FeaturesSecurity ComplianceData managementStrategy

Do boilerplate clauses in cloud service contracts warrant your attention?

Yes, they do.

According to Thomas Shaw (pictured), attorney at law and CEO of CloudRisk Asia, some boilerplate clauses, such as the force majeure clause, should be customized based on the circumstances.

A force majeure clause is a contract provision that releases a party from its contractual obligations during unforeseeable events. For example, if a cloud service provider (CSP) operates a cloud data center in an earthquake-prone zone, then it is questionable that the force majeure clause should apply even for events like earthquake, because the CSP should have a plan in place that addresses the likelihood.

In this second part of an interview with Asia Cloud Forum's Carol Ko (read part I here), Shaw guides us through some of the important clauses in a cloud service contract, and the intricacies of data collection, retention, deletion and delivery on the part of a CSP during the lifetime of a contract.

Asia Cloud Forum: Some cloud service providers offer what they call "financially-backed SLA". Does this exclude their liability for customers' lost businesses resulting from service outages?

Thomas Shaw: Typically, any service provider (not just cloud or IT providers) is not going to expose themselves to what are called consequential damages. This includes damages that could result because my cloud service was not available so, for example I could not process e-commerce orders from my own customers. This is due to the fact that no service provider can realistically forecast what those implications might be in advance. The potential liabilities could be enormous.

The financially-backed SLAs typically commit to meeting specified service levels or require that the customer receive a service credit. For example, a service credit of 20% may be given if service uptime is not at 99.99% during a month, and so on in increasing service credits for decreasing service uptime levels. While intriguing, refer to my prior discussion about the meaning of "uptime." And looking at the exceptions of one such financially-backed SLA from a leading service provider, their list of exceptions is quite long. It includes exceptions for scheduled maintenance, periods of downtime less than 10 minutes, and for things outside the reasonable control of the provider (see next question).

Cloud consumers are aware that the force majeure clause is a commonly used boilerplate clause. When adopted, should it include specific examples of events that enable the clause to take effect?

Shaw: The force majeure clause is not necessarily for unforeseeable events but one that is beyond the reasonable control of the parties. So floods, earthquakes and other "acts of God" are typically included as those that are outside the reasonable control of humankind.

While this is often included as a boilerplate provision, in reality it should be looked at in some amount of detail. For example, if a provider is in an earthquake-prone zone, should they really have an easy out when earthquakes occur or more likely should they have a plan in place that already addresses that? Perhaps unlike some of the other clauses typically included at the end of the agreement under the "Miscellaneous" section, this one deserves customization based on the circumstances.

What other boilerplate clauses can a CSP adopt in a cloud service contract to limit its liability? What are the implications of using these clauses?

Shaw: The provisions in the Miscellaneous or General section of a contract typically are not limiting liability as much as they are about keeping an agreement that the parties have gone to the time and expense to negotiate alive as much as possible if something happens.

An example is the Severability clause, which usually states that if there is a problem with one clause in a contract, the rest of the contract is still valid.

Or the Entire Agreement clause, which does not allow other supposed agreements to override this one that has been negotiated and signed by both parties.

Or the Waivers clause, which means that not acting upon a certain potentially disputed issue does not signify that the party gave up their rights to eventually act upon that contractual right.

While standardly included in all agreements (therefore "boilerplate"), these clauses should still be reviewed by attorneys.

Occasionally clauses get into this section that should be part of standalone sections of a contract and customized based on the circumstances. Liability clauses should not be found here.