Cloud Agreements: Do's, Don'ts, and Cautions
4th Annual Grand Rapids IT Symposium
June 11, 2015
Nate Steed & Ken Coleman
© 2015 Warner Norcross & Judd LLP. All rights reserved. WNJ.com
Disclaimer
Outline/Summary
Top 9 Issues in Cloud Agreements (in no particular order)
1. Pricing
2. Changes
3. Service Level Agreements
4. Termination/Suspension
5. Disaster Recovery / Data Backups
6. Security Obligations
7. Warranties
8. Indemnification
9. Limitation of Liability
Pricing - Service Provider Style
Service Provider reserves the right to modify its fees, effective as of the end of the then-current Term upon at least thirty (30) days prior notice to you, which notice may be provided by e-mail.
Pricing Do's
- Limited number and timing
- Hard cap
- Advance notice
- Allow for services to become less expensive
Pricing - Compromise
Service Provider may increase the price for the Services no more than once annually upon at least sixty (60) days written notice prior to the end of Customer's present billing cycle; provided, however, that: (1) any such increase shall not exceed the lesser of X% or the increase in CPI for the 12 month period immediately preceding such increase; and (2) such increase will not become effective until the start of Customer's next billing cycle.
Modifications - Service Provider Style
We may change, discontinue, or deprecate any of the Service Offerings (including the Service Offerings as a whole) or change or remove features or functionality of the Service Offerings from time to time. We may modify the Terms upon notice to you at any time through a service announcement or by sending email to your primary email address.
Service Modifications
How Customer may see it:
- No desire for unexpected changes, or changes that result in a loss of functionality
- Counting on certain functionality, especially for business critical aspects of the Service
- Significant time in transitioning to new service provider if we have to
How Vendor may see it:
- Beneficial to the Customer to allow us to add new functionality
- Ever-evolving nature of the cloud prevents us from guaranteeing every aspect of functionality for the service as a whole
Terms Modifications
Really?
No provision of this Agreement may be modified except by a written document signed by duly authorized representatives of the parties.
Modifications of the Service
Customer acknowledges that during the Term, Service Provider may need and/or desire to make modifications to the Service. Such modifications are permitted provided that any modification may not result in or cause a material degradation to the Service or a loss of any functionality then being utilized by Customer and Service Provider shall provide Customer at least sixty (60) days advance written notice of any material change to the Service.
Service Level Agreements
The Service will be available 100% of the time, excluding scheduled or emergency maintenance. Service downtime exists when Customer is unable to transmit and receive data with the Service, but does not include the effects of any Internet, Customer network or other connectivity issues not within the control of Service Provider, and is measured from the time the trouble ticket is opened by the Customer. Upon receiving a report of downtime from the Customer, for each full hour of downtime, Service Provider will credit the Customer two percent (2%) of the monthly fee, up to fifty percent (50%) of Customer's monthly fee for the affected Service.
Service Level Agreements
- Beware the standard SLA of the vendor
- Consider multiple measures (i.e. system availability commitment & system response time commitment)
- Get an uptime commitment
- Take into account the nature of the service
- Clearly define what qualifies as downtime
- Limit the amount of any permitted downtime
- Make clear who monitors uptime
- Address remedies
- Termination right for severe or chronic failures
Service Level Agreements - Rethought
Scheduled Downtime means up to four (4) hours of planned and scheduled maintenance performed during the relevant month to perform necessary hardware, OS, network, database, application software maintenance, repair, upgrades, and updates and for which Customer has at least seventy-two (72) hours advance written notice. Service Provider will use best efforts to ensure that Scheduled Downtime takes place during non-business hours.
In the event: (a) system availability falls below 99.9% in (i) two (2) consecutive calendar months or (ii) any three (3), or more, non-consecutive months in any twelve (12) month period; or (b) system availability falls below 90% in any given month, then, notwithstanding anything in the Agreement to the contrary, Customer may terminate the Agreement upon written notice to Service Provider and without early termination liability.
Termination/Suspension
Service Provider may suspend or terminate Customer's right to access or use any portion or all of the Service Offerings immediately and without notice if Service Provider determines, in its sole discretion, that (a) Customer's use of Service Offerings (i) poses a security risk to the Service Offerings or any third party, (ii) may adversely impact the Service Offerings or the systems or Content of any other Service Provider customer, (iii) may subject Service Provider, its affiliates, or any third party to liability, or (iv) may be fraudulent; (b) Customer is in breach of this Agreement, including if Customer is delinquent on its payment obligations for more than 15 days; or (c) Customer has ceased to operate in the ordinary course, made an assignment for the benefit of creditors or similar disposition of Customer's assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding.
Termination/Suspension - Vendor Style
If you are putting the security of our system at risk, we are going to suspend your access immediately.
Termination/Suspension Do's
- Notice
- Separate suspension and termination
- Express good faith requirement
- Limited Scope
- Limited Duration
Termination/Suspension
Service Provider may suspend Customer's or an Authorized User's access to the Service, in the event Service Provider determines in good faith that such party's use of Service (i) poses a security risk to the Service, (ii) is or is reasonably likely to adversely and immediately impact the Service or the systems or Content of any other Service Provider customer, or (iii) is in material breach of this Agreement. Service Provider shall provide Customer with prior notice of any such suspension, provided that if prior notice is not possible, Service Provider will notify Customer as soon as reasonably possible following such suspension. Any such suspension will be limited in both scope and duration as necessary to address the event or cause giving rise to the suspension.
Disaster Recovery/Data Backup Responsibilities and Carve-Outs
Sample provision
You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content. You acknowledge that you are solely responsible for taking steps to maintain appropriate security, protection and backup of Customer Data.
Disaster Recovery/Data Backup Responsibilities and Carve-Outs
Backups
- Who?
- When?
- Where?
Disaster recovery
- Does the Service Provider have a disaster recovery plan?
- Is it adequate?
- Who's allowed to declare a disaster?
Disaster Recovery/Data Backup Responsibilities and Carve-Outs
Compromise?
- Clarity
- In the contract
- Does it satisfy customer's organizational requirements?
Security Obligations
Service Provider will operate in conformance with its operating, security and privacy policies, and will act promptly to address any nonconformance therewith identified by Service Provider or any other party. Service Provider will make available to Customer its annual SSAE-16 (or successor type) audit report covering its operations and shall take prompt action to address any exception identified in such reports.
Security Obligations
Issues to consider
- Type of data being put in the cloud
- Legal requirements for securing data
- Industry specific requirements for securing data
Common area of disagreement:
- Who takes financial responsibility for a breach of security?
- What level of attack triggers notice to Customer?
- Locking in to specific security standards
Security Obligations - Compromise
Without limiting the Disclaimer of Warranties, or Customer's obligations under this Agreement, Service Provider will implement (or ensure the implementation of), commercially reasonable administrative, physical and technical measures designed to secure Customer Data against accidental or unlawful loss, access or disclosure. To the extent that Service Provider processes any Personal Data on behalf of Customer, Service Provider shall process such Personal Data strictly in accordance with the terms of this Agreement and Customer's instructions from time to time. Accordingly and in all such cases, Service Provider shall be the data processor and Customer shall be data controller under the applicable law. The transfer of any EU Personal Data or Australian Personal Data to territories outside the EU or Australia, respectively, is not contemplated by this Agreement. Customer shall obtain any consents from Users or anyone else whose Personal Data will be processed by the Services.
Warranties
THE SERVICES ARE PROVIDED ON AN AS IS, AS AVAILABLE BASIS WITHOUT ANY REPRESENTATIONS OR WARRANTIES. SERVICE PROVIDER DOES NOT REPRESENT OR WARRANT THAT THE SERVICES WILL BE AVAILABLE, ACCESSIBLE, UNINTERRUPTED, TIMELY, SECURE, ACCURATE, COMPLETE, OR ENTIRELY ERROR-FREE. CUSTOMER MAY NOT RELY UPON ANY REPRESENTATION OR WARRANTY REGARDING THE SERVICES BY ANY THIRD PARTY IN CONTRAVENTION OF THE FOREGOING STATEMENTS. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 11.2.1, SERVICE PROVIDER SPECIFICALLY DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS OR IMPLIED, ARISING BY STATUTE, OPERATION OF LAW, USAGE OF TRADE, COURSE OF DEALING, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO, WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR TITLE WITH RESPECT TO THE SERVICES, OR OTHER SERVICES OR GOODS PROVIDED UNDER THIS AGREEMENT.
Warranties
Common areas of disagreement
- Service Level Warranties
- Security Obligations
- Remedies for Breach
Warranties and the Trouble of Sole & Exclusive Language
Service Provider should provide the following warranties:
- Service Level Agreement
- Security
- Operation in accordance with the specifications
- Good and workmanlike fashion for services
Sole and exclusive remedy
Customer:
- What if repair/replace or reperformance of services is inadequate?
- What if repair/replace doesn't work?
Warranties and the Trouble of Sole & Exclusive Language
Vendor response: Well what other remedy would you want?
Warranties and the Trouble of Sole & Exclusive Language
Areas of compromise
- SLA: sole and exclusive remedy in the SLA. As long as SLA provides for termination right
- Specifications: repair or replace
- Good and workmanlike fashion: reperform
Indemnification
Subject to the terms of this Agreement, Provider shall indemnify Licensee and its employees, agents, successors and assigns from and against any and all loss, damage, liability, and expense arising from any claim brought against any such indemnified party by a third party to the extent (a) alleging that the API Services, as provided by Service Provider and used in accordance with the terms of this Agreement, infringes upon any valid U.S. patent, copyright, trademark, trade secret, or other proprietary right of such third party.
Indemnification
Service Provider liable instead of Customer for certain claims brought against Customer, or certain losses sustained by Customer
Common areas of disagreement:
- Security breach
- Data breach notification
- Failure to timely provide services
Indemnification - Compromise
Service Provider shall indemnify and hold harmless Customer and its Affiliates, and their respective officers, directors, shareholders, employees, agents and representatives against all liability, loss, damage, claims, actions, and expenses (including attorneys' fees) based upon or arising out of:
- Service Provider's breach of its security obligations found in the Agreement
  - Encompass data breach investigation, notification, and mitigation costs
  - Compromise if legally required
- Third party claims alleging that Customer's use of the Service in accordance with the terms of the Agreement infringes such third party's intellectual property rights
- property damage, including loss or destruction of data, or personal injury, including death, directly caused by or sustained in connection with the Service Provider's performance under this Agreement
Limitations of Liability, Carve-Outs, and Uncapped Damages
Sample vendor provision
Unless stated in the Additional Terms, we are not liable to you or anyone else for: (a) any loss of use, data, goodwill, profits, whether or not foreseeable; and (b) any special, incidental, indirect, consequential, or punitive damages whatsoever (even if we have been advised of the possibility of these damages), including those (x) resulting from loss of use, data, or profits, whether or not foreseeable, (y) based on any theory of liability, including breach of contract or warranty, negligence or other tortious action, or (z) arising from any other claim arising out of or in connection with your use of or access to the Services or Software. Nothing in these terms limits or excludes our liability for gross negligence, for our (or our employees') intentional misconduct, or for death or personal injury. Our total liability in any matter arising out of or related to these terms is limited to US $100 or the aggregate amount that you paid for access to the Service and Software during the three-month period preceding the event giving rise to the liability, whichever is larger. This limitation will apply even if we have been advised of the possibility of the liability exceeding the amount and notwithstanding any failure of essential purpose of any limited remedy.
Uncapped Damages
Two schools of thought
- Because the risk is hard to quantify, and because it would arise as a result of Service Provider's failures, certain damages should be uncapped.
- If Service Provider uncaps damages, and suffers a security breach compromising the data of all of its customers, none of its customers will be made whole in the end.
Limitations of Liability, Carve-Outs and Uncapped Damages
Compromise?
Limitations of Liability, Carve-Outs and Uncapped Damages
Potential areas of compromise
- Uncapped for specific claims (i.e. breach of confidentiality, claims arising out of or related to Service Provider's breach of its security obligations, etc.)
- If not uncapped for these claims consider super cap (i.e. 3-5 times fees paid under the agreement)
- Can the organization mitigate potential risk from capped liability?
- Who has the leverage?
Questions & Answers
Thank you!
Nate Steed (616) 752-2723 nsteed@wnj.com
Ken Coleman (616) 752-2708 kcoleman@wnj.com
These materials are for educational use only. This is not legal advice and does not create an attorney-client relationship.