What’s negotiable, what’s not in a cloud computing arrangement? Cloud computing may be highly virtualized and digitized, but it is still based on a relationship between two parties consisting of human beings. And since it is still the new kid on the block, both providers and users are still trying to get their footing — and best advantage — in this evolving type of relationship.
A few months back, researchers affiliated with the QMUL Cloud Legal Project at the University of London spoke to cloud providers and consumers, identifying the major points of discussion — or disagreement — that have been coming up in negotiations for cloud engagements. The researchers, W. Kuan Hon, Christopher Millard and Ian Walden, documented their findings in a recent issue of the Stanford Technology Law Review. They found that some things are negotiable in a cloud computing engagement, while other things are not. Here are the top nine points of contention that have been arising:
1. Who’s liable for damages from interruptions in service? For the most part, cloud providers refuse to accept liability for issues, the researchers report. “Providers state liability is non-negotiable, and ‘everyone else accepts it.’ Even large users had difficulty getting providers to accept any monetary liability, with one global user stating that generally it ‘had to lump it,’ and another saying, ‘they won’t move.’” Some users pushed back in some deals, however, stating that refusal to accept any liability was a “deal breaker.”
2. What about service level agreements? Service level agreements — commitments on availability levels and performance – are another important piece of the cloud contract, and come in many flavors, since standards are lacking in this area. Hon, Millard and Walden note that SLAs are often highly negotiable, as they can be adjusted through pricing — the more you pay, the better performance you are guaranteed. Larger cloud customers prefer to tag SLAs to key performance indicators, while smaller customers tend to get 5-10 key performance metrics, usually already stipulated by the cloud provider.
3. Does availability extend to data? While providers tend to emphasize how redundant and fault-tolerant their clouds are, cloud customers still need to do their due diligence. Like fire insurance for an apartment, the provider will rebuild the structure but not compensate the renter for the damaged contents. “While some will undertake to make the necessary number of backups, most will not warrant data integrity, or accept liability for data loss,” the researchers note.
4. Where is the data actually going to be physically located? The European Union’s Data Protection Directive — which prohibits storing of data outside the boundaries of the EU — is the greatest area of data security and privacy concern at this time, Hon, Millard and Walden state. “Users were not concerned about colocation within a third party’s data center, so much as geographical location of data centers.” The problem is, they continue, “some providers will not disclose data center locations. Verifying that data are actually processed in the data centers claimed by providers is difficult, technically. One provider noted that some providers were misleadingly labeling servers as ‘EU’ when they could process data elsewhere.”
5. How can users avoid vendor lock-in and exit if needed? Exit strategies need to be carefully thought out before committing to a cloud engagement. Vendor lock-in typically results from long-term initial contracts, the authors say. “Some providers wanted early termination fees (which may be ‘huge’) if users terminated a fixed-term contract earlier for convenience, as recovery of fixed set-up costs were designed to be spread over the term.” Often, contracts require “notice of non-renewal within a set period before expiry,” causing users to miss the window to exit the arrangement, they add, but such onerous automatic renewal provisions can be negotiated out up front. Another way to avoid lock-in, Hon, Millard and Walden add, is encouraging enterprise users to actually use several providers, “to avoid over-reliance on one provider’s service and its (possibly proprietary) application programming interfaces.”
6. Who maintains data for legal or compliance purposes, and what happens to it when contracts are terminated? The authors observe there hasn’t been a lot of negotiation yet around data retention for legally required purposes, such as litigation e-discovery or preservation as evidence upon law enforcement request. “We think it will become more important in future,” they add, but question how much assistance providers will give users — such as providing long-term storage. One area that is being negotiated with increasing urgency is users’ ability to have data returned upon contract termination, Hon, Millard and Walden add. “There are several aspects here: data format, what assistance (if any) providers will give users, what if anything providers charge for such assistance, and data retention period.” Another question that comes up, they add, is how long after termination users have to recover data before deletion. “Many providers delete all data immediately or after a short period (often thirty days), but some users obtained longer grace periods, for example two months, perhaps requiring notice to users before deletion,” the researchers add.
7. What happens when providers decide to change their service? Unfortunately for cloud customers, “many standard terms allow providers to change certain or all contract terms unilaterally,” the researchers have determined. Enterprise cloud providers are more likely to negotiate these provisions up front, as are infrastructure providers. But for the bulk of businesses using more commoditized Software as a Service applications, “users might have to accept providers’ rights to change features.” Customers are able to negotiate advance notifications of changes to Infrastructure or Platform as a Service engagements, however, as these reach deeper into enterprises, and could result in users “having to rewrite application code created to integrate with proprietary provider application programming interfaces.”
8. Who maintains intellectual property rights? Intellectual property rights are a frequently cited issue, the authors state. “Providers’ terms may specify they own deliverables, for example documentation. However, the line is sometimes unclear between a user’s application and the provider’s platform and integration tools. Where integrators develop applications for their own customers, customers might require intellectual property rights ownership, or at least rights to use the software free after contract termination or transfer.” Another issue of contention concerned ownership rights to service improvements arising from user suggestions or bug fixes, say the authors. “Providers may require users to assign such rights. Yet users may not want their suggested improvements to be made available to competitors.”
9. What are the grounds for service termination? Non-payment is the leading reason providers terminate contracts with users, but there are many other issues that crop up, which may or may not be users’ fault. Other reasons providers pull their services include material breach, breach of acceptable use policies, or upon receiving third-party complaints regarding breach of their intellectual property rights. The main issue is that the “actions of one end user customer may trigger rights to terminate the whole service,” the authors point out. “However, many services lack granularity. For instance, an IaaS provider may not be able to locate and terminate the offending VM instance, and therefore need to terminate the entire service. Providers, while acknowledging this deficiency, still refused to change terms, but stated they would take a commercial approach to discussions should issues arise.”