Increase in Noise

IT contracts for cloud computing are becoming more important as organisations start moving into the cloud.

Part 1 of this article was written in 2010. In it we mentioned that one of the buzzwords in IT then was “cloud computing”. Many considered it to be the next great wave in the IT industry. And it has been. Since then, the “noise level” in the system has increased. We expect the noise levels to increase even more as cloud computing matures and ‘private cloud’ services and infrastructure as a service (or “IaaS”) become as well known as their close cousin, software as a service (or “SaaS”). As cloud computing begins to turn the systems integrator model on its head, the big boys have taken notice and the likes of Dimension Data are beginning to roll out their cloud businesses.

A few days ago, cloud computing was on everyone’s lips again as Google rolled out Google Drive, a cloud-based file storage service, as an extension of Google Docs (and the largest threat to Dropbox, a service we love and use to run large portions of our law firm and interact with our clients).

As lawyers we need to understand the “signal behind the noise” as we are called upon to draft various cloud computing contracts.

Assessing your cloud service provider

In June 2011 Werksmans Attorneys published an interesting article on cloud computing risks. In it they emphasised the need for people and companies to “undertake a comprehensive technical and legal due diligence of cloud service providers before using cloud services”. Yes, it is critical to always identify and manage the legal risks, but sometimes it is not possible to negotiate the service provider’s terms of business, especially with public cloud service providers who use (non-negotiable) click-wrap terms of business. It is also sometimes simply not possible or feasible to undertake such a technical and legal due diligence, especially when you are dealing with the likes of Google, which Computerworld recently called an “800-pound gorilla”. It is important to bear in mind that over the last year, the major cloud players have built substantial infrastructure. The massive data centres being built often contain sealed shipping containers, themselves containing pre-configured servers. Watch this interesting video on Google’s container data centre.

For consumers and SMEs, low levels of contractual protection might not matter, particularly where, for example, the user keeps separate copies or backups of all content used in the cloud computing environment for separate access where needed and where the use is not business critical.

Times have also changed since June 2011. Not only are massive data centres being built, but private clouds are becoming more and more pervasive and attractive to enterprise clients (whether built in the client’s data centre or hosted exclusively for its own use in its service provider’s data centre). This is especially so where cloud computing is central to the organisation’s business model, and involves significant investments of time and money, or where there are particular risk factors.

As one begins to appreciate the differences between private and public clouds, the different types of cloud computing models, SaaS, IaaS and PaaS, whether the services are paid for (for example Salesforce) or free (for example Google Docs), whether they exist solely for user generated content (for example Facebook), and the different types of customers (consumer, SME and enterprise) one begins to better understand the issues and how to deal with them best contractually.

Most people are familiar with the definition and benefits of cloud computing. For a good definition see the Gartner one we use in Part 1 of this article.

Cloud Computing Contracts

Most cloud computing contracts usually consist of the following set of documents:

  • Terms of Service (ToS): which details the overall relationship between the customer and the service provider. It usually contains the general (or legal) terms.
  • Service Level Agreement (SLA): which specifies the level of service the service provider aims to deliver together with processes for compensating customers if the service falls short of that.
  • Acceptable Use Policy (AUP): which details the permitted (or in practice, forbidden) uses of the service.
  • Privacy Policy: which describes the service provider’s approach to using and protecting the customers’ personal information.
  • Order: which contains the commercial terms (for example, price if a paid-for service).

This international trend is in line with our modular approach to contracting.

You can look at the legal aspects either from the customer or the service provider’s perspective. Some of the legal aspects include the following:

| Legal aspect | Customer | Service Provider |
| Jurisdiction (the forum for settling disputes) | | Usually where they have their head office. They also usually impose short limitation periods in which the customer must institute legal proceedings |
| Acceptable Use | | Imposes the rules |
| Data integrity | Want data placed with the service provider to be secure against loss, be it loss of integrity or availability | Avoid giving undertakings or disclaim liability |
| Data preservation | Most customers want to know what will happen to their data on termination | Some provide a “grace period” and preserve data for a period of time. Others delete data immediately on termination. |
| Data location and data transfer | Important to both parties as this is where most data protection legislation has something to say, including POPI. | |

As can be seen, privacy and security are the major issues. You can regulate those concerns contractually. Users are also protected by law, like POPI.

Users of cloud services will be regarded as the “responsible party” as regards the processing of their PI that resides in the cloud. Section 18 of POPI is relevant and should be considered.

Information security policies become more and more important.

Trust is the key differentiator for brands in the cloud.

Login processes and passwords are a big issue. People often use passwords that are too easy to guess. This is easily fixed.

15 Key Considerations

At the end of the day, using a cloud-based service is all about risk and managing that risk, as long as you appreciate what type of service you want, who your service provider is and what type of service they are providing to you. What are the risks of you storing your confidential, proprietary and personal information in someone else’s house? Maybe it’s worthwhile to “buy your own house” and build or use a private cloud. Managing cloud-related risks starts with reading the contract, including the ToS, AUP, SLA and Privacy Policy.

15 other key considerations include:

  1. What data do you want to place in “the cloud”? (confidential? secret? mission critical?)
  2. What type of services do you want?
  3. Do you need them to be provided on a private (dedicated) or public basis, or both (hybrid)?
  4. Who is the service provider?
  5. Does your service provider own its infrastructure or are they merely a reseller of services hosted on someone else’s infrastructure?
  6. From where are they running their services?
  7. Do they provide the services from more than one location?
  8. Where will your data be processed?
  9. Who will own your data?
  10. Who can access your data?
  11. Will your data be backed up?
  12. Will your data be accessible on termination?
  13. How easily can you move your data to another service provider?
  14. Will your service provider give any warranties?
  15. Does your service provider ever exclude liability?