The European Commission’s (“EC”) cloud computing strategy, which launched in 2012, identified three “key actions” to encourage the use of cloud computing. The second of these key actions, developing model contract terms, led to the recent release of the Cloud Service Level Agreement Standardisation Guidelines (“Guidelines”). The Guidelines were drafted by the Cloud Select Industry Group – Subgroup on Service Level Agreements (“C-SIG-SLA”), which was initially convened by the EC in February 2013 and is comprised of government representatives, such as the National Institute of Standards and Technology, and business members of the cloud services industry, such as Amazon, Microsoft, and Oracle.
The Guidelines provide a set of Service Level Objectives (“SLOs”), essentially a set of provisions and measurements for services that should be included in all service level agreements between cloud service providers and their customers, which would make it easier for customers to compare cloud service providers. Note that “customers” does not include “consumers” for the purposes of these Guidelines. The four broad categories of SLOs delineated in the Guidelines, and some examples of the measurements or objectives they suggest for inclusion in Service Level Agreements, are as follows:
- Performance Service Level Objectives, including such SLOs as the percentage of uptime vs. downtime for the service (Availability), the maximum number of connections that can be made to the service at one time (Capacity), and the hours a service provider provides customer support (Support);
- Security Service Level Objectives, including such SLOs as the ability of the cloud service provider to function correctly for some specified time period (Service Reliability), the strength of cryptographic protections (Cryptography), and a list of certifications held by the cloud service provider (Auditing and Security Verification);
- Data Management Service Level Objectives, including such SLOs as a description of what data the cloud service provider creates based on customer data (Data Classification), the period of time backups are available to restore data (Cloud Service Customer Data Mirroring, Backup & Restore), and the format in which data can be transferred to and accessed from the cloud service (Data Portability); and
- Personal Data Service Level Objectives, including such SLOs as a list of the purposes for which personal data will be processed beyond those requested by the customer (Purpose Specification), the maximum time that temporary data is retained (Data Minimization), and a description of the cloud service provider’s data breach policy (Accountability).
The C-SIG-SLA indicated in a letter accompanying the release of the Guidelines that it intends to submit them on behalf of Europe to the International Organization for Standardization/International Electrotechnical Commission JTC1 Working Group on Cloud Computing, which is currently preparing a set of international standards for cloud Service Level Agreements.