Hosting as a service is a utility service offering whereby hosting service providers provide dedicated or shared/virtual server capacity to customers for the hosting of data or websites.
Digital transformation, IT estate rationalisation, cost reduction and data management are just some of the reasons why more and more customers are moving to hosting as a service solutions.
International Data Corporation (IDC) has predicted that by 2018, at least half of IT spending will be cloud based, reaching 60% of all IT infrastructure and 60% to 70% of all software, services and technology spending by 2020.
In this article, I will identify some of the key legal issues that should be considered when moving to a hosting as a service solution.
Transition
Transition is one of the most important issues to consider when moving from a private cloud environment to hosting as a service. Ensuring that the integrity of the data is maintained during transition is fundamental.
Some hosting service providers will take on the risk of backing up and removing data from the legacy system and then installing it onto the hosting environment. This will of course be at additional cost with an element of contingency inevitably built in.
Alternatively, some hosting service providers will require the customer itself to back up and remove the data. The service provider will only take responsibility for installing the data onto the hosting environment. In the event of any loss of data or data integrity issues, the hosting service provider will tend to limit its responsibility to restoring the data to the backup made by the customer.
The customer should ensure that the allocation of responsibilities during transition is set out in a transition plan with associated timescales and milestones. If transition is not complete within the agreed timescales or in accordance with the agreed milestone criteria then the contract should specify the rights and remedies available to the customer at that point.
As I have mentioned in the transition section above, allocating responsibility for backing up the data for transition from the legacy environment to the new hosting environment is important. However, once the data is installed on the new hosting environment, the contract should be clear about who bears responsibility for backing up the data going forward. This responsibility quite naturally lies with the hosting service provider.
The contract should specify when the data will be backed up (for example, at an hourly or perhaps daily frequency) and also how the data will be backed up. For example, data is traditionally backed up onto a tape or external hard drive. However, it is becoming more commonplace for data to be backed up to online backup systems located off-site (perhaps at a secondary data centre).
The criticality of the data and the speed with which data needs to be recovered in the event of a failure will tend to determine which backup method is the most appropriate. In any event, the service provider's backup obligations should be clearly set out in the contract.
Security and standards
Allowing business critical, sensitive or personal data into the hands of a third party is not a decision that is taken lightly by Chief Information Officers/Chief Operating Officers.
Therefore, customers will want to undertake adequate due diligence before appointing their hosting service provider to ensure that their data will be secure.
Customers may want evidence that their hosting service provider is certified to ISO/BSI or other industry recognised standards.
As the cloud industry grows, so does standardisation of it. There are networks and forums whose members include some of the largest cloud providers, who collaborate to agree on the best standards for customers. Such networks and forums include the Cloud Industry Forum, the National Institute of Standards and Technology and the Cloud Security Alliance.
As a service provider is not required to comply with any of these standards as a matter of law, the customer should ensure that the contract imposes on the service provider a responsibility to comply with the requisite standards.
For larger hosting requirements, or where the data to be hosted is particularly business critical or sensitive, the customer may require more complex and elaborate security arrangements. The customer may have its own security processes and procedures that it wishes to impose on the service provider, or the service provider may have its own.
In either case, if the customer wishes to seek a remedy in law for damages suffered as a result of a failure to comply with such security processes and procedures, the customer should ensure that such processes and procedures are adequately set out in the contract.
For the purposes of the Data Protection Act 1998, to the extent that any personal data is being processed on the hosting environment, the hosting service provider is regarded as a data processor and usually the customer would be regarded as the data controller.
As data processors have no statutory liability under the Act, it is important that appropriate provisions to protect and safeguard data are included in the contract to ensure that the customer is compliant with its statutory data protection obligations.
A key consideration when purchasing hosting as a service is in respect of the data flows. The eighth data protection principle provides that data shall not be transferred outside the EEA unless the country ensures an adequate level of protection. The European Commission has approved certain countries as having an adequate level of protection. It should be noted however that since the judgement by the European Court of Justice in the Schrems case on 6 October 2015, the US is no longer regarded as providing an adequate level of protection for data subject rights.
If data is to be transferred outside of the EEA then there are a number of alternative grounds under which a transfer can occur.
Customers should undertake sufficient due diligence to determine what the data flows are and whether they fall outside of the EEA. It would be prudent to ask, for example, where the infrastructure is located, where the backup data is stored, where the primary and secondary data centres are located and whether there are any subcontractors in the supply chain.
It is worth noting here that the Data Protection Act 1998 is to be replaced in due course (likely to be 2018) by the General Data Protection Regulation. The GDPR introduces a single legal framework that applies directly across all member states. There are a number of changes that are likely to impact businesses, such as the need for explicit consent from data subjects rather than relying on implied consent. Customers should ensure that their contracts are drafted so as to ensure compliance under the current statutory regime but are also future-proofed to deal with the new legislation.
With a utility service offering there is little scope to negotiate service levels. However, service providers will generally offer a service level against the amount of time that the hosting environment is available to the customer. Customers should ensure that the service level in the contract is not drafted merely by reference to availability of the service, which is distinct from availability of the hosting environment.
There is usually a support and maintenance service offering as part and parcel of a hosting as a service solution. Customers should ensure that the contract clearly describes what the support and maintenance service entails. It should also include any break/fix and response times which may be drafted as service levels.
A service level agreement will usually include a service credit mechanism whereby the customer is entitled to offset the cost of failures to meet service levels against future invoices. Service credits should be defined and drafted carefully. If a service credit is determined to be a penalty, a court might determine the provision to be unenforceable.
As with any utility service offering, the charging structure provides for a variable charging mechanism usually linked to the amount of storage or memory utilised by the customer.
Some charging mechanisms are also linked to time, i.e. how long the customer used the service. The charges tend to be calculated using an hourly rate card.
Fixed price charging models may also be used for a hosting as a service solution; however, these may be subject to limitations, for example on storage space or memory space. This doesn't particularly lend itself well to a flexible and scalable solution, although the customer may seek to pre-agree the charges should usage increase or decrease.
Whichever charging model is adopted, it should be adequately described and defined in the contract so that there is certainty around what the price is, what is excluded, what is at additional cost and what those additional costs are.
The service provider should be obliged to provide a VAT invoice which clearly sets out the services provided, the period to which the invoice relates and any deductions that the customer is entitled to, for example in respect of service credits. If there is additional tailored information that the customer wishes to see on its invoices, this should also be clearly prescribed in the contract.
If there is a delay in making payment, the service provider may seek certain rights and remedies; for example, it may wish to terminate the contract or claim interest. The customer should review any provision in this regard carefully to ensure that the triggers are appropriate, are not unduly onerous on the customer and do not otherwise have the potential to cause the customer business interruption.
Exit is the flip side of transition and should be given sufficient importance. Whether exit is due to termination or expiry of the contract, the parties acknowledge that the relationship is at an end. The service provider therefore has little incentive to co-operate, and the time to negotiate exit terms will have passed. Comprehensive exit provisions should therefore be included in the contract at the outset, and the service provider should be required to draft a detailed exit plan. That plan will predominantly revolve around the extent to which the service provider is required to back up and remove customer data from the existing infrastructure and to work with the customer or a replacement service provider to transition it to the new hosting environment.
Timescales for exit will be key, and exit will need to be seamless, ensuring that the customer's day-to-day business operations are not interrupted.
The costs for the provision of exit assistance tend to be agreed between the parties at the time or shortly before the assistance is required. The contract therefore needs to contain a mechanism to calculate those costs to avoid the customer having its “back up against the wall”.
Disclaimers and liability limitation
Service provider standard terms and conditions invariably include a number of disclaimers or limitations on their liability. These should be reviewed carefully to ensure that the customer has sufficient protection and redress under the contract. For example, service providers often seek to exclude liability for loss of data. If a customer wants a cause of action for this type of loss, it should negotiate the removal of that provision.