The typical cloud computing contract can look downright simple to an experienced IT outsourcing customer accustomed to inking pacts hundreds of pages long that outline service levels and penalties, pricing and benchmarks, processes and procedures, security and business continuity requirements, and clauses delineating the rights and responsibilities of the IT services supplier and customer.
And that simplicity, say IT outsourcing experts, is the problem with cloud computing.
"Failure to understand the true meaning of the cloud and to address the serious legal and contractual issues associated with cloud computing can be catastrophic," says Daniel Masur, a partner in the Washington, D.C. office of law firm Mayer Brown. "The data security issues are particularly challenging, and failure to address them in the contract can expose a customer to serious violations of applicable privacy laws."
If a cloud services contract (whether it's for software-, infrastructure- or platform-as a service) seems less complex, that's because it's designed to offer products and services "as is"—without any vendor representations or warranties, responsibility for adequate security or data protection, or liability for damages, says Masur. (See Cloud-Computing Services: "Fine Print" Disappointment Forecasted.)
Cloud service providers will tell you the simplicity is precisely the point. They can offer customers low-cost, instantly available, pay-per-use options for everything from infrastructure on-demand to desktop support to business applications only by pooling resources and putting the onus for issues like data location or disaster recovery on the client. Adding more robust contractual protections erodes their value proposition.
"It is reasonable for vendors, particularly those who provide both traditional and cloud-type services, to point out that the further they are getting away from standard contracts—and, by implication, standard services—the more difficult it is for them to close the business case," says Doug Plotkin, head of U.S. sourcing for PA Consulting Group. "Much of the economic benefit that the cloud can deliver is predicated on the services—and the agreements—being standard."
Thus, the average cloud contract on the street is a one-sided document with little room for customer-specific protection or customization, says Masur. The question for new cloud computing customers is, Should you sign on that dotted line?
And the frustrating answer is, Sometimes.
"More robust contractual protection may or may not be the correct answer," says Masur. "It depends."
When to Negotiate a Better Cloud Services Contract
Prospective cloud customers should take into account the criticality of the software, data or services in question, the unique issues associated with cloud computing, and the availability and price of various alternatives, says Masur.
For non-core business tools or services involving routine, non-sensitive data, it often makes sense for customers to accept looser contract terms for that lower price.
But when you're considering a cloud-related option involving mission critical systems, regulated personal data or sensitive business intelligence, it's time to call legal and get the red pens ready. "A customer may opt to require a private cloud, data encryption, geographic restrictions, and other such terms," says Masur.
The biggest mistake new cloud services customers can make is either assuming the vendor's contract provides adequate customer protection or presuming there's no room to negotiate at all. "Many prospective customers assume incorrectly that cloud contracting is very similar to traditional IT contracting and either fail to address the issues unique to cloud computing, such as data privacy and compliance issues, or do so in a manner that increases their price without delivering commensurate value," says Masur.
While many cloud providers have been reluctant to deviate from their standard contracts whether due to their own restrictive business models or industry inexperience, that's beginning to change in this quickly evolving market.
For would-be cloud consumers looking to beef up the standard vendor agreement, the traditional IT outsourcing contract can be a good model. While there are no standard best practices in cloud contracting and no one-size-fits-all document capable of covering the spectrum of services available in the cloud, it can help to peruse a list of standard outsourcing provisions: privacy and security standards, regulatory and compliance issues, service level requirements and penalties, change management processes, business continuity, mandatory flow-down of all terms to subcontractors, termination rights.
Determine which are critical to address in your cloud services deal. After all, cloud computing is just another way to purchase software or infrastructure services, says Masur. Traditional outsourcing contract terms offer useful guidelines for cloud computing engagements, particularly infrastructure-as-a-service transactions involving sensitive data. And software licensing terms offer useful precedent for SaaS deals.
When Los Angeles and its IT outsourcing provider CSC signed a three-year Google Apps contract, the city was able to incorporate a surprising number of customer-friendly terms into the deal: a private cloud for sensitive data, mandatory data encryption, U.S.-only data storage and access, service levels with meaningful penalties, e-discovery functionality, a four-hour service restoration requirement, clearly defined exit rights, mandatory subcontractor flow-down, and broad indemnification obligation with unlimited liability for certain breaches.
The average cloud services customer may not be so lucky. You may find no cloud computing vendors willing to agree to your must-have terms—an indication you're not ready to send that particular IT service into the cloud.
But watch out for the converse, as well—an overeager provider that agrees to everything.
"A provider can agree to anything, and if the service level penalty for failing to deliver is insignificant, it can be cheaper to fail than in fact to deliver," says Plotkin. "This is a danger for all service providers. But it is probably a bit more of an issue because many of the cloud providers are less mature and have not gone through the crucible of having to keep promises as the larger, traditional providers have over many years."