Key Highlights:
- Cloud computing offers companies many benefits, including the ability to increase or reduce the volume of services on demand.
- Cloud computing is different enough from the traditional method of on-premise software licensing that corporations considering cloud solutions need to take a careful look at the contract’s terms and conditions.
- Cloud presents a new set of risks that both parties need to share.
- As a customer, assess whether the cloud solution considered will work for you.
Cloud computing is an environment where a business outsources the development, hosting, or running of all or part of its applications and information to a third party, and away from the business’s hardware and premises.
Businesses are increasingly moving their software solutions to the cloud. You may already use the cloud in your personal capacity; Gmail, Facebook, TikTok and LinkedIn can all be classified as software-as-a-service or cloud. As corporations and in-house counsel move more of their software solutions to the cloud, there are a few things they should be aware of when reviewing and negotiating cloud contracts.
1. Cloud is NOT on-premises
In its simplest sense, moving to the cloud is moving your software solutions (and the related code) from your own local drives or networks, which are on your premises or “on-prem”, to an off-site data center. The National Institute of Standards and Technology (NIST) defines cloud computing as follows:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released. This cloud model is composed of five essential characteristics, three service models and four deployment models.”
There are many benefits to using the cloud. As an on-demand service, it is available when you need it. It is available how you need it, whether on your desktop, on your tablet or even from a computer terminal at the airport. Its rapid elasticity and scalability make it easy to increase or decrease your capacity as your needs change.
The legal issues associated with cloud computing are distinct enough that the terms of your current on-premises solutions do not necessarily work for cloud solutions.
2. Data ownership is misstated
When software is on-prem, data ownership is not an issue that arises - all data created stays on your systems. In the cloud, the data’s location can be a cause of concern, and in-house counsel need to ensure that the company gets it right. Lawyers may tell you that you need ownership of the data. This is a misnomer. You cannot actually own data; you cannot own information or ideas, and that really is what data is - just information. Most intellectual property (IP) laws revolve around the form of data, how it is presented, for example, in tabular form, or compiled in a certain manner. In these cases, a copyright may attach to the presentation, but not to the underlying information itself. Putting your data in the cloud, however, does not mean you lose it to the cloud provider as your data may still be protected as a trade secret.
When in-house counsel enter into a cloud agreement, they should focus on control of the data: what can the cloud provider do with the data? There is no “right” or “wrong” position on this, as the answer depends on the parties’ needs.
The cloud vendor needs to use the data so it can provide the services to the customer. A cloud-based client relationship management solution is not viable if the vendor cannot use the customer’s data.
Cloud vendors may seek to use that data in other ways, especially in an aggregate form to improve their services, and even to market their solution to other customers. The customer needs to understand exactly what data the vendor wants to use, and how the vendor is going to use the data. Cloud customers need to assess whether they have the right to allow a third party to use the data for something beyond a ‘reasonable’ purpose.
For example, a market research company engages a cloud-based mass-payment solution to pay individuals who make up survey panel members; the market research firm will need to share the individual’s information with the cloud vendor. The customer may not need the individual’s consent to share information so the individual can get paid.
The vendor may also want to use the customer’s data for other reasons, for example to know the purchasing activities of the payment recipients - the customer may need to obtain consent from all individuals for whom it holds data.
A customer may not want to let the vendor use performance data without putting certain restrictions in place. Availability and response time may be innocuous data, but performance data could include the customer’s level of transactions, which could be considered proprietary or competitive information.
As the customer and the custodian of that data, you have the ability to decide how important control of the data is to you. If the vendor only wants to use anonymized data in the aggregate, this may be something to trade for. If the vendor wants the specific data, which may include personal information, that requires a whole other legal analysis, especially regarding privacy laws.
Remember that if you are going to let the cloud vendor use the data, you may want to specify in what form the vendor can use the data. De-identified is not the same thing as anonymized. De-identification removes all personally identifiable information to prevent an individual’s identity from being compromised. Anonymization prevents any future re-identification even by the party that controls the data under any condition.
3. Get your data returned
Even though you may not technically or legally own the data, you still want to ensure that your company can retrieve its data when it stops using the cloud solution. If you choose to leave the vendor, your relationship ends and unless you have made specific provisions in your contract, you may lose access to your data in that vendor’s cloud solution. Almost all cloud vendors should be able to extract your data for you in a commonly used form, so you can migrate that data to another solution. It is thus important to agree - at the time of contract execution - on the format in which the data will be returned. Even if you have to pay for this at the end of the term, that cost may be a worthwhile investment if you need to use that data in the future.
4. Carefully review the security and privacy policies
When you contract for a cloud solution, depending on how that cloud solution is delivered, you often cannot change the cloud vendor’s data security and data privacy configurations. This is one of the tradeoffs you accept for the numerous advantages of cloud solutions.
As a purchaser and in-house counsel, you should carefully review the cloud vendor’s data security and privacy policies and statements, especially the technical configurations. Almost all privacy laws place the ultimate responsibility for personal information on the party that collects the personal information, which is usually the purchaser of the cloud solution.
Make sure you and your information security team are comfortable with what the cloud solution provider is offering, or ask to increase the security and privacy measures, which may mean a different delivery method and higher fees. The security features that in-house counsel need to ensure the corporation is aware of include physical and technical security, encryption, and network security. For example, if a vendor only offers encryption at rest, and a customer wants their data to be encrypted in transit too, then the customer has two choices: ask the vendor if they offer encryption in transit; or find a vendor that does.
There are other protections you can seek contractually, including requiring the cloud vendor to have certain third-party certifications. SOC 2 and SSAE 16 are two of the more common ones, and both are from the American Institute of CPAs. A SOC 2 certification is a report on the controls of a cloud vendor’s safety and privacy; it is based on five trust services criteria: security; availability; processing integrity; confidentiality; and privacy. SSAE 16 is a report on the controls at a service organization that may be relevant to user entities’ internal control over financial reporting.
Prudent in-house counsel advising cloud customers should insist on including a clause in the contract that requires the cloud vendor to notify the purchaser in the event of an actual or suspected data breach. An example of a data breach notification clause is:
“Upon becoming aware of a data breach that may involve Customer’s information, Vendor shall without undue delay, and in no event later than 72 hours of becoming aware of such data breach, inform Customer and provide written details of the data breach, including the type of data affected, the identity of affected person(s), the likely consequences of the personal information, any other information Customer may reasonably request concerning the affected persons, and the measures Vendor has taken or proposes to be taken to address the data breach.”
Canada and all fifty states of the United States have recently enacted changes to their privacy legislation requiring a party that suffers a data breach to provide certain notifications. Purchasers should still include a notification requirement, as well as a requirement that the purchaser will notify its own customers at the vendor’s expense. The purchaser does not want the vendor notifying its customers. The purchaser usually wants to control the message to its customers.
5. Service Levels
Cloud solutions are not a software product, because you are not actually licensing any software, nor are they a service because an individual is not doing something for you. Even calling them X-as-a-Service is a bit of a misnomer. Cloud solutions fall somewhere in between a product and a service. What purchasers are paying for is the ability to access the solution, because that is how they use it. They want to make sure they can access it when they need to use it.
Purchasers’ in-house counsel should ensure that the vendor will provide a representation, warranty or a covenant that the solution will be available a certain percentage of time. A vendor may or may not be able to adjust its service levels to meet a party’s specific needs. When evaluating various cloud solutions, take a closer look at the service levels to ensure they are acceptable.
A service level is a commitment the vendor makes to its customer in their contract. In a cloud contract, one of the typical service levels is the cloud solution’s availability, which is the percentage of time a customer can access the solution. A cloud solution can never be 100% available, because it still has to be maintained and upgraded from time-to-time, and a vendor will want some margin of error for unexpected outages.
If a vendor is unwilling to change its service levels, a customer may be able to negotiate what will happen if the vendor does not meet the agreed-upon service level. Vendors may offer credits for missed service levels, usually a percentage of a month’s fees. More often than not, the remedy for a missed service level will be a credit, not cash, and will be the customer’s exclusive remedy for a missed service level. A service level credit is not designed to provide a remedy; it is really there to encourage good behavior by the vendor.
6. IP ownership
This is one of the most negotiated clauses, not because it is such an important clause to the contract but because it is one of the most misunderstood clauses for a cloud solution. The IP ownership clause is probably one of the main reasons to use a vendor’s paper, because that contract will have these clauses properly drafted to reflect the reality of the situation of cloud. A vendor’s clause may read as follows:
“Except for any Customer Information, Provider shall retain all rights, title and interest in and to the Software, Services, and the Provider Information and all legally protectable elements or derivative works thereof.”
Unlike a traditional software development or services agreement, which usually gives ownership of any materials produced or developed, including any accompanying intellectual property rights, to the customer, the cloud agreement has the opposite clause. Even then, the potential purchaser will usually redline those clauses, because of the purchaser’s familiarity with clauses for on-premise solutions.
In the traditional on-prem context, intellectual property ownership clauses give ownership rights to the client for all newly created material during the services. This is a reasonable position for a client to take - you paid for it, you should get to keep it, and especially if you gave the vendor specific directions how to design or develop it.
A lot of purchasers use that same approach with cloud solutions, i.e., they want to own whatever is created for them and paid for by them. A lot of purchasers have a hard time distinguishing between custom development and custom configuration, and expect to continue to own a custom configuration.
Configuration is when the cloud solution provider makes the cloud solution fit a purchaser’s specific needs. Think of it as turning switches and knobs, and pressing some buttons to make the cloud solution look the way the purchaser wants it to look, and perform certain functionalities that are part of an out-of-the-box solution. Custom development would be when a vendor creates a whole new solution for the purchaser.
If a cloud vendor were to give a purchaser ownership of their configurations, this would defeat the very purpose of the cloud solution provider’s business model. The cloud solution provider needs to be able to re-sell those configurations. A purchaser is not going to be the only client who may want their configuration in cornflower blue, and if that purchaser were the only one who could have it in cornflower blue, it would really interfere with the cloud solution provider’s business model.
7. Perpetual license
Another challenge that cloud solutions providers face when dealing with clients who are more familiar with on-prem solutions is the customer’s request for a perpetual license to any of the vendor’s pre-existing intellectual property necessary for the client to use the software.
With on-prem solutions, a software vendor may use some of its intellectual property, for example, some of its own code libraries, when it customizes or configures the solution for the client.
When reviewing an agreement for a cloud solution, a request for a perpetual license does not align with the way the cloud solution operates. The vendor’s main piece of proprietary intellectual property is the cloud solution itself; a customer pays to access this solution in a subscription form, like a magazine. When the magazine subscription ends, unless the subscriber pays to renew it, the subscriber does not get any more issues.
Granting a perpetual license, i.e. a license forever, for the cloud solution would go against the vendor’s very business model.
8. Indemnity
A vendor may require an indemnity from a customer, depending on what the cloud solution does and how the customer may use it. For example, for an on-line storage solution for which the vendor has little or no control of how the customer will use it, the vendor will want the customer to indemnify the vendor for anything the customer may upload or store in the solution that violates a third party’s intellectual property rights. The vendor will also want the customer to provide indemnification if the cloud solution provider configures or customizes the solution to the client’s specifications, for example using the client’s logos or other designs.
Similar to an on-prem software solution, customers will want to be indemnified by the vendor for a third party’s claims of intellectual property infringement. This author’s view is that because of the nature of software-as-a-service where the entire solution sits on the cloud vendor’s premises, an indemnity from the vendor to the customer for a third-party intellectual property claim may be moot - the entire intellectual property regime, with minor exceptions (such as a custom portal that may be developed and is hosted on the customer’s site or another site), is on the provider’s systems, including configurations and code development.
9. Limitation of Liability
No matter the contract, whether on-prem or cloud, the limitation of liability is always going to be one of the most heavily negotiated clauses. Vendors find that one of the biggest challenges for purchasers relates to the limitation of liability. While the traditional on-prem solution usually involves a significant up-front payment for the solution, and on-going fees for maintenance (usually about 20% of the license fees), a cloud solution provider does not have the same level of guaranteed revenue.
Any limitation of liability that a vendor agrees to should take into account the upside of the deal for them. Clients should not expect their cloud vendors to take on disproportionate liabilities. A client decides to use a cloud solution because they expect certain benefits as described above; they cannot expect to outsource 100% of the risk.
A limitation of liability needs to be a fair allocation of the risk-reward for both parties. Setting the limitation of liability at a certain amount of fees, usually between six and 12 months’ worth of service, is a balanced approach. To address a purchaser’s concern of damages potentially occurring within the first few months, the parties may agree to set a liability floor, such as an amount equal to the average of the fees paid for the number of months the limitation of liability represents. For example, a limitation of liability of 12 months of fees paid may have a liability floor of what the fees would have been over 12 months, based on the average of the fees for the months already completed.
The agreed-upon limitation of liability will be based on a variety of factors, including the duration of the contract, the total fees the vendor expects to earn, and the risk profile of the transaction for both parties.
One facet that is always the most negotiated is the limitation of liability for personal information and data breaches. As more solutions move to the cloud, these will become of greater concern. Purchasers almost always expect unlimited liability for breaches of obligations around these two areas. There must be the same risk allocation analysis as described above. Purchasers have more control over the type of information they put into the cloud solution, and the type of security they want configured.
It is perfectly acceptable to negotiate a higher limitation of liability for breaches of the cloud solution provider’s obligations for personal information, security and confidentiality. The key word is obligations, because no party should take on a strict liability, except in very rare circumstances.
10. Read the contract and understand its business implications
Purchasers of cloud solutions may think it is just another contract. While this is the last item in this list, it is probably the most important one. The client really needs to know what they are contracting for, and whether they are getting the solution they want.
In an on-prem custom development solution, it is very easy for the client to get what it wants from the developer. The client and vendor will spend months discussing and codifying the statement of work, the deliverables, the milestones, and other aspects. With a cloud solution, it is the exact opposite. The cloud vendor is offering you a solution that has certain parameters, and you, as the purchaser, have to decide whether those parameters meet what you want to achieve.
Depending on the cloud solution you select, there may be room for configuration or even customization. Those come with a cost. All your key stakeholders need to get comfortable with the cloud solution - the specific business unit that would use the solution, your technology team, and especially the security and privacy team. And for certain of those items that they or legal counsel are not comfortable with, a client can always negotiate.
Conclusion
Cloud computing offers a lot of benefits to companies that decide to use it. Companies can save money with cloud computing, and still get access to better technologies than if they opted for an on-premise software solution. Companies considering cloud computing should use a lawyer who is familiar with the concepts and who can best explain and educate the company about the specific terms of a cloud computing contract, because of their significant differences from contracts for on-premises software. A company needs to be comfortable with how the cloud solution works and what rights, obligations and limitations it faces in its contracts with the cloud vendor.
Author: Jacob Kojfman, Legal Counsel, CGI Information Systems and Management Consultants Inc.
The views presented in this article are of the author alone and not anyone else, including his employer.