Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)
Part two. Drafting a contract
E. Audits and monitoring
Monitoring activities
The parties may need to monitor each other's activities to ensure regulatory and contractual compliance (e.g., compliance of the customer and its end users with the AUP and IP licences, and compliance of the provider with the SLA and data protection policy). Some monitoring activities, such as those related to personal data processing, may be mandated by law.
The contract may identify periodic or recurrent monitoring activities, together with the party responsible for their performance and the obligations of the other party to facilitate monitoring. The contract may also anticipate any exceptional monitoring activities and provide options for handling them. The contract may also provide for reporting requirements to the other party as well as any confidential undertakings in conjunction with such monitoring activities.
Excessive monitoring may degrade performance and increase the cost of services. The contract may require monitoring to be suspended in certain circumstances, e.g., where it is materially detrimental to service performance. That concern is particularly relevant in the case of services requiring near real-time performance.
Audit and security tests
Audit and security tests, in particular to check the effectiveness of security measures, are common. Some audits and security tests may be mandated by law. The contract may include clauses that address the audit rights of both parties, the scope of audits, recurrence, formalities and costs. It may also oblige the parties to share with each other the results of the audits or security tests that they commission. The contractual rights or statutory obligations for audit and security tests may be complemented in the contract with corresponding obligations of the other party to facilitate the exercise of such rights or fulfilment of those obligations (e.g., to grant access to the relevant data centres).
Parties may agree that audits or security tests may be performed only by professional organizations, or that the provider or the customer may choose to have the audit or security test performed by a professional organization. The contract may specify the qualifications to be met by the third party and the conditions of its engagement, including the allocation of costs. The parties may agree special arrangements for audits or security tests following an incident, depending on the severity and type of the incident (for example, the party responsible for the incident may be obliged to partially or fully reimburse the costs).