Sunday, July 29, 2012

5 KEY ISSUES IN CLOUD COMPUTING CONTRACTS

Defining the Scope of Cloud Services 

This statement may seem so obvious that it wastes precious reader attention, but I will make it nonetheless: SaaS (software-as-a-service) and IaaS (infrastructure-as-a-service) relationships require thinking through different technological, business and legal issues.

Purchasers of SaaS will want to ensure their contracts include detailed documentation on software functionality (a feature matrix is quite useful). Scheduling software functionality can have a direct impact on your wallet (vendors can't charge you for "new features" you were already promised), and it provides a great ability to enforce legal rights in the event of a dispute. Software-as-a-service is an intangible asset in most ways, and functionality documentation provides the "substance" of what is being purchased.

IaaS contracts must address an increasingly broad array of cloud services ranging from simple storage to elastic computing power to virtualization and more. Service level agreements and related credits for failure to meet on-demand standards may apply.

Intellectual Property Rights

Consumers of SaaS development, infrastructure virtualization and other cloud deployments must have a strategic approach to ownership of the intellectual property utilized in the cloud offering. Depending on the economics of the relationship, software developers and purchasers may co-own or otherwise share intellectual property rights. Given the precise and infinite ways in which intellectual property can be carved up, careful attention must always be given to IP ownership rights, as they often have a fundamental impact on a company's product strategy.

Indemnification

The negotiation of indemnification coverage for third-party lawsuits relating to intellectual property infringement, data/privacy breaches and other key items provides important risk allocation mechanisms in a contract. The parties must realistically assess the commercial value of the contract and the nature of the cloud services in negotiating when, and to what monetary extent, each party will take responsibility for harm caused to third parties, whether for breaching IP rights, disclosing personal information or some other unforeseen harm. Given the increasing cost companies face when experiencing a data breach, ensuring appropriate indemnification coverage in a contract has real and significant financial consequences.

Information Security

While movement into the cloud by both enterprise and government is inevitable and happening, regulators and consumer advocacy groups will ensure a bright spotlight is shone upon information security.

To that end, in order for company officers to discharge compliance obligations, and to ensure the security of a company's important information assets, organizations deploying cloud solutions must conduct thorough technical due diligence to understand the cloud provider's information security infrastructure and related protocols, and these must be memorialized in the contract.

Consider whether industry standards, like the ISO/IEC 27000 series, are useful. While it may not be realistic to request audit rights, the contract can require cloud providers to produce the results of third-party security audits.

Compliance with Laws

In the United States a patchwork of Federal, State and even local laws govern the use of personal information, medical information and other classes of protected information. Add to this an additional layer of complexity when you consider the global presence of many companies.

International data security and privacy standards range from Europe's extremely protective regime to more open standards in developing countries. Businesses must navigate this increasingly complex web of regulation.

Shared computing resources, oftentimes bouncing information among data centers in disparate parts of the globe, underscore the brilliance of cloud computing but also its legal complexity; consider that many countries restrict the exportation of personal information outside their borders and the challenge becomes apparent. Separately, sharing of customer personal information may require the cloud provider to agree to comply with the laws of certain jurisdictions.

Making sure that a contract appropriately memorializes each party's legal compliance obligations can serve all well in creating a fruitful working relationship accomplishing all organizational goals.




3 comments:

  1. Nice post you have shared by providing great information. I am happy to have found your blog. Thanks and keep updating.
    Online Business Software

  2. Great blog, and it seems a good source of information about Cloud Computing for Business. The blog helped me a lot.

    Thanks for sharing the post....

  3. Thank you for this. I have been considering getting business continuity software and moving to the cloud. I wanted more information about the legal aspects, so this post is perfect. Thank you for sharing.
