Do’s, Don’ts and Cautions Cloud Agreements Do’s, Don’ts and Cautions ISM Greater Grand Rapids November 14, 2017

Disclaimer

Myth Online click-through agreements are not negotiable

The Standard Line “All of our customers operate under the same MSA (which is attached) which reflects standard Software- as-a-Service industry terms in use by thousands of companies. . . . Please make sure your legal group is aware of this when you send them the contract. They can give a thumbs up or thumbs down, but they should not waste time doing a mark-up. This is not enterprise software licensing, it's SaaS.”

Outline/Summary Top 11 Issues in Cloud Agreements (in no particular order) Pricing Changes Service Level Agreements Termination/Suspension Disaster Recovery / Data Backups Security Obligations Subcontracting Third Party IP Warranties Indemnification Limitation of Liability

Pricing – Service Provider Version “Service Provider reserves the right to modify its fees, effective as of the end of the then-current Term upon at least thirty (30) days prior notice to you, which notice may be provided by e-mail.”

Pricing – Dos Limited number and timing Hard cap Advance notice Allow for services to become less expensive

Pricing - Compromise Service Provider may increase the price for the Services no more than once annually upon at least sixty (60) days written notice prior to the end of Customer’s present billing cycle; provided, however, that: (1) any such increase shall not exceed the lesser of X% or the increase in CPI for the 12 month period immediately preceding such increase; and (2) such increase will not become effective until the start of Customer’s next billing cycle.

Modifications– Service Provider Versions We may modify the Terms upon notice to you at any time through a service announcement or by sending email to your primary email address. We may change, discontinue or deprecate any of the Service Offerings (including the Service Offerings as a whole) or change or remove features or functionality of the Service Offerings from time to time.

Term Modifications Really? No provision of this Agreement may be modified except by a written document signed by duly authorized representatives of the parties.

Service Modifications How you may see it No desire for unexpected changes or changes that result in a loss of functionality Counting on certain functionality, especially for business critical aspects of the Service Significant time in transitioning to new service provider if we have to move How Vendor may see it: Beneficial to the Customer to allow us to add new functionality Ever-evolving nature of the cloud prevents us from guaranteeing every aspect of functionality for the service as a whole

Service Modifications - Compromise Customer acknowledges that during the Term, Service Provider may need and/or desire to make modifications to the Service. Such modifications are permitted provided that any modification may not result in or cause a material degradation to the Service or a loss of any functionality then being utilized by Customer and Service Provider shall provide Customer at least sixty (60) days’ advance written notice of any material change to the Service.

Service Level Agreements (SLA) – Service Provider Version The Service will be available 100% of the time, excluding scheduled or emergency maintenance. Service downtime exists when Customer is unable to transmit and receive data with the Service, but does not include the effects of any Internet, Customer network or other connectivity issues not within the control of Service Provider, and is measured from the time the trouble ticket is opened by the Customer. Upon receiving a report of downtime from the Customer, for each full hour of downtime, Service Provider will credit the Customer two percent (2%) of the monthly fee, up to fifty percent (50%) of Customer's monthly fee for the affected Service.

Service Level Agreements - Dos Beware the “standard” SLA of the vendor Consider multiple measures (i.e. system availability commitment & system response time commitment) Get an uptime commitment Take into account the nature of the service Clearly define what qualifies as downtime Limit the amount of any permitted downtime Make clear who monitors uptime Address remedies Termination right for severe or chronic failures

Service Level Agreements - Dos “Scheduled Downtime” means up to four (4) hours of planned and scheduled maintenance performed during the relevant month to perform necessary hardware, OS, network, database, application software maintenance, repair, upgrades and updates and for which Customer has at least seventy-two (72) hours advance written notice. Service Provider will use best efforts to ensure that Scheduled Downtime takes place during non-business hours. In the event: (a) system availability falls below 99.9% in (i) two (2) consecutive calendar months or (ii) any three (3), or more, non-consecutive months in any twelve (12) month period; or (b) system availability falls below 90% in any given month, then, notwithstanding anything in the Agreement to the contrary, Customer may terminate the Agreement upon written notice to Service Provider and without early termination liability.

Termination/Suspension – Service Provider Version Service Provider may suspend or terminate Customer’s right to access or use any portion or all of the Service Offerings immediately and without notice if Service Provider determines, in its sole discretion, that (a) Customer’s use of Service Offerings (i) poses a security risk to the Service Offerings or any third party, (ii) may adversely impact the Service Offerings or the systems or Content of any other Service Provider customer, (iii) may subject Service Provider, its affiliates, or any third party to liability, or (iv) may be fraudulent; (b) Customer is in breach of this Agreement, including if Customer is delinquent on its payment obligations for more than 15 days; or (c) Customer has ceased to operate in the ordinary course, made an assignment for the benefit of creditors or similar disposition of Customer’s assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding.

Termination/Suspension “If you are putting the security of our system at risk, we are going to suspend your access immediately.”

Termination/Suspension – Dos Notice Separate suspension and termination Express good faith requirement Limited Scope Limited Duration

Termination/Suspension – Compromise Service Provider may suspend Customer’s or an Authorized User’s access to the Service, in the event Service Provider determines in good faith that such party’s use of Service (i) poses a security risk to the Service, (ii) is or is reasonably likely to adversely and immediately impact the Service or the systems or Content of any other Service Provider customer, or (iii) is in material breach of this Agreement. Service Provider shall provide Customer with prior notice of any such suspension, provided that if prior notice is not possible, Service Provider will notify Customer as soon as reasonably possible following such suspension. Any such suspension will be limited in both scope and duration as necessary to address the event or cause giving rise to the suspension.

Disaster Recovery/Data Backup Responsibilities and Carve-Outs You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content. Sample provision You acknowledge that you are solely responsible for taking steps to maintain appropriate security, protection and backup of Customer Data.

Disaster Recovery/Data Backup Responsibilities and Carve-Outs Backups Who? When? Where? Disaster recovery Does the Service Provider have a disaster recovery plan? Is it adequate? Who’s allowed to declare a disaster?

Disaster Recovery/Data Backup Responsibilities and Carve-Outs Compromise? Clarity In the contract Does it satisfy customer’s organizational requirements?

Security Obligations – Service Provider Version Service Provider will operate in conformance with its operating, security and privacy policies, and will act promptly to address any nonconformance therewith identified by Service Provider or any other party. Service Provider will make available to Customer its annual SSAE-16 (or successor type) audit report covering its operations and shall take prompt action to address any exception identified in such reports.

Security Obligations – Dos Issues to consider: Type of data being put “in the cloud” Legal requirements for securing data Industry specific requirements for securing data Common area of disagreement: Who takes financial responsibility for a breach of security? What level of “attack” triggers notice to Customer? Locking in to specific security standards

Security Obligations - Compromise Without limiting the Disclaimer of Warranties, or Customer’s obligations under this Agreement, Service Provider will implement (or ensure the implementation of), commercially reasonable administrative, physical and technical measures designed to secure Customer Data against accidental or unlawful loss, access or disclosure. To the extent that Service Provider processes any Personal Data on behalf of Customer, Service Provider shall process such Personal Data strictly in accordance with the terms of this Agreement and Customer's instructions from time to time. Accordingly and in all such cases, Service Provider shall be the “data processor” and Customer shall be “data controller” under the applicable law. The transfer of any EU Personal Data or Australian Personal Data to territories outside the EU or Australia, respectively, is not contemplated by this Agreement. Customer shall obtain any consents from Users or anyone else whose Personal Data will be processed by the Services.

Subcontracting – Service Provider Version Service Provider may utilize subcontractors to perform any services pursuant to this Agreement.

Subcontracting – Preferred Language Service Provider shall not engage any subcontractor to perform any services under any Order Form without the prior written consent of Customer, which shall not be unreasonably withheld. Service Provider shall obtain and maintain in effect a written agreement with the subcontractor, which agreement shall contain sufficient terms for Service Provider to fully comply with all provisions of this Agreement and to support all grants and assignments of rights and ownership hereunder; however, nothing contained in any such agreement shall create, nor represent to create, a contractual relationship between Customer and any subcontractor. Such agreement shall also impose an obligation of confidentiality on the subcontractor with respect to Customer's Confidential Information consistent with this Agreement. Service Provider shall be fully responsible for the acts of all subcontractors to the same extent it is responsible for the acts of its own employees.

Subcontracting - Compromise Service Provider shall promptly notify Customer in the event it engages any subcontractor to perform any material services under an Order Form, and Customer may terminate the applicable Order Form with thirty (30) days’ notice to Service Provider if it has a good faith reason objection to the use of such subcontractor. [Notwithstanding the foregoing, Customer expressly consents to Service Provider’s utilization of Amazon Web Services for the provision of hosting services.] Service Provider shall be fully responsible for the acts of all subcontractors to the same extent it is responsible for the acts of its own employees.

Third Party IP – Service Provider Version The Services may contain Third Party Materials. Such Third Party Materials are provided “as is” without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement. In no event shall Service Provider be liable for any claim, damage, or other liability arising from, out of, or in connection with such Third Party Materials, including the use of such Third Party Materials in connection with the Services.

Third Party IP – Dos Know What is Used Right to Grant License Open Source vs. Proprietary Copies of applicable licenses Right to Grant License Warranty that Service Provider has the right to give access to the materials Indemnification for infringement claims Ability to Negotiate Terms with Third Party “Service provider will put Customer in contact with the third-party to allow Spectrum Health to negotiate the terms of such third-party license agreement.” Pass-Through Terms “Service Provider shall pass-through to Customer any warranty and indemnity provided to Service Provider by the third-party manufacturer or licensor for the Third-Party Materials.”

Subcontracting - Compromise Service Provider hereby represents and warrants that it has the right to provide Customer access to, including, without limitation, a license to use, as provided in the Agreement, any Third-Party Materials provided under the terms of the Agreement.

Warranties – Service Provider Version THE SERVICES ARE PROVIDED ON AN “AS IS,” “AS AVAILABLE” BASIS WITHOUT ANY REPRESENTATIONS OR WARRANTIES. SERVICE PROVIDER DOES NOT REPRESENT OR WARRANT THAT THE SERVICES WILL BE AVAILABLE, ACCESSIBLE, UNINTERRUPTED, TIMELY, SECURE, ACCURATE, COMPLETE, OR ENTIRELY ERROR FREE. CUSTOMER MAY NOT RELY UPON ANY REPRESENTATION OR WARRANTY REGARDING THE SERVICES BY ANY THIRD PARTY IN CONTRAVENTION OF THE FOREGOING STATEMENTS. SERVICE PROVIDER SPECIFICALLY DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS OR IMPLIED, ARISING BY STATUTE, OPERATION OF LAW, USAGE OF TRADE, COURSE OF DEALING, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO, WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR TITLE WITH RESPECT TO THE SERVICES, OR OTHER SERVICES OR GOODS PROVIDED UNDER THIS AGREEMENT.

Common areas of disagreement Warranties Common areas of disagreement Service level warranties Security obligations Remedies for breach

Warranties and the Trouble of “Sole & Exclusive” Language Service Provider should provide the following warranties: Service Level Agreement Security Operation in accordance with the specifications Good and workmanlike fashion for services Sole and exclusive remedy: Customer – What if repair/replace or reperformance of services is inadequate? What if repair/replace doesn’t work?

Warranties and the Trouble of “Sole & Exclusive” Language Vendor response: “Well what other remedy would you want?”

Warranties and the Trouble of “Sole & Exclusive” Language Areas of compromise: SLA – sole and exclusive remedy in the SLA As long as SLA provides for termination right Specifications – repair or replace Good and workmanlike fashion – re-perform

Indemnification – Service Provider Version Subject to the terms of this Agreement, Provider shall indemnify Licensee and its employees, agents, successors and assigns from and against any and all loss, damage, liability, and expense arising from any claim brought against any such indemnified party by a third party to the extent (a) alleging that the API Services, as provided by Service Provider and used in accordance with the terms of this Agreement, infringes upon any valid U.S. patent, copyright, trademark, trade secret, or other proprietary right of such third party.

Common areas of disagreement: Indemnification Service Provider liable instead of Customer for certain claims brought against Customer or certain losses sustained by Customer Common areas of disagreement: Security breach Data breach notification Failure to timely provide services

Indemnification – Compromise Service Provider shall indemnify and hold harmless Customer and its Affiliates, and their respective officers, directors, shareholder, employees, agents and representatives against all liability, loss, damage, claims, actions and expenses (including attorneys’ fees) based upon or arising out of: Service Provider’s breach of its security obligations found in the Agreement Encompass data breach investigation, notification, and mitigation costs Compromise – if legally required Third party claims alleging that Customer’s use of the Service in accordance with the terms of the Agreement infringes such third party’s intellectual property rights property damage, including loss or destruction of data, or personal injury, including death, directly caused by or sustained in connection with the Service Provider’s performance under this Agreement

Sample vendor provision Limitations of Liability, Carve-Outs, and Uncapped Damages – Service Provider Version Unless stated in the Additional Terms, we are not liable to you or anyone else for: (a) any loss of use, data, goodwill, or profits, whether or not foreseeable; and (b) any special, incidental, indirect, consequential, or punitive damages whatsoever (even if we have been advised of the possibility of these damages), including those (x) resulting from loss of use, data or profits, whether or not foreseeable, (y)based on any theory of liability, including breach of contract or warranty, negligence or other tortious action, or (z) arising from any other claim arising out of or in connection with your use of or access to the Services or Software. Nothing in these terms limits or excludes our liability for gross negligence, for our (or our employees’) intentional misconduct or for death or personal injury.   Our total liability in any matter arising out of or related to these terms is limited to US $100 or the aggregate amount that you paid for access to the Service and Software during the three-month period preceding the event giving rise to the liability, whichever is larger. This limitation will apply even if we have been advised of the possibility of the liability exceeding the amount and notwithstanding any failure of essential purpose of any limited remedy. Sample vendor provision

Two schools of thought: Uncapped Damages Two schools of thought: Because the risk is hard to quantify, and because it would arise as a result of Service Provider’s failures, certain damages should be uncapped. If Service Provider uncaps damages and suffers a security breach compromising the data of all of its customers, none of its customers will be made whole in the end.

Limitations of Liability, Carve-Outs and Uncapped Damages Compromise?

Limitations of Liability, Carve-Outs and Uncapped Damages Potential areas of compromise: Uncapped for specific claims (i.e. breach of confidentiality, claims arising out of or related to Service Provider’s breach of its security obligations, etc.) If not uncapped for these claims – consider super cap (i.e. 3-5 times fees paid under the agreement) Can the organization mitigate potential risk from capped liability? Who has the leverage?

Bonus Round: No Overriding Terms No statement, representation, warranty, covenant or agreement of any kind, including without limitation, any terms included in or located on a purchase order, invoice, or website, accessed through a URL, provided as an end user license agreement, or provided in a click-wrap, shrink-wrap or other similar format, not expressly set forth in this Agreement shall affect, or be used to interpret, change or restrict, the express terms and provisions of this Agreement.

Questions & Answers

Thank You! Kelly Hollingsworth (616) 752-2714 khollingsworth@wnj.com These materials are for educational use only. This is not legal advice and does not create an attorney-client relationship.