Contracting for Cloud Computing Geofrey L Master Mayer Brown JSM Partner +852 2843 4320 geofrey.master@mayerbrownjsm.com April 5th 2011 Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
Agenda Cloud computing what is it? Tradeoffs with current cloud offerings Key contract issues Key compliance issues 1
Cloud Computing What Is It? 2
Overview of Cloud Computing and Cloud-Based Offerings NIST definition http://csrs.nist.gov/groups/sns/cloudcomputing/cloud-def-v15.doc SaaS software as a service (e.g., Google Gmail, Google Docs, Facebook and Zoho) PaaS platform as a service (e.g., Microsoft Azure, Force.com, Google App Engine) IaaS infrastructure as a service (Amazon, Google, Rackspace, IBM computing on demand) 3
Common Attributes of Cloud-Based Offerings Pooled Resources Delivery model servicing multiple consumers, with physical and virtual resources assigned dynamically Rapid provisioning On-demand delivery of cloud-based services, requiring latent hardware, software and storage capacity Client managed Users can configure sometimes within pre-set limits services and usage Measured Service/Consumption Billing Users pay for actual consumption of defined blocks of Cloud-based resources Lower Costs Users pay for cloud-based services as an operating expense and avoid capital expenditures and maintenance costs 4
Overview of Cloud Computing Public Cloud End User To Cloud Source: GopikannanParthiban blog, Cloud Computing Use Case Discussion Group v.1 5
Overview of Cloud Computing Private Cloud Private Cloud Source: GopikannanParthiban blog, Cloud Computing Use Case Discussion Group v.1 6
Overview of Cloud Computing Hybrid Cloud Hybrid Cloud Source: GopikannanParthiban blog, Cloud Computing Use Case Discussion Group v.1 7
Tradeoffs with Current Cloud Offerings 8
Tradeoffs with Current Cloud Offerings Breadth Nice to have business tools Routine, non-sensitive data Limited scope of business use Mission critical applications Regulated or business sensitive data Enterprise-wide use Each end of the spectrum presents different legal and contractual challenges, options and trade-offs 9
Tradeoffs with Current Cloud Offerings In Many Cases, Standard Provider Contracts One-sided contracts, with provider-friendly terms and little or no opportunity to negotiate Offer AS IS terms with broad disclaimers of liability and essentially no contractual commitments Impose sole responsibility for adequate security, data protection and backups on customer Incorporate on-line forms, subject to unilateral change or even deletion 10
Tradeoffs with Current Cloud Offerings Many cloud providers Are relative newcomers, with little outsourcing or even software licensing experience Emphasize low cost, standard offerings, leaving little room for robust contractual commitments or customization Are heavily dependent on third party software and platform providers and unable to flow down the requested contractual commitments 11
Tradeoffs with Current Cloud Offerings Cloud Customers Must Make Informed Tradeoffs There is no standard contract form that will work for every situation Requiring robust protections may increase the price and eliminate certain providers altogether Evolving area many providers are considering ways to offer stronger protections for higher prices Architectural and commercial approaches may be available to mitigate many of the risks 12
Key Contract Issues in Cloud Computing 24
Key Contract Issues in Cloud Computing Topics What customers want What cloud computing providers offer in form agreements Risks to customers in accepting the cloud providers positions What to negotiate when you can negotiate 25
Key Contract Issues in Cloud Computing Services Definition Customers want Services described in a negotiated SOW Additional services that are inherent, necessary or customary in providing the described services No change without customer s consent Cloud providers offer Services as described on provider s web site, which may change from time to time without prior notice (Sales Force, Google, Amazon) Unilateral cloud provider right to retire or change Service features (Microsoft) Agreement that may be modified by online acceptance (Oracle)] 26
Key Contract Issues in Cloud Computing Location Customers want Commitment to provide services only from locations that have been approved by customer Right to audit that location at any time Cloud providers offer No commitment to any location, or even to disclose the location (Sales Force, Google Apps Engine, Amazon) Explicit statements that services may be provided from, or data may be transferred to, locations worldwide at cloud provider s discretion (Oracle, Microsoft) No right to audit the location 27
Key Contract Issues in Cloud Computing Performance Guaranty Customers want Auditable measurements such as service levels and milestones Related to business value Monthly reporting Monetary incentives for performance (such as service level credits) Cloud providers offer No commitment (Google, Amazon) Non-binding objectives (e.g., performance in accordance with online User Guide subject to change) (Sales Force) Service Levels subject to change at renewal (Microsoft) Service fee credit (Oracle) 28
Key Contract Issues in Cloud Computing Continuous Improvement Customers want Commitment to upgrade to and support new technologies Commitment to modify services as required by changes in laws Cloud providers offer No commitment (Oracle, Sales Force, Amazon) Right to eliminate all or any part of Service due to change in law (Microsoft, Google Apps Engine) 29
Key Contract Issues in Cloud Computing Customer Control of Services Customers want Approval rights for Provider Personnel and subcontractors Detailed plans (e.g., procedures manuals) Right to conduct operational, financial and data security audits Access to source code Cloud providers offer No commitment on personnel or subcontracting No detailed documentation of commitments Right for provider to audit Customer (Oracle) No access to source code 30
Key Contract Issues in Cloud Computing Intellectual Property Rights Customers want To own customer s existing IP To own newly developed IP Cloud providers offer Acknowledgement that the customer owns its IP (Oracle, Sales Force, Google) Provider retains all ownership of anything developed and delivered under the agreement (Oracle) Customer owns any IP that Customer develops in connection with services (Amazon) 31
Key Contract Issues in Cloud Computing Warranties and Indemnities Customers want Non-infringement warranty Compliance with laws warranty Conformity to industry best practices warranty Infringement, violations of law, personal injury indemnities Cloud providers offer Infringement Indemnification (Oracle, Sales Force) Product (but not service) warranties, and no indemnities (Microsoft) Warranties listed in user guide (Sales Force) Policies referenced in order document (Oracle) 32
Key Contract Issues in Cloud Computing Limitations on Liability Customers want Broad exceptions to limitations of liability Broad exceptions to disclaimer of damages 12 or more months of fees at risk for direct damages Cloud providers offer No exceptions to limitations of liability or disclaimers of damages Varying amounts at risk: Amounts paid under the Agreement (Amazon) Last 12 months of fees (Oracle) 6 months of fees prior to Security Incident (Microsoft) No amount at risk whatsoever (Google) 33
Key Contract Issues in Cloud Computing Termination Customers want Right to terminate at any time without penalty Provider to waive termination rights except upon a material payment failure Any assistance requested to ensure a smooth transition to a successor provider Cloud providers offer Six months notice for Customer termination for convenience with termination charge of six months fees (Microsoft) Provider rights to terminate for convenience (Amazon) or material breach (Oracle, Sales Force) Termination assistance limited to data access for 30, 60, 90 days (Sales Force and Microsoft and Amazon, Oracle, Google, respectively) 34
Summary Keep your eyes on Criticality of the software, data and services Unique contract and compliance risks associated with cloud computing Use compliance and contracting concepts from traditional outsourcing, data use and software license arrangements as a starting point 35
Key Compliance Issues in Cloud Computing 13
Key Compliance Issues with Cloud Computing Privacy and Security the Elephant in the Room Data transfer issues (EU and similar jurisdictions) Data location issues Location of users accessing data Movement and storage of data Use of subcontractors Use of multiple platforms Lack of transparency and control Data breach issues Data destruction issues Ability to impose security and privacy requirements 15
Key Compliance Issues with Cloud Computing Export Control Export control laws prevent export or reexport of items subject to export control, including certain technical data, software and information Access by a non-us person may be export or reexport even if the data and the non-us person are in the US Transfer by the cloud provider from one country to another may be a reexport The U.S.-based customer may be the exporter instead of the cloud provider because the U.S.-based customer receives the benefit of the transaction Sanctions include penalties and denial of export privileges 22
Key Compliance Issues with Cloud Computing Software Licenses Standard software licenses terms require the customer to: Know where copies of the software are located Limit the number of instances, servers, chips, cores, etc. where the software is running Allow/enable the software licensor to audit compliance Cloud model means that software may move from machine to machine without informing cloud customers License terms based on hardware metrics may generate surprising results Standard cloud agreements offer no protections 23
Thank You 41
Questions? Geofrey Master is a partner in the Business & Technology Sourcing practice at Mayer Brown JSM. He is based in Hong Kong and leads the BTS practice in Asia. Geof represents clients in a broad range of information technology and business process outsourcing and technology transactions, including software license and implementation agreements. Geof has an extensive background in the international delivery of services, having previously served as international general counsel for one of the world's largest information technology and business process service providers. About Mayer Brown Mayer Brown is a global legal services organization comprising legal practices that are separate entities, the Mayer Brown Practices. The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions. 42