FeaturesSecurity Compliance

The CFO slashes your IT budget and cloud computing seems to be the only way out. Marketing says there is no time to waste to get their campaigns start and you must buy server capacities fast. You are now about to sign up for a cloud service. Are the contract terms the first or last thing you would worry about? Will you study every single provision to hunt for devils, or are you going to scribble your name on the dotted line, secretly hoping the vendor will act in good faith and nothing bad happens?

"Read the SLAs!" This is what the cloud strategists tell us to do. How exactly can your organization get trapped by cloud contract provisions? Specifically, what are some of the vaguely-defined terms to watch out for? Does a cloud service contract necessarily spell out data ownership? Do cloud service providers (CSPs) owe a duty of data protection to their customers? 

In an interview with Asia Cloud Forum (Read part II here), Gigi Cheah (pictured, left), a partner and Jeremy Tan (pictured, right), an associate of law firm Norton Rose's Asia IP & Technology Group, examine the issues and dangers to avoid cloud service contracts, which are often seen as "one-sided" and "favoring the vendors." 

Norton Rose: Most cloud service providers contract on standard terms which are supplier-centric and usually contain very limited warranties and disclaim liabilities for data loss or data corruption. For example, the standard terms made available by cloud service providers on their website often do not contain provisions guaranteeing any particular level of service or providing any credits should such levels not be met.

Although most jurisdictions have statutory provisions that restrict unduly onerous or "unfair" contract terms, it is advisable to negotiate key provisions in advance rather than rely on statutory provisions. This is especially the case as most statutory provisions that restrict unduly onerous or "unfair" contract terms may only apply to customers who sign up for consumer cloud contracts such as iCloud. 

Norton Rose: In addition to "downtime" and "up-time", "availability", "resolution time" and "response time" are examples of often ambiguously worded terms that are used in cloud service contracts. The danger of not defining terms clearly is the same with any other contractual term, namely that it leads to uncertainty and may allow the cloud service provider to avoid liability should a contingency event occur. From a customer's point of view, it creates a high level uncertainty as to exactly what the customer is paying for.

Norton Rose: The right to access and use the cloud service is usually granted through a licence arrangement between the cloud service provider and the customer. A customer would not automatically gain ownership of the intellectual property in the custom built applications through accessing the cloud service -- in fact, this would be extremely rare unless the customer had engaged the cloud service provider to develop a private cloud infrastructure for it.

There may be instances where a customer gains rights over certain intellectual property in the cloud computing service, but this is often limited to the interface modules or access portals and where the customer is heavily involved in and pays for the customization of the cloud computing service. Such rights need to be explicitly provided for in the cloud service contract and the usual default position is that the cloud service provider will own rights to all such intellectual property.

A customer will not lose ownership of data through the use of the cloud service and cloud service providers are unlikely to require ownership of a customer's data. The scope of the cloud service provider's access to and use of the customer's data is usually limited to processing and storing on the customer's behalf.