knowledge | 31 May 2021 |
Procuring Cloud IT Solutions – Seven Key Areas in Cloud Agreements for Customers
Over the last number of years, we have seen a move to cloud-based solutions being the norm rather than the exception when clients are procuring IT solutions to support their businesses.
The onset of the pandemic, and the switch to widespread remote working, has further accelerated the move to cloud-based solutions becoming the default mode of service provision. In that period, we have assisted a number of clients in procuring new cloud IT solutions and thought it would be timely to share our seven key areas in cloud contracts.
The seven areas in this briefing apply to most types of cloud IT service provision (e.g. data centre hosting services or cloud-based enterprise back-up), but clearly there will be elements specific to any individual solution which may require a bespoke approach in each case.
Cloud IT suppliers have a tendency to offer limited (or, sometimes, no) ability for customers to negotiate the relevant IT contract which is almost always provided on a supplier’s standard terms. Where significant changes are not commercially possible, it may be that the customer has to consider the terms of the contract (e.g. in the areas below) against what it might otherwise consider acceptable and seek to understand the risks were it to decide to adopt and use the solution. A further alternative would be to consider using the solution but additionally considering whether there are any mitigation measures the customer can separately put in place to reduce the risk to it (e.g. its own separate back-up(s) of data).
In our experience, here are seven key areas of contracting for customers to consider when procuring cloud IT solutions.
- A good description and clear pricing: It sounds obvious but a contract should properly describe the cloud solution which is being offered and should be such that a customer could later on look at the contract, note a particular key feature or element which is not being provided or not functioning, and seek to point to the contract’s description and have that rectified. One of the things we have found recently is that, at times, the description of the cloud solution is very basic (when compared to its glossy marketing material) or even missing key elements. The contract should also be very clear on the basis on which fees are payable, which may be based on usage (and so be variable).
- Service levels and credits: Linked to a good service description is the need for a defined set of service levels which may be expressed to involve ‘availability levels’ and/or ‘response’/’resolution’ time periods to address issues. Customers should take care to ensure that these are sufficiently robust if relying significantly on the solution in its own activities for its end-customers. Where service credits are offered, customers should avoid drafting which seeks to provide that any such service credits (which can often be reasonably low in value) are the customer’s ‘sole remedy’ for breach of the service level.
- Warranty and indemnity protection: It will be important from a customer’s perspective to seek to make sure that at least some basic warranty protection is provided in the cloud contract and, in our experience, protections in supplier draft contracts can be very limited. Where the cloud system is more crucial to the customer or more bespoke, greater warranty protection would be appropriate. In our view, customers should consider including warranties that the service will comply with applicable law and operate in accordance with the service description/documentation, that use of the service by the customer will not infringe the IP rights of any third party and that the service will not include any malware, viruses etc. Customers should be very wary of statements that the service is provided on an ‘as is’ basis or similar. An indemnity covering the customer for claims of third party IP infringement is also a key customer protection and this should not be artificially limited (e.g. not limited to patents only or only covering US infringements, particularly if the customer intends worldwide use of the cloud service).
- Term and termination: As in any agreement, the term of the agreement and the circumstances where the cloud agreement can come to an end are important to consider fully. Often the cloud service will be provided on a rolling/annual subscription basis, but in other situations it will be for a defined period of years and, here, there are usually significant fees for early termination by the customer. It is also worth bearing in mind that a customer may be more content to sign up to other terms which are not favourable to it if the customer is fairly readily (and without significant cost) able to terminate cloud services agreement. Any migration assistance (e.g. data transfer) needed at the end of the contract should also be provided for.
- Security measures: Most cloud based services will, or are highly likely to, host and process customer data. Recent events with the HSE cyberattack in Ireland have highlighted the need for the most up to date and robust IT security measures. These measures should be assessed by the customer’s IT team (or relevant third party specialist) to ensure that the supplier’s intended measures offer a suitable degree of protection for customer data. While warranty protection can be sought (e.g. a warranty that any such measures are and will be in accordance with good industry practice), this will be no substitute for having assessed, and been content with, the technical and operational sufficiency of the supplier’s intended security measures.
- Data protection: As a controller of personal data (or even as a processor considering further sub-processing on behalf of a third party controller) the customer will need to be mindful of ensuring that the IT supplier hosting or processing its data is subject to the contractual obligations required in data processing contracts by Article 28 of the GDPR. We have found cloud IT suppliers, mindful of the GDPR, often provide a separate data processing addendum for EU-based customers but that, at times, this needs amending to ensure those requirements are fully covered. The physical location of any cloud hosting (e.g. all in EEA or outside of it), and any access by non-EEA supplier entities, should also be established as it may be necessary to consider an appropriate data transfer mechanism for transfers of personal data outside the EEA (and, potentially, supplemental measures if standard contractual clauses are being relied on).
- Limitations and exclusions: As with any important commercial contract, any limitations on, or exclusions of, the cloud supplier’s liability should be carefully reviewed. How any liability cap is set up and whether there are any unreasonable or unsuitable exclusions of loss are two particularly important aspects to consider. For example, we have recently seen cloud IT contracts where it was not clear whether the supplier intended an ‘aggregate’ or ‘per event’ cap on its liability and, almost paradoxically, we frequently see data hosting providers seek to exclude their liability for ‘loss of data’. Depending on perceived risk, and the nature of the data involved, we have also seen customers successfully obtaining at least separate higher supplier liability caps for breaches of confidentiality or for data protection losses.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.