The explosion of cloud computing is creating new common standards and changing industry contracting practices for access to these services. Cloud services providers tend to provide standard contractual terms that are largely non-negotiable due to the standardized, lower-priced services they offer, which differs from norms in the outsourcing services industry and from software licensing terms in some key ways. It is important to understand the types of cloud computing services where there are new and evolving terms of cloud services contracts, and how these are similar to and different from other agreements.
Types of cloud computing
Cloud computing services are increasing in usage exponentially as users seek to access functionality and storage quickly without building complicated, expensive, and time-consuming infrastructure. Cloud services vendors have grown rapidly in recent years to meet demand, creating an array of services.
We define cloud services as software services that are hosted by a third-party vendor on servers located remotely from the customer. The three types of cloud computing services are generally classified as 1) software as a service, 2) platform as a service, and 3) infrastructure as a service, and are further described as follows:
- Software as a service: The cloud services provider offers an all-in-one platform with application and platform functionality running on a cloud infrastructure. Examples are Google Apps for Business and Office 365.
- Platform as a service: The cloud services provider offers base level platform or virtualization services (e.g., a server platform) running on a cloud infrastructure, ready for the customer to install its applications. Examples are Google AppEngine and Windows Azure.
- Infrastructure as a service: The cloud services provider offers equipment, storage, or hardware only, with no server or platform software available. The customer provides its own services, operating layer software, and applications. Examples are Amazon Web Services and Windows Azure.
Customers procuring cloud services often encounter confusion and uncertainty about what terms and standards to apply to such services. As cloud offerings are a cross between software and services, both software and services terms will be relevant and found in these agreements.
UCC vs. contract laws
The Uniform Commercial Code (UCC) applies to the purchase of goods only and does not apply to cloud services; therefore, state contract laws largely govern cloud services contracts. However, given that software industry contracting has historically borrowed from the UCC due to various factors (such as drafting customs and deeming particular software as goods in some case law), many provisions in cloud computing have their origin in the UCC and look familiar. Intellectual property laws apply to the intellectual property licensed and addressed in cloud services agreements, so contract interpretation will be based on a mix of state contract law as well as federal laws.
Cloud providers typically view their cloud offerings as standard services with standard contract terms that cannot be modified for any particular customer. Cloud services providers who take this position often analogize their services to utility services. But customers who purchase cloud platforms often view these services as no different than traditional outsourcing services, and seek flexibility in cloud services and cloud contract terms as they would with any arm's-length negotiation. There is an inherent tension between these two views in cloud services negotiations. Whether the contract terms for cloud services are negotiable depends partly on the nature of the service, and partly on the cloud services provider. Cloud providers often take a non-negotiable approach because 1) the price offered for cloud services is often standardized and significantly lower than outsourcing or other customized hosted or ASP services, so that negotiation of terms is not built into the price, and 2) cloud services are usually designed as a breadth offering meeting the needs of most customers, so that resources are not in place to engage in extensive negotiations. Accordingly, purchasers of cloud services may not find the same negotiation flexibility from cloud services providers as they are accustomed to in an outsourcing agreement or other arm's-length negotiation. Customers, particularly enterprise customers, may feel that these agreements, which are often modeled on consumer-facing cloud agreements, do not reflect an appropriate risk allocation for their businesses.
We observe the following in drafting and negotiating specific key terms in cloud services agreements:
- License grants. Cloud services providers appear to be split on whether a license grant to use the services is necessary or should be granted. For services, we view this as not strictly necessary as there are usually no intellectual property rights transferred. In the event that there is a transfer of software that the customer will be using, we recommend for both providers and customers that a license grant be drafted into the agreement to set clear rights and responsibilities for code received and handled by a customer.
- Service levels. Most cloud services come with a service level agreement or other set of performance commitments. For cloud services, service providers often reject attempts by customers to customize service levels because the services are managed to a single standard. Customers who seek different reporting metrics, higher up-time levels, or other variations may consider, if they are unsuccessful in obtaining customized service or performance commitments, whether other contract-based remedies might suit their needs, such as early termination rights and greater financial penalties.
- Service evolution. Sometimes, purchasers of cloud services wish to control, specify, or limit the features in the cloud services that are offered. For customers who have more intensive or specific IT requirements, the fact that a vendor retains flexibility to change features and functionality in the service may be an issue. From the cloud services provider’s perspective, the customer is purchasing a service that evolves with the latest technology and feature improvements. From the customer’s perspective, it may be important that features are not changed or removed given that key portions of the customer’s infrastructure or data may be in the cloud. For a customer with very strong, specific, feature needs, where a cloud provider can offer no special configurations, a hybrid cloud-outsourcing or other alternative approach may be warranted. All customers should investigate options for prior notice of service changes or feature removal, and ramp-down periods and other transition services that may be available from the cloud services provider.
- Privacy and security commitments. Cloud services providers build privacy and security policies based on standardization requirements and operational features of their service. A purchaser of cloud services should first evaluate whether the vendor's standard policies allow the purchaser to comply with its own policies and with applicable laws. If deficiencies are noted, purchasers may need to try to negotiate customizations in the vendor's data handling and security policies if any custom terms are available, or modify their own security and data handling procedures. Although cloud services providers are often unable or unwilling to operationally handle customizations, we note that cloud services providers are increasingly offering much more standard and high-level assurances around privacy and security, such as ISO certification, SSAE audit reports, Data Processing Agreements, and Model Clauses (for EU customers) than in the past.
- Limitation on liability. Cloud services providers all have caps on their liability in their standard agreements and, in our experience, these caps are often tied to deal value with few exclusions. 12 months’ fees is a typical liability cap. Often this liability limit excludes indemnification obligations, and other exclusions vary. Outsourcing and other customized offerings tend to have higher liability limits and significantly more flexibility in negotiating these limits and exclusions from these limits. The willingness of outsourcing and similar providers to take on more risk generally reflects greater integration between the provider and their customers, and the fact that these vendors are providing custom, tailored solutions, rather than a one-size-fits-all cloud solution.
- Indemnification. In a survey of cloud services provider contracts, we note that nearly all cloud services providers give protection against third party suits for intellectual property infringement. This is common with software license agreements as well. Other indemnification, such as indemnification for violation of laws or for breach of contract, is far less common, and the existence of such a term should be viewed as a beneficial non-industry standard term for the customer. On the flip side, customer indemnifications tend to be broader and may include the actions of customers on the cloud platform. Nearly all providers surveyed required that customers indemnify the cloud services provider from violation of their service’s acceptable use policy. Cloud services providers have concerns about what is being hosted on their platforms, as well as the unmonitored activities of customers on their platforms, and do not want to accept the risk of third party suits that may arise from customers’ use of the services.