Notes on the Main Issues of Cloud Computing Contracts (prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)
Part One. Main precontractual aspects
A. VERIFICATION OF MANDATORY LAW AND OTHER REQUIREMENTS
The legal framework applicable to the customer, the provider or both may impose conditions for entering into a cloud computing contract. Such conditions may also stem from contractual commitments, including intellectual property (IP) licences. The parties should in particular be aware of laws and regulations related to personal data, consumer protection, cybersecurity, export control, customs, tax, trade secrets, IP-specific and sector-specific regulation that may be applicable to them and their future contract. Non-compliance with mandatory requirements may have significant negative consequences, including invalidity or unenforceability of a contract or part thereof, administrative fines and criminal liability.
Conditions for entering into a cloud computing contract may vary by sector and jurisdiction. They may include requirements to take special measures for the protection of data subjects' rights, to deploy a particular model (e.g., private cloud as opposed to public cloud), to encrypt data placed in the cloud and to register with State authorities a transaction or a software used in the processing of personal data. They may also include data localization requirements, as well as requirements regarding the provider.
Data localization
Data localization requirements may arise in particular from the law applicable to personal data, accounting data, as well as public sector data and export control laws and regulations that may restrict the transfer of certain information or software to or from particular countries or a region. Compliance with data localization requirements set forth in the applicable law would be of paramount importance for the parties. The contract would not be able to override those requirements.
Data localization requirements may also arise from contractual commitments (e.g., IP licences that require the licensed content to be stored on the user's own secured servers). Data localization may be preferred for purely practical reasons, for example to reduce latency, which may be especially important for real-time operations, such as stock exchange trading. (Read more on contractual data localization safeguards.)
Choice of a contracting party
The choice of a contracting party may be restricted, in addition to market conditions, by statutory requirements. There may be a statutory prohibition on entering into a cloud computing contract with foreign persons, persons from certain jurisdictions or persons not accredited/certified with competent State authorities. There may be a requirement for a foreign person to form a joint venture with a national entity or to acquire local licenses and permissions, including export control permissions, for the provision of cloud computing services in a particular jurisdiction. Data localization requirements (see immediately above) as well as statutory obligations on either party to disclose or provide access to the data and other content to foreign State authorities may also influence the choice of a contracting party.
B. Pre-contractual risk assessment
The applicable mandatory law may require a risk assessment as a precondition to entering into a cloud computing contract. Even in the absence of statutory requirements, the parties may decide to undertake a risk assessment that might help them to identify risk mitigation strategies, including the negotiation of appropriate contractual clauses.
Not all risks arising from cloud computing contracts would be cloud-specific. Some risks would be handled outside a cloud computing contract (e.g., risks arising from online connectivity interruptions) and not all risks could be mitigated at an acceptable cost (e.g., reputational damage). In addition, risk assessment would not be a one-off event before concluding a contract. Risk assessment could be ongoing throughout the duration of the contract, and risk assessment outcomes may necessitate amendment or termination of the contract.
Verification of information about a specific cloud computing service and a selected contracting party
The following information may be relevant to the parties when they consider employing a specific cloud computing service and selecting a contracting party:
(a) IP licenses required for using a specific cloud computing service;
(b) The privacy, confidentiality and security policies in place, in particular as regards prevention of unauthorized access, use, alteration or destruction of the data during processing, transit or transfer using the cloud computing infrastructure;
(c) Measures in place to ensure the ongoing access to metadata, audit trails and other logs demonstrating security measures;
(d) The existing disaster recovery plan and notification obligations in the case of a security breach or system malfunction;
(e) Policies in place as regards migration-to-the-cloud and end-of-service assistance as well as interoperability and portability;
(f) The existing measures for vetting and training of employees, subcontractors and other third parties involved in the provision of the cloud computing services;
(g) Statistics on security incidents and information about past performance with disaster recovery procedures;
(h) Certification by an independent third party on compliance with technical standards;
(i) Information indicating regularity and extent of audit by an independent body;
(j) Financial viability;
(k) Insurance policies;
(l) Possible conflicts of interest;
(m) Extent of subcontracting and layered cloud computing services;
(n) Extent of isolation of data and other content in the cloud computing infrastructure; and
(o) Expected reciprocial roles and shared responsibilities of the parties for security measures.
IP infringement risks
IP infringement risks may arise if, for example, the provider is not the owner or developer of the resources that it provides to its customers, but rather uses them under an IP licence arrangement with a third party. IP infringement risks may also arise if the customer is required, for the implementation of the contract, to grant to the provider a licence to use the content that the customer intends to place in the cloud. In some jurisdictions, storage of the content on the cloud even for backup purposes may be qualified as a reproduction and require prior authorization from the IP rights owner.
It is in the interests of both parties to ensure before the conclusion of the contract that the use of the cloud computing services would not constitute an infringement of IP rights and a cause for the revocation of the IP licences granted to either of them. Costs of IP infringement may be very high. The right to sublicense may need to be arranged, or a direct licence arrangement may need to be concluded with the relevant third-party licensor under which the right to manage the licences will be granted. The use of open source software or other content may necessitate obtaining an advance consent from third parties and disclosing the source code with any modifications made to open source software or other content.
Risks to data security, integrity, confidentiality and privacy
Migration of all or part of data to the cloud leads to the customer's loss of exclusive control over that data and of the ability to deploy the necessary measures to guarantee data integrity and confidentiality or to verify whether data processing and retention are being handled adequately. The extent of the loss of control will depend on the type of cloud computing service.
Inherent features of cloud computing services such as broad network access, multi-tenancy and resource pooling may require from the parties more precautions to prevent interception of communications and other cyberattacks, that may lead to the loss or compromise of credentials for access to cloud computing services, data loss and other security breaches. Adequate isolation of resources and data segregation and robust security procedures are especially important in a shared environment such as cloud computing.
Security measures will be the shared responsibility of the parties in the cloud computing environment regardless of the type of cloud computing services employed. Pre-contractual risk assessment provides a good opportunity for the parties to eliminate any ambiguity in defining their roles and responsibilities related to data security, integrity, confidentiality and privacy. Contractual clauses will play an important role in reflecting the agreement of the parties on the mutual allocation of risks and liabilities related to those and other aspects of the provision of cloud computing services. Those clauses will not be able to override mandatory provisions of law. Read more.
Penetration tests, audits and site visits
Steps may be taken at the pre-contractual stage to verify the adequacy of isolation of resources, data segregation, identification procedures and other security measures. They should aim at identifying possible additional precautions that may need to be taken by the parties to prevent data security breaches and other malfunctions in the provision of the cloud computing services to the customer.
Laws and regulations may require audits, penetration tests and physical inspection of data centres involved in the provision of the cloud computing services, in particular to ascertain that their location complies with statutory data localization requirements. The parties would need to agree on conditions for undertaking those activities, including their timing, allocation of costs and indemnification for any possible damage caused by those activities.
Lock-in risks
Avoiding or reducing lock-in risks, often arising from the lack of interoperability and portability, may be one of the most important considerations for the parties. Higher lock-in risks may arise from long-term contracts and from automatically renewable short- and medium-term contracts.
Risks of application and data lock-ins are especially high in SaaS and PaaS. Data may exist in formats specific to one cloud system that will not be usable in other systems. In addition, a proprietary application or system used to organize data may require adjustment of licensing terms to allow operation in a different network. Programs to interact with the application programming interfaces (API) may need to be rewritten to take into account the new system's API. High switching costs may also arise from the need to retrain end users.
In PaaS, there could also be runtime lock-in since runtimes (i.e., software designed to support the execution of computer programs written in a specific programming language) are often heavily customized (e.g., aspects such as allocating or freeing memory, debugging, etc.). In IaaS, lock-in varies depending on the specific infrastructure services consumed. Like in Paas, some infrastructure services may lead to application lock-in if the service depends on specific policy features (e.g., access controls) or data lock-in if more data are moved to the cloud for storage.
At the pre-contractual stage, tests could be run to verify whether data and other content can be exported to another system and made usable there. Synchronization between cloud and in-house platforms and replication of data elsewhere may be needed. Transacting with more than one party and opting for a combination of various types of cloud computing services and their deployment models (i.e., multi-sourcing), although possibly with cost and other implications, may be an important part of the mitigating strategy against lock-in risks. Contractual clauses may also assist with mitigating lock-in risks. Read more.
Business continuity risks
The parties may be concerned about business continuity risks not only in anticipation of the scheduled termination of the contract, but also of its possible unilateral suspension or earlier termination, including when either party may no longer be in business. The law may require putting in place in advance an appropriate strategy to ensure business continuity, in particular in order to avoid the negative impact of termination or suspension of the cloud computing services on end users. Contractual clauses may also assist with mitigating business continuity risks. Read more.
Exit strategies
For successful exit strategies, parties may need to clarify from the outset: (a) the content that will be subject to exit (e.g., only the data that the customer entered in the cloud or also cloud service-derived data); (b) any amendments that would be required to IP licenses to enable the use of that content in another system; (c) control of decryption keys and access to them; and (d) the time period required to complete the exit. End-of-service contractual clauses usually reflect the agreement of the parties on those issues. Read more.
C. Other pre-contractual issues
Disclosure of information
The applicable law may require the parties to a contract to provide to each other information that would allow them to make an informed choice about the conclusion of the contract. The absence, or the lack of clear communication to the other party, of information necessary to make the object of the obligation determined or determinable prior to contract conclusion may make a contract or part thereof null and void or entitle the aggrieved party to claim damages.
In some jurisdictions, pre-contractual information may be considered an integral part of the contract. In such cases, the parties would need to ensure that such information is appropriately recorded and that any mismatch between that information and the contract itself is avoided. The parties would also need to deal with concerns over the impact of pre-contractually disclosed information on flexibility and innovation at the contract implementation stage.
Confidentiality
Some information disclosed at the pre-contractual stage may be considered confidential, in particular as regards security, identification and authentication measures, subcontractors and the location and type of data centres (which in turn may identify the type of data stored there and access thereto by local or foreign State authorities). The parties may agree that certain information disclosed at the pre-contractual stage should be treated as confidential. Written confidentiality undertakings or non-disclosure agreements may be required also from third parties involved in pre-contractual due diligence (e.g., auditors).
Migration to the cloud
Before migration to the cloud, the customer would usually be expected to classify data to be migrated to the cloud and secure it according to its level of sensitivity and criticality and inform the provider about the level of protection required for each type of data. The customer may also be expected to supply to the provider other information necessary for the provision of the services (e.g., the customer's data retention and disposition schedule, user identity and access management mechanisms and procedures for access to the encryption keys if necessary).
In addition to the transfer of data and other content to the provider's cloud, migration to the cloud may involve installation, configuration, encryption, tests and training of the customer's staff and other end users. Those aspects may be part of the customer contract with the provider or be the subject of a separate agreement of the customer with the provider or third parties, such as cloud computing service partners. Extra costs may arise. Parties involved in the migration would normally agree on their roles and responsibilities during migration, terms of their engagement, the format in which the data or other content is to be migrated to the cloud, timing of migration, an acceptance procedure to ascertain that the migration was performed as agreed and other details of the migration plan.