Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

Given the strong penetration of cloud solutions in the Dutch market, cloud providers and customers are entering into cloud computing contracts for a variety of cloud solutions. Services offered by cloud providers typically fall into the following groups of service models: software-as-a-service, platform-as-a-service, infrastructure-as-a-service and anything-as-a-service. Public cloud contracts are usually standard contracts and adopt a ‘take it or leave it’ approach, unless the customer has considerable bargaining power. Given the digital infrastructure in the Netherlands, there are a large number of data centres established in the Netherlands, resulting in high volumes of co-location agreements being entered into.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

In B2B public cloud computing contracts, providers of cloud services will typically (try to) include the laws and courts of the country where they are established as a standard. Article 3(1) of the European Regulation (EC) 593/2008 on the law applicable to contractual obligations (Rome I) specifies that a contract will be governed by the law chosen by the parties in a B2B contractual relationship. The same holds true for clauses dealing with the applicable courts. This ensues from the European Regulation (EU) 1215/2012 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters (Brussels I-bis). Thus, Dutch courts generally respect choices of law and venue (ie, agreements governed by the laws and courts of foreign jurisdictions). In some cloud computing contracts (ie, the more complex contracts), alternative dispute resolution procedures may be included and be more detailed.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Most public cloud computing contracts are based on a subscription model or pay-per-use model. They are usually offered under a one-to-many service model. With the subscription model, users pay the monthly, quarterly or annual fee upfront. In the pay-per-use model, the user usually pays at the end of the month or in another determined time frame for the used services. Payment terms vary but are usually between 30 to 45 days. Subscription fees may be – unilaterally – increased on a periodic basis. Generally, the user has the right to terminate the agreement within a number of days (eg, 30) in the case of disagreement with the changed terms (eg, in the case of a price increase).

Usually, public cloud computing contracts contain a standard acceptable use policy or some terms relating to acceptable use.

The provider usually has the right to unilaterally change the services and terms and conditions as long as it doesn’t materially reduce the quality of the services. If it does, the customer may have the right to terminate the agreement within a certain time after it has become aware of the change.

Variation clauses or modification clauses are usually included as standard clauses in (public cloud computing) contracts. As the prevailing principle under Dutch contract law is the freedom of contract, these clauses will generally be accepted in a B2B context.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

In B2B public cloud computing contracts, a question that arises is whether any personal data is processed. Generally, this is at least the case for employee data, but customer data is also often subject to processing.

A general clause in a B2B cloud computing contract could entail the following wording:


Parties shall ensure that they treat the personal data received from the other Party in accordance with the requirements of the General Data Protection Regulation (2016/679/EU) and any other applicable laws and/or regulations. More in particular, each Party shall not process, transfer, modify or amend the personal data received from the other Party, nor use it for any other purpose than for the purpose it has been disclosed. Each Party shall treat the personal data confidential, limit access only to those persons who need access to the data, and shall not store or save the personal data any longer than necessary to carry out the purposes for which the data was disclosed to that Party.


The second question that arises is whether the provider of the public cloud services acts as a data processor or a data controller.

When the public cloud service provider acts a data processor, the supplier and the public cloud service provider should enter into a data processing agreement (DPA), for which the requirements are set forth in article 28 of the General Data Protection Regulation (GDPR). To avoid any language inconsistencies, it is best practice to match the terms in the contract to the terms that are used in article 28 of the GDPR. A DPA can be either part of the B2B contract itself or be attached as an annex. The following clause is often used to make reference to the (attached) DPA: ‘To the extent either Party processes personal data on behalf of the other Party, Parties shall enter into a Data Processing Agreement.’

It is also possible that the public cloud service provider acts as a controller and thus determines the purpose and the means of the processing of the personal data itself. In this regard, a controller to controller agreement needs to be concluded. Terms that are often used in this regard are ‘The recipient shall notify . . . of any data breach’, ‘cooperate’, ‘personal data transfer’ or ‘standard contractual clauses’ (please bear in mind the Schrems II case), ‘data subjects’, ‘permitted purposes’, ‘categories of personal data’, ‘sensitive data’, ‘recipients’, ‘security level’, ‘security and confidentiality’, ‘transparency’, ‘encryption’ and ‘unauthorised or unlawful processing’.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

Limitation of liability provisions are included as a standard in public cloud computing contracts for the benefit of the service provider. Contracts generally include an exclusion of liability for consequential or indirect damages, or both. These are not well defined terms under Dutch law and are therefore subject to interpretation issues. The same holds true for ‘direct’ damages. Parties would do well to clarify which type of damages qualify as consequential or indirect and which damages qualify as direct. Limitations of liability are usually included, either limiting it to a certain preset amount, depending on the contract value, or the amounts paid in a number of months preceding the event that gave rise to the liability. Where a party’s liability for certain damages cannot be excluded under mandatory law, an exception to the liability cap exists (eg, wilful intent or deliberate recklessness on the part of one of the parties or their executives). Indemnification against third-party claims based on intellectual property right infringements are often uncapped. Data breaches are often excluded from the general liability cap, either being uncapped or having a specific cap (usually higher than the general liability cap).

Providers usually warrant that the services are provided substantially in conformity with the agreed service descriptions and with use of reasonable care and skill. All further warranties are generally expressly disclaimed, to the extent permitted by law.

Generally, service-level agreements are offered as well. Often, these service-level agreements also provide for a service credit mechanism. Providers often stipulate that a service credit constitutes a sole remedy for the customer. Customers would do well to stipulate that a service credit should be without prejudice to any other rights available to the customer, including the right to claim the actual damages incurred.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

First and foremost, there are no specific intellectual property rights dealing solely with cloud computing in the Netherlands.

Although buyers of cloud services have matured in recent years, providers of cloud solutions still tend to adopt a ‘take it or leave it’ attitude, also in terms of applicable IP rights.

Cloud computing agreements covered by Dutch law will usually contain a clear demarcation in terms of which party owns which intellectual property rights. The cloud services provider will usually retain ownership of the solution, including updates and customisations developed for the customer. The intellectual property rights vested in any content created through the use of the cloud solution or stored on the cloud solution will typically remain with the customer. Cloud computing agreements often contain licences from the customer to the cloud services provider allowing the cloud services provider to use certain intellectual property of the customer to provide the cloud services or make the cloud solution available to the customer.

Cloud computing agreements often contain fairly restrictive licensing conditions, limiting use of the cloud solution in terms of scope, commercial exploitation, duration, type of users, right to make copies, the right to create derivative works assignability, sub-licensing, etc.

Most cloud computing contracts contain an IP indemnity mechanism that needs to be applied in the event of an infringement of third-party rights. In such a case, the infringing party will defend, indemnify and hold harmless the other party. Specifically in relation to public cloud computing providers, often an obligation is included to purchase a licence to continue using the infringing components or to replace them with a non-infringing component, in the absence of which the contract may be terminated. It is often stated that these remedies are the sole and exclusive remedies of the customer, excluding the right for the customer to claim damages.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

The typical duration of public cloud computing contracts is relatively short (eg, one year, tacitly renewable unless terminated by either party before the expiration date of the contract), but we see a trend of moving towards longer contracts of up to three to five years for public cloud solutions that are used for business-critical applications by the customer. On the other hand, cloud computing contracts aimed at consumers often may be terminated by the consumer at any time (or monthly).

The notice period for termination will vary in respect of the termination ground. For instance, termination for convenience nearly always implies a reasonable, or observance of a contractual, notice period (between one month up to three or six months). However, in the case of a termination for cause (eg, material breach or bankruptcy) generally no notice period is to be respected; although, in some situations, a prior notice of default granting a remedy period may still be required.

Following expiry or termination of the contract, most public cloud computing providers commit themselves to making the customer data available for a limited period of time (eg, 30 to 60 days) in which the customer can retrieve its data, and after which it is deleted by the cloud computing provider. To avoid discussions, it is recommended to make sure that the data is made available in a data format and structure that is easily readable by the customer.

The typical exit assistance to help migration to the customer or a replacement supplier, as seen in IT outsourcing agreements, is often not included, but some providers offer to provide this assistance on a time-and-material basis.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

Outsourcing IT-related tasks may in some instances be considered as a ‘transfer of undertaking’ and should be assessed on a case-by-case basis, conforming with article 7:662 of the Dutch Civil Code. This legal base in Dutch employment law follows from the European Directive 2001/23/EG on the harmonisation of legislation on the preservation of employees' rights in the event of a transfer of undertaking. The consequence of a transfer of undertaking is that the employees who work at (the part of) the undertaking that is being transferred will automatically transfer to the 'new' employer.

Law stated date

Correct on

Give the date on which the information above is accurate.

25 September 2020.