Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

Cloud computing contracts in the United States typically are on the cloud service provider’s paper and are comprised of a master service agreement (usually a cloud services agreement, master subscription agreement, or master software as a service agreement) setting out general terms and conditions that govern one or more order forms or ordering documents entered into by the parties that specifically list the services being acquired, any service-specific terms, pricing, payment and other relevant business terms.

Cloud contracts are highly modular and, given the evolutionary nature of cloud services and the right of the provider to modify services to meet market demand, often incorporate myriad online terms by reference to an URL. These online terms usually describe the services, service levels, data processing and data security terms, business continuity and disaster recovery capabilities, any applicable third-party service terms or flow downs and other more detailed terms related to the services. While most cloud providers take the position that the online terms are non-negotiable because the terms are operational in nature, customers with sufficient negotiation leverage often have success in negotiating these terms to address key requirements.

In a negotiated transaction, it is often the case that the online terms may conflict with the negotiated terms of the master agreement and the order forms. Cloud services customers will seek to have the negotiated terms govern in the event of a conflict, and savvy customers will seek to have the online terms included in the contract or identified by date or version number to set a baseline for the governing terms as of the effective date of the cloud services contract, both generally and for purposes of any warranty against material adverse changes to the services or the governing terms. 

If professional services are required for implementation, deployment, configuration, or training, those professional services are usually governed by a separate professional services agreement, so that issues related to the professional services do not jeopardise the subscription and subscription revenues. With that said, some providers will enter into professional services statements of work or orders under the same master agreement as governs the cloud services subscription, albeit still with separation of remedies for professional services work from any remedies that might permit cancellation or termination of the subscription.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

Most US contracts, including cloud computing contracts, will specify the state whose law will govern the terms and interpretation of the contract, and it is customary for the parties to choose a forum within the same state for resolution of disputes. Typically, the state where the cloud service provider is located is selected by the provider as its preferred governing law. However, many customers will seek to impose the governing law of a neutral jurisdiction with more broadly known and understood common law outcomes (eg, New York or Delaware). The parties must be careful to ensure that there is some reasonable nexus between the arrangement and the selected state whose law governs in order for the governing law election to be upheld. With that said, New York and Delaware governing law selection will generally be upheld if the value of the contract meets applicable thresholds (currently, $250,000 in New York and $100,000 in Delaware). When drafting a governing law clause, it is customary to disclaim the applicability of the selected state’s principles regarding conflicts of laws, as those principles may subvert the selection made by the parties. Similarly, many contracts will disclaim the applicability of the Uniform Computer Information Transactions Act and the United Nations Convention on Contracts, if and as applicable, as each could also subvert the desired predictability of the selected governing law.

Most cloud computing contracts resort to either litigation or binding arbitration for dispute resolution, although sometimes mediation is a precursor to litigation. While common in other services arrangements, cloud computing contracts less often include informal dispute resolution as a precursor to formal dispute resolution. In all cases, the contracts will often specify the federal and/or state courts for the resolution of litigated disputes, taking into account facts relevant to personal jurisdiction requirements under federal and state law. US customers with foreign-domiciled providers often prefer arbitration, with the preferred arbitral rules and tribunal varying based upon where the parties are domiciled and other factors. If arbitration is chosen, the parties will usually reserve certain matters for litigation (eg, equitable relief, confidentiality, intellectual property).

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Pricing and payment

Pricing for cloud services is usually expressed as a subscription fee and may be tied to myriad variables that drive utilisation of the cloud service and vary greatly depending upon whether the service is infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS) or other forms of anything-as-a-service (XaaS). The definitions of those variables often require and receive close scrutiny and negotiation in order to align the drivers of cost with the intended usage of the service.

In some shape or fashion, the subscription fees usually result in a minimum, non-cancellable spend commitment from the customer, whether that takes the form of a minimum commitment, a volume discount, or a set subscription fee for defined services. It is common for subscription fees to be billed in advance, either annually, quarterly or monthly, and sometimes for the full term in advance. Customers will often negotiate pricing for renewal terms, with any inflationary adjustments being both indexed to an inflationary index and also subject to a cap, as well as pricing for additional quantities of services that extend to future purchases (including where true-up is required due to overutilisation). 

Pricing for one-time professional services (eg, installation, implementation, configuration, training etc) may be governed by separate professional services agreements, or under the same agreement that governs the cloud services. In either case, training is usually invoiced with the subscription, and other professional services may be invoiced on a time and materials basis (usually monthly in arrears and sometimes tied in part to acceptance of defined milestones) or on a fixed-fee basis (often tied in whole or in part to acceptance of defined milestones).

Default payment terms on provider paper are most often net 30 from the date of the invoice, although customers will negotiate for longer payment terms (60-90 days) from receipt (as opposed to the date) of the invoice. Whether or not customers have the right to withhold disputed amounts, the period within which disputes must be identified and whether or not interest is payable on late payments are all negotiable items and vary depending upon the complexity of the fee structure and the likelihood of billing errors and disputes. If the customer fails to pay undisputed amounts when due, the service provider has the right to terminate the services and often also has the right to suspend services prior to electing to terminate.  

 

Acceptable use policies

Most cloud services contracts will require the customer and their authorised users to comply with the service provider’s acceptable use policy (AUP), which usually prohibits some or all of the following:  

  • usage by third parties (other than authorised users);
  • usage as a service bureau or to provide services to third parties; 
  • reverse engineering, decompiling or otherwise trying to discover the source code of the services;
  • modifying or creating derivative works of the service;
  • illegal activities of any kind or posting illegal, offensive or libellous or defamatory content;
  • violation of any third-party rights;
  • gaining or attempting to gain unauthorised access to any networks, systems, devices or data, including conducting penetration testing;
  • unauthorised disruption of any networks, systems, devices or data;
  • sending unsolicited messages or marketing; and
  • distributing or uploading malware to the service.

 

It is common for the service provider to have the right to suspend service (and in some cases, terminate the contract) if the customer or its authorised users violate its AUP. Customers will negotiate for notice and the opportunity to cure, which is often granted where practical in view of the impact of the violation in question, and most providers will agree to promptly restore service after the violation is cured.  

 

Variation 

Because many cloud services offerings are mass market, multitenant offers, most providers will reserve the right to unilaterally modify the cloud services, presumably to improve the service to meet the demands of the mass market. Whether notice is required and what recourse the customer has in connection with those modifications are often negotiated. Most negotiated agreements will provide:

  • that the service provider will provide notice of any changes to the service in accordance with its standard service delivery policies (usually via a customer portal); 
  • that the changes will not have a material and adverse impact on the service (sometimes this restriction extends also to the terms of service and the features, functionality and security of the service); and
  • that the service provider must remediate any material adverse change within a defined period (usually 30 days), failing which the customer will have the right to terminate the services (and often the entire agreement) and receive a refund of any prepaid fees for periods following the effective date of termination.

 

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Confidentiality 

Cloud computing contracts will most often include a mutual confidentiality provision providing that each party’s confidential information is proprietary and restricting each party’s disclosure of, and requiring each party to use reasonable measures to protect, the other party’s confidential information. Disclosures to employees, contractors, attorneys and accountants and sometimes third parties are usually permitted as required to fulfil obligations and exercise rights under the contract, with the receiving party being required to impose equally protective confidentiality terms on downstream recipients and being primarily liable to the disclosing party for the acts and omissions of those recipients.

The definition of confidential information will almost always include the cloud service and will usually require some modification to accommodate customer confidential information. These confidentiality provisions will almost always carve out customer data, which is subject to separate provisions as discussed in more detail immediately below. 

 

Data integrity

The default provider position is that the customer is responsible for the accuracy and quality of its data. Of course, such a general statement does not satisfy many customers’ requirements, and the parties will often agree to bifurcate responsibility such that the customer has responsibility up to the point it is provided to the provider for processing (and for any changes made by the customer), and the provider assumes responsibility at the point the data is provided for processing. Even under that bifurcated structure, the provider will often limit its liability for restoring data to restoring to the latest backup. In addition, cloud computing contracts usually provide that the customer owns its data, with customers often negotiating to include the results of processing of their data within the realm of ownership.   

 

Data preservation 

The architecture of the cloud service will dictate which party is responsible for backing up the customer’s data, with the norm being that data storage and backup is a part of the cloud service, with the service provider being responsible for backups. The frequency of those backups and the resultant recovery point objectives are usually viewed as a feature of the service, with some providers having varying levels of service at different price points. The terms governing backup and recovery are often the subject of a service provider policy or services documentation that is incorporated into the contract by reference to an URL.  

 

Systems, premises and data security 

Terms covering systems, premises and data security usually take the form of:

  • a data processing addendum or agreement that obligates the service provider to implement technical and organisational security measures as required to comply with the standards required by applicable privacy laws;
  • provider disaster recovery and security policies or services documentation that are incorporated into the contract by an URL; and
  • third-party certifications (eg, SOC 2 Type 2, ISO 27001, HITRUST, PCI, etc).  

 

The nature and scope of these terms will vary from provider to provider and also from service to service with a single provider. For example, some providers have designated (higher cost and more secure) environments for processing certain types of data (eg, payment card data) or where the customer requires a more secure or a higher-availability environment. Customers will often require the service provider to complete an information security questionnaire, which the customer will then need to compare with the service provider’s security and disaster recovery commitments in the cloud computing contract.

 

Data usage, disclosure and retention

Usage, disclosure and retention of customer data by the service provider are often limited to only that which is required to provide the service, although exceptions for retention and disclosure required by law and usage of aggregated and/or de-identified data for service improvement and other purposes are becoming more commonplace in today’s big data world.

Exceptions for retention in accordance with industry-standard backup and retention policies are also fairly common, with the data protection terms of the contract continuing to apply during the period of retention. All of these exceptions are often carefully negotiated to avoid triggering unintended or adverse consequences under applicable privacy laws (eg, a resale under the California Consumer Privacy Act).    

 

Location of servers and data

Customers often seek to limit access to and storage of their data to defined jurisdictions, in which case, those limitations must be specified in the contract (usually in the order form or ordering document or in the provider policies or services documentation incorporated into the contract). There may be separate provisions governing where data is stored versus where data may be accessed, especially where the provider leverages support resources in different geographies to provide follow-the-sun support.  

 

Cross-border data transfers

There are no geographic transfer restrictions on personal data generally in the United States, although there are some limitations on the transfer of certain data in the custody of certain federal and state agencies (eg, federal income tax data). However, many US customers have international operations in jurisdictions that do impose more onerous requirements on cross-border data transfers (eg, in the United Kingdom and the European Union). In most cases, cross-border data transfers will be dealt with in a data processing addendum or agreement that forms part of a cloud computing contract, with the terms being consistent with the cross-border data transfer requirements of the more onerous of the global data privacy regimes (at the moment, the General Data Protection Regulation (GDPR) and its progeny pursuant to the European Court of Justice’s ruling in Schrems II).

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

The cloud deployment model has created a fairly standardized (provider-friendly) contracting framework in the United States. The issues that are most negotiated include many of those covered by this question.

 

Provider warranties and customer remedies

Most cloud computing contracts will include a warranty that the service will perform materially or substantially in accordance with the specifications or documentation, and a warranty that changes to the cloud services will not have a material and adverse impact on the service (sometimes this restriction extends also to the terms of service and the features, functionality and security of the service). Often (especially in negotiated contracts), the contract will require that the service provider remediate any breach of either of those warranties within a defined period (usually 30 days), failing which the customer will have the right to terminate the services (and often the entire agreement) and receive a refund of any prepaid fees for periods following the effective date of termination. These remedies are often the customer’s sole and exclusive remedies for a breach of the foregoing warranties, although care should be taken to avoid any conflict between the sole and exclusive warranty remedy and any service level credits or other remedies (as described below).

If the cloud computing contract also covers professional services, it would also be common for the provider to warrant that the services will be performed in a professional and workmanlike manner in accordance with industry standards, that the deliverables will conform to the applicable specifications and/or acceptance criteria, and that any documentation of the deliverables will be sufficient to enable a reasonably qualified IT professional to support, maintain and make use of the deliverables. If the provider breaches these warranties, the remedies usually include no-cost correction or re-performance, and often a refund if the provider is unable to correct or re-perform. The amount of the refund is negotiable, with the provider taking the position the refund is limited to amounts paid for the deficient services or deliverables, while customers often negotiate for a refund of fees paid under the applicable statement of work or the agreement, and the right to terminate the same.

Non-infringement warranties are extremely uncommon for subscription services, but they are more common for related professional services, where the customer would suffer out-of-pocket costs to correct infringing deliverables above and beyond amounts payable to the third-party claimant for the infringement.

 

Customer warranties

Customer warranties are less common in the cloud computing context, although providers will sometimes require that the customer represent and warrant that the customer has the requisite consents to permit the provider to process the customer data as contemplated by the agreement.

 

Warranty disclaimer

Providers will often include broadly worded disclaimers in cloud computing contracts providing that the warranties in the agreement are the sole and exclusive warranties and disclaiming all other warranties, including implied warranties of non-infringement, merchantability, and fitness for a particular purpose. Sometimes these disclaimers provide that the services are provided as-is. Customers frequently revise these disclaimers to avoid any inconsistency with other commitments made in the agreement, including within provider warranties and the service levels.

 

Service availability, reliability and quality

Most cloud computing contracts include, or incorporate by reference to an URL, the provider’s standard service level commitments and other service descriptions, and support policies that will define the availability, reliability and quality of the services. The service levels almost always include availability and incident response time, although sometimes incident response is dealt with in a separate support policy. For SaaS services, the service levels may also include commitments related to the performance of certain attributes of the software. Credits for service level failure are common but are usually limited to a subset of the service levels offered.

Providers will take the position that these terms are not negotiable, but customers with sufficient negotiation leverage often have success in negotiating custom service levels. The most commonly negotiated improvements are:

  • heightened availability commitments;
  • incident resolution commitments (in addition to incident response);
  • increased credits for service level failures; and
  • a right to terminate for repeated or significant service level failures.

 

Many providers take the position that service level credits are only applied if the customer raises a ticket for the applicable service level failure, although customers often negotiate a more proactive reporting and credit application process.

 

Business continuity and disaster recovery 

Business continuity and disaster recovery commitments made by cloud computing providers are usually viewed as a feature or attribute of the service, with some providers having varying levels of service at different price points. The terms governing business continuity and disaster recovery are often the subject of a service provider policy or services documentation that is incorporated into the contract by reference to an URL. For critical infrastructure and applications, customers will pay close attention to these policies and documentation and will often negotiate to include defined recovery time objectives (setting the minimum period for recovery from a disaster) and recovery point objectives (setting the minimum currency of data restored from backup), if those commitments are not already set forth in the applicable policy or documentation.

 

Limitation of liability 

Most cloud computing contracts, because they are almost always on provider paper, will include a provider-friendly limitation of liability provision that:

  • limits the provider’s liability under the agreement to a monetary cap, which is usually specified in terms of the fees paid by the customer for the affected service for some number of months (usually 12 months, although some providers start as low as three months) prior to the claim; and
  • disclaims indirect, special, consequential and punitive damages, and often lost profits, reputational harm, diminution in value, data loss, costs of cover or replacement services and similar damages.

 

Customers often negotiate improvements to the standard provider liability framework, which customarily include:

  • making the limitations mutual, if not already; and
  • carving out from those limitations:
    • the parties’ indemnification obligations; and
    • liability for breaches of the data privacy and security provisions of the agreement, although these damages are often subject to separate limitations on the amount recoverable (usually two times the general cap, but sometimes expressed as a much higher amount in high leverage or high-risk/low-spend situations), and on the types of damages recoverable (usually limited to some or all of:
      • the cost of providing notice to affected data subjects;
      • credit monitoring and fraud insurance for affected data subjects;
      • the cost of operating a call centre and website to communicate with affected data subjects;
      • the cost of investigation and remediation;
      • attorneys’ and consultants’ fees; and
      • fines, penalties and interest); 
    • damages resulting from a party’s gross negligence, wilful misconduct or fraud; 
    • sometimes, damages resulting from a party’s breach of applicable law; 
    • fees payable by the customer; and 
    • the customer’s breach of the licence or intellectual property terms of the contract.

 

Indemnification

Most cloud computing contracts will include an indemnity from the provider in favour of the customer covering third-party claims that the cloud services infringe the intellectual property rights of the third-party claimant. Sometimes, the scope of the indemnity will be limited to US patents, copyrights and trademarks, although customers will resist those limitations. The indemnity will usually exclude claims arising from the use of the services in breach of the contract, combinations of the services with other software or technology, modifications to the services not made by the provider, and the customer’s requirements and data. Customers will seek to make those exclusions comparative (ie, applicable only ‘to the extent’ the claim is caused by the exclusion) and to exempt from the exclusion use as contemplated by the contract or the applicable specifications or documentation.

 

Other indemnities

Other indemnities may include:

  • a reciprocal infringement indemnity from the customer covering materials and data furnished by the customer;
  • an indemnity in favour of the customer for breach of the data privacy and security provisions of the contract;
  • a mutual indemnity for breaches of applicable law (less common); and 
  • an indemnity in favour of provider for customer’s use of the service (although care should be taken in this instance to avoid overlap and conflict with claims that are subject to indemnification by the provider).  

 

In all cases, these indemnities would be limited to third-party claims and subject to the limitations of liability and applicable exclusions described above.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Intellectual property rights ownership

In most, if not all, cases, the provider will own all rights, titles and interests in and to the cloud computing services and the intellectual property rights therein. The same will usually be true for improvements and modifications made to the cloud computing services, although there are exceptional circumstances where the customer may seek to own, or have an exclusive licence for a period to, improvements and enhancements that are highly proprietary to the customer or funded at the customer’s expense. 

The customer typically owns the customer data and all derivations thereof, with the exception of aggregated and de-identified data, which providers will sometimes seek to carve out from the scope of customer data ownership. The contract may also specify the customer’s ownership of its pre-existing intellectual property.

 

Infringement 

Infringement is most often addressed via indemnification – by the provider for infringement claims related to the cloud computing services and by the customer for infringement claims related to the customer data or other intellectual property furnished by the customer. Non-infringement warranties are almost always disclaimed with regard to cloud computing services but may be negotiated for related professional services.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Termination rights

Most cloud computing contracts will include a mutual right for each party to terminate for the other party’s material breach that remains uncured for more than 30 days following receipt of notice of the breach. The contract may also separately permit termination by the customer for cause for the provider’s uncured breach of the service performance warranty or the warranty against material adverse changes to the services, as well as for defined repeated service level failures. In rarer cases, the contract may permit the customer to terminate for a breach of the privacy and security provisions of the contract that results in a compromise of customer data.

Termination for convenience is less common in cloud computing contracts, as most cloud subscriptions are non-cancellable. However, some providers reserve the right to terminate the service for convenience if they cease offering the services generally.  

 

Transition and data migration 

The default position in most provider contracts is that the provider will, for a period (usually 30-90 days) following expiration or termination of the contract, make the customer’s data available for download by the customer. Such a limited commitment is often insufficient for customers buying more critical services that might take more time to transition. Accordingly, most customers will negotiate for a period of continued usage of the cloud services (anywhere from 90 days to 24 months depending upon complexity) during which the customer can migrate to a replacement solution. If agreed, any additional provider cooperation required during that period to effect the migration will be separately charged. Finally, savvy customers will negotiate more specificity around the format in which the customer data will be made available upon exit, usually specifying a defined format (eg, CSV) or more generally referring to a format that is usable with generally commercially available off-the-shelf productivity software.

The provider may be permitted to retain customer data beyond expiration or termination of the contract if required by law or in accordance with an industry-standard backup policy, in all cases subject to the data privacy and security terms of the contract.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There are no US employment law considerations specifically applicable to cloud computing. To avoid any risk of co-employment, most US cloud computing contracts (and most US services contracts generally) will include a provision that provides that the parties are independent contractors and that the agreement does not create any agency, partnership, joint venture, or another form of joint enterprise, employment or fiduciary relationship between the parties.