Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)

Digital image with blue and light-filled colors. A map in the background with a honeycomb overlay and small locks that are unlocked.

180907-N-BK152-003 by NSWC Crane Corporate Communications is in the public domain


Acceptable use policy (AUP)

Data processor

Insolvency representative

Persistency of data storage

Sector-specific regulations


Data subject


Personal data

Security incident

Cloud computing services

Data subjects' rights

Intellectual property (IP) licences

Personal data processing

Service level agreement (SLA)

Cloud computing service partners

Deployment models


Platform as a service (PaaS)

Software as a service (SaaS)

Cloud service-derived data

Downtime or outages

Layered cloud computing services


Standardized commoditized multi-subscriber cloud solutions

Data controller

First response time


Recovery point objectives (RPOs)


Data deletion



Recovery time objectives (RTO)

Written or in writing

Data localization requirements

Infrastructure as a service (IaaS)

Performance parameters




Acceptable use policy (AUP): Part of the cloud computing contract between the provider and the customer that defines the limits of use by the customer and its end users of the cloud computing services covered by the contract.

Audit: The process of examining compliance with contractual and statutory requirements or technical standards. It may cover technical aspects, such as the quality and security of hardware and software; compliance with any applicable industry standards; and the existence of adequate measures, including isolation, to prevent unauthorized access to and use of the system and to assure data integrity. The audit may be internal or external or be done by an independent third party appointed by either the provider, the customer or both. The service level agreement (SLA) may contain specific performance parameters related to audit, e.g., that the services provided under the contract are certified at least annually by an independent auditor against a security standard identified in the contract.

Cloud computing services: online services characterized by:

           (a)      Broad network access, meaning that services can be accessed over the network from any place where the network is available (e.g., through the Internet), using a wide variety of devices, such as mobile phones, tablets and laptops;

           (b)      Metered delivery, allowing usage of the resources to be monitored and charged by reference to level of usage (on a pay-as-you-go basis);

           (c)      Multi-tenancy, meaning that physical and virtual resources are allocated to multiple users whose data are isolated and inaccessible to one another;

           (d)      On-demand self-service, meaning that services are used by the customer as needed, automatically or with minimal interaction with the provider;

           (e)      Elasticity and scalability, meaning the capability for rapidly scaling up or down the consumption of services according to the customer's needs, including large-scale trends in resource usage (e.g., seasonal effects);

           (f)       Resource pooling, meaning that physical or virtual resources can be aggregated by the provider in order to serve one or more customers without their control or knowledge over the processes involved;

           (g)      A wide range of services from the provision and use of simple connectivity and basic computing services (such as storage, emails and office applications) to the provision and use of the whole range of physical information technology infrastructure (such as servers and data centres) and virtual resources needed for the customer to build its own information technology platforms, or deploy, manage and run customer-created or customer-acquired applications or software. Infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS) are types of cloud computing services.

Cloud computing service partners (e.g., cloud auditors, cloud service brokers and system integrators): Persons engaged in support of, or auxiliary to, activities of either the provider or the customer or both. Cloud auditors conduct an audit of the provision and use of cloud computing services. Cloud service brokers or system integrators assist parties with a wide range of issues, e.g., with finding the right cloud solution, negotiating acceptable terms and migrating the customer to the cloud.

Cloud service-derived data: Data under the control of the provider that are derived as a result of the use by the customer of the cloud computing services of that provider. It includes metadata and any other log data generated by the provider containing records of who used the services, at what times, which functions and which types of data are involved. It can also include information about authorized users, their identifiers and any configuration, customization and modification.

Data controller: A person that determines the purposes and means of the processing of personal data.

Data deletion: A sequence of operations designed to irreversibly erase data, including its backups and metadata, and other content from the cloud computing infrastructure (physical and virtual). In some cases, data deletion may require the destruction of the physical infrastructure (e.g., the servers) on which the data were stored. The service level agreement (SLA) may contain a specific performance parameter related to data deletion, e.g., that the provider ensures that the customer's data are effectively, irrevocably and permanently deleted wherever requested by the customer within a certain time period identified in the contract and in compliance with the standard or method identified in the contract.

Data localization requirements: Requirements relating to the location of data and other content or data centres or the provider. They may prohibit certain data (including metadata and backups) from residing in or transiting into or out of a certain area or jurisdictions or require that prior approval be obtained from a competent State body for that. They are often found in data protection law and regulations, which may in particular prohibit personal data from residing in or transiting into jurisdictions that do not adhere to certain standards of personal data protection.

Data processor: A person that processes the data on behalf of the data controller.

Data subject: A natural person who can be identified, directly or indirectly, by data, including by reference to such identifiers as name, an identification number, location and any factors specific to the physical, genetic, mental, economic, cultural or social identity of the person. In a number of jurisdictions, data subjects enjoy under data protection or data privacy regulations certain rights with respect to the data that can identify them. Those regulations may trigger the inclusion in the service level agreement (SLA) of data protection-specific performance parameters, such as that the services provided under the contract are certified at least annually by an independent auditor against the data protection/privacy standard identified in the contract. (See also data subject's rights and personal data)

Data subjects' rights: Rights associated with data subjects' personal data. Data subjects under law may enjoy the right to be informed about all significant facts related to their personal data, including data location, use by third parties and data leaks or other data breaches. They may also have the right to access their personal data at any time, the right to erasure of their personal data (pursuant to the right to be forgotten), the right to restrict processing of their personal data and the right to portability of their personal data.

Deployment models: The various ways in which cloud computing services are organized, based on the control and sharing of physical or virtual resources:

           (a)      Public cloud, where cloud computing services are potentially available to any interested customer and resources are controlled by the provider;

           (b)      Community cloud, where cloud computing services exclusively support a specific group of related customers with shared requirements and resources are controlled by at least one member of that group;

           (c)      Private cloud, where cloud computing services are used exclusively by a single customer and resources are controlled by that customer;

           (d)      Hybrid cloud, where at least two different cloud deployment models are used.

Downtime or outages: The time when the cloud computing services are not available to the customer. That time is excluded from the calculation of uptime or availability. Time for maintenance and upgrades is usually included in downtime. It may be defined in the service level agreement (SLA) as a number of permissible outages of a specified time duration for a given period, e.g., not more than one outage of one hour per day and not between 8:00 and 17:00.

First response time: The time between when the customer reports an incident and the provider's initial response to it.

Follow-the-sun: A model in which the workload is distributed among different geographical locations to more efficiently balance resources and demand. The purpose of the model may be to provide round-the-clock services and to minimize the average distance between servers and end users in an effort to reduce latency and maximize the speed with which data can be transmitted from one device to another (data transfer rate (DTR) or throughput).

Infrastructure as a service (IaaS): Types of cloud computing services with which the customer can obtain and use processing, storage or networking resources. The customer does not manage or control the underlying physical or virtual resources, but does have control over operating systems, storage and deployed applications that use the physical or virtual resources. The customer may also have limited ability to control certain networking components (e.g., host firewalls).

Insolvency representative: A person or body authorized in insolvency proceedings to administer the reorganization or the liquidation of the assets of the insolvent debtor that are subject to the insolvency proceedings.

Interoperability: The ability of two or more systems or applications to exchange information and to mutually use the information that has been exchanged.

Intellectual property (IP) licences: Agreements between an IP rights owner (the licensor) and a person authorized to use those IP rights (the licensee). They usually impose restrictions and obligations on the extent and manner in which the licensee or third parties may use the licenced property. For example, software and visual content (designs, layouts and images) may be licensed for specific use, not allowing copying, modification or enhancement, and be restricted to a certain medium. The licences may be limited to a particular market (e.g., national or (sub)regional), a number of users or a number of devices, or may be time-bound. Sub-licensing may not be permitted. The licensor may require reference to be made to the IP rights owner each time the IP rights are used.

Latency: The delay between a user's request and a provider's response to it. It affects how usable the cloud computing services actually are. In the service level agreement (SLA), the latency is usually expressed in milliseconds.

Layered cloud computing services: Where the provider is not the owner of all or any computing resources that it uses for the provision of the cloud computing services to its customers but is itself the customer of all or some cloud computing services. For example, the provider of platform as a service (PaaS) or software as a service (SaaS) types of service may use storage and server infrastructure (data centres, data servers) owned or provided by another entity. As a result, one or more sub-providers may be involved in providing the cloud computing services to the customer. The customer may not know which layers are involved in the provision of services at a given time, which makes identification and management of risks difficult. Layered cloud computing services are common in SaaS in particular.

Lock-in: Where the customer is dependent on a single provider because the costs of switching to another provider are substantial. Costs in this context are to be understood in the broadest sense as encompassing not only monetary expenses but also effort, time and relational aspects.

Metadata: Basic information about data (such as author, when the data were created, when they were modified and file size). It makes finding and using the data easier and may be required to ensure the authenticity of the record. It can be generated by the customer or the provider.

Performance parameters: Quantitative parameters (numerical targets or metrics or a performance range) or qualitative parameters (service quality assurances). They may refer to conformity with applicable standards, including the date of expiry of any conformity certification (e.g., that the provider has implemented a key management policy in compliance with the international standard identified in the contract). To be meaningful, the parameters should allow the customer to measure performance that is important to the customer in an easy and auditable way. They could be different depending on the risks involved and business needs (e.g., the criticality of certain data, services or applications and the corresponding priority for recovery). For example, a non-mission critical system that is designed to use the cloud for archival purposes will not need the same uptime or other service level agreement (SLA) terms as mission critical or real-time operations.

Persistency of data storage: The probability that data stored in the cloud will not be lost during the contract period. It can be expressed in the contract as a measurable target against which the customer will measure steps taken by the provider to ensure persistency of data storage (e.g., intact data/intact data + lost data during an identified period of time (e.g., a calendar month)). The type of data (e.g., files, databases, codes, applications) and the unit of measurement (the number of files, bit length) would need to be defined in that formula.

Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate. The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual (see the data subject).

Personal data processing: The collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.

Platform as a service (PaaS): Types of cloud computing services with which the customer can deploy, manage and run in the cloud customer-created or customer-acquired applications using one or more existing programming languages and execution environments supported by the provider.

Portability: The ability to easily transfer data, applications and other content from one system to another (i.e., at low cost, with minimal disruption and without being required to re-enter data, re-engineer processes or re-program applications). This might be achieved if it is possible to retrieve the data in the format that is accepted in another system or with a simple and straightforward transformation using commonly available tools. The service level agreement (SLA) may contain performance parameters related to portability, e.g., the customer data is retrievable by the customer via a single download link or documented application programming interfaces (API); or the data format is structured and documented in a sufficient manner to allow the customer to re-use it or to restructure it into a different data format if desired.

Recovery point objectives (RPOs): The maximum time period prior to an unplanned interruption of services during which changes to data may be lost as a consequence of recovery. If RPO is specified in the contract as two hours before the interruption of services, that would mean that all data would be accessible after recovery in the form those data existed two hours before the interruption occurred.

Recovery time objectives (RTO): The time period within which all cloud computing services and data must be recovered following an unplanned interruption.

Reversibility: The process for the customer to retrieve its data, applications and other related content from the cloud and for the provider to delete the customer data and other related content after an agreed period.

Sector-specific regulations: Financial, health, public sector or other specific sector or profession regulations (e.g., attorney-client privilege, medical professional secrecy) and rules for handling classified information (broadly understood as information to which access is restricted by law or regulation to particular classes of persons).

Security incident: An event that indicates that the system or data have been compromised or that measures put in place to protect them have failed. A security incident disrupts normal operations. Examples of security incidents include attempts from unauthorized sources to access systems or data, unplanned disruption to a service or denial of a service, unauthorized processing or storage of data and unauthorized changes to system infrastructure.

Service level agreement (SLA): Part of the cloud computing contract between the provider and the customer that identifies the cloud computing services covered by the contract and the level of service expected or to be achieved under the contract (see the performance parameters).

Software as a service (SaaS): Types of cloud computing services with which the customer can use the provider's applications in the cloud.

Standardized commoditized multi-subscriber cloud solutions: Cloud computing services provided to an unlimited number of customers as a mass product or commodity on non-negotiable standard terms of the provider. Broad disclaimers and waivers of the provider's liability are common in this type of solution. The customer may be in a position to compare different providers and their contracts and select among those available on the market the most suitable for its needs, but not to negotiate a contract.

Uptime: The time when the cloud computing services are accessible and usable. It may be expressed as the amount or percentage, a detailed formula or specific dates or days and time when availability of the service of a particular application is critical.

Written or in writing: Information accessible so as to be usable for subsequent reference. It encompasses information on paper and in an electronic communication. "Accessible" means that information in the form of computer data should be readable and interpretable and that the software that might be necessary to render such information readable should be retained. "Usable" covers both human use and computer processing.