Cloud computing contracts


Published on February 19, 2014

Author: meerakaul31



How cloud computing contracts should be drafted

Meera Kaul 2013

Cloud computing is the use of computing resources (hardware and software) delivered as a service over a network, typically the Internet. There are three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). With Software as a Service, users rent application software and databases; the cloud provider manages the infrastructure and platforms on which the applications run. End users access cloud-based applications through a web browser or a lightweight desktop or mobile app, while the business software and the user's data are stored on servers at a remote location.

Proponents claim that cloud computing lets enterprises get their applications up and running faster, with improved manageability and less maintenance, and lets IT adjust resources more rapidly to meet fluctuating and unpredictable business demand. Cloud computing relies on sharing of resources to achieve coherence and economies of scale, similar to a utility (like the electricity grid) delivered over a network. At its foundation is the broader concept of converged infrastructure and shared services.

- The Risks
- Security, Privacy and Compliance Process
- Contracting
- Contracting lifecycle
- Key cloud contracting issues: the "Bill of Rights"

The Risks
- The Benefits
- Control Risk
- Security Risk
- Privacy Risk
- Compliance Risk
- Subcontractors

Data
- What kind of data will be in the cloud?
- Where do the data subjects reside?
- Where will the data be stored?
- How is the data secured?
- Where are the servers?
- Will the data be transferred to other locations and, if so, when and where?
- Will the data be commingled?
- Can certain types of data be restricted to particular geographic areas?
- Is there a compliance plan for cross-border data transfers?

Cloud Relationships
- Who will actually be storing, processing or transmitting Customer data?
- Does the Cloud provider have rights in its subcontracts to permit compliance with the Customer's contract?
- Does the Cloud provider impose obligations on its subcontractors identical or similar to those imposed on it in the direct contract?
- How strong is the Cloud provider's vendor management program and controls?

Security Assessment
- Written vendor management program/process
- Security as an extension of internal security (e.g. matching controls; compliance with internal policies)
- "Reasonableness" (foreseeability and risk reduction)
- Compliance with standards (e.g. general standards; industry and peer standards; internal policies)

Geography
- Where is the data being stored/processed?
- Legal obligations are triggered by the residency of the data subjects and the location of the data

Privacy and Security Legal Compliance
- Who "owns" the data? How can it be used?
- What laws apply?
- Do the cloud provider's practices, policies and systems comply with applicable laws?
- Who has the obligation to incur the expense to comply?

System and Data Availability
- Business continuity/disaster recovery plan
- Impact to Customer if the Cloud is unavailable
- Scalability (if the Customer's processing needs increase or surge)

Data Retention
- Backups and recovery
- Records retention
- Litigation holds
- Secure return/deletion

Incident Response
- Provider incident response plan
- Notice of a breach
- Cooperation and support
- Access and forensic assessment rights
- Documentation and reporting from the provider

Electronic Discovery/Electronic Evidence
- "Searchability" and availability of data in the cloud
- Forensic assessment (identifying, collecting and preserving data) in the cloud context
- Electronic evidence: data integrity issues; authentication
- Metadata

Contracting lifecycle
- RFP phase (competition over terms)
- Security, privacy and compliance due diligence
- Contract drafting
- Contract negotiation
- Contract enforcement
- Contract review and renegotiation

Key cloud contracting issues
- Definitions
- Preventative Contract Terms
  - Controls in place to prevent a data breach
  - "Reasonable security": is the security implemented "legally defensible"?
  - Specific controls
- Audit and Enforcement Terms
  - Assessment/scanning rights
  - Non-compliance reporting
  - Credits/damages
- Incident Response Contract Terms
- Risk of Loss Contract Terms

Article I – Data Location Transparency
Cloud service providers shall reveal the physical location of the servers that will be processing their cloud customers' data, and shall provide reasonable advance notice if those physical locations change; cloud service providers shall coordinate with their customers to assure compliance with local laws and any applicable restrictions on the transfer of certain categories of data from one jurisdiction to another.

Article II – Security Transparency
Cloud service providers shall provide full information and access to documentation concerning their security policies and measures, including the ability for cloud customers to conduct periodic security assessments and obtain relevant security-related information and documents from the service provider; this information and documentation should address data integrity and availability as well as the confidentiality of customer data.
In practice, providers commonly offer third-party audit reports (for example SOC 2 or ISO 27001) in place of customer-run assessments and require prior authorisation for customer penetration testing, so the contract should state which of these the customer actually gets.

Article III – Subcontractor Transparency
Cloud service providers shall provide cloud customers with notice as to which third parties will have the ability to access the customer's data and for what purposes, including subcontractors, subcontractors of subcontractors and so on.

Article IV – Subcontractor Due Diligence and Contractual Obligations
Cloud service providers shall conduct reasonable due diligence and security assessments of subcontractors or other third parties that will have access to customers' data or systems, and shall enter into contracts with such third parties that hold those third parties to substantially similar obligations as in their cloud agreements with their customers; cloud service providers shall manage and similarly limit the ability of their subcontractors to use other subcontractors.

Article V – Customer Data Ownership and Use Limited to Services
Cloud customers shall have the right to solely "own" the data they put into a cloud service provider's cloud, and cloud service providers shall use their customers' information solely for the purposes of providing services to the customer, unless otherwise explicitly agreed.

Article VI – Response to Legal Process
Cloud service providers shall provide notice (within hours, not days) of the service of any subpoena or other legal process seeking their customers' data, and shall assist and cooperate with their customers in responding to such legal process.

Article VII – Data Retention and Access
Cloud service providers shall reveal their data search, retention and destruction practices to their cloud customers, and shall develop and enable data search, retention and destruction capabilities in order to allow their customers to implement their own data retention programs, efficiently effectuate litigation holds, and locate, collect and preserve relevant data, including metadata; cloud service providers shall build in processes and controls that allow for the efficient authentication of data (e.g. accurate time-stamping; metadata; chain-of-custody indicators).

Article VIII – Incident Response
In the event a cloud provider suffers a security breach, cloud providers shall provide prompt notice of the security breach to their affected cloud customers, shall coordinate, cooperate and assist their customers with the investigation, containment and mitigation of the breach, and shall allow their cloud customers to conduct their own forensic assessment and investigation of the security breach.

Article IX – Indemnification and Limits of Liability
Cloud service providers shall engage their customers in meaningful discussions and negotiations around indemnification and limitations of liability arising out of security breaches, including consideration of exceptions to limits of liability for security breaches suffered by the cloud service providers.
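Article VII and the electronic-evidence slide earlier (data integrity, authentication, accurate time-stamping, chain-of-custody indicators) describe what the provider should enable; the customer still has to record what it actually collected. The following is an added example, not code from the presentation or from any provider: it builds a sealed chain-of-custody manifest for files exported from a cloud service (per-file SHA-256, size, UTC timestamps, collector and case identifiers) and later verifies both the files and the manifest. The HMAC key, the collector name and case id, and the two sample files are constructed for the demo.

```python
"""Chain-of-custody manifest for data returned by a cloud provider.

Added example, not from the presentation. Assumptions: the exported files
are already on local disk; collector identity and case id are free-form
strings supplied by the caller; a manifest key (hypothetical) is held by
the collecting party so that the manifest itself cannot be silently edited.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

HASH_ALG = "sha256"


def _hash_file(path, chunk_size=1 << 20):
    """Stream the file through the hash so large exports do not need RAM."""
    h = hashlib.new(HASH_ALG)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body):
    """Stable serialisation so the seal does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths, collector, case_id, manifest_key):
    """Record what was collected, when (UTC), by whom, and each file's hash.

    The manifest body is sealed with an HMAC so a later edit to either a
    collected file or the manifest itself is detectable at verification.
    """
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({
            "path": os.path.basename(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            HASH_ALG: _hash_file(p),
        })
    body = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "hash_alg": HASH_ALG,
        "files": entries,
    }
    seal = hmac.new(manifest_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "seal": seal}


def verify_manifest(manifest, directory, manifest_key):
    """Return a list of problems; an empty list means the collection is intact."""
    problems = []
    body = manifest["body"]
    expected = hmac.new(manifest_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["seal"]):
        problems.append("manifest seal mismatch (manifest edited or wrong key)")
    for entry in body["files"]:
        path = os.path.join(directory, entry["path"])
        if not os.path.exists(path):
            problems.append(f"missing: {entry['path']}")
            continue
        if _hash_file(path) != entry[body["hash_alg"]]:
            problems.append(f"hash mismatch: {entry['path']}")
    return problems


def demo():
    """Constructed sample: two exported files; one file and then the manifest are altered."""
    key = b"collector-manifest-key-hypothetical"
    d = tempfile.mkdtemp()
    files = []
    for name, data in (("mailbox.pst", b"exported mailbox bytes"),
                       ("audit.log", b"2014-02-19T10:00:00Z login ok\n")):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        files.append(p)
    manifest = build_manifest(files, "jdoe", "CASE-0001", key)
    intact = verify_manifest(manifest, d, key)
    with open(files[1], "ab") as f:          # simulate post-collection tampering
        f.write(b"2014-02-19T10:05:00Z login ok\n")
    file_tampered = verify_manifest(manifest, d, key)
    manifest["body"]["collector"] = "someone-else"   # simulate editing the record
    manifest_tampered = verify_manifest(manifest, d, key)
    return intact, file_tampered, manifest_tampered


if __name__ == "__main__":
    print(demo())
```

The provider's own timestamps and metadata go into the manifest as collected; the `collected_utc` field records when the customer took custody, which is the point from which the customer, not the provider, can vouch for integrity.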

Shared Responsibilities
- Client access
- Password security
- Data
- Shared responsibilities: with IaaS, for example, the client carries more of the responsibility, because the vendor typically provides only the raw, underlying computing infrastructure; the customer remains responsible for the guest operating system and its patching, the applications it runs, identity and access management, and the protection of its own data. With SaaS, by contrast, most of the stack is the vendor's, but account access, user passwords and the data itself stay with the customer.

Research has highlighted that cloud contracts are often governed by the Terms and Conditions (T&Cs) under which the service will be delivered. More often than not this is a set of documents containing the terms that govern the relationship between the customer and the cloud service provider. These can be relatively short and simple, or lengthy, complex and split over several documents. Generally the T&Cs are made up of common documents such as the Terms of Service (ToS), Service Level Agreement (SLA), Acceptable Use Policy (AUP) and Privacy Policy, or a mixture of these components. Once the following statements from leading cloud service providers are examined, the reason for ensuring you truly understand cloud contracts becomes clear.

Cloud Contract – Facebook
"We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Cloud Contract – Amazon Web Services
"[You] acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."

Cloud Contract – Amazon Web Services
"In the event of any termination by us of any Service or any set of Services, or termination of this Agreement in its entirety, other than a for cause termination under Section 3.4.1, (i) we will not take any action to intentionally erase any of your data stored on the Services for a period of thirty (30) days after the effective date of termination; and (ii) your post termination retrieval of data stored on the Services will be conditioned on your payment of Service data storage charges for the period following termination, payment in full of any other amounts due us, and your compliance with terms and conditions we may establish with respect to such data retrieval."

Cloud Contract – SQL Azure, Microsoft
"Upon the expiration of the term or any termination or cancellation of this agreement, your rights to access or use the Services immediately cease, and you must promptly remove from the Services any data, software programs or services (if any) used in connection with your access to or use of the Services. If you do not remove such data, software programs or services from the Services, we reserve the right to remove them in accordance with our normal business practices for the Services."
"Upon cancellation, suspension or any termination, your right to use the Services stops right away and you must immediately remove your Data and applications from the Services. You are responsible for taking the steps necessary to back up your Data. Upon any termination of this agreement, all other rights granted to you by this agreement will also automatically terminate."

Cloud Contract – GoGrid
"You bear sole responsibility for any and all data used in connection with the development, operation or maintenance of any software programs or services that you use in connection with your access to or use of the Services, including without limitation taking the steps necessary to back up such data, software programs or services."

Cloud Contract – Dropbox
"Dropbox reserves the right to terminate Free Accounts at any time, with or without notice. Without limiting the generality of the foregoing, and without further notice, Dropbox may choose to delete and/or reduce: (i) any or all of Your Files if your Free Account is inactive for 90 days; and (ii) previous versions and/or prior backups of Your Files."
