Negotiating cloud contracts - check fine print for liability

Are cloud service providers seeking to exclude all risks and are customers taking on greater risks than they need to?

In the first part of this feature, we offered some advice on the best practice recommendations including local law for local customers, identifying location of data centres and having documented management systems, processes and resources.  In this part, we conclude our best practice recommendations:

Clear SLAs showing average availability times
Service providers will point out that their cloud solutions are often more resilient than the average on-premise solution.  Simply put, not all on-premise solutions come with promises of service availability or the same sophisticated level of back-up or failover that a cloud service provider can offer.

The provider will specify its promise of availability and resilience in its SLA and the customer should check this. For example, what is the service provider’s record like – any recent headline-grabbing stories for the wrong reason?  Does the provider publish average availability times?  Does the provider offer service credits for not meeting the promised levels of service?

Clear statements of what losses a cloud service provider will cover
Every business seeks to increase reward while reducing risk and the cloud sector is no different. 

In a recent Cloud Industry Forum survey, just over half of the customer sample, 54 percent, stated that their cloud service provider sets limits on its liability, and 34 percent reported that their provider excludes liability for data loss in their contracts.


Without doubt, the best protection is for a customer to evaluate practical issues to avoid liability becoming an issue in the first place, such as resilience, failover and disaster recovery options available from the provider.

Again, for those customers seeking cheap, standardised public cloud solutions, the provider is unlikely to take on a great level of risk, so the customer must choose carefully.  However, a customer looking for a bespoke or private cloud solution will have a greater opportunity to negotiate this balance. 

Cloud service providers will at least offer a minimum level of service that is of "satisfactory quality" and "fit for the purpose" described in the published specification.  Customers should consider whether they can buy a Gold or Platinum service to get a better service and a more acceptable share of risk by the provider.  A cloud service provider might even consider offering higher liability coverage in return for the customer paying a higher fee.

Changing and terminating the contract
Cloud service providers are entitled to terminate the service for non-payment, customer insolvency or breach.  Probably the most high-profile example of this is where the provider stopped hosting Wikileaks on the basis that it had breached its terms of use.

While a customer should acknowledge that the provider can terminate the contract in certain circumstances, at the least the provider should specify and honour minimum periods where appropriate before terminating, and give the customer the opportunity to retrieve its data and migrate the service to a new provider.  Moreover, in a negotiated relationship, it is unreasonable for the provider to change the contract simply by giving the customer notice; at the least, the provider should give the customer advance warning of the changes, allowing the customer to move to a new provider if it does not agree with them.

Adequate opportunity for customers to retrieve their data
Where the cloud service ends, for whatever reason, the service provider will not want to hold on to the customer’s data any longer than is absolutely necessary.

Generally a customer should have control over its data and should have the opportunity to export its data before a provider deletes it.  A provider may want to delete data straight away where that data infringes third party rights or is in breach of data protection legislation.  The provider should retain the data for a time, even if it "quarantines" the data while it resolves a dispute with the customer.  The customer should be able to access and migrate its data during an agreed period, even if the provider levies an additional charge for this.

Migration assistance to a replacement provider
No customer wants to be locked in to a cloud service provider indefinitely.  Most customers will accept minimum or rolling periods and will accept that familiarity with a particular software package or simply the hassle factor of migrating to a new provider will act as a form of lock-in. 

But customers will want to be able to migrate at some point.  Migrating data outside the EU may give rise to data protection implications and the customer may have to indemnify the outgoing provider if it breaches data protection legislation by following the customer’s orders.

A service provider offering a flexible cloud service should specify (if it is not already obvious) whether its systems are proprietary and not interoperable with recognised industry standards.  It should also offer a migration service to customers with a clear charging structure. 

Best practice recommendations include:

  • Local law for local customers
  • Identifying location of data centres
  • Documented management systems, processes and resources
  • Clear SLAs showing average availability times
  • Clear statements of what losses a cloud service provider will cover
  • Changing and terminating the contract
  • Adequate opportunity for customers to retrieve their data 
  • Migration assistance to a replacement provider

Frank Jennings is chair of the code governance board of the Cloud Industry Forum and partner in law firm DMH Stallard LLP. The CIF and DMH Stallard recently collaborated on a White Paper on contracting cloud services.

Frank focuses on tech law, including cloud.
