In this blog post, Varun Sen, a student pursuing a Diploma in Entrepreneurship Administration and Business Laws by NUJS, provides an overview of cloud computing agreements. 

What is Cloud Computing?

Cloud computing is defined as the use of computing resources, including data, software, and computation, which are delivered to users as a remote service over a network. The name comes from the cloud-shaped symbol utilized to represent the complex infrastructure it contains in system diagrams.download-4

Increasingly, cloud computing[1] has become a new means of delivering information technology services. By adopting cloud technologies, businesses can leverage cost-effective, scalable and integrated IT resources to remove geographical or cost limitations upon their workflows and service delivery mechanisms. Many companies are capable of providing purely internet-based services or can maximize the efficiency of their intra-corporate processes through cloud computing services, simply by outsourcing the storage, collection and provision of data to servers or processes running on the cloud.

Download Now

 

Cloud Computing Agreements

Companies such as Google, Microsoft, Amazon, etc., are all major providers and users of cloud computing services.

However, adopting such technologies requires businesses to enter into contractual agreements with cloud service providers, which could either be standardized (such as the Amazon Web Services Customer Agreement) or tailored to customers (especially if the customer is availing cloud services on a large scale). Negotiation of such agreements does depend on the service provider. download-6However, most cloud computing contracts tend to be standard form contracts, with pre-decided terms. These are also legal, thanks to Section 10A of the Information Technology Act granting them validity.

There are several risks and concerns with cloud computing agreements, which require businesses to conduct appropriate audits before entering into them. Often, checking certification standards adopted by the Cloud Service Provider (CSP) is helpful and allows clients to enter into agreements safely without having to conduct audits themselves. Amazon Web Services, for instance, complies with several ISO/IEC standards, allowing it to gain credibilities in the market, such as ISO 27001, or ISO 27017.

 

Aspects of Cloud Computing Agreements

Nonetheless, any business must look into certain aspects of CSP agreements like the ones discussed below.

Data Security and Confidentiality: Checking to see that their data security and confidentiality standards are actually adhering to industry standards, ensuring that data protection policies and controls are periodically reviewed, ensuring that clients are aware of third party dependency contracts entered to by the CSP, ensuring that confidential data is utilised on a need-to-know, and need-to-use basis is essential to ensuring that a business does not have its data comprised by a CSP’s faulty processes. This also requires understanding the encryption standards followed, the backup obligations stipulated by the contract, etc. download-5

Liability of the CSP: This requires also understanding the liability and responsibility a CSP is willing to take upon itself. CSPs such as Amazon[2] or Salesforce[3] often completely disclaim all liability and limit their financial liability to specified quantum, irrespective of how much an actual loss might be.

Change of Services Terms/Termination by CSP: Businesses must also look into the discretion of a service provider to terminate services or change terms and the portability clauses that a CSP is willing to enter into. Often standardized service agreements allow for CSPs to end agreements, without adequate notice period unilaterally. It is important for a business to be careful of such clauses, so as to not be suddenly denied services later on by the CSP. Similarly, the scope of modification that a CSP allows itself to exercise is also important; businesses must make sure that key commercial clauses of contracts are not impacted. Also, a business must be aware of the law, as the Indian Contract Act does indicate the notion of novation wherein modifications of a contract is seen as amounting to fresh agreements requiring fresh multilateral or bilateral consent of all parties. Businesses must also be aware of the portability facilities of the CSP, to ensure that if things go south, the business is capable of transferring its data and CSP dependent processes to another CSP smoothly without interruption of business.images-1

Disputes, Governing Law and Jurisdictions: Given geography does not limit that cloud computing in its service provision; agreements often end up specifying laws of the country required to be followed in resolving a contractual dispute. Indian entities, for instance, would want Indian law to be applicable, but a foreign CSP may want its home country’s laws to apply. Amazon and Salesforce both indicate that their CSP agreements adhere to the laws of the US, for instance, which could make enforcement for an Indian business very difficult. This is particularly important, when considering contributory liability for copyright infringement, where CSPs to prevent their liability and ensure that they can avail of safe harbor provisions, may limit services for businesses.

Data retention and transfer: while portability is one aspect, termination also involves concerns of data retention and transfer which must be assessed carefully by any business to ensure control over its data is maintained post-termination of services.

Negotiating service delivery levels: Certain aspects of CSP agreements, such as understanding latency times, level of consistency of access of data, uptime percentages, the notion of downtime of service delivery, scheduled down times, etc. requires a company to establish key performance indicators, unique to its requirements, that allow it to ensure CSPs can meet its business requirements. Understanding the policy for failure to provide services is equally important for business as a part of basic due diligence.

images-2Fee model and licensing structure: Finally, understanding the fee structure is also essential, as CSP agreements often follow a “pay as per use” basis of fee structuring, rather than a fixed or recurring fee mechanism. CSPs also follow a limited license right based model, wherein a business utilizes software that remains on a CSP’s premises, in a limited license format, which is not how traditional software licenses work. Thus, businesses need to be wary of all non-traditional clauses that come with such software agreements.

Since click-wrap CSP agreements tend to be very vendor-friendly, it is important for businesses entering into CSP agreements to be careful of the obligation being hosted upon them, and weigh these appropriately against the benefits of cloud computing technology.

 

 

 

 


 

References: 

[1]http://www.nishithdesai.com/fileadmin/user_upload/pdfs/Cloud_Computing.pdf

[2] See Clause 9.2, Amazon Web Services Customer Agreement available at https://aws.amazon.com/agreement/

[3]Salesforce.com Master Subscription Agreement available at http://www.sfdcstatic.com/assets/pdf/misc/salesforce_MSA.pdf

LEAVE A REPLY

Please enter your comment!
Please enter your name here