Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)

Part two. Drafting a contract

I. Subcontractors, sub-providers and outsourcing

Identification of the subcontracting chain

Subcontracting, layered cloud computing services and outsourcing are common in the cloud computing environment. The providers' standard terms may explicitly reserve the provider's right to use third parties for the provision of the cloud computing services to the customer, or that right may be implicit because of the nature of services to be provided. The provider may be interested in retaining as much flexibility as possible in that respect.

The law may require the parties to identify in the contract any third parties involved in the provision of the cloud computing services. Such identification may also be beneficial to the customer for verification purposes, in particular of compliance of third parties with security, confidentiality, data protection and other requirements arising from the contract or law and of the absence of conflicts of interest on the part of third parties.

That information may also be used for mitigation of risks of non-performance of the contract by the provider due to failures of third parties. For example, the customer may opt to contract directly with third parties instrumental to the performance of the cloud computing contract, in particular on such sensitive issues as confidentiality and personal data processing. The customer may also try to negotiate with key third parties obligations to step in if the provider fails to perform under the contract, including in case of the provider's insolvency.

The provider may be in a position to identify those third parties playing key roles but not all third parties. The pool of third parties involved in the provision of cloud computing services may change during the contract (see immediately below).

Changes in the subcontracting chain

Unilateral changes in the subcontracting chain are common. The contract may specify whether changes in the subcontracting chain are permitted and if so, under which conditions (e.g., the customer may reserve the right to vet and veto any new third party involved in the provision of the cloud computing services to the customer before the change is implemented). Alternatively, the contract may include the list of third parties pre-approved by the customer, from which the provider can choose when the need arises. Another option is to subject the change to subsequent approval by the customer, in the absence of which services would need to continue with the previous or other pre-approved third party or with another third party to be agreed by the parties. Otherwise, the contract may be terminated.

Mandatory applicable law may stipulate circumstances in which changes in a provider's subcontracting chain may require termination of the contract.

Alignment of contract terms with linked contracts

The law or the contract may require the parties to align the terms of the contract with existing or future linked contracts to ensure confidentiality and compliance with data localization and data protection requirements. The contract may oblige parties to supply each other with copies of linked contracts for verification purposes.

Liability of subcontractors, sub-providers and other third parties

Although third parties instrumental to the performance of the cloud computing contract may be listed in the contract, they would not be parties to the contract between the provider and the customer. They would be liable for obligations under their contracts with the provider. The creation of third-party beneficiary rights for the benefit of the customer in linked contracts, or making the customer a party to linked contracts, would allow the customer's direct recourse against the third party in case of that third party's non-performance under a linked contract.

Under applicable law or contract, the provider may be held liable to the customer for any issue within the responsibility of any third party whom the provider involved in the performance of the contract. In particular, the joint liability of the provider and its subcontractors may be established by law for any issues arising from personal data processing, depending on the extent of subcontractors' involvement in processing.

Relevant Glossary terms

Data localization requirements: Requirements relating to the location of data and other content or data centres or the provider. They may prohibit certain data (including metadata and backups) from residing in or transiting into or out of certain areas or jurisdictions or require that prior approval be obtained from a competent State body for that. They are often found in data protection law and regulations, which may in particular prohibit personal data from residing in or transiting into jurisdictions that do not adhere to certain standards of personal data protection.

Layered cloud computing services: Where the provider is not the owner of all or any computing resources that it uses for the provision of the cloud computing services to its customers but is itself the customer of all or some cloud computing services. For example, the provider of platform as a service (PaaS) or software as a service (SaaS) types of service may use storage and server infrastructure (data centres, data servers) owned or provided by another entity. As a result, one or more sub-providers may be involved in providing the cloud computing services to the customer. The customer may not know which layers are involved in the provision of services at a given time, which makes identification and management of risks difficult. Layered cloud computing services are common in SaaS in particular.

Personal data processing: The collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.