Cloud Computing Service Agreements
By Gavin George

How should you approach your cloud computing service contract?

As a preliminary matter, one would expect that the terms for a free cloud service will differ greatly from terms for a paid cloud service. Also, one would expect that cloud services offered to hundreds or even thousands of individual users will differ compared to cloud services marketed to a handful of enterprise customers.

Every cloud computing vendor should have standard “Terms of Use” and “Acceptable Use Policy” documents for its cloud service, which are often presented to the customer in an online format. If the cloud service is free or low-cost, the cloud vendor will likely require agreement to these documents via a mouse click as the preliminary (and often sole) prerequisite for a customer using its service.

If the cloud service is paid, the cloud vendor will likely have a service level agreement to supplement its online documents. A very simple service level agreement might state that the cloud vendor will keep the system available twenty-four hours a day, seven days a week, excepting planned downtimes and events outside of its reasonable control. Customers generally want more negotiation of such service level agreements. Cloud vendors may be expected to provide an editable version of the service level agreement to facilitate negotiation.

Customers should know that a big advantage of the cloud is that downtime can affect hundreds or thousands of customers. This creates an enormous incentive for the vendor to maintain promised service levels, over and above anything in the traditional software model.
However, because cloud services must be provided consistently among a number of customers, most vendors will not be open to enormous movement on service level agreements. Similar to utility or telecommunications contracts, a cloud provider’s ability to serve multiple customers rests on the standardization of its technology and processes. Pulling too far away from the standard model will affect a cloud vendor’s ability to provide services through a common architecture.

© 2012 Haynes and Boone, LLP (haynesboone.com)

How will a cloud computing service contract differ from a traditional software purchase?

Cloud vendors, by definition, retain possession of the software code. All copies of the software code are made on the vendor’s side (except perhaps for small client-side programs). Therefore, there is no need for a clause stating “vendor hereby grants a license to customer to copy and use the software” like a traditional software license agreement.

In the traditional software model, the customer pays full price upfront for a perpetual software license. However, a cloud service is almost always sold as a time-based subscription. When the customer pays for the subscription on an ongoing, periodic basis, the cloud vendor’s interests should be aligned with the customer’s satisfaction. Since the customer’s goal in adopting cloud services is often about achieving efficiency, customers often push for a longer period of service commitment by the vendor while also asking for the ability to easily exit the relationship if expected efficiencies are not achieved. However, the cloud vendor will push back against easy exits from the contract before the designated end of the subscription period, to avoid an unexpected loss of a revenue stream.

Traditionally, when a customer was running software itself, it had no guarantee that a third party would not hack into the customer’s internal systems and compromise data. When moving to the cloud, vendors are justifiably unwilling to act as the guarantor of data security for the mere price of the subscription. But vendors can offer reasonable assurances, both practical and contractual, of the vendor’s commitment to the security and privacy of the customer’s data. Specifically, a vendor may make some form of statement about the reasonable efforts that the vendor will take to maintain the security of the data. There should also be clear contractual boundaries that limit how the cloud vendor is expected to use the data. In addition, a customer will often ask for declarations that the customer owns the data it submits to the cloud service, and that a customer should be able to retrieve its data upon termination of the agreement.

A traditional commercial software contract will ordinarily include a warranty that the software will perform in accordance with its written specifications. A cloud vendor can offer similar assurance, although the language may not be structured as a traditional warranty. The assurance might come in the form of a statement by the vendor that the functionality of the cloud service will not be materially decreased during the term of the subscription, and will meet the promised service levels.

Traditional software contracts offer protection for the customer against third party claims alleging that the software violates a third party’s intellectual property rights. Customers will often expect a cloud vendor’s agreement to include similar indemnification protection against third party claims for intellectual property infringement caused by the customer’s authorized use of the cloud-based software.

What do your customers want to know about cloud service levels?

Customers will want to know about the cloud vendor.
Vendors may be asked to provide a track record of uptime or to publish uptime statistics. Customers may like to hear that the vendor has other large customers sharing the same infrastructure, which will increase the vendor’s incentive to keep the service available. Customers may inquire whether the vendor is financially secure and about what type of redundancy is built into the cloud service to protect against a disaster. The ideal outcome for a customer and vendor is never having to worry about service level penalties because they are consistently met by a trusted and knowledgeable vendor.