Contracting for the Cloud


Contracting for the Cloud Marcus Lee

What is “Cloud Computing”?
The use of computing resources (hardware and software) that are delivered as a service over a network (typically the internet).
- Google Apps
- Amazon Web Services
- Microsoft Cloud

Three Main Cloud Computing Models:
1. Infrastructure as a Service (IaaS)
An organization outsources the equipment used to support operations, including storage, hardware, servers and network components. The service provider owns the equipment and is responsible for running and maintaining it. The client typically pays on a per-use basis.

Three Main Cloud Computing Models:
2. Platform as a Service (PaaS)
A method to rent hardware, operating systems, storage and network capacity over the Internet in order for the client to develop, test and deploy software applications.

Three Main Cloud Computing Models:
3. Software as a Service (SaaS)
The service provider delivers software via the Internet for use by the client. The client doesn’t need to install applications on its own servers or computers, and typically only needs a web browser to use the software.

Four Types of Clouds:
1. Private Cloud: Operated for a single organization.
2. Community Cloud: Operated for use by a specific community of users.

Four Types of Clouds:
3. Public Cloud: Delivery of cloud services over the Internet to the general public.
4. Hybrid Cloud: A cloud computing environment in which an organization provides and manages some resources in-house and has others provided externally.

Benefits to Cloud Computing:
- Cost Reduction (savings on hardware and software infrastructure and IT personnel)
- Scalability (easily increase or decrease use based on needs)
- Converting capital expenditures into operational expenses

Risks to Cloud Computing:
- Data Security
- Availability of Service
- Data Ownership

Contractual Issues
Data Ownership and Access
- Acknowledgment that all data you input into the software or provide the vendor is owned by you
- Requirement that, at the termination of the contract, the vendor will provide you a copy of your data in an agreed-upon format
- Requirement that vendor permanently deletes all copies of your data at the termination of the contract (including back-up media)
- Maintain a copy of all data you provide the vendor
- Litigation-cooperation clause requiring the vendor to preserve your data and cooperate with any discovery requests if you become involved in any litigation

Contractual Issues
Service Levels
- Uptime guarantee (e.g., you will be able to access and use the services 99 percent of the time)
- Support response time guarantee (e.g., vendor will respond to service issues within one business hour)
- Server response time guarantee (e.g., the services will process transactions within an agreed-upon time frame)

Contractual Issues
Service Levels
Measurement Requirements:
- Require provider to actively monitor SLAs and provide a monthly report
Remedies for SLA failures:
- Credit or refund of fees
- Right to terminate for very poor performance (e.g., less than 90% uptime during a month)
- Right to terminate your contract for persistent service level failures (e.g., 3 or more SLA failures in 6 month period)

Contractual Issues
Sample Language:
Service Level Commitment. Service Provider agrees that the Hosted Software will be Available to Customer 99% of the minutes during each month (the “Availability Standard”). If the Availability Standard is not met for a given month, then Service Provider will provide Customer with the following refund:

If the Availability of the Hosted Software for a given month is: | Then Service Provider shall provide Customer a refund equal to:
99% or more | $0
95% to 98.99% | 10% times the monthly hosting fee
90% to 94.99% | 25% times the monthly hosting fee
85% to 89.99% | 50% times the monthly hosting fee
80% to 84.99% | 75% times the monthly hosting fee
75% to 79.99% | 100% times the monthly hosting fee

Contractual Issues
Sample Language:
For purposes of this Agreement, “Available” means Customer is able to access and use the Hosted Software, the Hosted Software is not experiencing a Priority Level 1 or 2 Issue, and the server response time to all accesses of the Hosted Software is less than 1.5 seconds. Service Provider shall maintain accurate records sufficient to show the number of minutes that the Hosted Software was Available during each month. Service Provider will promptly provide Customer with a copy of such records at such times as requested by Customer. The remedies in this Section shall apply regardless of whether the un-Availability results from a Force Majeure Event.
Minutes during which the Hosted Software is not Available because of scheduled maintenance activities will not be counted as minutes when the Hosted Software is not Available so long as (i) the scheduled maintenance occurs during the hours of 11 PM to 5 AM, Eastern Time and (ii) Service Provider provides Customer with five business days prior written notice of the date and time of the scheduled maintenance.

Contractual Issues
Back-Up Capability
- Redundant systems in place so that if vendor’s main data center goes down (e.g., because of a natural disaster or cyber attack), you will continue to be able to access and use the services
- Have IT professional review vendor’s back-up policies
- Required procedure for backing up your data

Contractual Issues
Sample Language:
Hosting Sites. The primary site for the Hosting Services will be at a carrier grade facility located at the place designated in the applicable Software Hosting Description Document and the secondary site for the Hosting Services will be at a carrier grade facility located at the place designated in the applicable Software Hosting Description Document (each, a “Hosting Site”). Service Provider shall not change the location of a Hosting Site without Customer’s written approval.
Back-up and Disaster Recovery. Each Hosting Site shall (i) be SSAE 16 certified; (ii) have redundant high speed connections to the Internet; and (iii) have backup electrical systems, including an uninterruptible power supply and an electrical generator allowing for at least two months of generated power. Data from the primary Hosting Site shall be replicated to the secondary Hosting Site every evening for disaster recovery purposes. In the event that the Hosted Software is not Available as a result of an issue with the primary Hosting Site, then Service Provider shall ensure that the Hosted Software is immediately Available via the secondary Hosting Site.

Contractual Issues
Force Majeure
- Limit to causes beyond the vendor’s reasonable control and that could not be avoided by the exercise of due diligence
- Credit or refund for period in which services are not available
- Right to terminate contract if force majeure event continues for more than an agreed-upon number of days
- Requirement that vendor use its best efforts to resume service as soon as possible
- Make clear that force majeure events do not relieve the vendor of its disaster recovery or service level obligations

Contractual Issues
Sample Language:
Force Majeure. Neither party shall be liable to the other party or be deemed to have breached this Agreement for any failure or delay in the performance of all or any portion of its obligations under this Agreement if such failure or delay is due to any contingency beyond its reasonable control (a “Force Majeure Event”). Service Provider shall be obligated to provide reasonable back-up capability to avoid the potential interruptions from a Force Majeure Event. If a Force Majeure Event occurs, the party delayed or unable to perform shall give immediate notice to the other party. If a party is unable to perform any of its obligations because of a Force Majeure Event, then (i) such party shall immediately resume performing its obligations once the Force Majeure Event is removed, (ii) the other party may cease performing its obligations during the period in which the affected party is not performing, (iii) the other party may terminate this Agreement or any Exhibit or Description Document if a Force Majeure Event prevents a party from performing its obligations under this Agreement or such Exhibit or Description Document for more than 30 days, or (iv) if Service Provider is unable to perform any of its Services as a result of a Force Majeure Event, then Service Provider shall refund Customer a pro rata amount of the fees most-recently paid by Customer for such Services.

Contractual Issues
Data Security
1. Confidentiality Provisions:
- Restrict who can have access to your information
- Require vendor to be responsible for contractors
- Restrict how your information can be used
- Require vendor to use at least reasonable measures to protect your information
- Require vendor to be responsible for any data that is lost, stolen or compromised while in the possession or control of vendor

Contractual Issues
Data Security
2. Data Encryption Requirements:
- Requirements when transmitting data
- Requirements when storing data
3. Compliance with Laws:
- Vendor should be required to comply with all applicable privacy and data protection laws and regulations

Contractual Issues
Data Security
4. Audit Rights:
- You should have right to audit the security procedures and data centers of vendor.
5. Security Breach Procedures:
- Requirement for prompt notification of actual or suspected breach.
- Provide that customer has sole control over the timing, content and method of the notice.
- Requirement to cooperate and provide assistance in remedying breach.
- Remedial obligations, including payment of notification and credit monitoring costs, if applicable.

Contractual Issues
Data Security
6. Due Diligence:
- Type II SSAE 16 Examinations: Requirement that the vendor have Type II SSAE 16 examinations conducted on its controls and procedures for storing, processing and transmitting data, and to provide you copies of the examination reports.
- Have data security professional review the provider’s security policies.

Contractual Issues
Sample Language:
During the term of the Master Agreement, Service Provider agrees to comply with the following security provisions:
(a) Service Provider shall maintain data security controls, measures, policies and procedures consistent with industry best practices and use its best efforts to prevent unauthorized access to all Customer data. In the event of any security breach or loss of any Customer data, Service Provider shall immediately notify Customer and use its best efforts to remedy such breach or loss, including, but not limited to, taking such actions as reasonably requested by Customer. Customer shall be the sole and exclusive owner of all the Customer data and Service Provider shall only use the Customer data during the term of the Master Agreement to the extent necessary to provide Services to Customer. Service Provider shall promptly provide Customer with any or all of the Customer data requested by Customer from time-to-time in such hard-copy or electronic format as requested by Customer.
(b) Service Provider represents and warrants to Customer that attached hereto as Schedule 1 is a current copy of Service Provider’s disaster recovery and backup policy (the “DR Policy”). Service Provider agrees to comply with the DR Policy during the term of the Master Agreement. Service Provider agrees not to make changes to the DR Policy except for changes that do not reduce the protections of the current DR Policy.
(c) Service Provider shall comply with all applicable federal, state and local privacy related laws and regulations (whether in effect on the date of the Master Agreement or enacted during the term of the Master Agreement).

Contractual Issues
Sample Language:
(d) When sending any files containing any Customer data over the Internet or other network, Service Provider shall first encrypt such files using PGP encryption software.
(e) Service Provider will cause Type II SSAE 16 examinations (or equivalent examinations) to be conducted annually on any information systems and networks used in connection with providing any Services to Customer. Service Provider will provide Customer with a report from each such SSAE 16 examination to facilitate periodic compliance reporting by Customer under Sarbanes-Oxley and other applicable laws and regulations. If any such audit results in Service Provider being notified of control deficiencies or that Service Provider is not in compliance with any requirement set forth in this Data Security Exhibit, Service Provider will promptly take actions to remedy such control deficiencies or comply with such requirement, as the case may be, at no cost to Customer. Upon Customer’s request, Service Provider will provide Customer with an update of Service Provider’s internal controls covering the period from the date of Service Provider’s last SSAE 16 report to the date of the request.
(f) Unless Customer instructs Service Provider in writing otherwise, Service Provider shall maintain and retain all Customer data and records in accordance with the records retention policy set forth on Schedule 2 attached hereto (the “Retention Policy”). If requested by Customer in connection with a legal matter involving Customer, Service Provider shall continue to maintain and retain all requested Customer Data and records beyond the periods set forth in the Retention Policy.

Contractual Issues
Limitation of Liability
- Exclusion for IP infringement claims.
- Exclusion for gross negligence or willful misconduct.
- Exclusion for breach of confidentiality obligations (and data breach, if possible).
- Exclusion for property damage/bodily injury.
- Exclusion for remedial obligations for data breach.
- If not obtainable, consider a negotiated cap on liability.

Contractual Issues
Insurance
- General commercial liability
- Professional liability
- Worker’s compensation
- Cybersecurity (data breaches, business interruption, and network damage)

Indemnification
- Tortious acts and omissions.
- Intellectual property infringement.
- Personal injury/property damage.
- Breach of confidentiality/security breach.

Contractual Issues
Sample Language:
Indemnification. Service Provider shall defend and indemnify Customer and its directors, officers, employees and agents (each, an “Indemnified Party”) against, reimburse each Indemnified Party for, and hold each Indemnified Party harmless from, all losses, claims, damages, liabilities and costs (including reasonable attorneys’ fees and expenses) (collectively, the “Losses”) incurred by an Indemnified Party as a result of (a) any breach by Service Provider of any of the terms, conditions, covenants, representations or warranties contained in this Agreement; (b) any personal injury, death or property damage caused by any defective Product or by any employees, contractors or representatives of Service Provider; (c) any claim by a Service Provider employee or contractor for wages, benefits or other compensation; (d) the negligence, willful misconduct or other tortious acts of Service Provider or its employees or contractors; (e) any data of Customer that is lost, stolen or compromised while in the possession or control of Service Provider or the possession or control of any third-party to whom Service Provider provided any Customer data; or (f) any third-party claim alleging that any of the Products, Software, Deliverables or Services infringes on such third-party’s patent, copyright, trademark, trade secret or other intellectual property rights. Service Provider agrees to reimburse each Indemnified Party promptly for all such Losses as they are incurred by such Indemnified Party in connection with the investigation of, preparation for or defense of any pending or threatened claim or any action or proceeding arising therefrom.

QUESTIONS?