More and more businesses are relying on cloud computing - for their own use and to provide their services to end customers. However, cloud computing can be a complex and fast-moving technology, and gives rise to a number of legal issues that parties need to address. While most cloud customers will see data protection and security as an obvious priority, in this article we explore some of the other legal challenges businesses should consider when reviewing a cloud contract.

What is cloud computing?

In broad terms, cloud computing delivers technology as a service on demand, over the internet. In other words, a customer does not need to install stand-alone software or run its own applications and servers. The cloud supplier hosts applications and provides the computing power to many different customers from the supplier’s data centres. This allows each customer to benefit from economies of scale and dramatically lowers the costs of obtaining a range of IT services.

Components of a cloud contract

Many cloud suppliers will include some or all of the following documents in their cloud computing contract bundle. These documents will need to be reviewed in conjunction with each other.

  • Terms of Service: sets out the general legal terms and conditions that govern the use of the service and the relationship between the supplier and the customer. Also known as the ‘Terms of Use’. It may incorporate other documents by reference.
  • Privacy Policy: An extremely important document that sets out the cloud supplier’s approach to collecting, using and protecting personal information.
  • Acceptable Usage Policy (AUP): Often used by social networks and cloud storage providers to specify permitted and prohibited practices when using the cloud service (for example, prohibiting hate speech or forbidding use of the service to deliver spam).
  • Service Level Agreement (SLA): The SLA documents any target levels of service availability and other metrics, and possibly service level rebates, that the cloud supplier offers.

6 Golden Rules

When reviewing the various documents that make up a cloud contract a business should consider the impact of the following six ‘golden rules’ and seek legal advice if necessary:

  1. Liability: When reviewing a cloud contract customers and their legal advisers should carefully consider the issue of liability. Cloud suppliers will often attempt to provide the services “as is” with no warranties regarding service availability or quality. It is also common for suppliers to exclude liability in the event of loss of data or a service outage along with other forms of direct and indirect loss. However, as cloud services are increasingly used, customers are putting more data onto the cloud and their own end-users may be relying on the cloud service. In light of this, the consequences of unavailability or loss or corruption of data could be substantial. A customer should also consider whether it requires unlimited liability on the cloud supplier in certain scenarios, such as the supplier’s breach of the data protection, privacy or confidentiality provisions in the contract.
  2. Intellectual Property Rights (IPR): A typical cloud contract may state that use of applications only provides the customer with exclusive use of the cloud service rather than outright ownership in the IPR created through it. The customer should consider whether it or the cloud supplier should own developed material and use-specific adaptions. The IP clause in the contract should reflect the agreed positions.
  3. Hidden charges: There are generally two types of cloud models that a supplier will offer - premium paid services and free services. Cloud suppliers will usually provide paid cloud services on a utility basis under recurring billing, for example, monthly. The supplier will usually calculate the customer’s charges based on either the number of users or the particular service options that the customer selects. Alternatively, under a “free” cloud model, the customer does not pay any upfront or recurring fee but the cloud supplier may generate revenue by using the customer’s personal data to provide targeted advertising within the service. With either model, customers need to review carefully the cloud contract for any hidden charges, in particular charges incurring where the user exceeds thresholds for storage, set up fees, security/back-up, support and maintenance, upgrades and premium fees.
  4. Termination of the contract: Depending on the type of cloud service, a supplier may impose a minimum service period in the contract. Customers should be aware of the possibility of early termination charges if a fixed term cloud contract is concluded earlier than expected. Equally, customers should err on the side of caution in relation to the notice period in the contract for non-renewal/cancellation. If the cloud supplier only has to provide one month’s notice of non-renewal/cancellation this could leave the customer stranded with insufficient time to engage an alternative supplier.
  5. Governing law and jurisdiction: A cloud customer should check the governing law and jurisdiction clauses to determine where it is able to enforce the terms of the contract, if an issue arises in the future. Some cloud contracts also enforce arbitration on the parties, which may limit the ability of certain customers to make a claim in their local courts.
  6. Lock In/Exit: Customers should be cautious in relation to over-dependence on one cloud supplier. A customer should include a provision in the contract allowing it a grace period after termination or expiry of the contract to recover its data and an obligation on the supplier to make sure user data is adequately deleted afterwards. It is also useful for the contract to state what transition-out assistance the cloud supplier has to provide and whether this will be at an additional cost.

Suitable contractual protections

When a customer is choosing a cloud supplier one of the most important things is to plan ahead and review the contractual and pricing documents well in advance. While many cloud suppliers offer “free” services, this may not always be the best option in the long run. When selecting a cloud supplier a business should not only consider the upfront or monthly service fees but also whether the proposed cloud contract has suitable protections in place. To maximise the benefit it will receive from the cloud service a customer should ensure that the cloud contract suitably addresses the ‘golden rules’ of liability, intellectual property, hidden charges, termination costs, governing law and transition-out requirements.