Practical legal guidance on contracts in cloud business

publication date: February 17, 2023

The article presents practical guidelines and recommendations on selected aspects of cloud services agreements and addresses the difficult question of how to prepare an effective agreement that protects the due performance of cloud services.

Main pre-contractual aspects

  1. VERIFICATION OF MANDATORY LAW AND OTHER REQUIREMENTS – The parties to the cloud services agreement should in particular be aware of laws and regulations related to personal data, consumer protection, cybersecurity, export control, customs, tax, trade secrets, IP-specific and sector-specific regulations that may be applicable to them and their future contract.

DATA LOCALIZATION – Data localization requirements may arise in particular from the law applicable to personal data or contractual commitments (e.g., IP licences).

CHOICE OF A CONTRACTING PARTY – The choice may be restricted in certain procedures, such as the public procurement process. There may be a statutory prohibition on entering into a cloud computing contract with foreign parties, persons from certain jurisdictions or persons not accredited/certified with competent State authorities. There may be a requirement for a foreign entity to form a joint venture with a national entity or to acquire local licences and permissions, including export control permissions, for the provision of cloud computing services in a particular jurisdiction.

  2. PRE-CONTRACTUAL RISK ASSESSMENT – It may be required by applicable mandatory law or may be undertaken by the parties in order to identify risk mitigation strategies.

Verification of information about a specific cloud computing service and a selected contracting party – Information that can be useful in this respect includes, e.g., IP licences required, privacy issues, confidentiality and security policies in place, measures in place to ensure the ongoing access to metadata, audit trails and other logs demonstrating security measures, the existing disaster recovery plan, policies in place as regards migration-to-the-cloud and end-of-service assistance as well as interoperability and portability, certification by an independent third party on compliance with technical standards, financial viability, insurance policies, possible conflicts of interest, extent of subcontracting and layered cloud computing services.

IP infringement risk – may arise in case of third party use of IP licence or if the customer is required to grant to the provider a licence to use the content that the customer intends to place in the cloud. The right to sublicense may need to be arranged, or a direct licence arrangement may need to be concluded with the relevant third party licensor. The use of open source software or other content may necessitate obtaining an advance consent from third parties.

Risks to data security, integrity, confidentiality and privacy – Adequate isolation of resources and data segregation and robust security procedures are especially important. Contractual clauses will play an important role in reflecting the agreement of the parties on the mutual allocation of risks and liabilities related to aspects of the provision of cloud computing services – those clauses will not be able to override mandatory provisions of law.

Penetration tests, audits and site visits – Laws and regulations may require audits, penetration tests and physical inspection of data centres involved in the provision of the cloud computing services, in particular to ascertain that their location complies with statutory data localization requirements.

Lock-in risks – Risks of application and data lock-ins are especially high in SaaS and PaaS. Data may exist in formats specific to one cloud system that will not be usable in other systems. At the pre-contractual stage, tests could be run to verify whether data and other content can be exported to another system and made usable there. Synchronization between cloud and in-house platforms and replication of data elsewhere may be needed – it may be assisted with contractual clauses.

Business continuity risks – The law may require putting in place in advance an appropriate strategy to ensure business continuity, in particular in order to avoid the negative impact of termination or suspension of the cloud computing services on end users.

Exit strategies – parties may need to clarify from the outset:

  • the content that will be subject to exit;
  • any amendments that would be required to IP licences to enable the use of that content in another system;
  • control of decryption keys and access to them;
  • the time period required to complete the exit.

  3. OTHER PRE-CONTRACTUAL ISSUES

Disclosure of information – The applicable law may require the parties to a contract to provide to each other information that would allow them to make an informed choice about the conclusion of the contract.

Confidentiality – The parties may agree that certain information disclosed at the pre-contractual stage should be treated as confidential. Written confidentiality undertakings or non-disclosure agreements may be required also from third parties involved in pre-contractual due diligence.

Migration to the cloud – the customer would usually be expected to classify data to be migrated to the cloud and secure it according to its level of sensitivity and criticality and inform the provider about the level of protection required for each type of data. The customer may also be expected to supply to the provider other information necessary for the provision of the services. In addition to the transfer of data and other content to the provider’s cloud, migration to the cloud may involve installation, configuration, encryption, tests and training of the customer’s staff and other end users. Those aspects may be part of the customer contract with the provider or be the subject of a separate agreement of the customer with the provider or third parties, such as cloud computing service partners.

Drafting the cloud services agreement

  1. GENERAL CONSIDERATIONS

Freedom of contracts – the principle of freedom of contracts in business transactions allows parties to enter into a contract and to determine its content.

Contract formation – the contract is concluded when the acceptance of the offer becomes effective. Standardized commoditized multi-subscriber cloud solutions are as a rule offered through interactive applications (e.g., “click-wrap” agreements). There may be no or very little room for negotiating and adjusting the standard offer. Clicking “I accept”, “OK” or “I agree” is the only step expected to be taken to conclude the contract.

Contract form – Cloud computing contracts are typically concluded online. The legal rules applicable to cloud computing contracts may require that the contract be in writing, especially where personal data processing is involved. Even when written form is not required, for ease of reference, clarity, completeness, enforceability and effectiveness of the contract, the parties may decide to conclude a contract in writing with all ancillary agreements incorporated thereto.

Definitions and terminology – The glossary of terms may be included in the contract, as may definitions of main terms used throughout the contract, to avoid ambiguities in their interpretation. The parties may wish to consider using internationally established terminology for the purpose of ensuring consistency and legal clarity.

Standard contract content

  • identifies the contracting parties;
  • defines the scope and object of the contract;
  • specifies rights and obligations of the parties, including payment terms;
  • establishes the duration of the contract and conditions for its termination and renewal;
  • identifies remedies for breach and exemptions from liability;
  • specifies the effects of termination of the contract;
  • includes clauses on dispute resolution, choice of law and choice of forum.

  2. IDENTIFICATION OF CONTRACTING PARTIES – The correct identification of contracting parties may have a direct impact on the formation and enforceability of the contract. The applicable law would specify the information needed to ascertain the legal personality of a business entity and its capacity to enter into a contract. The law may require additional information for specific purposes, for example, an identification number for tax purposes or power of attorney to ascertain the power of a natural person to sign and commit on behalf of a legal entity.
  3. DEFINING THE SCOPE AND THE OBJECT OF THE CONTRACT – The description of the object of the contract usually includes a description of a type of cloud computing services (SaaS, PaaS, IaaS or a combination thereof), their deployment model (public, community, private or hybrid), their technical, quality and performance characteristics and any applicable technical standards.

Service level agreement – The service level agreement (SLA) contains performance parameters against which the delivery of the cloud computing services, the extent of the contractual obligations and possible contractual breaches of the provider will be measured. Information technology specialists are normally involved in the formulation of the performance parameters. There are two types of performance parameters:

  • Quantitative,
  • Qualitative.

Performance measurement – The parties may include in the contract a measurement methodology and procedures, specifying in particular a reference period for the measurement of services, service delivery reporting mechanisms, the role and responsibilities of the parties and metrics to be used. The parties may agree on an independent measurement of performance and how the related costs are to be allocated.

Acceptable use policy – it sets out conditions for use by the customer and its end users of the cloud computing services covered by the contract. It aims at protecting the provider from liability arising out of the conduct of their customers and customers’ end users. Any potential customer is expected to accept such a policy, which will form part of the contract with the provider. The vast majority of standard AUPs prohibit a consistent set of activities that providers consider to be improper or illegal uses of cloud computing services. The AUP may restrict not only the type of content that may be placed in the cloud but also the customer’s right to give access to data and other content placed in the cloud to third parties (e.g., nationals of certain countries or persons included in sanctions lists). The parties may agree to remove some prohibitions to accommodate specific business needs of the customer to the extent that such removal would be permissible under law.

Security policy – involves shared responsibilities of the parties. Usually, the provider will follow its security policies. In some cases, although not in standardized commoditized multi-subscriber solutions, it might be possible to reach an agreement that the provider will follow the customer’s security policies. The contract may specify security measures. Some security measures do not presuppose the other party’s input but rely exclusively on the relevant party’s routine activities, such as inspections by the provider of the hardware on which the data is stored and on which the services run, and effective measures to ensure controlled access thereto. In other cases, allowing the party to perform its duties or evaluate and monitor the quality of security measures delivered may presuppose the input of the other party. Some threats to security may be outside the contractual framework between the customer and the provider and may require the terms of the cloud computing contract to be aligned with other contracts of the provider and the customer (e.g., with Internet service providers).

Data integrity – Providers’ standard contracts may contain a general disclaimer that the ultimate responsibility for preserving the integrity of the customer’s data lies with the customer, although some providers may be willing to undertake data integrity commitments (e.g., regular backups), possibly for an additional payment. Regardless of the contractual arrangements with the provider, the customer may wish to consider whether it is necessary to secure access to at least one usable copy of its data outside the provider’s and its subcontractors’ control, reach or influence and independently of their participation.

Confidentiality clause – The provider’s willingness to commit to ensuring the confidentiality of customer data depends on the nature of services provided to the customer under the contract, in particular whether the provider will be required to have unencrypted access to data for the provision of those services. In the absence of contractual commitments and statutory obligations on the provider to maintain confidentiality, the customer may have full responsibility for keeping data confidential. Where it is not possible to negotiate a general confidentiality clause applicable to all customer data placed in the cloud, the parties may agree on confidentiality commitments as regards some sensitive data (with a separate liability regime for breach of confidentiality of such data). The customer may in particular be concerned about its trade secrets, know-how and information that it is required to keep confidential under law or commitments to third parties. In some cases, the disclosure of customer data may be necessary for the fulfilment of the contract. In other cases, the disclosure may be mandated by law, for example, under the duty to provide information to competent State authorities.

Data protection/privacy policy or data processing agreement – Personal data is subject to special protection by law in many jurisdictions. Law applicable to personal data processing may be different from the law applicable to the contract. The contract may include a data protection or privacy clause, a data processing agreement or a similar type of agreement, although some providers may agree only to the general obligation to comply with applicable data protection laws. In some jurisdictions, such a general commitment may be insufficient: the contract would need to stipulate at a minimum the subject matter and the duration, nature and purpose of the personal data processing, the type of personal data and categories of data subjects and the obligations and rights of the data controller and the data processor. The customer will likely be the data controller and will assume responsibility for compliance with the data protection law in respect of personal data collected and processed in the cloud. Providers of standard contracts usually stipulate that the provider does not assume any data controller role. The provider will likely act as the data processor only when it processes the customer’s data according to instructions of the customer for the sole purpose of providing the cloud computing services. In some jurisdictions, the provider may, however, be regarded as the data controller, regardless of contractual clauses, when it further processes data for its own purposes or upon instructions of State authorities and could thus assume full responsibility for personal data protection in respect of that further personal data processing.

Obligations arising from data breaches and other security incidents – The parties may be required under law or contract (or both) to notify each other immediately of a security incident of relevance to the contract or any suspicion thereof that becomes known to them. That obligation may be in addition to general notification of a security incident that may be required under law to inform all relevant stakeholders. The law may contain specific security incident notification requirements, including the timing of notification, and identify the persons responsible for complying with them. Any notification requirements normally take into account the need not to disclose any sensitive information that could lead to the compromise of the affected party’s system, operations or network. The provider, the customer, or both, including by involving a third party, may be required by law or contract to take measures after a security incident (so-called “post-incident steps”), including the isolation or quarantine of affected areas, the performance of root cause analysis and the production of an incident analysis report. The incident analysis report may be produced by the affected party or by the affected party jointly with the other party or by an independent third party. Post-incident steps may vary depending on the categories of data stored in the cloud and other factors. A serious security incident resulting in, for example, a loss of data may lead to the termination of the contract.

Data localization requirements – Providers of standard terms may expressly reserve the right of the provider to store customer data in any country in which the provider or its subcontractors operate. Such a practice will most likely be followed even in the absence of an explicit contractual right, since it is implicit in the provision of cloud computing services that they are provided, as a general rule, from more than one location, which may not comply with data localization requirements applicable to either or both parties. Safeguards ensuring compliance with data localization requirements may be included in the contract, such as a prohibition on moving data and other content outside the specified location or a requirement of prior approval of such moves by the other party.

  4. RIGHTS TO CUSTOMER DATA AND OTHER CONTENT

Provider’s rights to customer data for the provision of services – Providers usually reserve the right to access customer data on a “need-to-know” basis. Certain rights to access customer data can be considered to be implicitly granted by the customer to the provider by requiring a certain service or feature: without those rights, the provider would not be able to perform the services. The contract may explicitly indicate which are the rights concerning data required for the performance of the contract that the customer grants to the provider, whether and to what extent the provider is entitled to transfer those rights to third parties (e.g., its subcontractors) and the geographical and temporal extent of the granted or implied rights. Contracts typically state whether the customer is able to revoke granted or implied rights and if so, under what conditions. Since the ability to provide the services at the required level of quality may depend on the rights granted by the customer, the direct impact of revocation of certain rights could be the amendment or termination of the contract.

Provider’s use of customer data for other purposes – The provider may request use of customer data for purposes other than those linked to the provision of the cloud computing services under the contract (e.g., for advertising, generating statistics, analytical or predictive reports, engaging in other data mining practices). Where the contract gives the provider rights to use the customer data for the provider’s own purposes, the contract may also list permissible grounds for such use, include obligations regarding de-identification and anonymization of customer data to ensure compliance with any applicable data protection and other regulations and impose limits on reproduction of content and communication to the public. It is common to permit the provider to use customer data for its own purposes only as anonymized open data or in aggregated and de-identified form during the term of the contract or beyond.

Provider’s actions as regards customer data upon State orders or for regulatory compliance – The providers’ standard terms may reserve the right for the provider, at its discretion, to disclose, or provide access to, customer data to State authorities. They also usually provide for the right of the provider to remove or block customer data immediately after the provider gains knowledge or becomes aware of illegal content or when it has to enforce the right of data subjects to be forgotten, in order to avoid liability under law. The parties may agree to narrow down the circumstances in which the provider can perform those actions. The parties may agree, at a minimum, that the customer will be notified without delay of State orders or the provider’s own decisions as regards customer data with a description of the data concerned, unless such notification would violate law. The parties may also agree on provisions as regards keeping, and providing customer access to, logs of all orders, requests and other activities as regards customer data.

Rights to cloud service-derived data – The parties may agree on customer rights to cloud service-derived data and how such rights can be exercised during the contractual relationship and upon termination of the contract.

IP rights protection clause – The contract may contain an express IP clause that will determine which party to the contract owns IP rights to various objects deployed or developed in the cloud and the use that the parties can make of such rights. Where no option to negotiate exists, the customer may wish to review any IP clauses to determine whether the provider offers sufficient guarantees and allows the customer appropriate tools to protect and enjoy its IP rights and avoid lock-in risks.

Interoperability and portability – The onus might be completely on the customer to create compatible export routines, unless the contract provides otherwise. The contract may require the use of common, widely used standardized or interoperable export formats for data and other content or provide choice among available formats. Contractual clauses may also be included to address rights to joint products and applications or software, without which the use of the data and other content in another system may be impossible.

Data retrieval for legal purposes – Customers may need to be able to search and find data placed in the cloud in its original form in order to meet legal requirements (e.g., in investigations). The electronic records may need to meet auditing and evidentiary standards.

Data deletion – The provider’s standard terms may contain only statements to delete customer data from time to time. The parties may agree on the deletion of data, its backups and metadata immediately, effectively, irrevocably and permanently, in compliance with the data retention and disposition schedules or other form of authorization or request communicated by the customer to the provider. The contract may address the time period and other conditions for data deletion, including obligations as regards a confirmation of the data deletion upon its completion and access to audit trails of the deletion activities. Particular standards or techniques for deletion may be specified, depending on the nature and sensitivity of the data.

  5. AUDITS AND MONITORING

Monitoring activities – The parties may need to monitor each other’s activities to ensure regulatory and contractual compliance (e.g., compliance of the customer and its end users with AUP and IP licences and compliance of the provider with SLA and data protection policy). The contract may identify periodic or recurrent monitoring activities, together with the party responsible for their performance and the obligations of the other party to facilitate monitoring. The contract may also anticipate any exceptional monitoring activities and provide options for handling them. The contract may also provide for reporting requirements to the other party as well as any confidentiality undertakings in conjunction with such monitoring activities.

Audit and security tests – The contract may include clauses that address the audit rights of both parties, the scope of audits, recurrence, formalities and costs. It may also oblige the parties to share with each other the results of the audits or security tests that they commission. The contractual rights or statutory obligations for audit and security tests may be complemented in the contract with corresponding obligations of the other party to facilitate the exercise of such rights or fulfilment of those obligations. Parties may agree that audits or security tests may be performed only by professional organizations or that the provider or the customer may choose to have the audit or security test performed by a professional organization.

  6. PAYMENT TERMS

Pay-as-you-go – It is common for the contract to specify the price per unit for the agreed volume of supply of the cloud computing services (e.g., for a specified number of users, number of uses or time used). Price scales or other price adjustments, including volume discounts, may be designed as incentives or penalties for either of the parties. Free trials are common. It is also common not to charge for some services.

Licensing fees – The licensing fees may be calculated on a per-seat or per-instance basis and fees may vary depending on the category of users. The contract may identify the total number of potential users of software covered by the licence arrangement, the number of users in each category and the rights to be granted to each category of users. The contract may also identify access and use rights that will be included in the scope of the licence and cases of access and use by the customer and its end users that may lead to an expanded scope of the licence and consequently to increased licensing fees.

Additional costs – The price may cover also one-off costs (e.g., configuration and migration to the cloud). There could also be additional services offered by the provider against separate payment (e.g., support after business hours charged per time or provided for a fixed price).

Other payment terms – Payment terms may cover invoicing modalities (e.g., e-invoicing) and the form and content of the invoice, which may be important for tax compliance. The parties may wish to include, among other payment terms, payment due date, currency, the applicable exchange rate, manner of payment, sanctions in case of late payment and procedures for resolving disputes over payment claims.

  7. CHANGES IN SERVICE

Changes in price – The provider may reserve the right to unilaterally modify the price or price scales. The parties may agree to specify in the contract the pricing methodology. The prices may be capped to a specific consumer price index, to a set percentage or to the provider’s price list at a given moment. The contract may provide for advance notice of a price increase and the consequences of non-acceptance of the price increase by the customer.

Upgrades – The parties may agree on advance notification to the customer of pending upgrades and the implications thereof and that upgrades, as a rule, will take place during periods of little or no demand for the customer. The contract may also provide for procedures for reporting and solving possible problems. The contract may provide for the allocation of the costs arising from upgrades. The parties may also agree that the older version of the provided service should be retained in parallel with the new version for an agreed period of time in cases where significant changes are to be made to the previous version, in order to ensure the customer’s business continuity. The contract may also address assistance that may be offered by the provider with changes to customer applications or information technology systems and with retraining of the customer’s end users, when required.

Degradation or discontinuation of services – Technological developments, competitive pressure or other causes may lead to the degradation of some cloud computing services or their discontinuation with or without their replacement by other services. The provider may reserve in the contract the right to adjust the service portfolio offering. The contract may provide for an advance notification of those changes to the customer, the customer’s right to terminate the contract in the case of unacceptable changes and an adequate retention period to ensure the timely reversibility of any affected customer data or other content.

Notification of changes – The providers’ standard terms may contain an obligation on the provider to notify the customer about changes in the terms of services. If not, customers may be required to check regularly whether there have been any changes in the contract. Since the continued use of services by the customer is deemed to be acceptance of the modified terms, the parties may agree that the customer will be notified of changes in the terms of services sufficiently in advance of their effective date. The parties may also agree that the customer will have access to audit trails concerning the evolution of services and that all agreed terms and the definition of the services by reference to a particular version or release will be preserved.

  8. SUSPENSION OF SERVICES – The providers’ standard terms may contain the right of the provider to suspend services, at its discretion, at any time. “Unforeseeable events” is a common justification for unilateral suspension of services by the provider. The parties may agree that suspension of services may occur only in limited cases identified in the contract (e.g., in case of fundamental breach of the contract by the customer, for example, non-payment).
  9. SUBCONTRACTORS, SUB-PROVIDERS AND OUTSOURCING

Identification of the subcontracting chain – Subcontracting, layered cloud computing services and outsourcing are common in the cloud computing environment. The providers’ standard terms may explicitly reserve the provider’s right to use third parties for the provision of the cloud computing services to the customer, or that right may be implicit because of the nature of services to be provided. The provider may be interested in retaining as much flexibility as possible in that respect. The law may require the parties to identify in the contract any third parties involved in the provision of the cloud computing services. Such identification may also be beneficial to the customer for verification purposes, in particular of compliance of third parties with security, confidentiality, data protection and other requirements arising from the contract or law and of the absence of conflicts of interest on the part of third parties. That information may be used for mitigation of risks of non-performance of the contract by the provider due to failures of third parties.

Changes in the subcontracting chain – The contract may specify whether changes in the subcontracting chain are permitted and if so, under which conditions. Alternatively, the contract may include the list of third parties pre-approved by the customer, from which the provider can choose when the need arises. Another option is to subject the change to subsequent approval by the customer, in the absence of which services would need to continue with the previous or other pre-approved third party or with another third party to be agreed by the parties. Otherwise, the contract may be terminated.

Alignment of contract terms with linked contracts – The law or the contract may require the parties to align the terms of the contract with existing or future linked contracts to ensure confidentiality and compliance with data localization and data protection requirements. The contract may oblige parties to supply each other with copies of linked contracts for verification purposes.

Liability of subcontractors, sub-providers and other third parties – Third parties would be liable for obligations under their contracts with the provider. The creation of third party beneficiary rights for the benefit of the customer in linked contracts, or making the customer a party to linked contracts, would allow the customer’s direct recourse against the third party in case of that third party’s non-performance under a linked contract. Under applicable law or contract, the provider may be held liable to the customer for any issue within the responsibility of any third party whom the provider involved in the performance of the contract.

  1. LIABILITY

Statutory limitations to contractual freedom – The data protection law of certain jurisdictions imposes more liability on the data controller than on data processors of personal data. Notwithstanding contractual provisions, the factual handling of such data will generally determine the legal regime to which the party would be subject under applicable law. Data subjects who have suffered loss resulting from unlawful processing of personal data or any act incompatible with domestic data protection regulations may be entitled to compensation directly from the data controller. Some types of limitation clauses, such as waiver of liability by the provider for security incidents in cases where the customer has no control or ability to effect security, may be found to be “abusive” and therefore invalid.

Other considerations for drafting liability clauses – The amount, if any, charged for the cloud computing services and the risks involved in the provision of the services would all be considered in negotiating the allocation of risks and liabilities. Although parties generally tend to exclude or limit liability as regards factors that they cannot control or can control only to a limited extent (e.g., behaviour of end users, actions or omissions of subcontractors), the level of control would not always be a decisive consideration. A party may be prepared to assume risks and liability for elements that it does not control in order to distinguish itself in the market place. It is nevertheless likely that the party’s risks and liabilities would increase progressively in proportion to the components under its control.

Provider’s standard terms – Providers’ standard terms may exclude any liability under the contract and take the position that liability clauses are non-negotiable. Alternatively, the provider may be willing to accept liability, including unlimited liability, for breaches controllable by the provider but not for breaches that may occur for reasons beyond the provider’s control. Providers’ standard terms generally exclude liability for indirect or consequential loss. Providers’ standard terms usually impose liability on the customer for non-compliance with the AUP.

Possible variations of standard terms – Some events could expose either party to potentially high liability to third parties or give rise to regulatory fines. It is common to agree on a more stringent liability regime (unlimited liability or higher compensation) when those events occur due to the fault or negligence of the other party. Liability of the parties for actions of third parties that they cannot foresee or control may be limited or excluded by contract or law.

Liability insurance – The contract may contain insurance obligations for both or either party, in particular as regards quality requirements for an insurance company and the minimum amount of insurance coverage sought. It may also require parties to notify changes to the insurance coverage or provide copies of current insurance policies to each other.

  1. REMEDIES FOR BREACH OF THE CONTRACT

Types of remedies – The parties are free to select remedies within the limits of applicable law. The contract could differentiate between types of breaches and specify corresponding remedies.

  • in-kind remedies (e.g., replacement of the defective hardware),
  • monetary remedies (e.g., service credits),
  • termination of the contract.

Suspension or termination of services – This is a usual remedy of the provider for the customer’s breach of the contract or violation of the AUP by the customer’s end users. The contract may include safeguards against broad suspension or termination rights.

Service credits – These take the form of a reduced fee for the services to be provided under the contract in the following measured period. Providers may limit the circumstances in which service credits are given. Some providers may be willing to offer a refund of fees already paid or an enhanced service package in the following measured period. Providers’ standard terms may stipulate that any remedy for provider non-performance will be at the choice of the provider. Fixing service credits as the sole and exclusive remedy against the provider’s non-performance of its contractual commitments may limit the customer’s rights to other remedies, including suing for damages or terminating the contract.

Formalities to be followed in case of the breach of the contract – The contract may set forth procedures to be followed in cases of breach. For example, the contract could require a party to notify the other party when any terms of the contract are deemed to be violated and to provide a chance to remedy such asserted violation.

  1. TERM AND TERMINATION OF THE CONTRACT

Effective start date of the contract – The effective start date of the contract may be different from the signature date, the date of acceptance of the offer or the date of acceptance of configuration and other actions required for the customer to migrate to the cloud. The date when the cloud computing services are made available to the customer by the provider, even if they are not actually used by the customer, may be considered the effective start date of the contract. The date of the first payment by the customer for the cloud computing services, even if they are not yet made available to the customer by the provider, may also be considered the effective start date of the contract.

Duration of the contract – The duration of the contract could be short, medium or long. It is common in standardized commoditized multi-subscriber cloud solutions to provide for a fixed initial duration (short or medium), with automatic renewals unless terminated by either party.

Earlier termination – The contract may provide modalities for earlier termination, including requirements for sufficient advance notice, reversibility and other end-of-service commitments.

Termination of the contract for convenience – Providers’ standard terms usually reserve the right of the provider to terminate the contract at any time without customer default. The parties may agree to limit the circumstances under which such a right could be exercised and oblige the provider to serve the customer with sufficient advance notice of termination. The customer’s right to terminate the contract for convenience is especially common in public contracts.

Termination for breach – Fundamental breach usually justifies termination of the contract. To avoid ambiguities, the parties should define in the contract the events that constitute a fundamental breach of the contract. Fundamental breach of the contract by the provider may include data loss or misuse, personal data protection violations, recurrent security incidents, confidentiality leaks and non-availability of services at certain time points or for a certain period of time. Non-payment by the customer and violation of the AUP by the customer or its end users are among the most common reasons for termination of the contract by the provider.

Termination due to unacceptable modifications of the contract – Such modifications might include changes to data localization requirements or subcontracting terms. The contract may also provide for the customer’s right to terminate the entire contract if modifications to the contract due to the restructuring of the provider’s service portfolio lead to termination or replacement of some services.

Termination in case of insolvency – Clauses allowing termination of the contract in the event of insolvency of either party are common. An insolvent customer may need to continue using the cloud computing services while resolving its financial difficulty. The parties may specify in the contract, or the law may provide for, mechanisms for the retrieval of customer data in case of the provider’s insolvency (e.g., an automatic release of the source code or key escrow allowing access to the customer data and other content).

Termination in case of change of control – The applicable law may require termination of the contract if as a result of the change of control, mandatory requirements of law cannot be fulfilled. Public contracts may, in particular, be affected by statutory restrictions on the change of control. In addition, the parties may agree about termination of the contract in case of change of control, in particular if, as a result of such change, the provider or the contract is taken over by the customer’s competitor or if the takeover leads to discontinuation of, or significant changes in, the service portfolio. Requiring an advance notice of an upcoming change of control and its expected impact on the contract is common.

Inactive account clause – Customer inactivity for a certain time period specified in the contract may be a ground for unilateral termination of the contract by the provider.

  1. END-OF-SERVICE COMMITMENTS

Time frame for export – The parties may specify in the contract a time frame for export, which may need to be sufficiently long to ensure a smooth export by the customer of its data and other content to another system.

Customer access to the content subject to export – The contract would specify data and other content subject to export and ways of gaining customer access. To facilitate the export of the customer’s data with the minimal involvement of the provider, the parties may agree on an escrow arrangement. The contract may also specify export options, including their formats and processes, to the extent possible, recognizing that they may change over time.

Export assistance by the provider – The provider may be expected under law to ensure that such export is possible and simple. Where the parties agreed on the provider’s involvement in the export of customer data to another system, the contract may specify details, such as the extent, procedure and time period for export assistance. The provider may require separate payment for the provision of export assistance.

Data deletion – The contract may need to specify rules for data deletion from the provider’s cloud infrastructure upon export or expiration of the period specified in the contract for export. The data deletion may be done automatically by the provider or, alternatively, data may be deleted only upon a specific customer’s request and instructions.

Post-contract retention of data – The provider might be required to retain customer data by law, in particular a data protection law. The parties may agree on the retention of customer data by the provider after the termination of the contract. The parties may include special requirements as regards data that is not or cannot be returned to the customer and whose deletion would not be possible.

Post-contract confidentiality clause – Confidentiality obligations may survive the contract for a specified number of years after the contract is terminated or may continue indefinitely.

Post-contract audits – The parties may agree on terms for carrying out such audits, including the time frame and allocation of costs.

Leftover account balance – The parties may agree on conditions for the return to the customer of leftover amounts on its account or for the offset of those amounts against any additional payments that the customer would need to make to the provider, including for end-of-service activities or to compensate damage.

  1. DISPUTE RESOLUTION

Arbitral proceedings – The parties may wish to verify the arbitrability of their disputes before opting for arbitration. An arbitration clause in a contract would usually refer to a set of arbitration rules to govern arbitral proceedings. A contract can include a standard dispute resolution clause referring to the use of internationally recognized rules for the conduct of dispute resolution proceedings. Not all issues may, however, be referred to arbitration; some may be reserved by law for adjudication by a court.

Online dispute resolution – The parties may opt for an ODR mechanism for some or all categories of disputes arising from their contract subject to limitations imposed by law. The contract may specify the scope of issues subject to ODR and the ODR platform and rules to be used in the proceedings. In some cases, ODR could be embedded in the cloud service package offered by the provider with an opt-out possibility.

Judicial proceedings – If judicial proceedings are to take place, due to the nature of cloud computing services, several States might claim jurisdiction. Where possible, parties may agree on a jurisdiction clause under which they are obligated to submit disputes to a specific court.

Retention of data – The contract may specifically provide that, in case of disputes between the parties, the customer’s data will be retained by the provider and the customer will have access to its data for a reasonable period of time, regardless of the nature of the dispute. The parties may also agree on an escrow arrangement.

Limitation period for complaints – The parties may specify in the contract the limitation period within which claims may be brought.

  1. CHOICE OF LAW AND CHOICE OF FORUM CLAUSES

Mandatory law and forum – The law and the forum of a particular jurisdiction may be mandatory on various grounds:

  • The accessibility of the cloud computing services in the territory of a particular State may be sufficient for the application of the data protection law of that State;
  • The nationality or residence of the affected data subject or the contracting parties, in particular the data controller, may trigger the application of the law of that data subject or the party;
  • The law of the place in which the activity originated (the location of the equipment) or to which the activity is directed for the purpose of extracting benefits may trigger the application of the law of that place.

Provider or customer home law and forum – Contracts for standardized commoditized multi-subscriber cloud solutions often specify that they are governed by the law of the provider’s principal place of business or place of establishment. Providers that operate in multiple jurisdictions may be flexible as regards accepting the choice of the law and forum of the country where the customer is located.

Multiple options – The parties may also specify various choice of law and forum options for different aspects of the contract.

No choice of law or forum – The parties may prefer no choice of law or forum clause in their contract, leaving the question open for later discussion if and when needed.

  1. NOTIFICATIONS – Notification clauses usually address the form, language, recipient and means of notification, as well as when the notification becomes effective (upon delivery, dispatch or acknowledgment of receipt). The parties may agree on the deadlines, keeping in mind reversibility and business continuity needs. The contract may contain references to any notifications and deadlines imposed by law.
  1. MISCELLANEOUS CLAUSES – Parties often group under miscellaneous clauses provisions that do not fall under other parts of the contract. Some of them may contain a standard text appearing in all types of commercial contracts (so called “boilerplate provisions”). Examples include a severability clause allowing the removal of invalid provisions from the contract or a language clause identifying a certain language version of the contract as prevailing in case of conflicts in interpretation of various language versions. Placing contractual clauses among miscellaneous provisions does not diminish their legal significance. Some of them may be tailored by the parties to the specifics of cloud computing services.
  1. AMENDMENT OF THE CONTRACT – The contract would address the procedure for introducing amendments and making them effective. The contract may also need to address the consequences of rejection of amendments by either party. In the light of the nature of cloud computing services, it might be difficult to differentiate changes that would constitute amendment of the contract from those changes that would not. For example, the customer’s use of any options made available from the outset in the contract would not necessarily constitute an amendment of the initial contract, nor would changes in services resulting from routine maintenance and other activities of the provider covered by the contract. The addition of features not covered by the originally agreed terms and thus justifying changes in price may, on the other hand, constitute amendment of the contract. Any updates leading to material changes to previously agreed terms and policies may also constitute an amendment of the contract.

Main source: https://uncitral.un.org/en/cloud/subcontracting
