemnification to survive termination.

The customer typically will seek some level of transition services upon expiration or termination of the agreement, which typically includes an extension of cloud services for a set time after termination, such as 30-90 days, so that the customer will still have access to the cloud solution while it transitions to a replacement provider. Transition services typically also include a provision that the vendor will cooperate as necessary with the replacement provider in order to assist with the transfer of the customer’s data and operations.

Effect of termination

The parties typically include in an ‘effect of termination’ provision terms that require the return or deletion of all data and confidential information of the other party, and transfer of all deliverables, whether complete or in progress, from the vendor to the customer.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There is typically a provision that states that the parties are independent contractors and not in an employment or joint venture relationship, with an express statement that neither party has the ability to bind the other party. Less common is a provision that distinguishes between working hours and non-working hours for non-exempt employees under the Fair Labor Standards Act.