Understanding Your Cloud Agreements

Overview of Legal Agreements and Key Clauses

Lisa R. Lifshitz, Partner, Torkin Manes LLP

416.775.8821

[email protected]

LEXPERT Cloud Computing Conference 2013, November 28, 2013


Agenda

What is Cloud Computing?

Anatomy of a Cloud Computing Agreement

Key Contractual Issues

Some Additional Business Issues

Final Tips for Effective Cloud Computing

1. The Basics – What is Cloud Computing?

Gartner defines Cloud computing as “a style of computing where scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies”.

Frequently shared among multiple customers. From a security and risk perspective, it is the least transparent externally-sourced service delivery method. Data is stored and processed by the Provider externally in multiple unspecified locations, often sourced from other, unnamed providers and containing data from multiple customers.

Very flexible and cost effective for the vendor; avoids specifics about location, staff, technology, processes or subcontractors.

Services may be offered by a chain of providers, each invisibly offering processing/storage services on behalf of the Cloud Provider, which may not control the technology, and each accessing unencrypted data.

You cannot ‘see’ into the Cloud!

Various Kinds of Clouds

Public Clouds

Private Clouds

Community Clouds

Hybrid Clouds

Public Clouds

This is the more common occurrence in Cloud computing. It is a Cloud run by third parties (i.e., not the customer). Cloud infrastructure is made available to the general public or a large industry group and is owned by the Cloud Provider. Typically shared, available on a “pay as you go” basis. All components of the Cloud sit outside of the customer’s firewall in a shared infrastructure. The infrastructure is:

Logically partitioned. Multi-tenanted. Accessed over a secure Internet connection.

Nearly every detail is managed by the Cloud Provider. Very little is required on the customer end.

Private Clouds

Some consider private Clouds to intuitively defeat the purpose of Cloud computing (i.e., that it is a shared infrastructure with multiple tenants).

Generally built for the exclusive use of only one customer and behind the customer’s firewall – a dedicated hardware environment.

May be managed by the Cloud Provider, a third party or by in-house IT staff, and may exist on or off the premises.

Private Clouds may utilize hardware and software owned or licensed by the customer.

This Cloud provides near total control over the data stored in the Cloud, as well as the security and quality of service provided in the Cloud.

Arguably the most secure Cloud, depending on the nature of the controls deployed and the diligence of the operator.

Customer has the ability to own the infrastructure and has control over how applications are deployed on it.

Community Clouds/Hybrid Clouds

Community Cloud: Cloud infrastructure that is shared by several organizations and supports a specific community or interest group with shared concerns. Managed by the clients or the Cloud Provider; may exist on premise or off-site.

Hybrid Clouds: Composed of two or more Clouds (public, private or community) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

Example - Cloud bursting, where an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes, for load-balancing between Clouds.

Which type of Cloud works best?

A one-off use of the Cloud, or use of the Cloud for only a minor purpose, is likely not worth the investment of creating a private Cloud. This largely depends on the type of project that requires the Cloud. Complicated and highly sensitive business may necessitate a more guarded approach, and thus require a private Cloud. An organization can use private, public and hybrid Clouds for different tasks within the company.

Service Models (Some Buzzwords…)

SaaS: “Software as a Service” – the “COTS” example of Cloud computing, i.e. web-based email. Cloud Provider’s applications running on a Cloud infrastructure; the customer does not control or manage the network, servers, operating systems, storage or even individual application capabilities. Examples: Webmail (Hotmail/Gmail), Google Apps.

PaaS: “Platform as a Service” – the Cloud provides a computing platform (with capabilities such as database management, security and workflow management) on which the customer can develop and execute its own applications, using programming languages and tools supported by the Cloud Provider. Customer does not control or manage the underlying network, servers, operating systems or storage but can control the deployed applications and potentially application hosting environment configurations. See: Salesforce.com, Amazon Web Services Elastic Beanstalk, Windows Azure.

Service Models, continued.

IaaS: “Infrastructure as a Service” – Cloud Provider supplies the required processing, storage, networks and other fundamental computing resources, and the customer can deploy and run any software that it may require, including operating systems and applications. Customer does not manage or control the underlying Cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (i.e. firewalls). May include virtual machines. Examples: Amazon CloudFormation (and underlying services such as Amazon EC2), Rackspace Cloud, Terremark, Windows Azure Virtual Machines, Google Compute Engine and Joyent.

STaaS: “Storage as a Service” – Cloud Provider supplies online backup data storage and restoration/disaster recovery. Storage is usually charged on a cost-per-gigabyte and cost-per-data-transferred basis. Cloud Provider maintains and manages its customers’ data and makes that data accessible over a network, usually the Internet. Examples: iCloud, NetApp, Dropbox, EMC and Asigra Inc.

2. Anatomy of a Cloud Computing Agreement

In theory, legal agreements should be more important than ever to deal with the lack of transparency. Many Cloud agreements look simple but are actually much more complicated than they first appear. Typically very easy to enter into - Cloud Providers allow online sign-up via credit cards, subject to their standard terms, for immediate use of the service → quick and easy!

However - just because they are relatively cheap and easy does not mean that they are without legal/business risks.

Different kinds of Cloud Agreements: from “click-wrap” contracts confirming acceptance of standard terms to negotiated agreements akin to traditional outsourcing models.

Analysis of Cloud Agreements

Standard Cloud Agreements: Contract terms (i) always favour the vendor; (ii) are often opaque and easily changed; and (iii) do not have clear service commitments.

Gartner, August 2013 – cloud computing agreements are frequently inadequate and contain ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after data loss incidents.

Generally designed for high volume, low cost, standard, commoditized services on shared multi-tenant infrastructure.

Queen Mary University of London School of Law Study on Cloud Computing (September 2010) surveyed 31 Cloud services offered by 27 discrete Providers targeted towards US and European markets. Looked at paid/free services, the majority SaaS/IaaS with a handful of PaaS, across Consumer, Small/Medium Enterprise and Corporate/Public Administration segments.

Some interesting trends - many were potentially non-compliant, invalid or unenforceable in some countries.

Analysis of Cloud Agreements

Cloud Agreements generally include the following:

Terms of Service (ToS): Details the overall relationship between the customer and Cloud Provider. Contains commercial terms, legal clauses, and incorporates other documents by reference.

Service Level Agreement (SLA): Specifies the level of service the Cloud Provider aims to provide and the process of compensation for failure (usually only for paid services).

Acceptable Use Policy (AUP): nominally describes permitted practices, but in effect lists the forbidden ones. Superficially varied but very similar in scope and effect. May be used as grounds for termination, i.e., “Notwithstanding the foregoing, if the breach is Customer’s noncompliance with the AUP or with a law or regulation, Consultant may immediately, without liability, interrupt or suspend the Services as necessary to avoid a violation of law or regulation, to prevent a service interruption by an Internet service provider or other network services provider, or to protect the integrity of Consultant’s network or the security of the Services”

Frequently hyperlinked to ever-changing policies.

Analysis of Cloud Agreements

Privacy Policy (Provider’s approach to using and protecting personal information; may also incorporate terms relating to data protection)

Some Providers fold all documents into the ToS; some paid services do not offer SLAs.

Privacy terms often found in the ToS, AUP as well as the Privacy Policy

Several large Cloud Providers have more than one set of documents for a given service, including T&C’s tailored for local laws.

Beware hyperlinked, contradictory documents!

3. Key Contractual Issues - Some Observations

Why should you care what is in one of these agreements?

Contracts may continue indefinitely until terminated. Contracts include detailed clauses describing breaches that will result in the managed termination of the contract (i.e. after one payment period in default) or immediate termination for cause (i.e. because of serious breach of the AUP).

13 of 31 surveyed incorporate a term that states that they may amend their T&Cs by posting an updated version on their websites, and that continued use of the service by the customer is ‘deemed’ as acceptance of the new T&Cs.

Agreements may be cross-referenced, so not all key terms are visible. Some state that they may vary their agreements with no further notice, without saying whether the customer will be notified of the change or what constitutes acceptance of it.

Cloud Provider’s standards as described in their agreement may not meet the statutory or regulatory requirements of the customer (PIPEDA, PHIPA, OSFI).

Why Should You Care?

Governing law is usually that of the Cloud Provider, and especially when the law of a particular U.S. jurisdiction is asserted, the Cloud Provider will include a term stating that claims against it must be brought in the courts of a particular city within that state (likely not enforceable against consumers).

Providers also try to enforce short limitation periods (2 years, 1 year, six months) to bring claims.

Many agreements also try to require mandatory arbitration (illegal under most consumer protection laws in Canada and UK).

Are you awake yet?

Be Aware… St. Mary’s 2010 study revealed:

a distinction between the terms of explicitly paid-for services and those which are free or not funded by direct subscription (i.e. data retention).

a distinction between UK/European and U.S. Providers (warranty, limitation of liability).

SaaS terms vary more than IaaS terms.

distinct differences on the questions of customer monitoring, treatment of data, and variation of contract.

AUPs, while worded differently, broadly prohibit the same set of activities.

liabilities usually limited to a flat amount (total amounts paid by the customer over a period ranging from the previous month to the last year).

And Now?

Trends from the St Mary’s 2012 Study (conducted between December 2010 - early 2012)

Users still consider that standard Cloud Provider’s contract terms or offerings do not sufficiently accommodate customer needs in various respects.

Many Providers, in standard terms or even in negotiations, would not take into account that users have regulatory or other legal obligations and have to demonstrate compliance to regulators (especially Europe and to a lesser degree, Canada).

Cloud users are seeking changes to make the agreements more balanced and appropriate to their own circumstances:

Internal reasons – need for more robust service levels, allocation of risk between user and Provider (including Provider liability)

External reasons – regulatory, compliance with laws/regulations, insurers

Demand and supply – governments want better terms

Despite perception that Cloud Providers’ standard terms are non-negotiable, Cloud contracts can be, and have been, negotiated by customers such as financial institutions.

Reluctance at the lower price end of the market where Cloud Providers seem unable or unwilling to accommodate differences.

Integrators are influencing the market. There are some signs of change!

More Interesting Trends…

Recent study conducted by St Mary’s found that while 48% of organizations polled were already using the Cloud, only 52% of those (particularly the larger organizations) had negotiated their contracts, with 45% stating that they had no opportunity (thanks to click-through terms).

Click-through model poses risks to users as IT, IT security specialists, and legal departments are not aware of all Cloud computing resources deployed in their organizations.

Customers are tempted to accept providers’ standard terms online to start using the desired services quickly without considering fully the nature or effect of those terms or going through their organizations’ standard procurement procedures.

Very common for users to discover that their employees had subscribed for Cloud services on providers’ standard terms and as a result have to attempt to negotiate more acceptable terms!

Large providers have departed from their standard terms to secure deals they perceive to be sufficiently worthwhile in terms of financial, strategic or reputation’s ‘trophy’ value (Google Apps SaaS to the City of Los Angeles, Cambridge University).

Some customers trying to force Cloud Providers to sign up to their own standard IT services or outsourcing terms on a take-it-or-leave-it basis, even if the terms do not suit Cloud services (government bodies, financial institutions).

More Interesting Trends…

With paid-for Cloud services, Cloud Providers are generally more willing to accept liability (or greater liability) and agree to other user-requested commitments than with free services.

Resellers, service providers, systems integrators, IT outsourcers, distributors (collectively, Integrators) are better able than end-users (customers) to negotiate improved terms with Cloud Providers. May be because they have ongoing relationships with Cloud Providers; better bargaining position. Some end users (customers) received more contractual assurances from Integrators than from the Cloud Providers themselves (of course Integrators then bear the risks of mismatches in obligations and liabilities).

Hot Areas of Negotiation (St Mary’s 2012)

Top six terms most negotiated were:

Exclusion/limitation of liability and remedies, particularly data integrity and disaster recovery;

Service levels, including availability;

Security and privacy, particularly regulatory issues under the EU Data Protection Directive;

Lock-in and exit, including term, termination rights and return of data on exit;

Cloud Providers’ ability to change service features unilaterally; and

Intellectual Property Rights.

These will all be covered today, but not exactly in this order.

Representations and Warranties

Generally speaking, representations and warranties made by Cloud Providers will attempt to distance themselves as much as possible from any assurances of quality. Cloud Providers routinely deny/disclaim any warranties for performance of the service that they provide. Cloud computing contracts are famous for being “as is”, “as available” type agreements. Sometimes Providers offer service credits instead!

St. Mary’s survey: differing commercial practices between US/European Providers, with some differences for consumer protection. U.S.-based Providers seek to deny liability for direct damages as far as possible, whether in very general terms or specifically for the consequences of inability to access data. European Cloud Providers are less overt about excluding direct liability (difficult to do so), or exempt implied warranties. Disclaimers against indirect liability (consequential, economic losses) are very common.

Still, others push the envelope: in 2009 Apple was forced to modify T&Cs for iTunes in the UK, including exclusions of liability for faulty services and unilateral variation of the contract.

Representations and Warranties

Example 1

“[Cloud Provider] properties, the marks, the services and all technology, software, functions, content, images, materials and other data or information provided by us or our licensors in connection therewith (collectively the “service offerings”) are provided “as is”. We and our licensors make no representations or warranties of any kind, whether express, implied, statutory or otherwise with respect to the service offerings. Except to the extent prohibited by applicable law, we and our licensors disclaim all warranties, including, without limitation, any implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, non-infringement, quiet enjoyment, and any warranties arising out of any course of dealing or usage of trade.”

Comments: Standard contract terms such as the implied warranty of merchantability, satisfactory quality and fitness for a particular purpose are explicitly disclaimed. No performance expectations; the services being paid for and provided by the Cloud Provider may not work, and as a result the customer still gets nothing.

Representations and Warranties

Example 2

“We and our licensors do not warrant that the service offerings will function as described, will be uninterrupted or error free, or free of harmful components, or that the data you store within the service offerings will be secure or not otherwise lost or damaged. We and our licensors shall not be responsible for any service interruptions, including, without limitation, power outages, system failures or other interruptions, including those that affect the receipt, processing, acceptance, completion or settlement of any payment services. No advice or information obtained by you from us or from any third party or through the services shall create any warranty not expressly stated in this agreement.”

Comments: This Cloud Provider does not even warrant that their services will function as described, nor that they will be uninterrupted or error-free (which could result in a loss of data or worse).

This Cloud Provider takes no responsibility for a service interruption.

Representations and Warranties

Example 3

“OTHER THAN THE EXPLICIT WARRANTIES AND THOSE WHICH CANNOT BE EXCLUDED BY APPLICABLE LAW, AND ANY WARRANTIES SPECIFICALLY PROVIDED IN AN ORDER, CONSULTANT PROVIDES THE SERVICES “AS IS,” AND DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESSED, IMPLIED AND STATUTORY, INCLUDING THE WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.”

Limitations On Liability

Example 1

“You expressly understand and agree that [Cloud Provider], its subsidiaries and affiliates, and its licensors shall not be liable to you for:

(a) any direct, indirect, incidental, special consequential or exemplary damages which may be incurred by you, however caused and under any theory of liability. This shall include, but not be limited to, any loss of profit (whether incurred directly or indirectly), any loss of goodwill or business reputation, any loss of data suffered, cost of procurement of substitute goods or services, or other intangible loss;

(b) any loss or damage which may be incurred by you, including but not limited to loss or damage as a result of: (i) any reliance placed by you on the completeness, accuracy or existence of any advertising, or as a result of any relationship or transaction between you and any advertiser or sponsor whose advertising appears on the services; (ii) any changes which [Cloud Provider] may make to the services, or for any permanent or temporary cessation in the provision of the services (or any features within the services); (iii) the deletion of, corruption of, or failure to store, any content and other communications data maintained or transmitted by or through your use of the services; (iii) your failure to provide [Cloud Provider] with accurate account information; (iv) your failure to keep your password or account details secure and confidential”

The limitations on [Cloud Provider’s] liability to you in paragraph XX above shall apply whether or not [Cloud Provider] has been advised of or should have been aware of the possibility of any such losses arising.

Limitations On Liability

Most Cloud Agreements limit liability to a level that is disproportionate to potential risks/actual losses. Consider the actual value of permanently or temporarily lost data, and damages related to data breach, data loss and outages.

Famous for:

Exclusion of liability altogether or restricted as much as possible;

Exclusions of certain types of losses (i.e. data loss) or types of damages (i.e. direct);

Narrow and limited financial caps.

Liability limited to the amount paid by the customer for the service at issue and/or the amount paid by the customer within a certain time period (often the six-month or twelve-month period before the claim at issue arose – insufficient).

Consider the real value of the deal – 24-36 months? Stating that liability is “non-negotiable” and “everyone else accepts it”.

Sometimes this limitation is a ‘deal breaker’.

Limitations On Liability

Example 2

“Limitations of Liability. Neither we nor any of our licensors shall be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages, including, but not limited to, damages for loss of profits, goodwill, use, data or other losses (even if we have been advised of the possibility of such damages) in connection with this agreement, including, without limitation, any such damages resulting from: (i) the use or the inability to use the services; (ii) the cost of procurement of substitute goods and services; or (iii) unauthorized access to or alteration of your content. In any case, our aggregate liability under this agreement shall be limited to the amount actually paid by you to us hereunder for the services. Some jurisdictions do not allow the exclusion of certain warranties or the limitation or exclusion of liability for incidental or consequential damages. Accordingly, some or all of the above exclusions or limitations may not apply to you, and you may have additional rights.”

Indemnities

Very broad (and always in favour of the Cloud Provider!)

St Mary’s: 24/31 of the T&Cs required customers to indemnify Cloud Providers against claims arising from the customer’s use of the service.

Example 1

“General. You agree to indemnify, defend and hold us, our affiliates and licensors, each of our and their business partners (including third party sellers on websites operated by or on behalf of us) and each of our and their respective employees, officers, directors and representatives, harmless from and against any and all claims, losses, damages, liabilities, judgments, penalties, fines, costs and expenses (including reasonable attorneys fees), arising out of or in connection with any claim arising out of (i) your use of the Services and/or [Cloud Provider] Properties in a manner not authorized by this Agreement, and/or in violation of the applicable restrictions, AUPs, and/or applicable law, (ii) your Application, Your Content, or the combination of either with other applications, content or processes, including but not limited to any claim involving infringement or misappropriation of third-party rights and/or the use, development, design, manufacture, production, advertising, promotion and/or marketing of your Application and/or Your Content, (iii) your violation of any term or condition of this Agreement or any applicable Additional Policies, including without limitation, your representations and warranties, or (iv) you or your employees’ or personnel’s negligence or wilful misconduct.”

Indemnities

Example 2

“Notification. We agree to promptly notify you of any claim subject to indemnification; provided that our failure to promptly notify you shall not affect your obligations hereunder except to the extent that our failure to promptly notify you delays or prejudices your ability to defend the claim. At our option, you will have the right to defend against any such claim with counsel of your own choosing (subject to our written consent) and to settle such claim as you deem appropriate, provided that you shall not enter into any settlement without our prior written consent and provided that we may, at any time, elect to take over control of the defense and settlement of the claim.”

Comments: Here, the Cloud Provider is actually ensuring that the customer will indemnify the Provider should the Provider be found liable for:

Content uploaded by the customer;

Conduct of the customer or its employees;

Any violation of the terms of service; and

Any content created from the customer’s data that violates another individual’s rights [also IP rights].

Note that the Cloud Provider will notify the customer of a suit where an indemnification may arise; however, the customer’s ability to defend itself will be at the option of the Cloud Provider.

Seek to minimize these indemnities!

Indemnities

Some Cloud Providers do undertake to indemnify customers in certain circumstances: claims brought against them for IP infringement arising from use of the Provider’s service (Google for Apps Premier, Akamai, Salesforce CRM). Clause may be mutual (3Tera).

Customers should seek a broad remedy for any third party claims that the software provided by the Cloud Provider infringes the intellectual property rights (including copyrights and software patents, all “IPR”) of a third party.

Realistically, the IPR indemnity is often limited to direct losses only, and capped. Cloud Providers are excluding liability for IPR infringement relating to open source software. Some SaaS Providers emphasize that they are providing ‘services’ rather than licensing software. The indemnity should minimally cover all of the countries in which the customer uses the software.

Data Integrity

Customers want data placed on the Provider’s Cloud to be secure against loss, whether loss of integrity or availability (i.e. from corruption/deletion) or loss of confidentiality (security breach, unauthorized disclosure).

Most Cloud agreements go the opposite direction, disclaiming liability for it (no contractual commitment).

Ultimate responsibility for preserving the confidentiality and integrity of the data lies with the customer, or Providers see it as a “shared responsibility”.

Most Providers include data disclaimers; others recommend that customers encrypt all data that they store on the Cloud, routinely archive their content, and keep their applications current with security patches. Even companies that promise to use “best efforts” to preserve data include disclaimers. Microsoft.Net: tells customers to make separate backup arrangements! Other Providers use terms like ‘appropriate measures to safeguard data.’ Be aware that some backup Providers (Symantec, Iron Mountain) disclaim all liability for data protection.

Data Ownership

Most Cloud agreements now state that the customer owns the data they upload into the Cloud (good). Some companies do not discuss ownership at all (bad!). It is important that the contract clearly affirm the customer’s ownership of its data.

What about ownership of data/work product developed by the customer in the Cloud? No “work for hire” in Canada – payment does not equate to ownership or automatic transfer, just a license. Ownership rights must be proactively addressed in the legal agreement.

Data Preservation

At issue: What happens to the data following termination of the agreement, whether for cause or otherwise? A potential customer must ask whether its data will be deleted following termination, kept by the Cloud Provider (locked in), or transferred back in a non-proprietary form to the customer.

Also, does it matter how the agreement was terminated? Providers may: (i) preserve data for a set period of time following the end of the service agreement; (ii) immediately delete customer data once the relationship between the parties ends; or (iii) take a hybrid approach, i.e. stating that they will be under no obligation to preserve data after the end of the relationship but not stating that they will delete it, or providing a grace period that may apply at their discretion.

Data Lock-in and Preservation/Termination

Example 1

Data Preservation in the Event of Suspension or Termination. In the Event of Suspension Other Than for Cause. In the event of a suspension by us of your access to any Service for any reason other than a for cause suspension under Section [x], during the period of suspension, (i) we will not take any action to intentionally erase any of your data stored on the Services and (ii) applicable Service data storage charges will continue to accrue.

In the Event of Termination Other Than for Cause. In the event of any termination by us of any Service or any set of Services, or termination of this Agreement in its entirety, other than a for cause termination under Section [x], (i) we will not take any action to intentionally erase any of your data stored on the Services for a period of thirty (30) days after the effective date of termination; and (ii) your post termination retrieval of data stored on the Services will be conditioned on your payment of Service data storage charges for the period following termination, payment in full of any other amounts due us, and your compliance with terms and conditions we may establish with respect to such data retrieval.

In the Event of Other Suspension or Termination. Except as provided in Sections [x and x] above, we shall have no obligation to continue to store your data during any period of suspension or termination or to permit you to retrieve the same.

Data Ownership and Lock-in/Termination

This Cloud Provider will keep your data for 30 days in the event of termination or suspension (other than for cause). They even go as far as stating they will not take any action to intentionally erase any data. However, note that no data will be returned unless all fees are paid and up to date. The data is being locked in, subject to payment. What if fee payment is in dispute?

And what happens to your data if the Cloud Provider terminated the agreement for cause?

Two issues: (i) will there be an opportunity for the customer to gain access to its data once the contract has ended; (ii) is there any guarantee/assurance from the Cloud Provider that the data will not be deleted? Under any circumstances?

Data Lock-in and Ownership/Termination

Some Cloud Providers are worse!

Example 2

“We reserve the right to terminate unpaid accounts that are inactive for a continuous period of 120 days. In the event of such termination, all data associated with such account will be deleted.”

“Termination of [Cloud Provider] Account will include denial of access to all Services, deletion of your Account information such as your e-mail ID and Password and deletion of all data in your [Cloud Provider] Account.”

This Provider will delete all your data upon termination of an account, including termination of unpaid accounts.

Customers should negotiate that any disputes over fees will never result in deletion of any data. Suspension of use may be a better alternative.

Verify the period of time that the Cloud Provider will retain/preserve your data (e.g. 30 days). You may be able to negotiate larger grace periods, e.g. 90 days or 18 months. Verify whether the ‘grace period’ will apply following violations of the AUP, etc.

Data Disposition/Post-termination

Customer should confirm and detail the process by which its data will be returned to or retrieved by the customer following termination of the Cloud agreement. This should include the timeframe within which the Cloud Provider needs to provide access, as well as the process and the format for the data. Customer should identify the appropriate data format depending on what they plan to do with the data (e.g. move it in-house, transfer to another vendor, etc.). Data in a Cloud Provider’s proprietary/inaccessible format will be useless.

The Cloud Provider should be obliged to destroy customer data after termination of the contract, but some Providers state that deletion is at their discretion. Note that ‘free’ Providers offering storage to private customers may state that they will delete data in apparently dormant accounts, i.e. accounts inactive for a continuous period.

Loss of Data

Service level agreements should cover what happens when data is lost due to a service interruption. Most do not! Examples:

“The remedies set forth in this SLA are Customer's sole and exclusive remedies for any Failure or other failure of the Service, including without limitation for any breach of warranty, except as specifically set forth in the Agreement.”

“PERFORMANCE PURSUANT TO PARTS III, VI, VIII, IX, AND X BELOW IS NOT GUARANTEED, AND NEITHER THIS SLA NOR ANY OTHER PORTION OF THE AGREEMENT PROVIDES CREDITS OR OTHER REMEDIES FOR FAILURES TO MEET THE STANDARDS LISTED THERE.”

“A Cloud storage Failure occurs when Customer cannot retrieve data because of problems with hardware and software in [Cloud Provider’s] control. Data retrieval issues caused by problems connecting to the Service, including without limitation problems on the Internet, do not constitute Failures and so are not covered by this SLA. Under no circumstances will [Cloud Provider] be responsible for the restoration of any data to Cloud storage or for the loss of any data.”

Comments:

The “Performance” discussed in the second paragraph refers to the Cloud Provider’s storage service, which states that if more than one complex hard disk fails, it is beyond the scope of the agreement to guarantee that the Cloud Provider will be able to recover any data. Note also that data retrieval issues caused by an inability to access the service provided do not constitute a Failure covered under the service level agreement.

Loss of Data

Example:

“The Service Commitment does not apply to any unavailability, suspension or termination of [the Cloud Provider], or any other [Cloud Provider] performance issues: (i) that result from Service Suspensions described in Section X of the [Cloud Provider] Agreement; (ii) caused by factors outside of our reasonable control, including any force majeure event or Internet access or related problems beyond the demarcation point of [the Cloud Provider]; (iii) that result from any actions or inactions of you or any third party; (iv) that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control); or (v) arising from our suspension and termination of your right to use [Cloud Provider] in accordance with the [Cloud Provider] Agreement … If availability is impacted by factors other than those used in our calculation of the Error Rate, we may issue a Service Credit considering such factors in our sole discretion.”

Comments:

Item (v) of the above example explicitly excludes from the service level agreement any guarantee of access to data or uptime if there has been a suspension or termination of the customer’s right to use the services provided.

This is bad!

Data Ownership/Loss of Control

While you may still own your data, you don’t necessarily control it (at least in a public Cloud). When you upload data to a Cloud, you necessarily allow the Cloud Provider to assume a certain amount of control over this data. This leads to security issues (to be discussed later). Certain security measures that the customer would normally take to protect its own sensitive data are not necessarily guaranteed by the Provider’s service level agreement.

Data Disclosure

Note that Cloud Agreements contain a spectrum of approaches to the circumstances under which Cloud Providers will disclose customer data. Most state that they will do so pursuant to a valid court order (with some procedural safeguards). Others have a much broader approach - accepting requests from recognized law enforcement agencies, or citing the public interest or a duty to protect life. The now defunct G.ho.st would disclose if it had a ‘good faith’ belief that it would protect its own interests by doing so. ADrive:

You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.

For some Providers, disclosure is an inherent part of the service (social networking sites - the boundaries are blurring!)

Monitoring By the Cloud Provider

Customers may not want their data monitored by the Cloud Provider, especially if it is confidential. Even monitoring traffic data can reveal considerable amounts of information about the use of even encrypted services. Typically, Cloud Providers are either: (i) silent but still likely monitoring (Google, Salesforce); (ii) admitting that they monitor customer use, but only in terms of the nature and pattern of use (e.g. bandwidth consumption) for ensuring ‘good quality of service’ or statistical analysis (Microsoft); or (iii) explicitly monitoring for compliance/enforcement of the AUP (Rackspace). Terms are often vague as to whether this monitoring is continuous or in response to a specific disapproved activity; the Cloud Provider may not want to assume responsibility for policing content.

Consider the nature of the data being uploaded to the Cloud and review these provisions carefully!

Applicable Law/Jurisdiction

When two parties that reside in different jurisdictions contract with each other, which country’s laws will apply? Cloud Providers will generally, but not always, use their principal place of business as the basis for the legal system and litigation forum governing their T&Cs. Many Cloud services are offered under the law of the U.S., subject to terms that purport to restrict legal disputes to state courts - usually California, although the laws of Massachusetts, Washington, Utah and Texas are also referenced. Others have localized legal frameworks. Agreements need to be reviewed carefully by customers who wish to avoid travelling to court in another state or country to argue a claim under commercial law with which they may be unfamiliar. Such terms are generally void in the EU and some other countries as against consumers, but the position is unclear for B2B contracts.

Jurisdiction/Location of Data

Different countries have different laws pertaining to data. Which laws apply to my data? Where is my data being stored and processed? Large Cloud Providers have data centres all over the world and it may be difficult to ensure that your data is being kept in a centre within your home jurisdiction.

Storage Location

This can be a problem, not just for the customer, but also for the customer’s customer. If company X has records that include my personal information, I may not want them being stored on servers in different parts of the world. Also, export control questions - does saving controlled data on a Cloud computing service with a data centre located outside Canada constitute a violation of Canadian export control laws? Need to identify the geographic location within which the data centre hosting the customer’s data is located.

Jurisdiction/Location of Data

Many Cloud Providers (including Google, Microsoft) will confirm that data is stored and processed in a particular jurisdiction (or at least will use ‘commercially reasonable efforts’ to do so, or do so when ‘commercially feasible’). Certain Providers (Amazon) offer ‘regional zones’ in which a customer may be assured that the data will remain. If important, ensure that this is incorporated into the T&Cs, as location information is rarely found. St. Mary’s: 15 of 31 T&Cs surveyed made no mention of data location or transit protection whatsoever. Of those that did, seven asserted compliance with U.S. Safe Harbor procedures; others said that they would only transfer personal data to locations providing ‘an equivalent or greater level of protection for personal data to that applicable where the data originated’.

Also: consider security of data in transit. Unless the Cloud Provider has built or leased its own secure network and facilities, transfers between data centres will occur over the Internet, possibly unencrypted.

Service Levels/Service Level Agreements

May not always be available as part of standard offerings, especially for commoditized services. Standards are lacking, making it difficult for customers to compare different services. Intended to compensate customers for failure to deliver services to promised/set levels - invariably by service credit, allowing the customer a rebate against future billing. The SLA tends to be a separate document from the primary (or master) agreement, and service credits may be in an additional document. Not very transparent - often referenced by linking to the Cloud Provider’s website, which Providers may amend. The onus is on the customer to monitor the Cloud Provider’s site for changes (ask for notification of changes!). Cloud Providers are very reluctant to negotiate customized levels for specific customers, unless for large volumes of services or private Clouds.

It is important to state specific parameters and minimum levels for each element of the service provided. Service levels can include: uptime, performance and response time, error correction time, infrastructure/security. Look at the definitions of service levels - some are very narrow. Typically downtime for maintenance and emergency services is excluded from uptime calculations, and intermittent downtime may not count towards downtime calculations. Consider whether scheduled downtime aligns with the customer’s critical access needs. Most Cloud Providers will not take responsibility for factors outside the Cloud Provider’s immediate control, including Internet routing or traffic issues affecting Internet links.

Service Credits

Should be considered in relation to customer-specific needs/service availability. Specific remedies include receipt of service credits (confirm how and when these are to be provided). It is not unusual for the Provider to be the sole arbiter of the eligibility for and extent of credits, and for credits to be the “sole remedy available” for service deficiencies. Generally these are calculated as a percentage of the fees the customer has paid, which are returned to them should there be a service interruption: the greater the service interruption, the greater the reimbursement of the fees. One Cloud Provider offers customers a “10,000% service credit”, equivalent to 100 times the customer’s fees on the service that failed (this would be the exception, not the rule). This company also guarantees 100% server uptime (unrealistic!). Look for the long list of carve-outs and exceptions. Credit schedules can be quite complex, e.g. a 5% monthly fee rebate for the first 5 minutes of lost service, then a further 5% for each additional 30 minutes, up to a set maximum.

Service Credits

Some Providers disclaim any availability target - ‘as is’, and the service can be suspended at ‘any time’. Is the onus on the customer to provide notice of service failure? Ask for the right to audit performance levels and to access daily service quality statistics. In practice, credits are often subject to a cap (usually one month’s billing).

A customer who has experienced a serious outage may not wish to continue with a Cloud Provider that has offered poor service, and credits against future billing will be of little or no benefit to customers that decide to switch Cloud Providers following unsatisfactory service. Even where service levels are non-negotiable, service credits for SLA breaches may be. Regardless of pay-out: (i) require the Cloud Provider to perform a root cause analysis after any service level failure to determine the base cause and prevent future failures; (ii) negotiate a termination right for multiple or repeated failures.
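As an added illustration (not from the presentation or any provider's terms), a small Python calculator for a tiered credit schedule of the kind described in the two Service Credits slides above: 5% of the monthly fee for the first 5 minutes of lost service, a further 5% for each additional 30 minutes, carved-out downtime (scheduled maintenance, problems beyond the demarcation point) removed first, and the total capped at one month's billing. The tier boundaries, the rounding-up of partial 30-minute blocks, the 30-day billing month and the cap are assumptions chosen for the example.

```python
from decimal import Decimal, ROUND_HALF_UP
from math import ceil

# Assumed schedule for this example; the presentation describes the shape
# of such schedules, not one specific provider's numbers.
FIRST_TIER_MINUTES = 5     # the first 5 minutes of lost service ...
FIRST_TIER_PERCENT = 5     # ... earn a 5% rebate of the monthly fee
STEP_MINUTES = 30          # each further 30 minutes (or part thereof) ...
STEP_PERCENT = 5           # ... earn a further 5%
CAP_PERCENT = 100          # capped at one month's billing
MINUTES_PER_MONTH = 30 * 24 * 60   # 30-day billing month assumed


def credit_percent(outage_minutes: int, excluded_minutes: int = 0) -> int:
    """Percentage of the monthly fee owed as a service credit.

    excluded_minutes is downtime the SLA carves out (scheduled maintenance,
    emergency work, problems beyond the Provider's demarcation point).
    It is subtracted before the schedule is applied, which is why the
    carve-out list matters as much as the headline percentages.
    """
    billable = outage_minutes - excluded_minutes
    if billable <= 0:
        return 0
    percent = FIRST_TIER_PERCENT
    if billable > FIRST_TIER_MINUTES:
        # a partial 30-minute block counts as a full block
        extra_blocks = ceil((billable - FIRST_TIER_MINUTES) / STEP_MINUTES)
        percent += STEP_PERCENT * extra_blocks
    return min(percent, CAP_PERCENT)


def credit_amount(monthly_fee, outage_minutes: int,
                  excluded_minutes: int = 0) -> Decimal:
    """Money value of the credit, rounded to the cent (fee as str or Decimal)."""
    fee = Decimal(str(monthly_fee))
    pct = credit_percent(outage_minutes, excluded_minutes)
    return (fee * pct / 100).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def minutes_to_cap() -> int:
    """Shortest outage that already exhausts the capped credit.

    Past this point further downtime earns nothing more, which is the
    'little or no benefit' problem the presentation raises.
    """
    minutes = 0
    while credit_percent(minutes) < CAP_PERCENT:
        minutes += 1
    return minutes


def availability_percent(outage_minutes: int) -> float:
    """Monthly availability implied by a given amount of downtime."""
    return round(100.0 * (1 - outage_minutes / MINUTES_PER_MONTH), 2)


if __name__ == "__main__":
    fee = "1200.00"   # constructed sample monthly fee
    for outage, excluded in [(3, 0), (36, 0), (60, 45), (600, 0)]:
        print(f"{outage:4d} min outage, {excluded:3d} min excluded -> "
              f"{credit_percent(outage, excluded):3d}% = "
              f"{credit_amount(fee, outage, excluded)}")
    cap_at = minutes_to_cap()
    print(f"credit caps out after {cap_at} min of downtime, "
          f"i.e. at {availability_percent(cap_at)}% monthly availability")
```

Under these assumptions the remedy is exhausted after roughly nine hours of downtime in the month, well below a 99% availability figure, which is the arithmetic behind negotiating a termination right for repeated failures rather than relying on credits alone.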

Cloud Provider Outsourcing/Subcontracting

Just to make things more complicated… It is not uncommon for one Cloud computing company to use the services of a different Cloud computing company to provide its services to customers or to expand the breadth of its service offerings, e.g. a SaaS contract that uses a third-party IaaS for data centre infrastructure. For example, in order to provide around-the-clock ‘follow the sun’ services, many Cloud Providers use support staff or sub-contractors outside their jurisdiction who are given access to customer data or metadata - did the customer agree to this kind of data transfer/access? This will increase the complexity of the Cloud computing agreement, assuming you know about it (always ask questions!).

Look for language that says the Cloud Provider “owns or licenses” the services that they are providing. Which vendor is responsible for which action? The Cloud Provider may attempt to (i) transfer liability to the other provider should a dispute arise with the customer - with whom there is no privity of contract; or (ii) avoid liability completely for the conduct of the third-party (TP) provider.

Subcontracting

To mitigate your risk: Carefully review the Cloud Agreement regarding sub-contracting provisions. Ask questions if the Cloud Agreement is vague or silent. Obligate the Cloud Provider that you are doing business with to identify any functionality that is being outsourced to TP vendors and to whom. Ask to see the sub-contract agreement if this is important to you or your clients. Include a right to vet/veto sub-contractors. Require the Cloud Provider to be liable for the actions and omissions of its TP providers. Engage in due diligence to ensure that the Cloud Provider actually owns its software, hardware and other resources and is not merely reselling them.

Final responsibility should remain with the original Cloud Provider, who should be directly responsible for (i) ensuring that all TP providers and subcontractors comply with the Cloud Agreement; and (ii) compensating the customer for any failures to do so.

4. Additional Business Issues

BUSINESS CONTINUITY

Cloud customers must ensure the continuity of their operations and uninterrupted access to their data. Verify that the Cloud Provider has in place proper business continuity procedures and disaster recovery capabilities. Ideally the Cloud Provider’s written business continuity/disaster recovery procedures should be attached to the Cloud Agreement. Customer should require a contractual right to review and approve any material changes to these procedures/documents. The Cloud Provider may be unwilling to commit to the use of these measures in its agreements. Allow for a right of termination by the customer if the revised business continuity procedures do not meet the requirements of the customer’s business continuity policy. Customer can ask to include minimum requirements that the Cloud Provider must meet throughout the term of the agreement. Customer should include audit rights over the Cloud Provider’s business continuity operations, or require the Cloud Provider to conduct its own internal audit and report the results to the customer.

Escrow is not usually an appropriate or useful remedy.

Force Majeure

Be wary of “boilerplate” force majeure clauses. They may serve to excuse performance by the Cloud Provider for any event beyond the Cloud Provider’s control. Google Apps for Business Online Agreement:

Neither party will be liable for inadequate performance to the extent caused by a condition (for example, natural disaster, act of war or terrorism, riot, labour condition, governmental action, and Internet disturbance) that was beyond the party’s reasonable control.

Consider whether language in the Cloud Agreement is so broad as to excuse events that are, or should be, within the Cloud Provider’s reasonable control, and who should bear the risk.

Thinking the Unpalatable

What happens if the Cloud Provider goes bankrupt? Or is reorganized? Or restructures its service portfolio? Customer must specifically provide that it can retrieve its data from the Cloud Provider’s bankruptcy trustee or receiver. Customer must confirm its access to and ability to retrieve its data under almost any circumstance. Customers that have a continuing need and obligation to ensure the protection and availability of their data may not be able to use the Cloud if they need absolute 24/365 access.

Price/Changing Services

Be aware of hidden fees. Make sure that you truly understand the pricing model. It is critical to understand all details of the proposed pricing model to avoid hidden fees (data retrieval, backup, service failures) or escalating fees (based on usage, time of usage). If you do not understand the deal, then a judge will not either!

Many standard terms allow Providers to change certain or all contract terms unilaterally. The Cloud Providers’ right to change service features, functions or even the service description is often much negotiated. Customers generally want longer prior notification of key changes and their impact, of at least 30 days or more, so that they can assess them.

Transition Services

Customers must be able to leave the Cloud easily, bringing their data back in-house or migrating to a different Cloud Provider. This is not always simple - the divorce must be carefully planned (and no one wants to talk about it during the honeymoon phase). Some Cloud Providers in the St. Mary’s survey did not offer any assistance, not even contracted paid assistance. The exit strategy must be carefully negotiated and agreed upon in writing. It should include an obligation on the Cloud Provider to locate and isolate the customer’s data (not always easy in multi-tenancy, shared public Clouds), and specific covenants in the Cloud agreement regarding: data preservation in the agreed-upon manner and format; a specific transition plan for data, including steps to be taken by the Cloud Provider; the format in which the data must be delivered; the time period of data transfer; certification by an officer of the Cloud Provider that the customer data has been removed/deleted from the Cloud Provider’s systems; confirmation of no residual data usage; and any costs for such transition services. How long does the Customer need to maintain a production environment?

This issue is often completely ignored, to the peril of the customer.

Data Deletion

Standard Cloud terms may require Cloud Providers to delete data after termination, or are silent on deletion. However, some customers want extra protection to ensure that data is deleted from the Provider’s systems (including any duplicates or backups) as well as any data held by any sub-processors. Data may not actually be deleted - just the ‘pointers’ to the locations of data fragments are deleted, and the data is overwritten by fresh data over time; deleting the actual data is more complex. The best method is secure destruction of physical storage media, but this is not usually practical - too expensive for Cloud Providers. If this is important it must be more carefully negotiated, depending on the nature and sensitivity of the content.

5. Final Tips For Effective Cloud Computing

Do not assume that either (i) the Provider’s contract is adequate; or (ii) there is no room to negotiate. Consider whether standard “click-wrap” contracts are acceptable or whether you will need to create a more customized agreement. Review standard terms and determine which are the most critical to address in your Cloud services deal. Endeavour to negotiate some real representations and warranties in your legal agreement. Consider carefully terms by which the Provider seeks to allow itself to vary the T&Cs unilaterally, or to impose termination conditions for the contract based on criteria that it solely determines. Data protection and privacy issues need to be considered in the T&Cs very carefully - look at exclusions and disclaimers. Ask the main Cloud Provider questions about any underlying service providers. Make sure that the T&Cs cover off all the key terms and features that business/legal requires.

Final Tips

Look at promises regarding service interruption. Make sure your data is taken care of in the event of an interruption, litigation or bankruptcy. Ensure the Provider cannot erase your data on the basis of a disagreement over fees. If it is important to you, control the jurisdiction of your data, e.g. services/servers located physically in the United States/Europe. Ensure that you can preserve and retrieve your data, regardless of the cause of termination or expiration of the agreement. Agree in advance regarding the format of such data and costs for retrieval. Ensure data retention and destruction policies match your own. Certain retention timelines may be required by regulating bodies in your own jurisdiction.

Final Tips

Find out as much as you can about the Cloud Provider’s security measures and infrastructure. How does the Cloud Provider protect virtual environments? What tools do they use? Demand transparency: do not contract for IT services with a Provider that refuses to provide detailed information on its security and continuity management programs. All critical features must be mentioned in the ToS - unless the feature is referenced, it may not actually be offered. Obtain details on disaster recovery plans and backup sites. Consider encrypting your data. If your data is truly sensitive, it may not belong in the Cloud. Divide responsibilities between your administrators and the Cloud Provider’s administrators so that no one organization has free access to all security layers. Internally, oversight is still required. Consider appropriate monitoring and reporting to key stakeholders (CIO, board of directors). Check to see if the Cloud Provider has been accredited as meeting certain standards (more about this in the next presentation). Go with a high-end Cloud Provider - you get what you pay for!

Finally…

Cloud Computing has become more sophisticated and transparent. Providers are having to become more flexible in their terms. While some Cloud Providers offer generalized ‘one size fits all’ commodity services, niche Providers and Integrators are emerging that are more willing to tailor services to customer needs. Even bigger Providers are offering different services with different pricing and sets of terms, with specific terms for certain market segments or functionality. Not all data is a good option for Cloud computing. Mission critical applications, strategic services and highly sensitive data may simply be inappropriate for placement in the Cloud unless you create a private Cloud and appropriate contract terms can be agreed upon. With customized, managed private Cloud services on dedicated infrastructure, Cloud Providers may be more flexible on contract terms vs. commoditized public Cloud services on shared infrastructure.

Weigh the benefits and risks carefully! It is possible to effectively address/mitigate many of the challenges described in this presentation by negotiating the legal agreements.

Torkin Manes LLP
151 Yonge Street, Suite 1500
Toronto, ON M5C 2W7
www.torkinmanes.com

Lisa R. Lifshitz
[email protected]

Questions? Comments?

Thank You!