Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)
Part two. Drafting a contract
I. Subcontractors, sub-providers and outsourcing
Identification of the subcontracting chain
Subcontracting, layered cloud computing services and outsourcing are common in cloud computing environment. The providers' standard terms may explicitly reserve the provider's right to use third parties for the provision of the cloud computing services to the customer, or that right may be implicit because of the nature of services to be provided. The provider may be interested in retaining as much flexibility as possible in that respect.
The law may require the parties to identify in the contract any third parties involved in the provision of the cloud computing services. Such identification may also be beneficial to the customer for verification purposes, in particular of compliance of third parties with security, confidentiality, data protection and other requirements arising from the contract or law and of the absence of conflicts of interest on the part of third parties.
That information may also be used for mitigation of risks of non-performance of the contract by the provider due to failures of third parties. For example, the customer may opt to contract directly with third parties instrumental to the performance of the cloud computing contract, in particular on such sensitive issues as confidentiality and personal data processing. The customer may also try to negotiate with key third parties obligations to step in if the provider fails to perform under the contract, including in case of the provider's insolvency.
The provider may be in a position to identify those third parties playing key roles but not all third parties. The pool of third parties involved in the provision of cloud computing services may change during the contract (see immediately below).
Changes in the subcontracting chain
Unilateral changes in the subcontracting chain are common. The contract may specify whether changes in the subcontracting chain are permitted and if so, under which conditions (e.g., the customer may reserve the right to vet and veto any new third party involved in the provision of the cloud computing services to the customer before the change is implemented). Alternatively, the contract may include the list of third parties pre-approved by the customer, from which the provider can choose when the need arises. Another option is to subject the change to subsequent approval by the customer, in the absence of which services would need to continue with the previous or other pre-approved third party or with another third party to be agreed by the parties. Otherwise, the contract may be terminated.
Mandatory applicable law may stipulate circumstances in which changes in a provider's subcontracting chain may require termination of the contract.
Alignment of contract terms with linked contracts
The law or the contract may require the parties to align the terms of the contract with existing or future linked contracts to ensure confidentiality and compliance with data localization and data protection requirements. The contract may oblige parties to supply each other with copies of linked contracts for verification purposes.
Liability of subcontractors, sub-providers and other third parties
Although third parties instrumental to the performance of the cloud computing contract may be listed in the contract, they would not be parties to the contract between the provider and the customer. They would be liable for obligations under their contracts with the provider. The creation of third party beneficiary rights for the benefit of the customer in linked contracts, or making the customer a party to linked contracts would allow the customer's direct recourse against the third party in case of that third party's non-performance under a linked contract.
Under applicable law or contract, the provider may be held liable to the customer for any issue within the responsibility of any third party whom the provider involved in the performance of the contract. In particular, the joint liability of the provider and its subcontractors may be established by law for any issues arising from personal data processing, depending on the extent of subcontractors' involvement in processing.