From the beginning of the cloud trend, legal questions have swirled around cloud and the contracts signed between cloud providers, solution providers and even end users. Recently, researchers nailed down some of those elusive legal concerns and published their findings in the Stanford Technology Law Review. Thankfully, the folks at Forbes actually read that document, so we don’t have to, and I’ve read the Forbes article so YOU don’t have to. Here is the gist of it (thanks, Forbes!):
1. Who’s liable for damages from interruptions in service? Most cloud providers refuse to accept liability for damages and downtime, but the legal eagles strongly encourage pushing back on that, especially around long outages.
2. What about service level agreements? SLAs are often highly negotiable and tied to pricing — the more you pay, the better performance you get. Try tying SLAs to key performance indicators, starting with those already stipulated by the cloud vendor.
3. Does availability extend to data? Every cloud provider talks about how redundant and fault-tolerant their cloud is, but you still need to do your due diligence. Often the cloud provider will rebuild the structure but not compensate the customer for the damaged contents – so beware of that.
4. Where is the data actually going to be physically located? The European Union’s Data Protection Directive prohibits storing of data outside the boundaries of the EU and that is perhaps the most defined area of data security and privacy concern at this time. Be sure to find out where your provider’s data centers are located.
5. How can users avoid vendor lock-in and exit if needed? Contracts often require “notice of nonrenewal within a set period before expiry,” causing users to miss the window to exit the arrangement, but don’t be afraid to negotiate those renewal provisions out – settle on more user-friendly language.
6. Who maintains data for legal or compliance purposes, and what happens to it when contracts are terminated? There’s been little negotiation around data retention for legally required purposes, such as litigation e-discovery, so there isn’t much data here. However, what has been negotiated is your ability to demand prompt data return if a contract is terminated.
7. What happens when providers decide to change their service? Users pretty much have to accept providers’ rights to change features with the exception of those able to negotiate advance notifications of changes to PaaS engagements.
8. What are the grounds for service termination? Reasons providers pull their services include material breach, breach of acceptable use policies, or upon receiving third-party complaints regarding breach of their intellectual property rights, according to the article. The main issue is that the actions of one customer may trigger termination of the whole service. For instance, an IaaS provider may not be able to locate and terminate the offending VM instance, and therefore need to terminate the entire service. Know the process for that scenario.