Cloud Service Agreements: Negotiation Best Practices
The cloud services agreement is a complex issue. Many such agreements are effectively nonnegotiable, and you should use caution when trusting vendors with mission-critical functions or sensitive company data. If pushed, many vendors will negotiate their agreements, and your efforts should be focused on addressing the entire data life cycle. Among the points your contract should expressly provide:
- that the customer data is owned by your company and shall be deemed your company's confidential information;
- for what limited purpose and where the data is processed and stored, and for how long it will be retained; and
- that the data will be made available to your company on demand, regardless of whether there is a dispute between the parties or any amount is then outstanding.
Further, the agreement should provide that the cloud vendor will cooperate with your company and with any new vendor in migrating the data when the contract has been terminated or has expired. The cloud services agreement should also specify the frequency of data backups as well as the pricing for any additional data backups and storage.
Care should be taken to detail the vendor's information security practices and to negotiate in a duty to defend and otherwise make the company whole (indemnity) if a claim is asserted by a third party (e.g., one of your company's customers) against the company based on a security breach caused by the vendor. Note that the indemnity should be carved out from the limitation-of-liability provision, which will usually limit damages to 12 months' fees.
An important component of risk management is insurance, including a "no-fault" policy for security breaches, under which your company should be named as an additional insured. In terms of intellectual property, there is, as in the case of a traditional on-site deployment, the possibility that a third party may assert an infringement claim against your company. As in the case of a claim based on a security breach, an indemnity is a common protective measure and remedy.
Even where your cloud vendor agreement is nonnegotiable (or minimally negotiable), certain measures may be implemented to reduce risk. For example, if the vendor will not agree to make certain representations and warranties (promises) regarding information security, perhaps the implementation can be structured so that personal or other sensitive or valuable information (such as trade secrets) will not be submitted to the vendor.
Other basic good practices of IT system management can also help reduce risk. Install antivirus software on connected mobile devices, laptops or desktops accessing a particular cloud service through a Web browser to reduce the likelihood of a security breach. Implement redundant Internet connections. Create a remediation plan in case there is a security breach. Develop a contingency plan if the cloud service is suspended or unavailable beyond the window stated in the SLA.
Moving to the cloud is hardly ever an all-or-nothing proposition. A company may start with an application that is not mission-critical and then, as an added measure, build in redundancy for a period of time. As an intermediate step, a company can try a private cloud solution before moving certain applications to a public cloud. In sum, understand the risk profile of the particular cloud service and plan accordingly.
About the Author
John Pavolotsky's practice focuses on technology transactions and other intellectual property matters at Greenberg Traurig, where he is Of Counsel. He works primarily with clients in the software, hardware, Internet, mobile, wireless and life-sciences industries. All views expressed herein are solely those of the author and should not be attributed to Greenberg Traurig.