Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019)
Part two. Drafting a contract
B. Identification of contracting parties
The correct identification of contracting parties may have a direct impact on the formation and enforceability of the contract. The applicable law would specify the information needed to ascertain the legal personality of a business entity and its capacity to enter into a contract. The law may require additional information for specific purposes, for example, an identification number for tax purposes or power of attorney to ascertain the power of a natural person to sign and commit on behalf of a legal entity.
C. Defining the scope and the object of the contract
Objects of cloud computing contracts vary substantially in their type and complexity given the range of cloud computing services. Within the duration of a single contract, the object may change: some cloud computing services may be cancelled and other services may be added. The object of the contract may comprise the provision of core, ancillary and optional services.
The description of the object of the contract usually includes a description of a type of cloud computing services (SaaS, PaaS, IaaS or a combination thereof), their deployment model (public, community, private or hybrid), their technical, quality and performance characteristics and any applicable technical standards. Several documents comprising the contract may be relevant for determining the object of the contract.
Service level agreement
The service level agreement (SLA) contains performance parameters against which the delivery of the cloud computing services, the extent of the contractual obligations and possible contractual breaches of the provider will be measured. Information technology specialists are normally involved in the formulation of the performance parameters.
Quantitative performance parameters usually relate to capacity (a specified capacity of data storage or specified amount of memory available to the running program), downtime or outages, latency, persistency of data storage, uptime, support services (e.g., during the customer's operating hours or 24/7), and incident and disaster management and recovery plans. The latter may include the maximum incident resolution time, the maximum first response time, recovery point objectives and recovery time objectives.
Qualitative performance parameters may relate to data deletion, data localization requirements, portability, security and data protection/privacy. Some aspects of service may be measured against both qualitative and quantitative performance parameters. For example, elasticity and scalability may be defined with reference to both the maximum available resources within a specified minimum period and the quality and security of the measures that may need to be adapted to the varying degrees of sensitivity of the stored customer data. Encryption may be expressed as a defined bit value at rest, in transit and in use. In addition to or instead of such a quantitative parameter, encryption may be measured against a qualitative parameter (e.g., the provider is to ensure that customer data are encrypted whenever they are transported over a public communication network and whenever they are at rest in data centres used by the provider).
Different commitments (i.e., obligations of result or of best efforts) could be agreed upon depending in particular on the terms of payment and whether standardized commoditized multi-subscriber solutions are provided. The type of commitment would have implications, including for the burden of proof in case of dispute.
The parties may include in the contract a measurement methodology and procedures, specifying in particular a reference period for the measurement of services (daily, weekly, monthly, etc.), service delivery reporting mechanisms (i.e., the frequency and form of such reporting), the role and responsibilities of the parties and metrics to be used (e.g., metrics at the point of provision or at the point of consumption of services). The parties may agree on an independent measurement of performance and how the related costs are to be allocated.
The customer is normally interested in measuring services during peak hours, i.e., when they are most needed. The customer is usually able to measure (or verify the measurements provided by the provider or third parties) only those metrics that are based on performance at the point of consumption, but not those based on system performance at the point of provision of services. The customer may be able to evaluate the performance at the point of provision of services based on reports provided by the provider or third parties. The provider may agree to provide the customer with performance reports on demand, either periodically (daily, weekly, monthly, etc.) or following a particular incident. Alternatively, the provider may agree to grant the customer the right to review the provider's records related to the service-level measurements. Some providers enable customers to monitor data on service performance in real time.
The contract may oblige either or both parties to maintain records about the provision and consumption of services for a certain time. Such information may be useful in negotiating any amendments to the contract and in case of disputes.
Acceptable use policy
An acceptable use policy (AUP) sets out conditions for use by the customer and its end users of the cloud computing services covered by the contract. It aims at protecting the provider from liability arising out of the conduct of its customers and customers' end users. Any potential customer is expected to accept such a policy, which will form part of the contract with the provider. The vast majority of standard AUPs prohibit a consistent set of activities that providers consider to be improper or illegal uses of cloud computing services. The AUP may restrict not only the type of content that may be placed on the cloud but also the customer's right to give access to data and other content placed on the cloud to third parties (e.g., nationals of certain countries or persons included in sanctions lists). The parties may agree to remove some prohibitions to accommodate specific business needs of the customer to the extent that such removal would be permissible under law.
It is usual for the provider's standard terms to require that the customer's end users also comply with the AUP and to oblige the customer to use its best efforts or commercially reasonable efforts to ensure such compliance. Some providers may require customers to affirmatively prevent any unauthorized or inappropriate use by third parties of the cloud computing services offered under the contract. The parties may agree on limited obligations, for example, that the customer will communicate the AUP to known end users, not authorize or knowingly allow such uses, and notify the provider of all unauthorized or inappropriate uses of which it becomes aware.
In a few jurisdictions, the law could impose duties on the provider as regards the content hosted on its cloud computing infrastructure, e.g., the duty to report illegal material to public authorities. Those duties may be non-transferable to the customer or to end users by the AUP or otherwise. They might have privacy and other ramifications and would be among factors considered in choosing a suitable provider.
Security of the system, including customer data security, involves shared responsibilities of the parties. The contract would need to specify reciprocal roles and responsibilities of the parties as regards security measures, reflecting obligations that may be imposed by mandatory law on either or both parties.
Usually, the provider will follow its security policies. In some cases, although not in standardized commoditized multi-subscriber solutions, it might be possible to reach an agreement that the provider will follow the customer's security policies. The contract may specify security measures (e.g., requirements for sanitization or deletion of data in the damaged media, the storage of separate packages of data in different locations, the storage of the customer's data on specified hardware that is unique to the customer). Excessive disclosure of security information in the contract may, however, be risky.
Some security measures do not presuppose the other party's input but rely exclusively on the relevant party's routine activities, such as inspections by the provider of the hardware on which the data is stored and on which the services run, and effective measures to ensure controlled access thereto. In other cases, allowing the party to perform its duties or evaluate and monitor the quality of security measures delivered may presuppose the input of the other party. The customer, for example, would be expected to update lists of users' credentials and their access rights and inform the provider of changes in time to ensure the proper identity and access management mechanisms. The customer would also be expected to inform the provider about the level of security to be allocated to each category of data.
Some threats to security may be outside the contractual framework between the customer and the provider and may require the terms of the cloud computing contract to be aligned with other contracts of the provider and the customer (e.g., with Internet service providers).
Providers' standard contracts may contain a general disclaimer that the ultimate responsibility for preserving the integrity of the customer's data lies with the customer.
Some providers may be willing to undertake data integrity commitments (for example, regular backups), possibly for an additional payment. Regardless of the contractual arrangements with the provider, the customer may wish to consider whether it is necessary to secure access to at least one usable copy of its data outside the provider's and its subcontractors' control, reach or influence and independently of their participation.
The provider's willingness to commit to ensuring the confidentiality of customer data depends on the nature of services provided to the customer under the contract, in particular whether the provider will be required to have unencrypted access to data for the provision of those services. Some providers may not be in a position to offer a confidentiality or non-disclosure clause and may expressly waive any duty of confidentiality regarding customer data. Other providers may be willing to assume liability for confidentiality of data disclosed by the customer during contract negotiations, but not for data processed during service provision. Some standard confidentiality clauses offered by providers may not be sufficient to ensure compliance with applicable law.
In the absence of contractual commitments and statutory obligations on the provider to maintain confidentiality, the customer may have full responsibility for keeping data confidential (e.g., through encryption). Where it is not possible to negotiate a general confidentiality clause applicable to all customer data placed in the cloud, the parties may agree on confidentiality commitments as regards some sensitive data (with a separate liability regime for breach of confidentiality of such data). The customer may in particular be concerned about its trade secrets, know-how and information that it is required to keep confidential under law or commitments to third parties. The parties may agree to restrict access to such data to a limited set of personnel and to require individual confidentiality commitments from them, in particular from those with high-risk roles (e.g., system administrators, auditors and persons dealing with intrusion detection reports and incident response). In those cases, the customer would normally specify to the provider such information, the required level of protection, any applicable law or contractual requirements and any changes affecting such information, including any changes in the applicable law.
In some cases, the disclosure of customer data may be necessary for the fulfilment of the contract. In other cases, the disclosure may be mandated by law, for example, under the duty to provide information to competent State authorities (see below under D. Rights to customer data and other content, Provider actions as regards customer data upon State orders or for regulatory compliance). Appropriate exceptions to confidentiality clauses would thus be warranted.
The provider may in turn impose on the customer the obligation not to disclose information about the provider's security arrangements and other details of services provided to the customer under the contract or law.
Personal data are subject to special protection by law in many jurisdictions. Law applicable to personal data processing may be different from the law applicable to the contract. It will override any non-compliant contractual clauses.
The contract may include a data protection or privacy clause, data processing agreement or similar type of agreement, although some providers may agree only to the general obligation to comply with applicable data protection laws. In some jurisdictions, such general commitment may be insufficient: the contract would need to stipulate at a minimum the subject matter and the duration, nature and purpose of the personal data processing, the type of personal data and categories of data subjects and the obligations and rights of the data controller and the data processor. Where it is not possible to negotiate a data protection clause in the contract, the customer may wish to review standard terms to determine whether the provisions give the customer sufficient guarantees of lawful personal data processing and adequate remedies for damages.
The customer will likely be the data controller and will assume responsibility for compliance with the data protection law in respect of personal data collected and processed in the cloud. The parties may agree on contractual clauses aimed at ensuring compliance with the applicable data protection regulations, including requests related to the data subjects' rights. The parties may also agree on separate remedies should those clauses be breached, including unilateral termination of the contract and compensation for damages.
Providers' standard contracts usually stipulate that the provider does not assume any data controller role. The provider will likely act as the data processor only when it processes the customer's data according to instructions of the customer for the sole purpose of providing the cloud computing services. In some jurisdictions, the provider may, however, be regarded as the data controller, regardless of contractual clauses, when it further processes data for its own purposes or upon instructions of State authorities and could thus assume full responsibility for personal data protection in respect of that further personal data processing (see below under J. Liability, Statutory limitations to contractual freedom).
Obligations arising from data breaches and other security incidents
The parties may be required under law or contract (or both) to notify each other immediately of a security incident of relevance to the contract or any suspicion thereof that becomes known to them. That obligation may be in addition to general notification of a security incident that may be required under law to inform all relevant stakeholders (including data subjects, insurers and State authorities, or the public at large) in order to prevent or minimize the impact of security incidents.
The law may contain specific security incident notification requirements, including the timing of notification, and identify the persons responsible for complying with them. Subject to those mandatory provisions, the parties may specify in the contract the notification period (e.g., one day after the party becomes aware of the incident or threat), the form and content of the security incident notification. The latter usually includes circumstances and the cause of the incident, type of affected data, the steps to be taken to resolve the incident, the time at which the incident is expected to be resolved and any contingency plan to employ while the incident is being resolved. It may also include information on failed breaches, attacks against specific targets (per customer user, per specific application, per specific physical machine), trends and statistics. Any notification requirements normally take into account the need not to disclose any sensitive information that could lead to the compromise of the affected party's system, operations or network.
The provider, the customer, or both, including by involving a third party, may be required by law or contract to take measures after a security incident (so-called "post-incident steps"), including the isolation or quarantine of affected areas, the performance of root cause analysis and the production of an incident analysis report. The incident analysis report may be produced by the affected party or by the affected party jointly with the other party or by an independent third party. Post-incident steps may vary depending on the categories of data stored in the cloud and other factors.
A serious security incident resulting in, for example, a loss of data may lead to the termination of the contract.
Data localization requirements
Providers' standard terms may expressly reserve the right of the provider to store customer data in any country in which the provider or its subcontractors operate. Such a practice will most likely be followed even in the absence of an explicit contractual right, since it is implicit in the provision of cloud computing services that they are provided, as a general rule, from more than one location (e.g., backup and antivirus protection may be remote, and support may be provided in a global "follow-the-sun" model). That practice may not comply with data localization requirements applicable to either or both parties.
Safeguards ensuring compliance with data localization requirements may be included in the contract, such as a prohibition on moving data and other content outside the specified location or a requirement of prior approval of such moves by the other party. For example, an SLA qualitative performance parameter may be included to ensure that the customer data (including any copy, metadata and backup thereof) would be stored exclusively in data centres physically located in the jurisdictions indicated in the contract and owned and operated by entities established in those jurisdictions. Alternatively, the parameter may specify, for example, that data should never be moved outside a specific country or region but may be duplicated in a particular third country or elsewhere, but never in a specific country.