CLOUD CONTRACTS WHAT PROVIDERS AND CUSTOMERS SHOULD DISCUSS

Transcription

1 CLOUD CONTRACTS WHAT PROVIDERS AND CUSTOMERS SHOULD DISCUSS Catalogue of recommended contractual components in General Terms and Conditions of Business (AGB) and Service Level Agreements (SLA) for Cloud Service Providers

2 Catalogue prepared by: EuroCloud.Austria The Vienna Economic Chamber Section for Business Consultancy and Information Technology Austrian Standards Institute Vienna IT Cluster, Vienna Business Agency Also recommended by: ADV, Arbeitsgemeinschaft für Datenverarbeitung Version 1.0 of 1 November

3 index 1 Framework conditions for the cloud service 1.1 Rules on all companies involved in delivering the service 1.2 Rules on changes in the contractual terms and conditions for cloud services 1.3 Rules concerning the contract termination of cloud services 2 Cloud service delivery 2.1 Rules concerning the infrastructure used 2.2 Rules concerning the content of the services 2.3 Rules concerning the implementation of the services 2.4 Rules concerning operations of the services 2.5 Rules concerning the availability of the cloud service 3 Cloud service billing 4 Cloud service security 4.1 Rules relating to data protection 4.2 Rules on IT security 4.3 Rules concerning data backups and data erasure

4 4

5 purpose PURPOSE OF THIS CATALOGUE For the cloud service user, a cloud service is like classic outsourcing of IT Services. Therefore, a cloud services agreement should include some contractual elements that are also part of a standard IT outsourcing contract. This is a catalogue of recommended contractual elements that should be incorporated into the General Terms and Conditions (AGB) and Service Level Agreements (SLA) for cloud service providers. This list does not contain suggested legal wording for provisions as the specific wordings may vary substantially according to the respective cloud service context. For example, cloud services for private photo uploads should certainly contain different contractual provisions than cloud accounting software for enterprises. This list does not claim to be exhaustive. Dr. Tobias Höllwarth EuroCloud.Austri Vienna, November

6 framework 1 FRAMEWORK CONDITIONS FOR THE CLOUD SERVICE List all essential information and necessary regulations important for drawing up the contract and terminating the cloud service agreement in this content area. In particular, this means information about the companies involved in providing the service. 1.1 Rules on all companies involved in delivering the service The following items should be taken into account, confirmed, or stated in sufficient detail in the contract: Pertinent information on the company with which the contract is to be concluded as given by public registers, such as the company register, commercial registers or registers of associations Statement on where the service provider has its registered main office and what national laws may apply to this company (head office and branches) Information on existing certifications of the contracting party. Detailed description of the existing, valid certifications of the data centre Information on businesses involved in providing the service. Also subcontractors, data centre providers or cloud services of third party companies integrated into providing the service. In particular, statements about which subcontractors are used in the local country or in countries with comparable data protection laws. For example: the legal system (even if only partially) to which the subcontractors are subject, what privacy rights the subcontractor must observe, the substantive insolvency laws that apply (access to data, separation rights, mandatory provisions, official receiver, etc.) Commitment that subcontractors are bound by the contractor to the same obligations that the contractor agrees with the customer. 6

7 framework 1.2 Rules on changes in the contractual terms and conditions for cloud services The following items should be taken into account, confirmed and stated in sufficient detail in the contract: Clarification of the form in which the contract will be made available (e.g., electronically signed PDF or printed document) as well as the approach to be taken in case of changes to the contract Confirmation that no unilateral changes to the terms of the contract will be made List of subcontractors whose replacement requires the express consent of the customer. 1.3 Rules concerning the contract termination of cloud services Rules on terminating the contract should be sufficiently taken into account, confirmed and clarified in the contract: Statement of the term of the contract, rules relating to unequivocal reasons for termination and their deadlines for both sides. Contractor s special right of termination if the provider changes important subcontractors (if keeping the current subcontractor is not possible) Statement of the provisions governing the participation of the contractor in providing data after termination Regulations for protecting the customer s data and the availability of the application in the event of insolvency of the contractor, e.g., through preventive measures Sufficiently detailed description of the processes at the end of the contract settlement, technical formats of the data transmission, handover of the electronic keys, etc. 7

8 service delivery 2 CLOUD SERVICE DELIVERY List all essential information and necessary regulations important for providing a cloud service in this content area. In particular, these include all information on the infrastructure used, service provision, its implementation and on operations. 2.1 Rules concerning the infrastructure used The following items should be confirmed or stated in sufficient detail: Explicit listing of all data centres (including their addresses) to be used for the contracted services. The legal consequences of the use of data centres outside of the EU legal framework should be made transparent Statement of how the data centre will handle potential risks (e.g., natural disasters, technical problems, crime, and human errors) and what measures and processes are taken or used to minimise possible consequences Detailed statement of the availability of the infrastructure at the data centre, the connection to one or more Internet carriers, the management documents on operations and emergencies, certifications and the availability of back-up power and cooling. 2.2 Rules concerning the content of the services As an essential element of the contract, sufficient space should be dedicated to a detailed description of the statement of work. The following items should be taken into account, confirmed or stated in the contract in sufficient detail: Sufficiently detailed description of the cloud service itself and the nature of the cloud service, e.g., Infrastructure as a Service (IaaS), etc. 8

9 service delivery Information on the origin, manufacturer and existing certifications of the service Clear statements on provisions relating to the countries in which operation of the services is assured, of the available languages and localisations, of the deployed standards, which browsers and which interfaces are supported Clear description of the available options for management of the customer s own rights, of the authentication options and user management. 2.3 Rules concerning the implementation of the services The following items should be taken into account, confirmed or stated in sufficient detail in the contract: Sufficiently detailed description of trial versions of the service (costs, duration, functions) and presentation of the migration scenarios for migrating to the full versions All service options for implementation and possibilities for customising and their associated costs Training concepts and operational as well as user manuals Acceptance processes and their consequences (e.g., commencement date, warranty, payment obligations). 2.4 Rules concerning operations of the services The following items should be taken into account, confirmed or stated in sufficient detail in the contract: Sufficiently detailed representation of release management process (time, lead time, obligation to update, customer-specific configurations) Sufficiently detailed representation of error or fault management processes (notification, communication strategy, such as ticketing system, telephony services [hotline], escalation processes, patch deadlines, etc.). 9

10 operations of the services Sufficiently detailed statement on the assured availability levels, performance metering and how the purchaser is informed of the service fulfilment status (how are monitoring and reporting handled?) Sufficiently detailed statement of what service levels (SLA) are offered and how compliance with the service levels is controlled, documented and communicated Sufficiently detailed statement on how troubleshooting is organised Sufficiently detailed statement on how capacity planning for the required infrastructure of services is handled Sufficiently detailed statement on all data export options, including the necessary interfaces and programs Rules for electronic documents (invoices and other business-relevant sup porting documents), which lead to obligations on the part of the purchaser vis-à-vis the relevant Tax Authorities. 2.5 Rules concerning the availability of the cloud service1 The following items should be taken into account, confirmed and stated in sufficient detail in the contract: Detailed regulations for communication channels for support to end customers and rules on the available support languages Provisions for 1st and 2nd level support, their respective availability and guaranteed response times Description of customer support and the use of a supporting system, such as a ticketing system. 10

11 service billings 3 CLOUD SERVICE BILLING List in this content area all essential information and necessary regulations that are important for billing a cloud service Detailed report of the content and the form of service measurement and billing and of all possible deviations from these regulations, in particular for value added services that will be billed separately, volume discounts and the price of value added services Clarification of the process for future price adjustments Detailed description of the options in the case of disruptions, such as deductions, penalties and damages Detailed description of the provisions in the event of a dispute on service delivery or delayed payment. Exclusion of rules governing the retention or deletion of the customer s data without the express consent of the customer. 11

12 service security 4 CLOUD SERVICE SECURITY List all essential information and necessary regulations important for the security of the customer s data in a cloud service in this content area. 4.1 Rules relating to data protection The following items should be stated in sufficient detail in the contract to ensure data protection compliance: Description of the service in terms of data protection aspects, description of the scope, nature and purpose of the planned data acquisition, processing or use; the nature of the data and the affected persons; definition of the processing duration and deletion of the data Statement of the rules for control of personal data (register entry or equivalent regulations). In particular, naming of contact persons within the contractor s organisation and for all subcontractors, who are available to to providing support in exercising rights of affected parties (information, permission, deletion of affected parties data) Statement of how the employees of the contractor and all subcontractors who could have access to the data, will be bound to maintain data secrecy and observe other applicable confidentiality regulations Agreement on the responsibilities between the purchaser who bears the fundamental data protection responsibility and the contractor who is responsible for the implementation of data protection instructions from the purchaser and who must establish the technical protection measures, etc. 12

13 service security Definition of cases deemed to be violations on the part of the contractor or the persons employed by him against regulations for the protection of personal data or against the provisions agreed in the order that are subject to mandatory disclosure to the purchaser Rules on legally permissible and mandatory information of the contractor to the purchaser in case of access by law enforcement agencies and other government bodies Rules on the purchaser s right to perform audits on the contractor s or its subcontractors premises, or to assign the right of audit to a third party authorised by the purchaser. Arrangements for (cumulative or as an alternative to audits by the purchaser) periodic checks/audits and certifications that ensure data protection by the contractor and verify and certify its obligations towards the purchaser. Rules governing the contractor s obligation to participate in these activities and the costs associated with this obligation. 4.2 Rules on IT security The following items should be taken into account, confirmed and stated in sufficient detail in the contract: Description of the deployed IT security solutions, such as the use of firewall systems, antivirus scanners for protection against viruses, Trojans, malware, protection against DoS, etc Description of security checks and/or penetration testing to be carried out by the contractor Description of the encryption methods and of key management for the traffic between the purchaser and the contractor, the use of encryption on the storage media and of end-to-end encryption, which completely prevents insights into customer data by the provider s staff. 13

14 IT security Detailed description of secure authentication for the use of the service, of the auditability of login actions (visible to the customer) and the ability to integrate a customer s system for authentication. 4.3 Rules concerning data backups and data erasure The following items should be taken into account, confirmed and stated in sufficient detail in the contract: Sufficiently detailed rules on mirroring of application data, and failover procedures for ensuring permanent data availability. 14

15 IT security Sufficiently detailed provisions on data backups and archiving (e.g., when, how often, how long, duration of the restore, storage of the storage media), rules for the safekeeping of the backup media (e.g., spatial separation, backup encryption schema, and provisions on customer access to data backups),rules for the deletion of the data and returning the data media after the termination of the agreement, provision for demonstrable deletion of customer data. 15

16 address EuroCloud EuroCloud.Austria - gemeinnütziger Verein für Förderung von Cloud Computing Museumstraße 5/ Wien info@eurocloud.at ADV ADV Arbeitsgemeinschaft für Datenverarbeitung Trattnerhof Wien office@adv.at UBIT Professional Association of Management Consultancy and Information Technology Vienna Schwarzenbergplatz 14 A-1041 Vienna T: F: ubit@wkw.at 16

17 address IT Cluster IT-Cluster der Wirtschaftsagentur Wien Ebendorferstraße 2 A-1010 Wien info@wirtschaftsagentur.at Austrian Standards Institute Austrian Standards Institute / Österreichisches Normungsinstitut (ON) Heinestraße Wien office@as-institute.at 17

18