Cloud Computing Service Agreements

Transcription

Cloud Computing Service Agreements
Cloud Computing Service Agreements
By Gavin George
How should you approach your cloud computing service contract?
As a preliminary matter, one would expect that the terms for a free cloud service will
differ greatly from terms for a paid cloud service. Also, one would expect that cloud
For more information,
please contact:
David Burton
[email protected]
972.680.7554
Andy Ehmke
[email protected]
214.651.5116
Bill Kleinman
services offered to hundreds or even thousands of individual users will differ compared
to cloud services marketed to a handful of enterprise customers.
Every cloud computing vendor should have standard “Terms or Use” and “Acceptable
Use Policy” documents for its cloud service, which are often presented to the customer
in an online format. If the cloud service is free or low-cost, the cloud vendor will likely
require agreement to these documents via a mouse click as the preliminary (and often
sole) prerequisite for a customer using its service.
If the cloud service is paid, the cloud vendor will likely have a service level agreement
to supplement its online documents. A very simple service level agreement might state
[email protected]
that the cloud vendor will keep the system available twenty four hours a day, seven
972.680.7565
days a week, excepting planned downtimes and events outside of its reasonable
Andrew J. Lowes
[email protected]
control. Customers generally want more negotiation of such service level agreements.
Cloud vendors may be expected to provide an editable version of the service level
972.680.7557
agreement to facilitate negotiation.
David Oden
Customers should know that a big advantage of the cloud is that downtime can affect
[email protected]
hundreds or thousands of customers. This creates an enormous incentive for the vendor
972.739.6929
to maintain promised service levels, over and above anything in the traditional software
Jason Villalba
model. However, because cloud services must be provided consistently among a
[email protected]
number of customers, most vendors will not be open to enormous movement on service
972.739.6944
level agreements. Similar to utility or telecommunications contracts, a cloud provider’s
ability to serve multiple customers rests on the standardization of its technology and
processes. Pulling too far away from the standard model will affect a cloud vendor’s
ability to provide services through a common architecture.
How will a cloud computing service contract differ from a traditional software
purchase?
Cloud vendors, by definition, retain possession of the software code. All copies of
the software code are made on the vendor’s side (except perhaps for small client-side
3
haynesboone.com
Austin
© 2012 Haynes and Boone, LLP
O r a n g e Co u nt y
Dallas
F o r t Wo r t h
R ic h a r ds o n
Houston
Mexico Cit y
S a n A nt o nio
Moscow
S ilic o n Va ll ey
N e w Yo r k
Washin g t o n, D.C .
programs). Therefore, there is no need for a clause stating “vendor hereby grants a
license to customer to copy and use the software” like a traditional software license
agreement.
In the traditional software model, the customer pays full price upfront for a perpetual
software license. However, a cloud service is almost always sold as a time-based
subscription. When the customer pays for the subscription on an ongoing, periodic
basis, the cloud vendor’s interests should be aligned with the customer’s satisfaction.
Since the customer’s goal in adopting cloud services is often about achieving efficiency,
customers often push for a longer period of service commitment by the vendor while
also asking for the ability to easily exit the relationship if expected efficiencies are
not achieved. However, the cloud vendor will push back against easy exits from the
contract before the designated end of the subscription period, to avoid an unexpected
loss of a revenue stream.
Traditionally, when a customer was running software itself, it had no guarantee that
a third party might hack into the customer’s internal systems and compromise data.
When moving to the cloud, vendors are justifiably unwilling to act as the guarantor of
data security for the mere price of the subscription. But, vendor’s can offer reasonable
assurances, both practical and contractual, of the vendor’s commitment to the security
and privacy of customer’s data. Specifically, a vendor may make some form of
statement about the reasonable efforts that the vendor will take to maintain the security
of the data. There should also be clear contractual boundaries that limit how the
cloud vendor is expected to use the data. In addition, a customer will often ask for
declarations that the customer owns the data it submits to the cloud service, and that a
customer should be able to retrieve its data upon termination of the agreement.
A traditional commercial software contract will ordinarily include a warranty that the
software will perform in accordance with its written specifications. A cloud vendor can
offer similar assurance, although the language may not be structured as a traditional
warranty. The assurance might come in the form of a statement by the vendor that the
functionality of the cloud service will not be materially decreased during the term of
the subscription, and will meet the promised service levels.
Traditional software contracts offer protection for the customer against third party claims
alleging that the software violates a third party’s intellectual property rights. Customers
will often expect a cloud vendor’s agreement to include similar indemnification
4
protection against third party claims for intellectual property infringement caused by
customer’s authorized use of the cloud-based software.
What do your customers want to know about cloud service levels?
Customers will want to know about the cloud vendor. Vendors may be asked to
provide a track record of uptime or to publish uptime statistics. Customers may like to
hear that vendor has other large customers sharing the same infrastructure, which will
increase the vendor’s incentive to keep the service available. Customers may inquire
whether the vendor is financially secure and about what type of redundancy is built
into the cloud service to protect against a disaster. The ideal outcome for a customer
and vendor is never having to worry about service levels penalties because they are
consistently met by a trusted and knowledgeable vendor.
5