Organizations can only reap the advantages of Cloud computing once the contract for such a service has been agreed and is water-tight. This article provides a guide for what contract managers need to consider when negotiating a deal for their organizations’ ‘Cloud’.
Today it is possible to contract for ‘on-demand’, internet-based computing in which shared resources and information are provided, i.e., the phenomenon known as ‘Cloud’ computing. In addition to economies of scale enjoyed by multiple users, one of the big advantages is that work can be allocated depending upon the time zone users are operating in. Thus, entities operating during European business hours would not be operating at the same time as users in North America. The result is a reduced overall cost of the resources including reduced operating and maintenance expenses. In addition, multiple users can obtain access to a single server without the need to purchase licenses for different applications. Moreover, it has the advantages of a ‘pay-as-you-go’ model as well as a host of other potential advantages which have been referred to as ‘agility’, ‘device and location independence’, ‘scalability and elasticity’, etc. Nevertheless, questions remain and Cloud computing presents potential commercial and contractual pitfalls for the unwary.
It is clear that despite some unanswered questions, computing resources delivered over the internet are here today and here to stay. Analogous to a utility, the advantages of the ‘Cloud’ allow the cost of the infrastructure, platform and service delivery to be shared amongst many users. But does this in any way change basic contracting principles and time-honored, sound contract management practices? The short answer is “No”. However, this does not detract from the fact that contracting for and managing contracts for Cloud computing services can be a challenge. The complexity associated with such contracts can be reduced by addressing some early threshold questions.
“All wisdom begins by calling things by their proper name.”
Definitions are of vital importance in any contract, including ones for Cloud computing.
A key concern is data security. Thus, it is important to define what is meant by ‘data’ and distinguish between ‘personal data’ and ‘other data’. A distinction can be made between data that is identified to or provided by the customer and information that is derived from the use of that data, e.g., metadata. Careful attention should be paid to how the contract defines ‘consent’ to use derived data. Generally, any such consent should be explicit and based upon a meaningful understanding of how the derived data is going to be used.
Security standards might warrant different levels of security depending upon the nature of the data. Likewise, what is meant by ‘security’? The tendency is to define security only in technical terms, but security should be defined to include a broad range of data protection obligations. There are, of course, many other potential key terms that warrant careful definition in contracts for Cloud computing services. However, this is nothing new to the field of good contracting and sound contract management practices.
Naturally, if personal or confidential information is going to be entrusted to a third party, the recipient must comply with appropriate contractual controls and statutory requirements regarding privacy and confidentiality. This is why taking the time to define things carefully is so important. Simply asserting that those security considerations will be ‘reasonable’ or comply with ‘industry standards’ falls short of what is necessary. Abstract promises should be rejected in favor of specific protocols and clear audit requirements as well as the obligation to comply with specific legal requirements. This is true for all transactions.
‘Notice’ provisions are common in contracts. It follows that if you are contracting for computing resources delivered over the internet you’d want clearly defined notice provisions that would require notice of any security breaches as well as any discovery requests made in the context of litigation. ‘Storage’ is also a key concept and term to be addressed and warrants special attention. From a risk management standpoint you’d also want to understand the physical location of the equipment and data storage. Perhaps geographical distance and diversity are both a challenge and an opportunity in terms of risk management.
Defining success is always a challenge in any contract. The enemy of all good contracts is ambiguity. When it comes to ‘availability’, users should avoid notions that the service provider will use its ‘best efforts’ and exercise ‘reasonable care’. Clear availability targets are preferred since there must be a way to measure availability. Usually, availability measured in terms of an expressed percentage ends up being difficult if not impossible to understand let alone enforce. Expressing availability in terms of units of time (e.g., a specified number of minutes per day of down time) is preferable.
“A good beginning makes for a good ending.”
Early on, it makes sense to focus on the deployment model that works best for your organization. These fall into three basic categories: Private Cloud, Public Cloud and Hybrid Cloud. As the name suggests, a Private Cloud is an infrastructure operated for or by a single entity whether managed by that entity or some other third party. A Private Cloud can, of course, be hosted internally or externally. A Public Cloud is when services are provided over a network that is open to the public and may be free. Examples of Public Cloud providers include Google, Amazon and Microsoft, which provide services generally available via the internet. A Hybrid Cloud (sometimes referred to as a ‘Community Cloud’) is composed of private and/or public entities that have decided to enter into some arrangement.
Consider the type of contractual arrangement. Is the form of contract essentially a ‘service’, ‘license’, ‘lease’ or some other form of contractual arrangement? Service agreements, licenses and leases have different structures. Perhaps the contract for Cloud computing services contains aspects of all these different types of agreements, including ones for IT infrastructure. Best to consider this early. Yet, such considerations are common to all contracting efforts.
A threshold question is whether the data being stored or processed is being sent out of the country, and what special legal compliance issues are associated with that. However, essentially all the normal contractual concerns apply to contracts involving the ‘Cloud’. These include termination or suspension as well as the return of data in the case of threats to security or data integrity. Likewise, data ownership, data commingling, access to data, service provider viability, integration risks, publicity, service levels, disaster recovery and changes in control or ownership are all important in all contracts involving personal, sensitive or proprietary information, including contracts involving Cloud computing services.
How such services are taxed at the local or even international levels also presents some interesting questions, the answers to which may vary by jurisdiction and over time. However, the tax implications of cross-border transactions by multinationals are hardly a new topic.
Although the issues are many, they are closely related to what any good negotiator or contract manager would consider early on. Developing a checklist can often be a useful exercise, especially when dealing with a new topic like Cloud computing.
Such a checklist might include:
It has been said that the true ‘art of the deal’ is living with the deal. Nowhere is this more important than in Cloud computing contracts. There are several reasons for this. First, this is a new area and there will be uncertainty associated with any such transaction. Second, it is unlikely that users will be able to impose unilaterally favorable commercial terms on service providers. Accordingly, a plan and budget for managing the transaction post-execution via a CMP is vitally important.
What is so very interesting is that despite the relative newness and some unanswered questions about the ‘Cloud’, the time-honored principles regarding contracting and good contract management practices remain applicable. Once upon a time the abacus was high tech. There were contracts back then applying the same principles we live by today in our commercial transactions. Never lose sight of the basics.
About the author
Paul Humbert is President of The Humbert Group, LLC, a New York City area consulting firm that provides consulting services regarding process improvement and transactional matters. He has co-authored several books for use in contract development and implementation, project management, and process improvement endeavors. They include: Playbook for Managing Supply Chain Transactions with Desktop Tools, References and Sample Forms, Contract and Risk Management for Supply Chain Management Professionals, Model Contract Terms and Conditions with Annotations and Case Summaries.
Reprinted by permission
Acknowledgment: The article was first published in The European Financial Review December/January 2016 edition, December 28, 2015. Permission to reprint granted by source.