Welcome to the United Nations
Language:
  1. Home
  2. DRAFT Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019): Main pre-contractual aspects

DRAFT Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019): Main pre-contractual aspects

Part one. Main pre-contractual aspects

A. Verification of mandatory law and other requirements

The legal framework applicable to the customer, the provider or both may impose conditions for entering into a cloud computing contract. Such conditions may also stem from contractual commitments, including intellectual property (IP) licences. The parties should in particular be aware of laws and regulations related to personal data, cybersecurity, export control, customs, tax, trade secrets, IP-specific and sector-specific regulation that may be applicable to them and their future contract. Negative consequences of non-compliance with mandatory requirements may be significant, including invalidity or unenforceability of a contract or part thereof, administrative fines and criminal liability.

Conditions for entering into a cloud computing contract may vary by sector and jurisdiction. They may include requirements to take special measures for the protection of data subjects' rights, to deploy a particular model (e.g., private cloud as opposed to public cloud), to encrypt data placed in the cloud and to register with State authorities a transaction or a software used in the processing of personal data. They may also include data localization requirements, as well as requirements regarding the provider.

Data localization

Data localization requirements may arise in particular from the law applicable to personal data, accounting data and public sector data and export control laws and regulations that may restrict the transfer of certain information or software to or from particular countries or a region. Compliance with data localization requirements set forth in the applicable law would be of paramount importance for the parties. The contract would not be able to override those requirements.

Data localization requirements may also arise from third party contractual commitments, e.g., IP licences that require the licensed content to be stored on the user's own secured servers. Data localization may be preferred for purely practical reasons, for example to reduce latency, which may be especially important for real-time operations, such as stock exchange trading. (Read more on contractual data localization safeguards.)

Choice of a contracting party

The choice of a contracting party may be restricted, in addition to market conditions, by statutory requirements. There may be a statutory prohibition on entering into a cloud computing contract with foreign persons, persons from certain jurisdictions or persons not accredited/certified with competent State authorities. There may be a requirement for a foreign person to form a joint venture with a national entity or to acquire local licenses and permissions, including export control permissions, for the provision of cloud computing services in a particular jurisdiction. Data localization requirements (see paras. 10–11 above) as well as statutory obligations on either party to disclose or provide access to the data and other content to foreign State authorities may also influence the choice of a contracting party.

B. Pre-contractual risk assessment

The applicable mandatory law may require a risk assessment as a precondition to entering into a cloud computing contract. Even in the absence of statutory requirements, the parties may decide to undertake a risk assessment that might help them to identify risk mitigation strategies, including the negotiation of appropriate contractual clauses.

Not all risks arising from cloud computing contracts would be cloud-specific. Some risks would be handled outside a cloud computing contract (e.g., risks arising from online connectivity interruptions) and not all risks could be mitigated at an acceptable cost (e.g., reputational damage). In addition, risk assessment would not be a one-off event before concluding a contract. Risk assessment could be ongoing throughout the duration of the contract, and risk assessment outcomes may necessitate amendment or termination of the contract.

Verification of information about a specific cloud computing service and a selected contracting party

The following information may be relevant to the parties when they consider employing a specific cloud computing service and selecting a contracting party:

(a)     IP licenses required for using a specific cloud computing service;

(b)      The privacy, confidentiality and security policies in place, in particular as regards prevention of unauthorized access, use, alteration or destruction of the data during processing, transit or transfer using the cloud computing infrastructure;

(c)      Measures in place to ensure the ongoing access to metadata, audit trails and other logs demonstrating security measures;

(d)      The existing disaster recovery plan and notification obligations in the case of a security breach or system malfunction;

(e)      Policies in place as regards migration-to-the-cloud and end-of-service assistance as well as interoperability and portability;

(f)       The existing measures for vetting and training of employees, subcontractors and other third parties involved in the provision of the cloud computing services;

(g)      Statistics on security incidents and information about past performance with disaster recovery procedures;

(h)      Certification by an independent third party on compliance with technical standards;

(i)       Information indicating regularity and extent of audit by an independent body;

(j)       Financial viability;

(k)      Insurance policies;

(l)       Possible conflicts of interest;

(m)     Extent of subcontracting and layered cloud computing services; and

(n)      Extent of isolation of data and other content in the cloud computing infrastructure.

IP infringement risks

IP infringement risks may arise if, for example, the provider is not the owner or developer of the resources that it provides to its customers, but rather uses them under an IP licence arrangement with a third party. IP infringement risks may also arise if the customer is required, for the implementation of the contract, to grant to the provider a licence to use the content that the customer intends to place in the cloud. In some jurisdictions, storage of the content on the cloud even for backup purposes may be qualified as a reproduction and require prior authorization from the IP rights owner.

It is in the interests of both parties to ensure before the conclusion of the contract that the use of the cloud computing services would not constitute an infringement of IP rights and a cause for the revocation of the IP licences granted to either of them. Costs of IP infringement may be very high. The right to sublicense may need to be arranged, or a direct licence arrangement may need to be concluded with the relevant third party licensor under which the right to manage the licences will be granted. The use of open source software or other content may necessitate obtaining an advance consent from third parties and disclosing the source code with any modifications made to open source software or other content.

Risks to data security, integrity, confidentiality and privacy

Migration of all or part of data to the cloud leads to the loss of exclusive control by the customer over that data and ability to deploy the necessary measures to guarantee data integrity and confidentiality or verify whether data processing and retention are being handled adequately. The extent of the loss of control will depend on the type of cloud computing service.

Inherent features of cloud computing services such as broad network access, multi-tenancy and resource pooling may require from the parties more precautions to prevent interception of communications and other cyberattacks, which may lead to the loss or compromise of credentials for access to cloud computing services, data loss and other security breaches. Adequate isolation of resources and data segregation and robust security procedures are especially important in a shared environment such as cloud computing.

Security measures will be the shared responsibility of the parties in the cloud computing environment regardless of the type of cloud computing services employed. Pre-contractual risk assessment provides a good opportunity for the parties to eliminate any ambiguity in defining their roles and responsibilities related to data security, integrity, confidentiality and privacy. Contractual clauses will play an important role in reflecting the agreement of the parties on allocation of risks and liabilities between them related to those and other aspects of the provision of cloud computing services. Those clauses will not be able to override mandatory provisions of law. Read more.

Penetration tests, audits and site visits

Steps may be taken at the pre-contractual stage to verify the adequacy of isolation of resources and data segregation, identification procedures and other security measures. They should aim at identifying possible additional precautions that may need to be taken by the parties to prevent data security breaches and other malfunctions in the provision of the cloud computing services to the customer.

Laws and regulations may require audits, penetration tests and physical inspection of data centres involved in the provision of the cloud computing services, in particular to ascertain that their location complies with statutory data localization requirements. The parties would need to agree on conditions for undertaking those activities, including their timing, allocation of costs and indemnification for any possible damage caused by those activities.

Lock-in risks

Avoiding or reducing lock-in risks, often arising from the lack of interoperability and portability, may be one of the most important considerations for the parties. Higher lock-in risks may arise from long-term contracts and from automatically renewable short- and medium-term contracts.

Risks of application and data lock-ins are especially high in SaaS and PaaS. Data may exist in formats specific to one cloud system that will not be usable in other systems. In addition, a proprietary application or system used to organize data may require adjustment of licensing terms to allow operation in a different network. Programs to interact with the application programming interfaces (API) may need to be rewritten to take into account the new system's API. High switching costs may also arise from the need to retrain end users.

In PaaS, there could also be runtime lock-in since runtimes (i.e., software designed to support the execution of computer programs written in a specific programming language) are often heavily customized (e.g., aspects such as allocating or freeing memory, debugging, etc.). IaaS lock-in varies depending on the specific infrastructure services consumed but may also lead to application lock-in if there is dependence on specific policy features (e.g., access controls) or data lock-in if more data are moved to the cloud for storage.

At the pre-contractual stage, tests could be run to verify whether data and other content can be exported to another system and made usable there. Synchronization between cloud and in-house platforms and replication of data elsewhere may be needed. Transacting with more than one party and opting for a combination of various types of cloud computing services and their deployment models (i.e., multi-sourcing), although possibly with cost and other implications, may be an important part of the mitigating strategy against lock-in risks. Contractual clauses may also assist with mitigating lock-in risks. Read more.

Business continuity risks

The parties may be concerned about business continuity risks not only in anticipation of the scheduled termination of the contract, but also of its possible unilateral suspension or earlier termination, including when either party may no longer be in business. The law may require putting in place in advance an appropriate strategy to ensure business continuity, in particular in order to avoid the negative impact of termination or suspension of the cloud computing services on end users. Contractual clauses may also assist with mitigating business continuity risks. Read more.

Exit strategies

For successful exit strategies, parties may need to clarify from the outset: (a) the content that will be subject to exit (e.g., only the data that the customer entered in the cloud or also cloud service-derived data); (b) any amendments that would be required to IP licenses to enable the use of that content in another system; (c) control of decryption keys and access to them; and (d) the time period required to complete the exit. End-of-service contractual clauses usually reflect the agreement of the parties on those issues.  Read more.

C. Other pre-contractual issues

Disclosure of information

The applicable law may require the parties to a contract to provide to each other information that would allow them to make an informed choice about the conclusion of the contract. The absence, or the lack of clear communication to the other party, of information necessary to make the object of the obligation determined or determinable prior to contract conclusion may make a contract or part thereof null and void or entitle the aggrieved party to claim damages.

In some jurisdictions, pre-contractual information may be considered an integral part of the contract. In such cases, the parties would need to ensure that such information is appropriately recorded and that any mismatch between that information and the contract itself is avoided. The parties would also need to deal with concerns over the impact of pre-contractually disclosed information on flexibility and innovation at the contract implementation stage.

Confidentiality

Some information disclosed at the pre-contractual stage may be considered confidential, in particular as regards security, identification and authentication measures, subcontractors and the location and type of data centres, which in turn may identify the type of data stored there and access thereto by local or foreign State authorities. The parties may agree that certain information disclosed at the pre-contractual stage should be treated as confidential. Written confidentiality undertakings or non-disclosure agreements may be required also from third parties involved in pre-contractual due diligence (e.g., auditors).

Migration to the cloud

Before migration to the cloud, the customer would usually be expected to classify data to be migrated to the cloud and secure it according to its level of sensitivity and criticality and inform the provider about the level of protection required for each type of data. The customer may also be expected to supply to the provider other information necessary for the provision of the services (e.g., the customer's data retention and disposition schedule, user identity and access management mechanisms and procedures for access to the encryption keys if necessary).

In addition to the transfer of data and other content to the provider's cloud, migration to the cloud may involve installation, configuration, encryption, tests and training of the customer's staff and other end users. Those aspects may be part of the customer contract with the provider or be the subject of a separate agreement of the customer with the provider or third parties, such as cloud computing service partners. Extra costs may arise. Parties involved in the migration would normally agree on their roles and responsibilities during migration, terms of their engagement, the format in which the data or other content is to be migrated to the cloud, timing of migration, an acceptance procedure to ascertain that the migration was performed as agreed and other details of the migration plan.

Relevant Glossary terms

Audit: The process of examining compliance with contractual and statutory requirements or technical standards. It may cover technical aspects, such as the quality and security of hardware and software; compliance with any applicable industry standards; and the existence of adequate measures, including isolation, to prevent unauthorized access to and use of the system and to assure data integrity. The audit may be internal or external or be done by an independent third party appointed by either the provider, the customer or both. The service level agreement (SLA) may contain specific performance parameters related to audit, e.g., that the services provided under the contract are certified at least annually by an independent auditor against a security standard identified in the contract.

Cloud computing services: online services characterized by:  (a) Broad network access, meaning that services can be accessed over the network from any place where the network is available (e.g., through the Internet), using a wide variety of devices, such as mobile phones, tablets and laptops; (b) Metered delivery, allowing usage of the resources to be monitored and charged by reference to level of usage (on a pay-as-you-go basis); (c) Multi-tenancy, meaning that physical and virtual resources are allocated to multiple users whose data are isolated and inaccessible to one another; (d) On-demand self-service, meaning that services are used by the customer as needed, automatically or with minimal interaction with the provider; (e) Elasticity and scalability, meaning the capability for rapidly scaling up or down the consumption of services according to the customer’s needs, including large-scale trends in resource usage (e.g., seasonal effects); (f) Resource pooling, meaning that physical or virtual resources can be aggregated by the provider in order to serve one or more customers without their control or knowledge over the processes involved; (g) A wide range of services from the provision and use of simple connectivity and basic computing services (such as storage, emails and office applications) to the provision and use of the whole range of physical information technology infrastructure (such as servers and data centres) and virtual resources needed for the customer to build its own information technology platforms, or deploy, manage and run customer-created or customer-acquired applications or software. Infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS) are types of cloud computing services.

Cloud computing service partners (e.g., cloud auditors, cloud service brokers and system integrators): Persons engaged in support of, or auxiliary to, activities of either the provider or the customer or both. Cloud auditors conduct an audit of the provision and use of cloud computing services. Cloud service brokers or system integrators assist parties with a wide range of issues, e.g., with finding the right cloud solution, negotiating acceptable terms and migrating the customer to the cloud.

Cloud service-derived data: Data under the control of the provider that are derived as a result of the use by the customer of the cloud computing services of that provider. It includes metadata and any other log data generated by the provider containing records of who used the services, at what times, which functions and which types of data are involved. It can also include information about authorized users, their identifiers and any configuration, customization and modification.

Data localization requirements: Requirements relating to the location of data and other content or data centres or the provider. They may prohibit certain data (including metadata and backups) from residing in or transiting into or out of a certain area or jurisdictions or require that prior approval be obtained from a competent State body for that. They are often found in data protection law and regulations, which may in particular prohibit personal data from residing in or transiting into jurisdictions that do not adhere to certain standards of personal data protection.

Data subjects’ rights: Rights associated with data subjectspersonal data. Data subjects under law may enjoy the right to be informed about all significant facts related to their personal data, including data location, use by third parties and data leaks or other data breaches. They may also have the right to access their personal data at any time, the right to erasure of their personal data (pursuant to the right to be forgotten), the right to restrict processing of their personal data and the right to portability of their personal data.

Deployment models: The various ways in which cloud computing services are organized, based on the control and sharing of physical or virtual resources:  (a)  Public cloud, where cloud computing services are potentially available to any interested customer and resources are controlled by the provider;  (b) Community cloud, where cloud computing services exclusively support a specific group of related customers with shared requirements and resources are controlled by at least one member of that group;  (c) Private cloud, where cloud computing services are used exclusively by a single customer and resources are controlled by that customer; (d) Hybrid cloud, where at least two different cloud deployment models are used.

Interoperability: The ability of two or more systems or applications to exchange information and to mutually use the information that has been exchanged.

Intellectual property (IP) licences: Agreements between an IP rights owner (the licensor) and a person authorized to use those IP rights (the licensee). They usually impose restrictions and obligations on the extent and manner in which the licensee or third parties may use the licenced property. For example, software and visual content (designs, layouts and images) may be licensed for specific use, not allowing copying, modification or enhancement, and be restricted to a certain medium. The licences may be limited to a particular market (e.g., national or (sub)regional), a number of users or a number of devices, or may be time-bound. Sub-licensing may not be permitted. The licensor may require reference to be made to the IP rights owner each time the IP rights are used.

Latency: The delay between a user’s request and a provider’s response to it. It affects how usable the cloud computing services actually are. In the service level agreement (SLA), the latency is usually expressed in milliseconds.

Layered cloud computing services: Where the provider is not the owner of all or any computing resources that it uses for the provision of the cloud computing services to its customers but is itself the customer of all or some cloud computing services. For example, the provider of platform as a service (PaaS) or software as a service (SaaS) types of service may use storage and server infrastructure (data centres, data servers) owned or provided by another entity. As a result, one or more sub-providers may be involved in providing the cloud computing services to the customer. The customer may not know which layers are involved in the provision of services at a given time, which makes identification and management of risks difficult. Layered cloud computing services are common in SaaS in particular.

Lock-in: Where the customer is dependent on a single provider because the costs of switching to another provider are substantial. Costs in this context are to be understood in the broadest sense as encompassing not only monetary expenses but also effort, time and relational aspects.

Metadata: Basic information about data (such as author, when the data were created, when they were modified and file size). It makes finding and using the data easier and may be required to ensure the authenticity of the record. It can be generated by the customer or the provider.

Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate. The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual (see the data subject).

Portability: The ability to easily transfer data, applications and other content from one system to another (i.e., at low cost, with minimal disruption and without being required to re-enter data, re-engineer processes or re-program applications). This might be achieved if it is possible to retrieve the data in the format that is accepted in another system or with a simple and straightforward transformation using commonly available tools. The service level agreement (SLA) may contain performance parameters related to portability, e.g., the customer data is retrievable by the customer via a single download link or documented application programming interfaces (API); or the data format is structured and documented in a sufficient manner to allow the customer to re-use it or to restructure it into a different data format if desired.

Sector-specific regulations: Financial, health, public sector or other specific sector or profession regulations (e.g., attorney-client privilege, medical professional secrecy) and rules for handling classified information (broadly understood as information to which access is restricted by law or regulation to particular classes of persons).

Security incident: An event that indicates that the system or data have been compromised or that measures put in place to protect them have failed. A security incident disrupts normal operations. Examples of security incidents include attempts from unauthorized sources to access systems or data, unplanned disruption to a service or denial of a service, unauthorized processing or storage of data and unauthorized changes to system infrastructure.

To the main page

To the contractual aspects

To other terms in the Glossary