In the second of this two-part series, we look at:
- ensuring quality of the Cloud service;
- exit strategies and switching suppliers;
- key intellectual property rights (IPR) issues; and
- due diligence of a Cloud Computing company.
Ensuring quality of the Cloud service
In a Cloud Computing arrangement, customers are highly dependent upon suppliers as service outages may result in customers being unable to access data or software necessary to operate their businesses. Building customer confidence will require suppliers to address the following service quality issues:
- Service Level Agreements (SLAs): suppliers should consider what SLA options they can offer customers. Large corporate or public sector customers, in particular, may only adopt a Cloud Computing solution if they can receive service credits for below-standard performance;
- Disaster Recovery and Business Continuity (DRBC): suppliers must prove to customers they have adequate DRBC processes in place to recover quickly from events such as earthquakes, fires, explosions and floods; and
- Audit Rights: as with outsourcing, customers may request or require an effective means of auditing the supplier to verify compliance with service agreement terms and any applicable regulations. However, conventional rights to access premises, books and records may be ineffective where
Customers in regulated industries (such as banking) will need to ensure that the DRBC provisions and audit rights being offered by the supplier mean that the customer can meet its own regulatory obligations – for example, do the DRBC procedures meet the regulator's requirements? Does the customer's regulator also require audit rights?
Exit strategies and switching suppliers
Customers will naturally wish to avoid being 'locked in' to one supplier and will want to retain the ability to transfer their data into and out of the supplier's Cloud in response to market changes and, if necessary, switch suppliers (e.g. due to poor performance).
Sophisticated customers will therefore require an effective workable exit strategy in the service agreement which imposes contractual obligations on the supplier to:
- transfer data in a stipulated form within a fixed period of time;
- cooperate with any replacement supplier designated by the customer; and
- maintain the confidentiality of any customer data the supplier is required to retain post-termination.
Physical barriers to transferring customer data (e.g. incompatible data storage formats), or unwillingness by suppliers to cooperate with replacement suppliers, will discourage customers from adopting Cloud Computing, particularly in regulated sectors. Similarly to DRBC procedures and audit rights, financial institutions may be under a regulatory obligation to ensure that any outsourcing arrangement may be terminated without detriment to the continuity and quality of the financial institution's service.
Key IPR issues
In the course of storing, organising and rearranging the customer's data, the supplier may create new copyright and/or database rights ("New IPR"). In many jurisdictions the supplier will own any New IPR unless the parties expressly agree otherwise. Customers will, however, want the ongoing right to use any New IPR created in relation to their data.
It is therefore important for suppliers and customers expressly to agree at the outset of the Cloud Computing arrangement which party will own any New IPR and the terms upon which the other (non-owning) party may continue to use New IPR during and after the term of the service agreement.
Due diligence of a Cloud Computing company
Consolidation within the Cloud Computing industry is gathering pace as suppliers seek to increase market share and technology through acquisitions. When considering the purchase of a Cloud Computing company, key issues to confirm during due diligence include the following:
- Hardware, software and networks: what are the target's ownership rights? Does the target own IPR in developed software and have access to the source code for key software? Are these assets subject to financing/security obligations?; • Information security: what are the target’s current data security/back-up policies and procedures? Have there been any breaches/incidents in the last 6 years?;
- Data protection/regulation: does the target comply with applicable data protection legislation? What compliance monitoring procedures have been implemented? Have any cross-border data transfers taken place?;
- Open source software (OSS): has the target used any OSS? If so, has it been integrated with proprietary software? What are the applicable OSS licence terms?; and
- Performance/DRBC: what performance issues have occurred over the preceding 6 years? What are the target's current DRBC policies and procedures?
- Building confidence in Cloud Computing requires suppliers to anticipate and address key customer concerns in relation to: (i) information security; (ii) compliance with data protection legislation; and (iii) ensuring service quality in the Cloud.
- Targeting large corporate and public sector customers may mean that suppliers have to be willing to negotiate standard terms (particularly for customers in regulated sectors) and take on more risk in the event of service failure.
- The provision of Cloud services may be a regulated activity requiring a licence or an approval – this should be checked in each jurisdiction where Cloud services are being offered.