Cloud Services and SAAS Agreements: Clickwrap vs. Custom

Photo Courtesy NASA

Many businesses are attracted by the economic advantages of cloud computing, yet at the same time wary of the risks of putting their data and business in the hands of a stranger.

The advantages of cloud computing include: eliminating the need for a major upfront investment in equipment that is then utilized only part-time; ability to ramp up quickly (scalability); ability to add functions quickly (modularity); paying only for what you use on a “utility model.” On other hand, the worst case scenario is that a cloud vendor could lose all of the customer’s data, as happened to many users of Sidekick mobile phones, who were notified in late 2009 that their e-mails, photographs, contacts, and other data stored in the cloud had been lost due to an equipment failure.

A well-drafted contract, that defines and allocates the risks between the parties, is therefore essential.

But most newcomers go the clickwrap route. Let’s take a look at a representative clickwrap cloud services agreement– the Amazon Elastic Cloud Compute (EC2) agreement, which is actually somewhat more customer-friendly than most– and how it could be improved from a customer’s point of view.

Uptime: Amazon’s goes further than most clickwrap agreements, offering concrete service levels that guarantee 99.95% uptime. Sounds good, right? But what happens if Amazon flunks its SLAs? The customer gets a service credit of 10% per month against future invoices, but note that Section 11 says that Amazon has no responsibility to pay for violation of SLAs, and in any event, total damages from all causes are limited to fees paid, not much comfort if your e-commerce site is down Christmas season. As a customer, you would want contractual provisions allowing you to receive more than token damages, and to require the vendor to insure you against loss. If the vendor is providing applications or services in addition to raw computing power, then service levels should be crafted that define and quantify the vendor’s success—uptime alone is not a sufficient metric.

Data Protection and Data Loss: major concerns for a cloud customer are loss of data security or integrity due to equipment failure or malicious third party actions such as hacking. Section 3.1 of the agreement says only that Amazon will implement reasonable measures to prevent loss, and puts the burden on the customer to back up data and to secure it against hacking. As a customer, you would want: contractual provisions guaranteeing that the vendor will implement certain safeguards and comply with certain security protocols; provide backup against data loss; allow customer audits; require vendor reporting, especially in case of security breaches, in which case you would also want a defined incident response, including requiring the vendor to provide any third party notifications required by law. And if all else fails, you would want the ability to recoup damages against the vendor, especially if a third party is making claims against you arising from actions of the vendor.

Regulatory Issues: location of the vendor’s equipment could impact what regulations a customer is subject to. In Section 3.2, Amazon allows customers to choose the physical location where their data is stored and used, and offers safe harbor programs to ensure compliance with the regulations of the relevant jurisdictions. That’s a good start, but Amazon puts the burden on customers to determine whether data will ever be stored or transmitted outside the requested location. Customers should review the provisions of the myriad state, federal, and foreign data privacy and security laws, to assess which might apply and how to the customer’s business model, then negotiate appropriate provisions with the vendor to ensure compliance. For example, the EU has a strict regulatory scheme to protect personally identifiable information of its residents, and has determined that US standards generally are non-compliant. So if there is any chance that such data will flow through the US, the agreement should require the vendor to comply with the EU-US Safe Harbor program of the US Department of Commerce.

Data Portability: clickwrap cloud services agreements are often silent about what happens to the customer’s data and content at the end of the contract. In the Amazon agreement, for 30 days after voluntary termination, Amazon promises not to erase data, and to offer reasonable assistance to transfer data back to the customer. That’s pretty good by clickwrap standards, but the agreement should also address other common scenarios where data access is a concern: if the vendor becomes insolvent, or is acquired by another vendor, or in a disaster recovery scenario.

Update, 4/25/11: This just in from our I Don’t Want To Say I Told You So Dept.: Amazon’s EC2 service went down last Thursday, and did not return to normal until Sunday, knocking out or seriously impairing thousands of websites, including Reddit and Foursquare, and resulting in permanent data loss for a small number of EC2 customers. But surely the 10% credit against next month’s bill will make up for the downtime…

Tags: , ,

3 Responses to “Cloud Services and SAAS Agreements: Clickwrap vs. Custom”

  1. jiah kim says:

    Great post that makes us realize lawyers have to stay on top of tech development to protect consumer rights. Thank you!

  2. Oliver W. Holmes says:

    Truly brilliant post. Vital knowledge delivered in a style that even non-techies can understand. Great work, blogger.

  3. Richard R. Bergovoy says:

    Thanks, Oliver W. You have a way with words yourself.

Leave a Reply