How to Negotiate a Better Cloud Computing Contract
Standard cloud computing contracts are one-sided documents that impose responsibility for security and data protection on the customer, disclaim all liability, offer no warranties, and give the vendor the right to suspend service at will. So why would you bother to sign on the dotted line?
Wed, April 21, 2010
CIO — The typical cloud computing contract can look downright simple to an experienced IT outsourcing customer accustomed to inking pacts hundreds of pages long that outline service levels and penalties, pricing and benchmarks, processes and procedures, security and business continuity requirements, and clauses delineating the rights and responsibilities of the IT services supplier and customer.
And that simplicity, say IT outsourcing experts, is the problem with cloud computing.
"Failure to understand the true meaning of the cloud and to address the serious legal and contractual issues associated with cloud computing can be catastrophic," says Daniel Masur, a partner in the Washington, D.C. office of law firm Mayer Brown. "The data security issues are particularly challenging, and failure to address them in the contract can expose a customer to serious violations of applicable privacy laws."
If a cloud services contract (whether it's for software-, infrastructure- or platform-as a service) seems less complex, that's because it's designed to offer products and services "as is"—without any vendor representations or warranties, responsibility for adequate security or data protection, or liability for damages, says Masur. (See Cloud-Computing Services: "Fine Print" Disappointment Forecasted.)
Cloud service providers will tell you the simplicity is precisely the point. They can offer customers low-cost, instantly available, pay-per-use options for everything from infrastructure on-demand to desktop support to business applications only by pooling resources and putting the onus for issues like data location or disaster recovery on the client. Adding more robust contractual protections erodes their value proposition.
"It is reasonable for vendors, particularly those who provide both traditional and cloud-type services, to point out that the further they are getting away from standard contracts—and, by implication, standard services—the more difficult it is for them to close the business case," says Doug Plotkin, head of U.S. sourcing for PA Consulting Group. "Much of the economic benefit that the cloud can deliver is predicated on the services—and the agreements—being standard."
Thus, the average cloud contract on the street is a one-sided document with little room for customer-specific protection or customization, says Masur. The question for new cloud computing customers is, Should you sign on that dotted line?
And the frustrating answer is, Sometimes.
"More robust contractual protection may or may not be the correct answer," says Masur. "It depends."
When to Negotiate a Better Cloud Services Contract
Prospective cloud customers should take into account the criticality of the software, data or services in question, the unique issues associated with cloud computing, and the availability and price of various alternatives, says Masur.