Notes on the Main Issues of Cloud Computing Contracts (prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)

Part one. Main pre-contractual aspects

C. Other pre-contractual issues

Disclosure of information

The applicable law may require the parties to a contract to provide to each other information that would allow them to make an informed choice about the conclusion of the contract. The absence, or the lack of clear communication to the other party, of information necessary to make the object of the obligation determined or determinable prior to contract conclusion may make a contract or part thereof null and void or entitle the aggrieved party to claim damages.

In some jurisdictions, pre-contractual information may be considered an integral part of the contract. In such cases, the parties would need to ensure that such information is appropriately recorded and that any mismatch between that information and the contract itself is avoided. The parties would also need to deal with concerns over the impact of pre-contractually disclosed information on flexibility and innovation at the contract implementation stage.

Confidentiality

Some information disclosed at the pre-contractual stage may be considered confidential, in particular as regards security, identification and authentication measures, subcontractors and the location and type of data centres (which in turn may identify the type of data stored there and access thereto by local or foreign State authorities). The parties may agree that certain information disclosed at the pre-contractual stage should be treated as confidential. Written confidentiality undertakings or non-disclosure agreements may also be required from third parties involved in pre-contractual due diligence (e.g., auditors).

Migration to the cloud

Before migration to the cloud, the customer would usually be expected to classify data to be migrated to the cloud and secure it according to its level of sensitivity and criticality and inform the provider about the level of protection required for each type of data. The customer may also be expected to supply to the provider other information necessary for the provision of the services (e.g., the customer's data retention and disposition schedule, user identity and access management mechanisms and procedures for access to the encryption keys if necessary).

In addition to the transfer of data and other content to the provider's cloud, migration to the cloud may involve installation, configuration, encryption, tests and training of the customer's staff and other end users. Those aspects may be part of the customer contract with the provider or be the subject of a separate agreement of the customer with the provider or third parties, such as cloud computing service partners. Extra costs may arise. Parties involved in the migration would normally agree on their roles and responsibilities during migration, terms of their engagement, the format in which the data or other content is to be migrated to the cloud, timing of migration, an acceptance procedure to ascertain that the migration was performed as agreed and other details of the migration plan.

Relevant Glossary terms

Cloud computing service partners (e.g., cloud auditors, cloud service brokers and system integrators): Persons engaged in support of, or auxiliary to, activities of either the provider or the customer or both. Cloud auditors conduct an audit of the provision and use of cloud computing services. Cloud service brokers or system integrators assist parties with a wide range of issues, e.g., with finding the right cloud solution, negotiating acceptable terms and migrating the customer to the cloud.