Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)
Part two. Drafting a contract
M. End-of-service commitments
End-of-service commitments may raise not only contractual but also regulatory issues. The parties may be concerned about achieving a balance between the customer's interest in continuous access to its data and other content, including during the transition period, and the provider's interest in ending any obligation towards the former customer as soon as possible.
End-of-service commitments may be the same regardless of the cause of termination of the contract or may be different depending on whether termination is for breach of contract or other reasons. The following paragraphs discuss issues that parties may wish to address in the contract.
Time frame for export
The parties may specify in the contract a time frame for export, which may need to be sufficiently long to ensure a smooth export by the customer of its data and other content to another system.
Customer access to the content subject to export
The contract would specify data and other content subject to export and ways of gaining customer access thereto, including any decryption keys that may be held by the provider or third parties (read more). To facilitate the export of the customer's data with the minimal involvement of the provider, the parties may agree on an escrow arrangement (i.e., involvement of a third party authorized to automatically release to the customer the source code, decryption keys or other elements allowing access to the customer data and other content upon occurrence of certain events, such as termination of the contract (see also above under Termination in case of insolvency)). The contract may also specify export options, including their formats and processes, to the extent possible, recognizing that they may change over time.
Export assistance by the provider
The provider may not always agree to be actively involved in assisting the customer with exporting its data to another system, but it may be expected under law to ensure that such export is possible and simple. Where the parties agreed on the provider's involvement in the export of customer data to another system, the contract may specify details, such as the extent, procedure and time period for export assistance. The provider may require separate payment for the provision of export assistance. In such case, the parties may fix the amount of the payment in the contract or agree to refer to the provider's price list at a given time. Alternatively, the parties may agree that such assistance is included in the contract price or that no extra payment will be charged if the contract termination follows the provider's breach of contract.
Data deletion
The contract may need to specify rules for data deletion from the provider's cloud infrastructure upon export or expiration of the period specified in the contract for export. The data deletion may be done automatically by the provider, for example, upon occurrence of certain events, expiration of time periods that were agreed upon by the parties or as required by law. Alternatively, data may be deleted only upon a specific customer's request and instructions. The parties may agree that the customer will be notified about the upcoming data deletion and will be served with an attestation, report or statement of data deletion, including data deletion from third parties' systems.
Post-contract retention of data
The provider might be required to retain customer data by law, in particular a data protection law, which may also address a time period during which the data must be retained.Specific issues and requirements may arise from the need to retain and store digital signature certificates, especially in the cross-border context. The parties may agree on the retention of customer data by the provider after the termination of the contract. Some providers may offer a post-contract retention period at additional cost.
The parties may include special requirements as regards data that are not or cannot be returned to the customer and whose deletion would not be possible. For example, the contract may specify that all personal information must be de-identified and that the data are to be retained in an encrypted form or in a usable and interoperable format to allow its retrieval when required. The parties may also agree on their respective responsibilities for post-contractual retention of the data in the specified format.
Post-contract confidentiality clause
The parties may agree on a post-contract confidentiality clause. Confidentiality obligations may survive the contract for a specified number of years after the contract is terminated (e.g., five or seven years), or may continue indefinitely, depending on the nature of the customer data and other content that was placed in the provider's cloud infrastructure.
Post-contract audits
Post-contract audits may be agreed by parties or imposed by law. The parties may agree on terms for carrying out such audits, including the time frame and allocation of costs.
Leftover account balance
The parties may agree on conditions for the return to the customer of leftover amounts on its account or for the offset of those amounts against any additional payments that the customer would need to make to the provider, including for end-of-service activities or to compensate damage.