Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)

Part two. Drafting a contract

E. Audits and monitoring

Monitoring activities

The parties may need to monitor activities of each other to ensure regulatory and contractual compliance (e.g., compliance of the customer and its end users with AUP and IP licenses and compliance of the provider with SLA and data protection policy). Some monitoring activities, such as those related to personal data processing, may be mandated by law.

The contract may identify periodic or recurrent monitoring activities, together with the party responsible for their performance and the obligations of the other party to facilitate monitoring. The contract may also anticipate any exceptional monitoring activities and provide options for handling them. The contract may also provide for reporting requirements to the other party as well as any confidential undertakings in conjunction with such monitoring activities.

Excessive monitoring may affect performance and increase the costs of services. The contract may provide for the requirement to suspend monitoring in certain circumstances, e.g., where monitoring is materially detrimental to service performance. That concern may be present particularly in the case of services requiring near real-time performance.

Audit and security tests

Audit and security tests, in particular to check the effectiveness of security measures, are common. Some audits and security tests may be mandated by law. The contract may include clauses that address the audit rights of both parties, the scope of audits, recurrence, formalities and costs. It may also oblige the parties to share with each other the results of the audits or security tests that they commission. The contractual rights or statutory obligations for audit and security tests may be complemented in the contract with corresponding obligations of the other party to facilitate the exercise of such rights or fulfilment of those obligations (e.g., to grant access to the relevant data centres).

Parties may agree that audits or security tests may be performed only by professional organizations or that the provider or the customer may choose to have the audit or security test performed by a professional organization. The contract may specify qualifications to be met by the third party and conditions for their engagement, including allocation of costs. Special arrangements may be agreed upon by the parties for audits or security tests subsequent to an incident and depending on the severity and type of the incident (for example, the party responsible for the incident may be obliged to partially or fully reimburse costs).

Relevant Glossary terms

Acceptable use policy (AUP): Part of the cloud computing contract between the provider and the customer that defines the limits of use by the customer and its end users of the cloud computing services covered by the contract.

Intellectual property (IP) licences: Agreements between an IP rights owner (the licensor) and a person authorized to use those IP rights (the licensee). They usually impose restrictions and obligations on the extent and manner in which the licensee or third parties may use the licensed property. For example, software and visual content (designs, layouts and images) may be licensed for specific use, not allowing copying, modification or enhancement, and be restricted to a certain medium. The licences may be limited to a particular market (e.g., national or (sub)regional), a number of users or a number of devices, or may be time-bound. Sub-licensing may not be permitted. The licensor may require reference to be made to the IP rights owner each time the IP rights are used.

Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate. The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual (see the data subject).

Service level agreement (SLA): Part of the cloud computing contract between the provider and the customer that identifies the cloud computing services covered by the contract and the level of service expected or to be achieved under the contract (see the performance parameters).