Notes on the Main Issues of Cloud Computing Contracts (prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)

Part two. Drafting a contract

A. General considerations

Freedom of contract

The widely recognized principle of freedom of contract in business transactions allows parties to enter into a contract and to determine its content. Restrictions on freedom of contracts may stem from legislation on non-negotiable terms applicable to particular types of contract or rules that sanction abuse of rights and harm to public order, morality and so forth. The consequences of non-compliance with those restrictions may range from unenforceability of a contract or part thereof to civil, administrative or criminal liability.

Contract formation

The concepts of offer and acceptance have traditionally been used to determine whether and when the parties have reached an agreement as regards their respective legal rights and obligations that will bind them over the duration of the contract. The applicable law may require certain conditions to be fulfilled for a proposal to conclude a contract to constitute a final binding offer (e.g., the proposal is to be sufficiently definite as regards the covered cloud computing services and payment terms).

The contract is concluded when the acceptance of the offer becomes effective. There could be different acceptance mechanisms (e.g., for the customer clicking a check box on a web page, registering online for a cloud computing service, starting to use cloud computing services or paying a service fee; for the provider starting or continuing to provide services; and for both parties signing a contract online* or on paper). Material changes to the offer (e.g., as regards liability, quality and quantity of the cloud computing services to be delivered or payment terms) may constitute a counteroffer that requires acceptance by the other party for a contract to be concluded.

*For UNCITRAL texts addressing electronic signatures, see the United Nations Convention on the Use of Electronic Communications in International Contracts (New York, 2005), the UNCITRAL Model Law on Electronic Commerce (1996) and the UNCITRAL Model Law on Electronic Signatures (2001). See also an explanatory text prepared by the UNCITRAL secretariat entitled “Promoting confidence in electronic commerce: legal issues on international use of electronic authentication and signature methods (2007).

Standardized commoditized multi-subscriber cloud solutions are as a rule offered through interactive applications (e.g., "click-wrap" agreements). There may be no or very little room for negotiating and adjusting the standard offer. Clicking "I accept", "OK" or "I agree" is the only step expected to be taken to conclude the contract. Where negotiation of a contract is involved, contract formation may consist of a series of steps, including preliminary exchange of information, negotiations, delivery and acceptance of an offer and the contract's preparation.

Contract form

Cloud computing contracts are typically concluded online. They may be called differently (a cloud computing service agreement, a master service agreement or terms of service (TOS)) and may comprise one or more documents such as an acceptable use policy (AUP), a service level agreement (SLA), a data processing agreement or data protection policy, security policy and license agreement.

The legal rules applicable to cloud computing contracts may require that the contract be in writing, especially where personal data processing is involved, and that all documents incorporated by reference be attached to the master contract. Even when written form is not required, for ease of reference, clarity, completeness, enforceability and effectiveness of the contract, the parties may decide to conclude a contract in writing with all ancillary agreements incorporated thereto.

The signing of a contract on paper may be required under the applicable law for specific purposes such as tax purposes, although that type of requirement is becoming rare in an increasingly paperless environment.

Definitions and terminology

Due to the nature of cloud computing services, cloud computing contracts contain by necessity many technical terms. The glossary of terms may be included in the contract, as may definitions of main terms used throughout the contract, to avoid ambiguities in their interpretation. The parties may wish to consider using the internationally established terminology for the purpose of ensuring consistency and legal clarity.

Usual contract content

A contract normally: (a) identifies the contracting parties; (b) defines the scope and object of the contract; (c) specifies rights and obligations of the parties, including payment terms; (d) establishes the duration of the contract and conditions for its termination and renewal; (e) identifies remedies for breach and exemptions from liability; and (f) specifies the effects of termination of the contract. It also usually contains clauses on dispute resolution and choice of law and choice of forum.The content, style and structure of contracts may vary significantly, reflecting various legal traditions, drafting styles, legal requirements and parties' needs and preferences.

Relevant Glossary terms

Acceptable use policy (AUP): Part of the cloud computing contract between the provider and the customer that defines the limits of use by the customer and its end users of the cloud computing services covered by the contract.

Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate. The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual (see the data subject).

Service level agreement (SLA): Part of the cloud computing contract between the provider and the customer that identifies the cloud computing services covered by the contract and the level of service expected or to be achieved under the contract (see the performance parameters).

Standardized commoditized multi-subscriber cloud solutions: Cloud computing services provided to an unlimited number of customers as a mass product or commodity on non-negotiable standard terms of the provider. Broad disclaimers and waivers of the provider's liability are common in this type of solution. The customer may be in a position to compare different providers and their contracts and select among those available on the market the most suitable for its needs, but not to negotiate a contract.

Written or in writing: Information accessible so as to be usable for subsequent reference. It encompasses information on paper and in an electronic communication. "Accessible" means that information in the form of computer data should be readable and interpretable and that the software that might be necessary to render such information readable should be retained. "Usable" covers both human use and computer processing.

Cloud computing services: online services characterized by:

  1.       Broad network access, meaning that services can be accessed over the network from any place where the network is available (e.g., through the Internet), using a wide variety of devices, such as mobile phones, tablets and laptops;
  2.       Metered delivery, allowing usage of the resources to be monitored and charged by reference to level of usage (on a pay-as-you-go basis);
  3.       Multi-tenancy, meaning that physical and virtual resources are allocated to multiple users whose data are isolated and inaccessible to one another;
  4.       On-demand self-service, meaning that services are used by the customer as needed, automatically or with minimal interaction with the provider;
  5.       Elasticity and scalability,meaning the capability for rapidly scaling up or down the consumption of servicesaccording to the customer's needs, including large-scale trends in resource usage (e.g., seasonal effects);
  6.       Resource pooling,meaning that physical or virtual resources can be aggregated by the provider in order to serve one or more customers without their control or knowledge over the processes involved;
  7.       A wide range of services from the provision and use of simple connectivity and basic computing services (such as storage, emails and office applications) to the provision and use of the whole range of physical information technology infrastructure (such as servers and data centres) and virtual resources needed for the customer to build its own information technology platforms, or deploy, manage and run customer-created or customer-acquired applications or software. Infrastructure as a service(IaaS), platform as a service (PaaS) or software as a service (SaaS) are types of cloud computing services.

Deployment models: The various ways in which cloud computing services are organized, based on the control and sharing of physical or virtual resources:

  1.       Public cloud, where cloud computing services are potentially available to any interested customer and resources are controlled by the provider;
  2.       Community cloud, where cloud computing services exclusively support a specific group of related customers with shared requirements and resources are controlled by at least one member of that group;
  3.       Private cloud, where cloud computing services are used exclusively by a single customer and resources are controlled by that customer;
  4. Hybrid cloud, where at least two different cloud deployment models are used.