Notes on the Main Issues of Cloud Computing Contracts (prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)

Part one. Main pre-contractual aspects

B. Pre-contractual risk assessment

The applicable mandatory law may require a risk assessment as a precondition to entering into a cloud computing contract. Even in the absence of statutory requirements, the parties may decide to undertake a risk assessment that might help them to identify risk mitigation strategies, including the negotiation of appropriate contractual clauses.

Not all risks arising from cloud computing contracts would be cloud-specific. Some risks would be handled outside a cloud computing contract (e.g., risks arising from online connectivity interruptions) and not all risks could be mitigated at an acceptable cost (e.g., reputational damage). In addition, risk assessment would not be a one-off event before concluding a contract. Risk assessment could be ongoing throughout the duration of the contract, and risk assessment outcomes may necessitate amendment or termination of the contract.

Verification of information about a specific cloud computing service and a selected contracting party

The following information may be relevant to the parties when they consider employing a specific cloud computing service and selecting a contracting party:

(a) IP licenses required for using a specific cloud computing service;

(b) The privacy, confidentiality and security policies in place, in particular as regards prevention of unauthorized access, use, alteration or destruction of the data during processing, transit or transfer using the cloud computing infrastructure;

(c) Measures in place to ensure the ongoing access to metadata, audit trails and other logs demonstrating security measures;

(d) The existing disaster recovery plan and notification obligations in the case of a security breach or system malfunction;

(e) Policies in place as regards migration-to-the-cloud and end-of-service assistance as well as interoperability and portability;

(f) The existing measures for vetting and training of employees, subcontractors and other third parties involved in the provision of the cloud computing services;

(g) Statistics on security incidents and information about past performance with disaster recovery procedures;

(h) Certification by an independent third party on compliance with technical standards;

(i) Information indicating regularity and extent of audit by an independent body;

(j) Financial viability;

(k) Insurance policies;

(l) Possible conflicts of interest;

(m) Extent of subcontracting and layered cloud computing services;

(n) Extent of isolation of data and other content in the cloud computing infrastructure; and

(o) Expected reciprocal roles and shared responsibilities of the parties for security measures.

IP infringement risks

IP infringement risks may arise if, for example, the provider is not the owner or developer of the resources that it provides to its customers, but rather uses them under an IP licence arrangement with a third party. IP infringement risks may also arise if the customer is required, for the implementation of the contract, to grant to the provider a licence to use the content that the customer intends to place in the cloud. In some jurisdictions, storage of the content on the cloud even for backup purposes may be qualified as a reproduction and require prior authorization from the IP rights owner.

It is in the interests of both parties to ensure before the conclusion of the contract that the use of the cloud computing services would not constitute an infringement of IP rights and a cause for the revocation of the IP licences granted to either of them. Costs of IP infringement may be very high. The right to sublicense may need to be arranged, or a direct licence arrangement may need to be concluded with the relevant third-party licensor under which the right to manage the licences will be granted. The use of open source software or other content may necessitate obtaining an advance consent from third parties and disclosing the source code with any modifications made to open source software or other content.

Risks to data security, integrity, confidentiality and privacy

Migration of all or part of data to the cloud leads to the customer's loss of exclusive control over that data and of the ability to deploy the necessary measures to guarantee data integrity and confidentiality or to verify whether data processing and retention are being handled adequately. The extent of the loss of control will depend on the type of cloud computing service.

Inherent features of cloud computing services such as broad network access, multi-tenancy and resource pooling may require more precautions from the parties to prevent interception of communications and other cyberattacks that may lead to the loss or compromise of credentials for access to cloud computing services, data loss and other security breaches. Adequate isolation of resources, data segregation and robust security procedures are especially important in a shared environment such as cloud computing.

Security measures will be the shared responsibility of the parties in the cloud computing environment regardless of the type of cloud computing services employed. Pre-contractual risk assessment provides a good opportunity for the parties to eliminate any ambiguity in defining their roles and responsibilities related to data security, integrity, confidentiality and privacy. Contractual clauses will play an important role in reflecting the agreement of the parties on the mutual allocation of risks and liabilities related to those and other aspects of the provision of cloud computing services. Those clauses will not be able to override mandatory provisions of law.

Penetration tests, audits and site visits

Steps may be taken at the pre-contractual stage to verify the adequacy of isolation of resources, data segregation, identification procedures and other security measures. They should aim at identifying possible additional precautions that may need to be taken by the parties to prevent data security breaches and other malfunctions in the provision of the cloud computing services to the customer.

Laws and regulations may require audits, penetration tests and physical inspection of data centres involved in the provision of the cloud computing services, in particular to ascertain that their location complies with statutory data localization requirements. The parties would need to agree on conditions for undertaking those activities, including their timing, allocation of costs and indemnification for any possible damage caused by those activities.

Lock-in risks

Avoiding or reducing lock-in risks, often arising from the lack of interoperability and portability, may be one of the most important considerations for the parties. Higher lock-in risks may arise from long-term contracts and from automatically renewable short- and medium-term contracts.

Risks of application and data lock-ins are especially high in SaaS and PaaS. Data may exist in formats specific to one cloud system that will not be usable in other systems. In addition, a proprietary application or system used to organize data may require adjustment of licensing terms to allow operation in a different network. Programs to interact with the application programming interfaces (API) may need to be rewritten to take into account the new system's API. High switching costs may also arise from the need to retrain end users.

In PaaS, there could also be runtime lock-in since runtimes (i.e., software designed to support the execution of computer programs written in a specific programming language) are often heavily customized (e.g., aspects such as allocating or freeing memory, debugging, etc.). In IaaS, lock-in varies depending on the specific infrastructure services consumed. As in PaaS, some infrastructure services may lead to application lock-in if the service depends on specific policy features (e.g., access controls) or data lock-in if more data are moved to the cloud for storage.

At the pre-contractual stage, tests could be run to verify whether data and other content can be exported to another system and made usable there. Synchronization between cloud and in-house platforms and replication of data elsewhere may be needed. Transacting with more than one party and opting for a combination of various types of cloud computing services and their deployment models (i.e., multi-sourcing), although possibly with cost and other implications, may be an important part of the mitigating strategy against lock-in risks. Contractual clauses may also assist with mitigating lock-in risks.

Business continuity risks

The parties may be concerned about business continuity risks not only in anticipation of the scheduled termination of the contract, but also of its possible unilateral suspension or earlier termination, including when either party may no longer be in business. The law may require putting in place in advance an appropriate strategy to ensure business continuity, in particular in order to avoid the negative impact of termination or suspension of the cloud computing services on end users. Contractual clauses may also assist with mitigating business continuity risks.

Exit strategies

For successful exit strategies, parties may need to clarify from the outset: (a) the content that will be subject to exit (e.g., only the data that the customer entered in the cloud or also cloud service-derived data); (b) any amendments that would be required to IP licenses to enable the use of that content in another system; (c) control of decryption keys and access to them; and (d) the time period required to complete the exit. End-of-service contractual clauses usually reflect the agreement of the parties on those issues.

Relevant Glossary terms

Cloud computing services: online services characterized by:

  1. Broad network access, meaning that services can be accessed over the network from any place where the network is available (e.g., through the Internet), using a wide variety of devices, such as mobile phones, tablets and laptops;
  2. Metered delivery, allowing usage of the resources to be monitored and charged by reference to level of usage (on a pay-as-you-go basis);
  3. Multi-tenancy, meaning that physical and virtual resources are allocated to multiple users whose data are isolated and inaccessible to one another;
  4. On-demand self-service, meaning that services are used by the customer as needed, automatically or with minimal interaction with the provider;
  5. Elasticity and scalability, meaning the capability for rapidly scaling up or down the consumption of services according to the customer's needs, including large-scale trends in resource usage (e.g., seasonal effects);
  6. Resource pooling, meaning that physical or virtual resources can be aggregated by the provider in order to serve one or more customers without their control or knowledge over the processes involved;
  7. A wide range of services from the provision and use of simple connectivity and basic computing services (such as storage, emails and office applications) to the provision and use of the whole range of physical information technology infrastructure (such as servers and data centres) and virtual resources needed for the customer to build its own information technology platforms, or deploy, manage and run customer-created or customer-acquired applications or software. Infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS) are types of cloud computing services.

Cloud service-derived data: Data under the control of the provider that are derived as a result of the use by the customer of the cloud computing services of that provider. It includes metadata and any other log data generated by the provider containing records of who used the services, at what times, which functions and which types of data are involved. It can also include information about authorized users, their identifiers and any configuration, customization and modification.

Interoperability: The ability of two or more systems or applications to exchange information and to mutually use the information that has been exchanged.

Layered cloud computing services: Where the provider is not the owner of all or any computing resources that it uses for the provision of the cloud computing services to its customers but is itself the customer of all or some cloud computing services. For example, the provider of platform as a service (PaaS) or software as a service (SaaS) types of service may use storage and server infrastructure (data centres, data servers) owned or provided by another entity. As a result, one or more sub-providers may be involved in providing the cloud computing services to the customer. The customer may not know which layers are involved in the provision of services at a given time, which makes identification and management of risks difficult. Layered cloud computing services are common in SaaS in particular.

Lock-in: Where the customer is dependent on a single provider because the costs of switching to another provider are substantial. Costs in this context are to be understood in the broadest sense as encompassing not only monetary expenses but also effort, time and relational aspects.

Portability: The ability to easily transfer data, applications and other content from one system to another (i.e., at low cost, with minimal disruption and without being required to re-enter data, re-engineer processes or re-program applications). This might be achieved if it is possible to retrieve the data in the format that is accepted in another system or with a simple and straightforward transformation using commonly available tools. The service level agreement (SLA) may contain performance parameters related to portability, e.g., the customer data is retrievable by the customer via a single download link or documented application programming interfaces (API); or the data format is structured and documented in a sufficient manner to allow the customer to re-use it or to restructure it into a different data format if desired.