3.6.1 Overview and Purpose
The purpose of this tool is to guide SMEs in understanding and paying attention to the most common articles/terms that comprise a contract between an SME and a cloud computing provider. To this end, it lists a set of SLA issues, with emphasis on the ones most commonly debated between customer (i.e. SME) and provider (i.e. cloud computing provider). Accordingly, it provides a brief yet comprehensive overview of these issues in order to assist SMEs in the negotiation of these terms.
3.6.2 Nature
The tool is being implemented as a tree structure of options/decisions/ questions/issues associated with cloud contracts. SMEs will be able to browse or search the tree in order to access information about key issues comprising an SLA and accordingly in order to obtain information/insights about these issues. In this way the tool will allow SMEs to understand the key clauses that they should expect to see as part of a cloud contract, but also to identify important missing clauses and issues that the SME company should discuss/negotiate with the cloud provider. An indicative set of issues that will be addressed as part of the tree structure of SLA issues follows:
Illustration of how contract terms are provided:
Standard click-through terms, which SMEs are prompted to accept before adopting a service. Standard click-through terms can be either:
Negotiable (usually for “paid” services, since fee make providers more willing to negotiate).
Non-Negotiable (usually the case with large mainstream cloud providers.
Through off-line cloud contracts that can be scrutinized by SMEs legal departments, legal experts or owners (depending on the size of the SME).
Illustrate that cloud contracts (to end-users) could be provided by: Cloud Service Provider/Vendor
Cloud Integrators and Solution Providers (including SMEs) Illustration of the SMEs main drivers towards deviating from the
standard terms that cloud providers offer, including:
Commercial issues (e.g., request for higher/better service levels). Risk reduction and sharing issues (e.g., moving risks to provider
on the basis of providers’ liability).
Regulatory issues (i.e. need to comply with rules and regulations).
The involvement of insurance companies, which in several cases provide their services given specific terms in the cloud contract. The fact that “free of charge” or “low cost” does not necessarily
mean “free of risk” or “low risk.”
Contract clauses on exclusion or limitation of liability and remedies (if negotiable). Explanation will be further provided for liabilities
concerning:
Data Loss/ Data integrity / Data corruption Provider could accept liability.
User can implement its own additional solution (e.g., back-up on SME servers).
Outages.
Disaster recovery.
Intellectual Property Rights.
Contract clauses on Service levels, concerning: Resilience and Business Continuity
Uptime percentage (%) Availability.
QoS including:
Number of Users that can be served based on a given response time for each user.
Time it takes to restore data from backups. Mechanisms of Transparency.
SLA Auditing.
Proactive and timely provision of statistics regarding the SLA. Contract Issues relating to security and privacy, notably:
Regulatory issues under the European Union Data Protection Directive.
National data protection law (especially in Europe). Regulations concerning the financial sector. Location of the data.
Processing of the data.
Unauthorized access to the data. Export control laws.
Support for security standards and related policies (e.g., ISO27001).
Notifications about security breaches, data loss etc. Contract issues associated with lock-in and exit, concerning:
Terms about exit.
Termination rights, including:
Keeping data for a certain time after termination and before they are deleted.
Deletion of data, duplicates and backups. Provision of evidence of the deletion of data. Return of data on exit.
Data portability, including:
Availability of data in popular formats that facilitate export/import.
Provision of support by the provider. Duration of contract, including:
Minimum and Maximum duration. Early termination fees.
Fixed term vs. rolling contracts. Termination events, including:
Insolvency. Material breach.
Breach of Acceptable Use Policies (AUPs). Breach of confidentiality.
Breach of security policies.
Breach of Intellectual Property Rights (IPRs). Non-payment.
Provision of notice before termination.
Users/SMEs opportunities to remedy breaches and avoid termination.
Service Suspension, including: Non-payment.
Breach of Acceptable Use Policies (AUPs). Security Incident.
Technical maintenance and support (e.g., upgrades, patches etc.).
Contract clauses associated with the providers’ ability to change service features, including:
Change of service features unilaterally. Provision of prior notifications to end-users.
Right to terminate contract due to changes in service features. Right to reject changes.
Minor changes allowed.
Service improvements allowed and accepted. Intellectual property rights, including:
Most common in SaaS services.
Users retain ownership of cloud processed data.
Rights to applications that SME users develop or deploy on IaaS/PaaS.
Rights to service improvements and bug fixes that are initiated from users.
Coverage of costs associated with software/applications licenses in the cloud.
Licensing terms and charges (e.g., monthly per-user payments, charges based on number of processor cores in the system used).
As part of the tool, some guidelines to ICT SMEs (cloud integrators/solutions providers) could be provided. In particular, ICT SMEs could understand the needs of end-users in terms of contract flexibility and negotiated terms in order to differentiate themselves from large cloud services providers which tend to offer generalized “one size fits all” commodity services. Indeed, ICT SMEs have opportunities of acting as niche providers and integrators, who will be more willing to tailor services to user needs, based on appropriate contract terms or service features. The SLA tool of the CloudingSMEs toolbox could allow them to understand user concerns and gain flexibility in negotiations.
3.6.3 Implementation Status
The implementation of this tool is work in progress. It will be based on the same checklist infrastructure available as part of the data protection guide.