This article is written by Ritu Aggarwal who is pursuing a Certificate Course in Advanced Civil Litigation: Practice Procedure and Drafting from LawSikho.
In the current world, it has become a necessity for everyone to use the virtual data by using advanced technology so that people can access it from anywhere without being present there. Cloud computing is one of them through which we can share the data, photos, videos, any other file without using the hard disk or physical document to anyone who needs it.
Few examples of Cloud computing are Gmail, Google Drive, One Drive etc.
Cloud computing is defined as providing the service over the internet to the user by using the resources like data, computation, and computing resources etc. The structure of Cloud computing helps and allows others to access the information that persists in the cloud as far as the device being used to access the data is connected with the web. The employees working from home are the best example of this.
The data or information which is required to be accessed can be obtained in the cloud and the user is not required to be at the location to obtain the access of the same. Also, the Companies are not obliged to buy their own servers to provide this service rather, it can be leased from the third party as well. Hence, cloud computing helps the employers or others to reduce the capital expenditure or operational cost.
It can be either Public or private. Cloud computing available to the public gives their service for some charges. On the other hand, Private Cloud computing gives access to only a few people.
Major Service Provider and Users
The major service providers of cloud computing services are Microsoft, Amazon, FlipKart, Google. They use the services of cloud computing in a substantial way. In order to avail the services of these Cloud computing service providers, it is imperative to enter into a contract with them. It could be standardized (e.g. Amazon Web service agreement) or customized (In case, services are being used on a large scale) depending upon the technology being used. In case of a customized contract, negotiation largely depends upon the service provider. In most of the cases, cloud computing contracts are standard in form with pre- decided terms and conditions which should be valid in the eyes of law. Section 10A of the IT act validates the pre-decided terms and conditions if it is defined as per law.
In the cloud computing agreement, users shall determine all the risks entails into the agreement. For that, users are required to conduct the due diligence before signing an agreement with the service provider. On the other hand, if a cloud service provider has followed all certificate standards and provides the same to the user, it may help users to enter into an agreement without harm without getting into due diligence or audit requirements. For E.g. Google needs to comply with various ISO standards to gain credibility in the market.
In this article, we will further discuss the major clauses which are required to negotiate effectively to enter into an agreement with minimum and calculated risk.
Every business shall review and negotiate, if required, the following clauses of Cloud service agreement for effective use of the services to be provided by service providers.
Service level agreements (SLA): Customers need access to the data on cloud all the time. Hence, while signing a Cloud service agreement, it is important for customers to ensure all the risk protection which a contract carries at the service level. Also, it is important to incorporate all the remedies for the customer in case of breach of the contractual obligation by the service provider.
Customer data: In the agreement, it is specifically mentioning the purpose of utilization of the customer data. Every business or user shall assess that the client data which is being transferred or utilized for their services is within the requirement and there is no unauthorized use of the data. Also, a clause related to customer ownership of any data uploaded by service providers should be explicitly mentioned.
Confidentiality and data Security Clause: While entering a contract with a service provider, it is important to ensure that confidential data is used only on the need to know basis. Also, it is important to check what is the encryption policy being followed by the Service provider and what backup obligation has been specified in the agreement.
- The Receiving Party will treat and keep all Confidential Information of the Disclosing Party as secret and confidential and will not, without the Disclosing Party’s written consent, directly or indirectly communicate or disclose (whether in writing or orally or in any other manner) Confidential Information to any other person other than on a need to know basis in accordance with the terms of this Agreement.
- Service Provider understands and acknowledges that Service Provider may learn or otherwise acquire personal, sensitive and/or proprietary data/information of customers to enable Service Provider to effectively perform the services. Therefore, Service Provider warrants and represents that Such data/information shall be used solely for purposes of performance of Services by Service Provider as envisaged in this Agreement, and for no other purpose
Recovery and Continuity of Business: The provision related to continuity of business and the data recovery in case of any disaster or any other triggering event shall be specified in the agreement. The Customer should obtain assurance of continuity and uninterrupted services from the service provider in the agreement.
Example: Service Provider shall ensure business continuity of its mission critical and business critical systems or processes. Service Provider shall submit to Customer any updates to its Resumption Plan certifying that its business processes adequately comply with the Resumption Plan.
Retrieval of the data in case of termination: Some services have the policy to delete the data of customers within 30 days of termination of contract while some keep it for a longer time before deletion. It is mandatory to ensure the policy documents of the service provider and negotiate for the retrieval of the data immediately after termination and delete the copies available with him in order to protect the unauthorized use of the data of the customer.
Eg: Service provider warrant and represent that except to the extent Service Provider is required by law to retain any copies of such data/information, upon the expiry or termination of this Agreement, Service Provider will either return or destroy all data/information, with a confirmation of the same to Customer and no data/information shall be stored by Service Provider in any form.
Withholding the Services: The customer should ensure the provision in the agreement that the service should not be withheld due to disputed fees subject to the customer making the timely payment to the service provider for its services.
Limitation of Liability clause: It is important to understand how much liability and obligation a cloud service provider takes on himself. Major Service providers like Amazon or Microsoft disclaim all their liabilities except financial liability, which is also limited to specified amounts, irrespective of the loss might occur. Generally indirect and consequential damages are not included in the limitation of liability. The limitation of the liability and exclusion therein should be provided to both the parties. The overall cap of the liability should be defined in the agreement which shall not apply to the exclusions.
Under no circumstances shall Customer or the Service Provider be liable for any special, indirect, incidental, exemplary, special or consequential loss or damages, inter alia including, loss of profit, loss of use, loss of revenues or damages to business or reputation arising from the performance or non-performance of any aspect of this agreement even if the party has been advised of the possibility of such damages. Total cumulative liability arising from or relating to these terms will be limited to the actual amount paid by customers to the service provider under the terms of this agreement.
Indemnity: Indemnity is a very important clause in the agreement. In the Cloud Service Agreement, restriction is put on service providers to indemnify the customer in case of claim from the third party for infringement of intellectual property rights. Other than infringement, indemnity for violation of law, death, fraud, theft can also be claimed.
Eg: The service Provider shall indemnify to customer, its directors, partners, officers, employees and agents against all claims, liabilities, losses, expenses (including reasonable attorneys’ fees), fines, penalties, taxes or damages (Collectively “Loss”) on account of bodily injury, death or damage to tangible personal property arising in favor of any person, corporation or other entity (including the Indemnified Party) attributable to the Indemnifying Party’s negligence or willful default in performance or non-performance under this Agreement.
Intellectual property rights (IPR): Customers while entering into the agreement shall ensure the service provider is in compliance with Intellectual property rights and has not breached the rights of ownership. Customers should retain all the work product ownership with them so that they can use it for the sole purpose of business and underlying processes.
- Service Provider warrants that Service provider shall not violate or infringe upon rights of third parties, including any trademark, patent, copyright, or other intellectual property right
- The Service Provider hereby assigns and agrees to assign in the future to customer, ownership of all right, title and interest in and to any and all Work Product
Termination of Agreement: It is important for the customers or business to ensure that they have all the rights to terminate the agreement or change the terms of the agreement, if required. Generally, the standard agreement contains the right of termination limited to Cloud service providers only without any cause or notice. Hence it is important for business to be cautious while entering into the agreement. Similarly, the right of modification should also be there with the business. Hence, it is important to review and enter into such agreements very carefully. To get into such fine agreement, it is important for every business to be thorough with the Contract Act or hire professionals for this purpose.
Eg: Customers may terminate or modify this Agreement or any outstanding Purchase Order or any portion thereof at any time by providing at least 30 days prior written notice.
Renewal Rate: Renewal rate with service provider shall be decided in advance and captured in the agreement. Both the parties while negotiating can decide the maximum cap which shall be provided while renewal of the agreement.
Other than abovementioned clause, it is important for customers to understand the provision related to implementation, fees, terms of the contract and negotiate accordingly which may give the overall benefit to the business.
Risk Assessment: while negotiating the contract, if the customer has the negotiating power, then he should create a safeguard for his business by negotiating above mentioned clauses. However, if a customer is not in position to negotiate, then before entering a contract, he should analyze the overall business risk and threat he is carrying in the contract. If the threat and risk more than the benefit he is going to receive for his business, then walking away from the contract is the better option for the customer.
Nowadays, cloud computing has become the necessity of every business considering the benefit of the same, every business wants to avail the services. Cloud computing has brought the new revolution in the IT industry by removing the old IT issues and restrictions.
However, along with the comfort and quick service, cloud computing carries a lot of risk to the business related to data security, Data protection, retrieval, Intellectual property rights, service levels etc. Hence, before start availing the services of cloud computing, it is important for every business to analyze the risk. It is also important to ensure that all the protection clauses for a business should be well included in the contract and the language of the contract is simple to understand and enforceable so that the purpose for which the services are availed is not defeated.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: