DRAFT Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019): Data localization and other important requirements

 

Data localization requirements

Providers’ standard terms may expressly reserve the right of the provider to store customer data in any country in which the provider or its subcontractors operate. Such a practice will most likely be followed even in the absence of an explicit contractual right, since it is implicit in the provision of cloud computing services that they are provided, as a general rule, from more than one location (e.g., backup and antivirus protection may be remote, and support may be provided in a global “follow-the-sun” model). That practice may not comply with data localization requirements applicable to either or both parties.

Safeguards ensuring compliance with data localization requirements may be included in the contract, such as a prohibition on moving data and other content outside the specified location or a requirement of prior approval of such moves by the other party. For example, an SLA qualitative performance parameter may be included to ensure that the customer data (including any copy, metadata and backup thereof) would be stored exclusively in data centres physically located in the jurisdictions indicated in the contract and owned and operated by entities established in those jurisdictions. Alternatively, the parameter may specify, for example, that data should never be moved outside a specific country or region but may be duplicated in a particular third country or elsewhere, but never in a specific country.

Data integrity

Providers’ standard contracts may contain a general disclaimer that the ultimate responsibility for preserving the integrity of the customer’s data lies with the customer.

Some providers may be willing to undertake data integrity commitments (for example, regular backups), possibly for an additional payment. Regardless of the contractual arrangements with the provider, the customer may wish to consider whether it is necessary to secure access to at least one usable copy of its data outside the provider’s and its subcontractors’ control, reach or influence and independently of their participation.

 

Obligations arising from data breaches and other security incidents

The parties may be required under law or contract or both to notify each other immediately of a security incident of relevance to the contract or any suspicion thereof that becomes known to them. That obligation may be in addition to general notification of a security incident that may be required under law to inform all relevant stakeholders, including data subjects, insurers and State authorities, or the public at large, in order to prevent or minimize the impact of security incidents.

The law may contain specific security incident notification requirements, including the timing of notification, and identify the persons responsible for complying with them. Subject to those mandatory provisions, the parties may specify in the contract the notification period (e.g., one day after the party becomes aware of the incident or threat) and the form and content of the security incident notification. The latter usually includes circumstances and the cause of the incident, type of affected data, the steps to be taken to resolve the incident, the time at which the incident is expected to be resolved and any contingency plan to employ while the incident is being resolved. It may also include information on failed breaches, attacks against specific targets (per customer user, per specific application, per specific physical machine), trends and statistics. Any notification requirements normally take into account the need not to disclose any sensitive information that could lead to the compromise of the affected party’s system, operations or network.

The provider, the customer, or both, including by involving a third party, may be required by law or contract to take measures after a security incident (so-called “post-incident steps”), including the isolation or quarantine of affected areas, the performance of root cause analysis and the production of an incident analysis report. The incident analysis report may be produced by the affected party or by the affected party jointly with the other party or by an independent third party. Post-incident steps may vary depending on the categories of data stored in the cloud and other factors.

A serious security incident resulting in, for example, a loss of data may lead to the termination of the contract.

Relevant Glossary terms

Data localization requirements: Requirements relating to the location of data and other content or data centres or the provider. They may prohibit certain data (including metadata and backups) from residing in or transiting into or out of a certain area or jurisdictions or require that prior approval be obtained from a competent State body for that. They are often found in data protection law and regulations, which may in particular prohibit personal data from residing in or transiting into jurisdictions that do not adhere to certain standards of personal data protection.

Follow-the-sun: A model in which the workload is distributed among different geographical locations to more efficiently balance resources and demand. The purpose of the model may be to provide round-the-clock services and to minimize the average distance between servers and end users in an effort to reduce latency and maximize the speed with which data can be transmitted from one device to another (data transfer rate (DTR) or throughput).

Metadata: Basic information about data (such as author, when the data were created, when they were modified and file size). It makes finding and using the data easier and may be required to ensure the authenticity of the record. It can be generated by the customer or the provider.

Security incident: An event that indicates that the system or data have been compromised or that measures put in place to protect them have failed. A security incident disrupts normal operations. Examples of security incidents include attempts from unauthorized sources to access systems or data, unplanned disruption to a service or denial of a service, unauthorized processing or storage of data and unauthorized changes to system infrastructure.

Data subject: A natural person who can be identified, directly or indirectly, by data, including by reference to such identifiers as name, an identification number, location and any factors specific to the physical, genetic, mental, economic, cultural or social identity of the person. In a number of jurisdictions, data subjects enjoy under data protection or data privacy regulations certain rights with respect to the data that can identify them. Those regulations may trigger the inclusion in the service level agreement (SLA) of data protection-specific performance parameters, such as that the services provided under the contract are certified at least annually by an independent auditor against the data protection/privacy standard identified in the contract. (See also data subject’s rights and personal data).

Service level agreement (SLA): Part of the cloud computing contract between the provider and the customer that identifies the cloud computing services covered by the contract and the level of service expected or to be achieved under the contract.
