Cloud computing contracts in Brazil

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

There are a few main forms of cloud computing contracts usually adopted in Brazil: infrastructure-as-a-Service (IaaS, where the contracting party seeks to rent IT infrastructure usually for the processing, storing or transferring of data); platform-as-a-Service (PaaS, mainly for developing, delivering and managing software applications); and Software-as-a-Service (SaaS, for a wide range of activities, including communications, collaboration, productivity, customer management, taxing and account activities etc).

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

In B2B contracts, parties are generally free to choose the applicable law and to elect a venue for dispute resolution. When the parties to the contract are all Brazilian entities, the governing law and the venue chosen for dispute resolutions are usually Brazilian.

When the cloud computing provider is not a Brazilian entity (eg, when the provider does not have operations in Brazil or when its local entity is only for marketing, implementation or maintenance), the parties may negotiate different applicable law and dispute resolution clauses, including foreign law and foreign courts or arbitration tribunals.

However, the MCI provides that, in adhesion agreements, where the terms of the agreement are standard and the contracting party is not able to negotiate its clauses, any foreign forum selection clause for disputes arising out of services rendered in Brazil will be null and void.

Under the CDC, a company could be considered a consumer if it acquires the product or service as an end user and it is vulnerable when compared with the supplier of products or services, so the CDC may also apply in B2B contracts. In this case, any provision that limits or impairs the consumer’s pursuit of rights (such as the election of foreign law or foreign courts or arbitration) is likely to be considered null and void by Brazilian courts.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

In general, cloud computing services are paid for on a monthly basis, and prices can be either a fixed amount or an amount according to the volume of use (eg, the amount of data stored or processed). The agreements may include regular monetary adjustments according to national inflation indexes.

Service level agreements are also common, and they usually provide for minimum efficiency levels and discounts or penalties in case such levels are not met.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Cloud computing contracts usually cover security measures applicable to data, especially personal data collected by a party. These security measures may comprise data isolation, minimum standards and parameters, encryption and backups.

Some companies provide in their contracts that the data will be kept in servers in Brazilian territory (which may be a requirement for public contracting entities).

After the MCI, companies have been including consent clauses in their agreements to support their collection and processing of personal data. This will be strengthened and more detailed in contracts until August 2020, when the BR GDPA enters into force and the companies’ practices will need to comply with its provisions, so changes to the standard cloud computing agreements are expected by then.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

Parties are generally free to negotiate clauses covering liability, warranties and provision of service. Thus, liability or indemnification caps are common, as well as warranties for the rendered services and service level agreements with a minimum level of service to be met by the provider.

If the clauses are abusive, especially if the contracting party is vulnerable and not able to negotiate the contract terms (eg, in the case of an adhesion contract), they could be considered null and void in litigation. This could be the case for small liability caps that do not cover a substantial amount of the damage caused by a provider to the contracting party.

Finally, the CDC (which may apply to agreements entered into by legal entities) provides that, although any clause that limits the responsibility of the supplier for damage caused to individual consumers will be null, this is not the case for consumer relationships where the consumer is a legal entity and there is justification for the limitation of liability.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Cloud computing agreements usually provide that there will be no transfer of ownership and that all intellectual property will be held by the party who owns it in the first place.

This means that the cloud computing provider will keep all intellectual property related to the provision of services and to the technology related to the services, and the customer will keep all intellectual property on the content that it provides for the services to be rendered (for example, the content uploaded to a cloud storage).

It is also common to include in contracts clauses by which the customer declares that it is responsible for the content that it provides for the rendering of services, and that it shall not infringe any third-party rights (eg, that the customer will not keep infringing material in cloud storage).

In the case of third-party intellectual property infringement, the parties usually agree that the infringing party will indemnify the other in case it is held liable.

Also common is the inclusion of clauses by which the customer declares to be responsible for any content that it uploads to or create in the cloud. This is supported by a safe harbour provision of the MCI according to which an application provider (ie, the cloud provider) will only be liable in the civil sphere for damages caused by content created by third parties (ie, customers) if it fails to remove such content after a specific court order, to the extent technically possible, or after received notice, in case of sexual-related content. Copyright infringement is not explicitly covered by the MCI provision until a specific legal provision is passed.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Termination clauses depend on the nature of services being rendered. While certain agreements allow for any party to terminate at any time, others may provide for predetermined agreement terms or extension cycles (eg, one-year terms extendable for successive one-year terms) with certain periods for termination notices (eg, at least 30 days before the end of the current term). In this situation, there could be penalties where the agreement is terminated early or not in accordance with the procedure set forth in the termination clause.

Typically, termination clauses cover the return or destruction of the data provided by the customer under the agreement in a safe manner to ensure that no data will be lost or unduly breached by third parties, and confidentiality terms will apply to both parties for an indefinite or limited amount of time.

The MCI obliges all internet application providers (and such definition comprises cloud computing providers) to keep internet application access logs for a minimum of six months, and some companies include this data retention in their agreements to inform their customers about this legal obligation.

The BR GDPA provides that personal data should be deleted after its processing purpose has been reached, with a few exceptions, which include transfer to third parties and exclusive use of anonymised data. This matter can be included in a termination clause in case the cloud computing provider wishes to use data after the termination of the agreement, provided that all limitations under the BR GDPA are met.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There are no specific labour laws applicable to cloud computing.

If, in a specific contractual situation, cloud computing is considered as not a mere provision of services but as an outsourcing of the workforce for the contracting party, then certain labour laws could apply. In this case, if the cloud computing provider fails to pay its employees their wages and benefits, the contracting party could be held responsible and be obliged to fulfil such labour law obligations.

Register now for your free, tailored, daily legal newsfeed service.

Cloud computing contracts in Brazil

Filed under

Popular articles from this firm

Pensions & Retirement Plans in Brazil *

Spotlight: the regulation of healthcare providers and professionals in Brazil *

First-step analysis: pension & retirement plans in Brazil *

In review: the essentials of insurance and reinsurance law in Brazil *

At a glance: tax law enforcement in Brazil *

Professional development

Related practical resources PRO

Related research hubs

Brazil

IT & Data Protection