Notes on the Main Issues of Cloud Computing Contracts (prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)
Part one. Main pre-contractual aspects
B. Pre-contractual risk assessment
The applicable mandatory law may require a risk assessment as a precondition to entering into a cloud computing contract. Even in the absence of statutory requirements, the parties may decide to undertake a risk assessment that might help them to identify risk mitigation strategies, including the negotiation of appropriate contractual clauses.
Not all risks arising from cloud computing contracts would be cloud-specific. Some risks would be handled outside a cloud computing contract (e.g., risks arising from online connectivity interruptions) and not all risks could be mitigated at an acceptable cost (e.g., reputational damage). In addition, risk assessment would not be a one-off event before concluding a contract. Risk assessment could be ongoing throughout the duration of the contract, and risk assessment outcomes may necessitate amendment or termination of the contract.
Verification of information about a specific cloud computing service and a selected contracting party
The following information may be relevant to the parties when they consider employing a specific cloud computing service and selecting a contracting party:
(a) IP licenses required for using a specific cloud computing service;
(b) The privacy, confidentiality and security policies in place, in particular as regards prevention of unauthorized access, use, alteration or destruction of the data during processing, transit or transfer using the cloud computing infrastructure;
(c) Measures in place to ensure the ongoing access to metadata, audit trails and other logs demonstrating security measures;
(d) The existing disaster recovery plan and notification obligations in the case of a security breach or system malfunction;
(f) The existing measures for vetting and training of employees, subcontractors and other third parties involved in the provision of the cloud computing services;
(g) Statistics on security incidents and information about past performance with disaster recovery procedures;
(h) Certification by an independent third party on compliance with technical standards;
(i) Information indicating regularity and extent of audit by an independent body;
(j) Financial viability;
(k) Insurance policies;
(l) Possible conflicts of interest;
(m) Extent of subcontracting and layered cloud computing services;
(n) Extent of isolation of data and other content in the cloud computing infrastructure; and
(o) Expected reciprocal roles and shared responsibilities of the parties for security measures.
IP infringement risks
IP infringement risks may arise if, for example, the provider is not the owner or developer of the resources that it provides to its customers, but rather uses them under an IP licence arrangement with a third party. IP infringement risks may also arise if the customer is required, for the implementation of the contract, to grant to the provider a licence to use the content that the customer intends to place in the cloud. In some jurisdictions, storage of the content on the cloud even for backup purposes may be qualified as a reproduction and require prior authorization from the IP rights owner.
It is in the interests of both parties to ensure before the conclusion of the contract that the use of the cloud computing services would not constitute an infringement of IP rights and a cause for the revocation of the IP licences granted to either of them. Costs of IP infringement may be very high. The right to sublicense may need to be arranged, or a direct licence arrangement may need to be concluded with the relevant third-party licensor under which the right to manage the licences will be granted. The use of open source software or other content may necessitate obtaining an advance consent from third parties and disclosing the source code with any modifications made to open source software or other content.
Risks to data security, integrity, confidentiality and privacy
Migration of all or part of data to the cloud leads to the customer's loss of exclusive control over that data and of the ability to deploy the necessary measures to guarantee data integrity and confidentiality or to verify whether data processing and retention are being handled adequately. The extent of the loss of control will depend on the type of cloud computing service.
Inherent features of cloud computing services such as broad network access, multi-tenancy and resource pooling may require more precautions from the parties to prevent interception of communications and other cyberattacks that may lead to the loss or compromise of credentials for access to cloud computing services, data loss and other security breaches. Adequate isolation of resources, data segregation and robust security procedures are especially important in a shared environment such as cloud computing.
Security measures will be the shared responsibility of the parties in the cloud computing environment regardless of the type of cloud computing services employed. Pre-contractual risk assessment provides a good opportunity for the parties to eliminate any ambiguity in defining their roles and responsibilities related to data security, integrity, confidentiality and privacy. Contractual clauses will play an important role in reflecting the agreement of the parties on the mutual allocation of risks and liabilities related to those and other aspects of the provision of cloud computing services. Those clauses will not be able to override mandatory provisions of law.
Penetration tests, audits and site visits
Steps may be taken at the pre-contractual stage to verify the adequacy of isolation of resources, data segregation, identification procedures and other security measures. They should aim at identifying possible additional precautions that may need to be taken by the parties to prevent data security breaches and other malfunctions in the provision of the cloud computing services to the customer.
Laws and regulations may require audits, penetration tests and physical inspection of data centres involved in the provision of the cloud computing services, in particular to ascertain that their location complies with statutory data localization requirements. The parties would need to agree on conditions for undertaking those activities, including their timing, allocation of costs and indemnification for any possible damage caused by those activities.
Lock-in risks
Avoiding or reducing lock-in risks, often arising from the lack of interoperability and portability, may be one of the most important considerations for the parties. Higher lock-in risks may arise from long-term contracts and from automatically renewable short- and medium-term contracts.
Risks of application and data lock-in are especially high in SaaS and PaaS. Data may exist in formats specific to one cloud system that will not be usable in other systems. In addition, a proprietary application or system used to organize data may require adjustment of licensing terms to allow operation in a different network. Programs that interact with the application programming interfaces (APIs) may need to be rewritten to take into account the new system's API. High switching costs may also arise from the need to retrain end users.
In PaaS, there could also be runtime lock-in, since runtimes (i.e., software designed to support the execution of computer programs written in a specific programming language) are often heavily customized (e.g., in aspects such as allocating or freeing memory, debugging, etc.). In IaaS, lock-in varies depending on the specific infrastructure services consumed. As in PaaS, some infrastructure services may lead to application lock-in if the service depends on specific policy features (e.g., access controls), or to data lock-in if more data are moved to the cloud for storage.
At the pre-contractual stage, tests could be run to verify whether data and other content can be exported to another system and made usable there. Synchronization between cloud and in-house platforms and replication of data elsewhere may be needed. Transacting with more than one party and opting for a combination of various types of cloud computing services and their deployment models (i.e., multi-sourcing), although possibly with cost and other implications, may be an important part of the mitigation strategy against lock-in risks. Contractual clauses may also assist with mitigating lock-in risks.
Business continuity risks
The parties may be concerned about business continuity risks not only in anticipation of the scheduled termination of the contract, but also of its possible unilateral suspension or earlier termination, including when either party may no longer be in business. The law may require putting in place in advance an appropriate strategy to ensure business continuity, in particular in order to avoid the negative impact of termination or suspension of the cloud computing services on end users. Contractual clauses may also assist with mitigating business continuity risks.
For successful exit strategies, parties may need to clarify from the outset: (a) the content that will be subject to exit (e.g., only the data that the customer entered in the cloud or also cloud service-derived data); (b) any amendments that would be required to IP licenses to enable the use of that content in another system; (c) control of decryption keys and access to them; and (d) the time period required to complete the exit. End-of-service contractual clauses usually reflect the agreement of the parties on those issues.