Cloud Service Contracts – Best Practice
The Cloud Industry Forum (CIF), an industry body which was established in 2009 to champion the use of cloud-based services and to develop a Code of Practice for online cloud service providers, has published a White Paper which reports the findings of a study carried out by the CIF into cloud adoption attitudes and trends amongst end users.
Perhaps surprisingly, the study, which polled 450 senior IT and business decision makers in enterprises, small-to-medium businesses and public sector organisations, identified that only 52 per cent of end user organisations currently using cloud services negotiated the legal terms of their contract with their cloud service provider (CSP), and 32 per cent stated that their CSP could unilaterally impose changes to their contract simply by posting a new version online.
As the number of businesses using cloud-based services increases, the core driver for moving to a cloud-based service appears to be shifting: over 45% of users cite flexibility as the main driver and only 17% state that financial considerations were the deciding factor.
As well as reporting attitudes and trends amongst end users, the CIF White Paper also focuses on trends in cloud service contracts and identifies some best practice points for both CSPs and end users in relation to the following key issues:
• Contract term
• Termination, migration and transfer of data
• Data security
• Service levels (SLAs)
These best practice points provide useful guidance for customers looking to move to a cloud service and should also assist CSPs in creating a service which addresses the key concerns of end users.
Contract term
With flexibility being cited as the main driver behind a move to a cloud-based service, the duration of the contract is going to be a key issue for end users. Although IT projects are traditionally long-term arrangements, a long-term contract could be seen to reduce the benefits of cloud by limiting flexibility.
When reviewing a cloud contract, an end user should be sure to check the following elements and consider whether these are appropriate for the end user’s requirements:
• Does the contract contain a minimum term or lock in?
• How easy is it for the end user to terminate the service?
• How will the end user’s data be returned (and when)?
• Will the CSP assist in moving data to a new provider?
• Does the contract contain automatic rollover provisions?
Termination, migration and transfer of data
As well as checking whether the contract itself contains lock in provisions, end users should also consider whether the cloud arrangement will give rise to a practical lock in, either because users will become accustomed to the CSP’s proprietary systems and will resist change, or because the effort of migrating to a new system makes terminating the cloud contract particularly onerous. These elements should be considered at the outset and both the CSP and the end user should be clear about what their responsibilities will be upon termination.
In its White Paper, the CIF states that best practice is for a cloud service contract to require the CSP to give the customer sufficient notice to retrieve its data and migrate the service to a new provider, even where the CSP is terminating the contract as a result of the customer’s breach. It also states that the contract should not entitle the CSP to change the terms without the customer’s consent or, at worst, the CSP should give customers notice of those changes allowing the customer to decide whether to terminate if it disagrees with the changes.
With regard to the deletion of customer data upon termination, the CIF considers that best practice is for the customer to have control of when its data is deleted. The CSP should preserve customer data even if it does not make it directly available to the customer. Where a CSP wishes to delete data upon termination, it should notify the customer specifying a time period (which the CIF considers should be at least 30 days) and should assist the customer with migration or allow sufficient time for the customer to migrate the data by itself. The CSP should also have a clear policy on data retrieval and migration so the customer knows what help it will receive from the CSP and how much this will cost.
Data security
A key consideration for any cloud service user will be data security. The CIF report revealed that two thirds of those sampled are looking for greater assurances from CSPs on data access and privacy controls, documented policies on data protection and accredited information management security arrangements.
Rather than simply relying on the provisions of the contract and the CSP’s marketing literature, a cloud customer should place more reliance on pre-contract due diligence and post-contract governance. Factors to be considered during the initial due diligence process include:
• Technical security
• Back-up / failover facilities and procedures
• Physical security
• Previous security breaches
• Location of the data centre
• Access by CSP personnel
The level of due diligence which should be carried out will depend on the nature of the business being moved to the cloud and the importance of the cloud application to the end user’s operations. Customers should ensure that they shop around and consider the services offered by a range of CSPs to assess which offering is most suitable for the customer’s business.
Service Levels (SLAs)
It is very common for a CSP to offer availability SLAs. The table below shows the realities of some of the most commonly used availability SLAs.
It is important that end users do not assume that a service level guarantees service availability as set out in the above table. It is usual for a CSP to exclude certain downtime from the SLA measurement, such as downtime due to scheduled or emergency maintenance. The end user should ensure that they are aware of this excluded downtime and appreciate the effect that this will have on the SLA as, for example, a 99.999% availability SLA will be worthless if the contract allows the CSP to take the system down for an hour each day to perform maintenance.
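To make the effect of excluded downtime concrete, the following added example (not part of the CIF paper) measures availability over a constructed month of outage records twice: once as the CSP would report it under a hypothetical clause excluding a daily 01:00-02:00 maintenance window, and once as the end user actually experienced it. It also compares the downtime a 99.999% SLA permits with the downtime such an exclusion clause lets the CSP take without penalty.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the CIF paper): a 31-day measurement period
# and a hypothetical contract clause that excludes a daily 01:00-02:00 UTC
# maintenance window from the availability measurement.
PERIOD_START, PERIOD_END = datetime(2015, 3, 1), datetime(2015, 4, 1)
PERIOD_SECONDS = (PERIOD_END - PERIOD_START).total_seconds()
MAINT_START_HOUR, MAINT_END_HOUR = 1, 2  # excluded window, hours of the day

OUTAGES = [  # (start, end) of each incident, constructed for illustration
    (datetime(2015, 3, 4, 1, 10), datetime(2015, 3, 4, 1, 50)),    # wholly inside window
    (datetime(2015, 3, 12, 9, 0), datetime(2015, 3, 12, 9, 30)),   # business hours
    (datetime(2015, 3, 20, 0, 45), datetime(2015, 3, 20, 1, 15)),  # straddles window start
]

def seconds_in_maintenance(start, end):
    """Seconds of [start, end) that fall inside any daily maintenance window."""
    excluded = 0.0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        lo = max(start, day + timedelta(hours=MAINT_START_HOUR))
        hi = min(end, day + timedelta(hours=MAINT_END_HOUR))
        if lo < hi:
            excluded += (hi - lo).total_seconds()
        day += timedelta(days=1)
    return excluded

def downtime_seconds(outages, apply_exclusions):
    """Total downtime, optionally net of contractually excluded maintenance time."""
    total = 0.0
    for start, end in outages:
        secs = (end - start).total_seconds()
        if apply_exclusions:
            secs -= seconds_in_maintenance(start, end)
        total += secs
    return total

def availability_percent(outages, apply_exclusions):
    """Availability as the CSP would report it (True) or as the user experienced it (False)."""
    return 100.0 * (1.0 - downtime_seconds(outages, apply_exclusions) / PERIOD_SECONDS)

def sla_budget_seconds(sla_percent):
    """Downtime a given availability percentage permits over the measurement period."""
    return PERIOD_SECONDS * (100.0 - sla_percent) / 100.0

def excluded_capacity_seconds():
    """Downtime the exclusion clause lets the CSP take without it counting against the SLA."""
    return (PERIOD_END - PERIOD_START).days * (MAINT_END_HOUR - MAINT_START_HOUR) * 3600.0
```

With the constructed data the CSP reports roughly 99.90% availability while the user saw roughly 99.78%, and the one-hour daily exclusion (111,600 s a month) dwarfs the 26.8 s of downtime a 99.999% SLA actually permits over the same period.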
Cloud contracts often exclude or limit the CSP’s liability, particularly for loss of data. As part of its due diligence process, a customer should consider whether the risks are correctly balanced as between the CSP and the customer, what steps the customer itself can take to protect its business (such as maintaining a secondary data backup) and whether it can obtain insurance to cover against the risks to its business as a result of a failure of the cloud service.
The CIF states that it is best practice for a CSP to specify in the contract, in clear and unambiguous language, what losses it will cover and whether it will increase the cover it offers if the customer agrees to pay more or agrees to a different package of services.
The customer should investigate the possibility of negotiating the terms of the contract with the CSP (although this may not be possible where the customer is purchasing a standardised cloud service) and perhaps agreeing a higher liability cap in return for paying a higher fee.
As noted above, to reduce the chances of the liability provisions in a contract becoming an issue, when moving to a cloud service, the end user should carry out pre-contract due diligence, considering issues such as resilience, back-up and disaster recovery, to satisfy itself that the CSP has robust processes in place.
Reviewed in 2015