Just as the market for cloud-based services is fast developing, so too is the understanding of "best practice" regarding the contract terms to underpin them. From a mishmash of inappropriate adaptations of non-cloud contracts and overly aggressive supplier standard terms, a discernible trend has become apparent as to what "good" looks like in the context of cloud contracts.
It may therefore be instructive to focus on what shouldn't be in such contracts, just as much as what should be.
Firstly, references to "licensing" of a particular solution - whilst still sometimes seen in cloud contracts - are in reality not appropriate. The customer is obtaining outputs from a solution, not a licence to use or operate it themselves.
Secondly, at least in the context of multi-tenanted solutions, the idea of a customer being able to mandate compliance with its own policies or expect to be able to undertake extensive authorisation is not feasible; the customer must generally change to fit in with the operation of the solution, rather than the other way round.
Often, although by no means always, the level of risk to be undertaken by the supplier will be reduced to a lower level than might have been anticipated under a "traditional" licence and support model; as the supplier's "reward" will be reduced (as cost reduction is invariably a key driver for cloud deals), so they will typically argue that their "risks" should be too.
However, although some of the provisions one might expect to see in a licence agreement are no longer appropriate, others should not be discarded so quickly. Take, for example, source code escrow; some cloud service providers may argue that this is irrelevant as they are providing "a service" rather than licensing software. In reality, the fact that the customer doesn't have its own copy of the software supporting what may be business-critical operations makes it more rather than less dependent on the supplier, on the continued availability of the underlying solution, and on the ability to "get hold" of the underlying code if something untoward were to happen to the supplier. Companies such as Iron Mountain have picked up on this fact and now offer bespoke SaaS-focused escrow solutions.
Equally, whilst many providers of cloud solutions have been quick to "dial down" their liability and risk-related provisions to a significant degree, as the size and criticality of such offerings has grown, so has customer attention in respect of such contract provisions and the likelihood that they will be subject to negotiation. Whilst many of the established cloud service providers have been reluctant to move from entrenched and supplier-friendly positions, we have seen a demonstrable trend back towards more balanced risk positions, most notably where the deal value is larger and a competitive procurement process is being run, such that the cloud provider can no longer rely on the argument that "this is the basis of our offering" to bat away proposed contract changes (e.g. if there is another service provider who is prepared to make the changes in question).
Other standard form provisions which one would now expect to see included in a cloud services agreement include those surrounding data. From a business continuity perspective, the customer will expect to see a commitment that its data will be kept secure, backed up, and will be returned in agreed formats promptly on request and in any event upon termination or expiry of the contract. From the viewpoint of personal data, undertakings of compliance with the EU Data Protection regime will be required, and this can on occasion be a source of friction, depending on the degree of advance authorisations/consents that the supplier tries to secure vis-à-vis potential future changes to which sub-processors it may engage, or the locations of its data centres.
It is safe to say that we remain far from an end point in terms of any kind of homogeneous or standardised cloud services contract, and indeed it is very doubtful that such a thing could be created (albeit that the EU is making moves in this regard, at least in relation to SLA regimes). However, with far more attention now being given to the negotiation and drafting of such contracts, we can at least say that the parameters of what can be said to be reasonable and/or appropriate are being established, and that can only be a good thing for the further development of the market for cloud services in future.
Kit Burden is partner, and head of technology sector at law firm DLA Piper