When purchasing cloud computing services, the following nine practical considerations help you manage the business and legal risks of adopting this emerging compute model.
Mr. Karamali first suggested that if click-through terms do not fully meet your needs, writing the initial cloud contract to “factor in your business realities, compliance requirements and expectations” is the best way to ensure that your unique needs are met.
While cloud services vendors usually offer one-size-fits-all terms, be sure to negotiate all ways to mitigate your risk.
The following checklist of nine practical tips can help you do that.
1. Service Level Agreements
Service level agreements usually cover uptime, service availability, and even the quality or accuracy of deliverables. Exceptions are made for emergencies, routine maintenance and force majeure events such as acts of God. Remedies often take the form of service credits, but depending on the service or data loss and its impact on your business, actual damages may be the better option. Requesting a root cause analysis can help determine what went wrong and prevent future breaches. Termination rights need to be outlined as the final remedy.
2. Data Security
Terms should address outside attacks, malicious insiders and human error. A breach by a disgruntled employee can sometimes be worse than an outside attack, and needs to be covered as well.
3. Data Privacy
Terms should consider the nature of the data and where it is collected, stored and processed, relative to your specific needs and compliance requirements. It is also important to know which laws govern your data privacy and what the vendor's obligations are. Examples of laws governing data privacy include:
- In the U.S.: Electronic Communications Privacy Act (ECPA), Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act, Gramm-Leach-Bliley Act, FTC Act, and state data breach notification laws.
- In the European Union: the EU Data Protection Directive.
4. Force Majeure and Disaster Planning
Force majeure is an “event that is a result of the elements of nature, as opposed to one caused by human behavior.” The term is used to protect parties when “a segment of the contract cannot be performed due to causes that are outside the control of the parties, such as natural disasters ….” Force majeure should be defined and addressed in your cloud contract terms, and every cloud services vendor should have a disaster recovery plan. But there are rarely any “guarantees!”
5. Multiple Vendors and Data Transfer
When sourcing multiple cloud vendors for the same services, ensure coverage for post-termination transfer of data and clarify the vendor's obligations. Data transfer between clouds can be labor-intensive because there are no uniform data standards. Above all, ensure reliable and timely access to your data and clarify your responsibilities versus your vendor's.
6. Liability and Indemnification
Limits on liability should address the type and amount of liability, along with any exceptions. Remedies for liability must also be outlined, including an insurance policy covering privacy or security breaches.
7. Audit Rights
Contract terms should include audit rights to evaluate billing procedures, security systems and legal compliance over the life of a cloud services agreement. Vendors typically offer a Service Organization Control (SOC) 2 report under the SSAE 16 auditing standard. The SOC 2 report evaluates a service provider's controls with respect to system security, availability, processing integrity, confidentiality, and privacy.
8. Long Term Issues
When choosing a cloud services provider, consider its stability, the possibility of its acquisition, termination of service and any other transition that could affect or end your service relationship.
9. Intellectual Property Ownership
In a Software as a Service model, intellectual property ownership is clear: the vendor owns the application and you own your data. With other cloud service types, however, customizations of applications and other contributions that you as the user build into the solution must be accounted for in the contract.
Follow @JacquelnVanacek for how to launch and optimize your cloud computing investment.