April 5th 2011
Geofrey L Master
Mayer Brown JSM
Partner
+852 2843 4320
Contracting for Cloud Computing
Agenda
• Cloud computing – what is it?
• Tradeoffs with current cloud offerings
• Key contract issues
• Key compliance issues
Cloud Computing — What Is It?
Overview of Cloud Computing and Cloud-Based Offerings
• NIST definition – http://csrs.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
• SaaS – software as a service (e.g., Google Gmail, Google Docs, Facebook and Zoho)
• PaaS – platform as a service (e.g., Microsoft Azure, Force.com, Google App Engine)
• IaaS – infrastructure as a service (Amazon, Google, Rackspace, IBM computing on demand)
Common Attributes of Cloud-Based Offerings
• Pooled Resources
– Delivery model servicing multiple consumers, with physical and virtual resources assigned dynamically
• Rapid provisioning
– On-demand delivery of cloud-based services, requiring latent hardware, software and storage capacity
• Client managed
– Users can configure — sometimes within pre-set limits — services and usage
• Measured Service/Consumption Billing
– Users pay for actual consumption of defined blocks of Cloud-based resources
• Lower Costs
– Users pay for cloud-based services as an operating expense and avoid capital expenditures and maintenance costs
Overview of Cloud Computing Public Cloud
Source: GopikannanParthiban blog, Cloud Computing Use Case Discussion Group v.1
End User To Cloud
Overview of Cloud Computing Private Cloud
Source: GopikannanParthiban blog, Cloud Computing Use Case Discussion Group v.1
Private Cloud
Overview of Cloud Computing Hybrid Cloud
Source: GopikannanParthiban blog, Cloud Computing Use Case Discussion Group v.1
Hybrid Cloud
Tradeoffs with Current Cloud Offerings
Tradeoffs with Current Cloud Offerings Breadth
At one end of the spectrum:
• “Nice to have” business tools
• Routine, non-sensitive data
• Limited scope of business use
At the other end:
• Mission critical applications
• Regulated or business sensitive data
• Enterprise-wide use
Each end of the spectrum presents different legal and contractual challenges, options and trade-offs
Tradeoffs with Current Cloud Offerings
In Many Cases, Standard Provider Contracts …
• One-sided contracts, with provider-friendly terms and little or no opportunity to negotiate
• Offer “AS IS” terms with broad disclaimers of liability and essentially no contractual commitments
• Impose sole responsibility for adequate security, data protection and backups on customer
• Incorporate on-line forms, subject to unilateral change or even deletion
Tradeoffs with Current Cloud Offerings Many cloud providers …
• Are relative newcomers, with little outsourcing or even software licensing experience
• Emphasize low cost, standard offerings, leaving little room for robust contractual commitments or customization
• Are heavily dependent on third party software and platform providers and unable to flow down the requested contractual commitments
Tradeoffs with Current Cloud Offerings
Cloud Customers Must Make Informed Tradeoffs
• There is no standard contract “form” that will work for every situation
• Requiring robust protections may increase the price and eliminate certain providers altogether
• Evolving area – many providers are considering ways to offer stronger protections for higher prices
• Architectural and commercial approaches may be available to mitigate many of the risks
Key Contract Issues in Cloud Computing
Key Contract Issues in Cloud Computing Topics
• What customers want
• What cloud computing providers offer in form agreements
• Risks to customers in accepting the cloud providers’ positions
• What to negotiate when you can negotiate
Key Contract Issues in Cloud Computing Services Definition
Customers want …
• Services described in a negotiated SOW
• Additional services that are inherent, necessary or customary in providing the described services
• No change without customer’s consent
Cloud providers offer …
• Services as described on provider’s web site, which may change from time to time without prior notice (Sales Force, Google, Amazon)
• Unilateral cloud provider right to “retire” or change Service features (Microsoft)
• Agreement that may be modified by online acceptance (Oracle)
Key Contract Issues in Cloud Computing Location
Customers want …
• Commitment to provide services only from locations that have been approved by customer
• Right to audit that location at any time
Cloud providers offer …
• No commitment to any location, or even to disclose the location (Sales Force, Google App Engine, Amazon)
• Explicit statements that services may be provided from, or data may be transferred to, locations worldwide at cloud provider’s discretion (Oracle, Microsoft)
• No right to audit the location
Key Contract Issues in Cloud Computing Performance Guaranty
Customers want …
• Auditable measurements such as service levels and milestones
• Related to business value
• Monthly reporting
• Monetary incentives for performance (such as service level credits)
Cloud providers offer …
• No commitment (Google, Amazon)
• Non-binding objectives (e.g., performance in accordance with online User Guide subject to change) (Sales Force)
• Service Levels subject to change at renewal (Microsoft)
• Service fee credit (Oracle)
Key Contract Issues in Cloud Computing Continuous Improvement
Customers want …
• Commitment to upgrade to and support new technologies
• Commitment to modify services as required by changes in laws
Cloud providers offer …
• No commitment (Oracle, Sales Force, Amazon)
• Right to eliminate all or any part of Service due to change in law (Microsoft, Google App Engine)
Key Contract Issues in Cloud Computing Customer Control of Services
Customers want …
• Approval rights for Provider Personnel and subcontractors
• Detailed plans (e.g., procedures manuals)
• Right to conduct operational, financial and data security audits
• Access to source code
Cloud providers offer …
• No commitment on personnel or subcontracting
• No detailed documentation of commitments
• Right for provider to audit Customer (Oracle)
• No access to source code
Key Contract Issues in Cloud Computing Intellectual Property Rights
Customers want …
• To own customer’s existing IP
• To own newly developed IP
Cloud providers offer …
• Acknowledgement that the customer owns its IP (Oracle, Sales Force, Google)
• Provider retains all ownership of “anything developed and delivered under the agreement” (Oracle)
• Customer owns any IP that Customer develops in connection with services (Amazon)
Key Contract Issues in Cloud Computing Warranties and Indemnities
Customers want …
• Non-infringement warranty
• Compliance with laws warranty
• Conformity to industry best practices warranty
• Infringement, violations of law, personal injury indemnities
Cloud providers offer …
• Infringement Indemnification (Oracle, Sales Force)
• Product (but not service) warranties, and no indemnities (Microsoft)
• Warranties listed in user guide (Sales Force)
• Policies referenced in order document (Oracle)
Key Contract Issues in Cloud Computing Limitations on Liability
Customers want …
• Broad exceptions to limitations of liability
• Broad exceptions to disclaimer of damages
• 12 or more months of fees at risk for direct damages
Cloud providers offer …
• No exceptions to limitations of liability or disclaimers of damages
• Varying amounts at risk:
– Amounts paid under the Agreement (Amazon)
– Last 12 months of fees (Oracle)
– 6 months of fees prior to Security Incident (Microsoft)
– No amount at risk whatsoever (Google)
Key Contract Issues in Cloud Computing Termination
Customers want …
• Right to terminate at any time without penalty
• Provider to waive termination rights except upon a material payment failure
• Any assistance requested to ensure a smooth transition to a successor provider
Cloud providers offer …
• Six months’ notice for Customer termination for convenience with termination charge of six months’ fees (Microsoft)
• Provider rights to terminate for convenience (Amazon) or material breach (Oracle, Sales Force)
• Termination assistance limited to data access for 30, 60, 90 days (Sales Force and Microsoft and Amazon, Oracle, Google, respectively)
Summary
• Keep your eyes on
– Criticality of the software, data and services
– Unique contract and compliance risks associated with cloud computing
• Use compliance and contracting concepts from traditional outsourcing, data use and software license arrangements as a starting point
Key Compliance Issues in Cloud Computing
Key Compliance Issues with Cloud Computing
Privacy and Security — the Elephant in the Room
• Data transfer issues (EU and similar jurisdictions)
• Data location issues
• Location of users accessing data
• Movement and storage of data
• Use of subcontractors
• Use of multiple platforms
• Lack of transparency and control
• Data breach issues
• Data destruction issues
• Ability to impose security and privacy requirements
Key Compliance Issues with Cloud Computing Export Control
• Export control laws prevent export or reexport of items subject to export control, including certain technical data, software and information
• Access by a non-US person may be “export” or “reexport” even if the data and the non-US person are in the US
• Transfer by the cloud provider from one country to another may be a reexport
• The U.S.-based customer may be the “exporter” instead of the cloud provider because the U.S.-based customer receives the benefit of the transaction
• Sanctions include penalties and denial of export privileges
Key Compliance Issues with Cloud Computing Software Licenses
• Standard software license terms require the customer to:
– Know where copies of the software are located
– Limit the number of instances, servers, chips, cores, etc. where the software is running
– Allow/enable the software licensor to audit compliance
• Cloud model means that software may move from machine to machine without informing cloud customers
• License terms based on hardware metrics may generate surprising results
• Standard cloud agreements offer no protections
Thank You
Questions?
Geofrey Master is a partner in the Business & Technology Sourcing practice at Mayer Brown JSM. He is based in Hong Kong and leads the BTS practice in Asia. Geof represents clients in a broad range of information technology and business process outsourcing and technology transactions, including software license and implementation agreements. Geof has an extensive background in the international delivery of services, having previously served as international general counsel for one of the world's largest information technology and business process service providers.