Cloud-based solutions handled by third-party providers have enabled companies to digitally transform their businesses in ways not possible in a world of on-premises servers. In this article, we discuss some key considerations in negotiating contract terms for digital transformation with public cloud providers. By “digital transformation,” we mean the process of moving a revenue-producing and/or consumer-facing business into the cloud, as opposed to back-office or ERP systems. “Public” cloud means cloud services that are offered on a standardized basis, such as platform services offered by AWS, Google and Microsoft.
A recent survey reported that in 2018, 73 percent of businesses had at least one application in the cloud.[1] Lawyers need to understand the technical and business benefits as well as drawbacks of public cloud solutions to appropriately structure digital transformation deals in the public cloud. These risks are fundamentally different from back-office cloud deals and licensed solutions because the company’s own terms and services that it offers to its customers are materially dependent on the terms and services that it obtains from its public cloud provider.
Cloud providers prefer to license their services using their own forms, but companies can typically negotiate valuable changes depending on the size and scope of the deal. In addition to issues common to commercial technology contracts, cloud services negotiations for digital transformation also will raise unique operational, risk and compliance issues, including the following:
Changing Nature of Cloud Services
Services, Upgrades, Updates and Deprecation. The cloud provider likely will have the right to change its services offerings from time to time, typically at its sole discretion. While a change is generally an “upgrade” or added features, it may also mean deprecation of a service critical to the company’s business. Additionally, the cloud provider controls the schedule of upgrades, updates and deprecation of services. Try to mitigate these risks in a couple of ways: (1) cloud providers may offer product roadmaps and tentative schedules outlining upgrades, updates and patches, and/or (2) cloud providers may offer “guardrails” that define how and when a service may be changed or how much advance notice must be given to the company. Determine the extent to which the company will need similar flexibility to make changes in the services and terms it offers to customers.
Pricing. While the price of cloud computing services has generally decreased over time, companies may wish to protect against potential price increases. Try to lock in a firm pricing structure that also allows the company to realize the benefits of any future price reductions. Also look for a reasonable notice period before a price increase takes place, and consider the impact of these price increases on pricing offered to the company’s own customers.
Service Levels. Cloud providers will typically resist changes to service level agreements (“SLA”), arguing these SLAs are part of their standard offerings. However, stronger service levels may fit deals where the company has higher service levels already in place with its customers or has technical requirements for a higher level of service. If a company is investing in digitally transforming its own products and services, request that cloud SLAs remain fixed or improve through the agreement’s duration. Avoid allowing service level credits as a sole and exclusive remedy for a cloud provider’s breach of the overall agreement because damages may vastly exceed any SLA credits.
Representations and Warranties. Cloud providers may also resist committing to many representations and warranties on the theory that doing so would impede innovation. But, the changing nature of the service offerings does not prevent a cloud provider from making certain representations and warranties common in technology agreements, for example: no viruses; that proper personnel will perform the services; that the cloud services will be rendered with promptness, due care and diligence; and that the services will comply with all applicable laws and will perform in accordance with documentation. Regulated businesses may also request that the cloud provider comply with certain industry-specific laws or obligations.
Provider Rights to Change Terms. Cloud providers increasingly incorporate terms from a URL link into agreements, reserving the right to change those terms. Cloud providers will argue that this is necessary due to the changing nature of cloud services. Possible alternatives include that the agreed terms remain in effect for a fixed period, or alternatively, the company has a right to terminate the cloud agreement following any changes that the company chooses not to accept. In addition, a company may request that the cloud provider agree that any change will not degrade the functionality, performance or security of the services or change fundamental contract terms.
Cloud providers typically limit the amount and types of damages that a company may recover. In cloud provider standard terms, consequential damages are typically entirely excluded, and direct damages are often also excluded or capped at a very low level relative to the damages that the company may incur for cloud provider breaches. Expect to negotiate changes to these exclusions and limits of liability, particularly around special risks like willful misconduct, compliance with laws, data breach and security, indemnities, intellectual property, and other similar heightened risk areas. However, companies are unlikely to receive unlimited recourse for all of these types of claims, and will need to carefully consider how to flow through similar limitations into the contracts with their own customers.
Users and Use
Look to clearly define “users” and “use” to ensure the agreement allows for the building and delivery of the company’s applications. When companies are building core services or applications on the cloud, the provider will look to make the company responsible for its customers’ use of the service or applications and for the company to ensure that such customers are in compliance with the terms of the provider’s cloud agreement. It is critical that companies flow through important provisions that apply directly to customers and “mirror” use restrictions and limitations from the cloud agreement. Examples of flow through provisions include compliance with the provider’s authorized use policies and usage and licensing restrictions. Examples of “mirroring” terms include rights to change and to suspend services, rights to deprecate services, service levels, limits of liability and disclaimers.
Because the provider is providing infrastructure, the market standard is for the company to own intellectual property rights in any material that it stores, creates, develops or receives using the cloud services and the provider to own all improvements to its platform and services. Use of artificial intelligence (“AI”) tools provided by the cloud provider blurs these lines and raises additional complexities in negotiating who owns (i) advances in the AI tools, machine learning or training data and (ii) outputs, decisions or results of the AI tools. Special consideration and care beyond the scope of this article must be taken in the context of the use of AI tools.
Suspension, Termination and Post-Termination Rights
When a company has moved revenue-producing applications to the cloud, termination by the cloud provider may have a severe adverse impact on the company. The cloud provider will look to contract to suspend the services to ensure the security of its platform; companies will want this right to be in the narrowest terms possible. Additionally, look to have sufficient support and runway to transition the business off the cloud provider’s services in the event of a termination. This means defining a transition period during which: (i) the cloud provider agrees not to erase company data, (ii) the company has a right to make continued use of the platform to perform transition activities, and (iii) the cloud provider agrees to reasonably assist.
Cloud providers operate servers around the world and move data across multiple geographic regions or zones for operational, storage or archiving purposes. Companies must accordingly understand the IP, ownership, compliance and regulatory issues associated with data processing, location and transfers for the data they maintain for their customers. For example, a small but increasing number of jurisdictions (e.g., China and Russia) have some form of “data localization” laws that require that data remain within geographic borders. Other jurisdictions, such as countries in the European Union, have strict data processing and transfer laws that restrict the free transfer of data and impose numerous regulatory requirements, which, if ignored, can lead to exorbitant fines.
Data Security and Data Breaches
Data Security. A move to a public cloud often means a company is deploying troves of sensitive data onto cloud provider platforms. Because the cloud provider is unlikely to comply with the company’s data security policies, involve the company’s technical team in diligence of the provider’s security practices to evaluate these risks. Watch out for security “commitments” made by the cloud provider that actually provide little protection because of broad terminology or commitments that are up to the cloud provider’s sole discretion. In addition, evaluate whether the company may mitigate the risk of weaker security commitments from the cloud provider by implementing protections of its own, such as strong encryption of data, making independent and frequent data backups, and other similar protections. Also look to contract for notification of a data breach sufficient to comply with any applicable regulations, state laws or customer agreements. Along with notification, require commitments from the provider to mitigate and minimize the damage resulting from a data breach.
Business Continuity and Disaster Recovery. Cloud providers will generally limit details about their business continuity and disaster recovery (“BC/DR”) processes. Look to define certain recovery time objectives (“RTO”) and recovery point objectives (“RPO”), or request that the cloud provider represent and warrant that it has proper BC/DR processes and procedures that are reasonable and appropriate for the company’s industry.
Audits and Certifications. Cloud providers will generally resist a right to audit their facilities, personnel and systems. Many cloud providers instead offer audit reports and certifications of controls. Request one or more of the following at least annually: (i) copies of an independent third party’s audit reports, (ii) confirmation that the cloud provider has, and will maintain, ISO 27001 and similar certifications and (iii) regular penetration tests. In regulated industries, the provider will need to agree to permit on-site inspections or examinations by the company’s regulator if so required and if audit reports do not satisfy the regulator.
Companies are digitally transforming their products and services by adopting public cloud services as a way to lower infrastructure costs, accelerate software deployment and increase operational flexibility. But, the flexibility that these cloud platforms allow—an abundance of digital services provided at low cost using a “one-to-many” model—poses operational and legal risks unique to public cloud platforms. Companies will achieve better results in negotiations with public cloud providers through understanding this dynamic and its implication on the products, services and customers of the company.