drafting complex cloud computing agreementsmedia.straffordpub.com/.../presentation.pdf · 8/8/2012...

Drafting Complex Cloud Computing Agreements Minimizing Risk Through Careful Negotiation of Contract Provisions

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's

speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

WEDNESDAY, AUGUST 8, 2012

Presenting a live 90-minute webinar with interactive Q&A

Matthew A. Karlyn, Partner, Foley & Lardner, Boston

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of

your sound will vary depending on the speed and quality of your internet

connection.

If the sound quality is not satisfactory and you are listening via your computer

speakers, you may listen via the phone: dial 1-866-961-8499 and enter your

PIN -when prompted. Otherwise, please send us a chat or e-mail

[email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen,

press the F11 key again.

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your

location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of

attendees at your location

• Click the SEND button beside the box

FOR LIVE EVENT ONLY

Conference Materials

If you have not printed the conference materials for this program, please

complete the following steps:

• Click on the + sign next to “Conference Materials” in the middle of the left-

hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a

PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

©2012 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not

clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

Drafting Complex Cloud Computing Agreements

Matt Karlyn Partner Foley & Lardner LLP (617) 502-3231 [email protected] August 8, 2012

5

mailto:[email protected]

©2012 Foley & Lardner LLP

What is Cloud Computing?

Delivery over the Internet (i.e., the "cloud")

Software, platform or infrastructure resources provided as services

Scalability on-demand

Utility and/or subscription billing (i.e., based on the customer's actual use and/or a period of time)

6


Where Have We Been and Where Are We Going with the Cloud

Where we have been – After the dot-com bubble, Amazon played a key role in the development of cloud computing

by modernizing their data centers, which were using as little as 10% of their capacity at any one time

– Amazon initiated a new product development effort to provide cloud computing to external customers and launched the Amazon Web Services in 2006

– In 2008, Eucalyptus became the first open source, Amazon Web Service API-compatible platform for deploying private clouds

– By mid-2008, Gartner saw an opportunity for cloud computing "to shape the relationship among consumers of IT services, those who use IT services and those who sell them" and observed that "[o]rganisations are switching from company-owned hardware and software assets to per-use service-based models" so that the "projected shift to cloud computing ... will result in dramatic growth in IT products in some areas and significant reductions in other areas."

Where we are going – Historically slow movers such as the federal government, are now quickly adopting the cloud – Last December, U.S. CIO Vivek Kundra established the "cloud first" policy, telling federal CIOs

to move three services to the cloud within 12 to 18 months. – Gartner predicted that by 2013 cloud computing revenue will top an estimated $14 billion

7


Licensing vs. the Cloud Traditional licensing/hardware purchase

– Vendor installs the software or equipment in the customer's environment – Customer has ability to have the software or hardware configured to meet its

needs – Customer retains control of the data

In the cloud… – Software, hardware and customer data are hosted by the provider typically in

a shared environment (e.g., many customers per server) – Software and hardware configuration much more homogeneous across all

customers

Shift of top priorities – From configuration, implementation and acceptance (in the licensing world)

to service availability, performance, service levels, data security and control (in the cloud)

Traditional provisions do retain importance – E.g., insurance, indemnity, intellectual property, limitations of liability,

warranties

8


Cloud Customers Must Make Important Decisions

There are no standard forms that work for every customer, for every product, in every deal

• Some commonly used outsourcing and software licensing terms may be useful, but cannot be uniformly applied to cloud computing transactions

More robust contractual protection and provisions that address issues unique to the cloud are likely needed

• For the "low risk" deals, a low risk solution may outweigh the need for contractual protections

• For "high risk" deals, better to take a closer look and include the provisions that will protect your company

• Note that robust contractual protections may have an impact on price and eliminate certain providers altogether

9


The Focus of Cloud Computing Transactions

Focus should be on:

– The criticality of the software, data and services to the enterprise

– The unique issues presented by a cloud computing environment

– The service levels and pricing offered by different suppliers and for different services

– Outsourcing agreements and traditional licensing agreements are a good starting point, but not a good ending point

10


Pre-Agreement Due Diligence Can the provider meet your company's expectations? Diligence can take many forms: site visits, product demonstrations, discussions with vendor personnel, reference site visits, discussions at user groups, industry groups, as well as due diligence questionnaires Require provider to complete a due diligence questionnaire – Provider's financial condition – Insurance – Existing service levels – Capacity – Physical and logical security – Disaster recovery and business continuity – Redundancy – Ability to comply with applicable regulations

11


Data Sensitivity and the Criticality of the Service

High Risk = mission critical processes utilizing highly sensitive data Medium Risk = generally available data that requires high service levels; non-confidential enterprise data Low Risk = not mission critical and generally available data; can accept outages and variable performance

Solutions must be carefully evaluated to ensure the benefits outweigh the risks; ensure contractual protections and operational precautions are taken

12


Data Sensitivity in Cloud Computing

Recent survey of large companies using cloud services found that nearly half of the respondents experienced a data security lapse or issue in the last twelve months

Example in recent data security incidents in the cloud include – The high-profile security breach of Sony's PlayStation Network

– Reports indicated that personal information of up to 77 million individuals was potentially exposed when an intruder gained access to PSN's systems in April of 2011

– Sony was forced to take the service offline for several weeks in order secure its systems from further intrusions.

13


Key Contractual Issues in Cloud Computing

Note that these slides and this presentation contain several examples of language that is commonly found in cloud computing agreements. These slides and this presentation are not a substitute for legal advice. The language to be used in your transactions depends on a variety of factors and the particular circumstances.

In fact, a draft report prepared by the National Institute of Standards and Technology found that for the typical customer most areas of the cloud contract are "non-negotiable." Therefore, you are strongly advised to engage knowledgeable legal counsel to access and help minimize your legal liabilities based on the particular requirements of your organization. Like any presentation or article, this is not meant to be a substitute for knowledgeable legal counsel.

14


Examples of Cloud Computing Provisions

Google Docs – http://www.google.com/accounts/TOS – Example: "Google is constantly innovating in order to provide the best possible

experience for its users. You acknowledge and agree that the form and nature of the Services which Google provides may change from time to time without prior notice to you. As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google's sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services.

Amazon Web Services Agreement – http://aws.amazon.com/agreement/ – Example: "You are responsible for properly configuring and using the Service Offerings

and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content. AWS log-in credentials and private keys generated by the Services are for your internal use only and you may not sell, transfer or sublicense them to any other entity or person, except that you may disclose your private key to your agents and subcontractors performing work on your behalf."

15

http://www.google.com/accounts/TOS

http://aws.amazon.com/agreement/


Identifying and Fixing All Contract Documents

All or some portion of the cloud contract may be hosted on the cloud. Therefore contract may not be "fixed" but rather may change at any time the provider changes the relevant Web pages Furthermore, provider may not even provide notice of any changes to the contract Customer should make every effort to "fix" the entire contract in a single document

– Ask that the Web page where an agreement is located be printed and attached as an exhibit to the contract

– Add language to the contract making clear that any future changes in those elements must not (i) material decrease the level of protection, service, performance existing as of the effective date; and (ii) impose any materially new or different obligations on the customer

– Provider should also be required to provide notice to customer of any changes to the agreement

– Include a termination right in the event a later change materially decreases the level of protection, service, performance, etc., existing as of the effective date

16


Definition of Services The definition of "Services" in a cloud computing agreement should be broadly worded to allow the client full use of the services. Example:

"Services" shall mean Provider's provision of software and infrastructure services described in Exhibit A (Services), and any other products, deliverables, and services to be provided by Provider to Client (i) described in a Statement of Work, (ii) identified in this Agreement, or (iii) otherwise necessary to comply with this Agreement, whether or not specifically set forth in (i) or (ii).

Customizations – Identify up front any additional customizations needed – Typically a cloud computing offering may have more limited

customization options, so that the provider can more efficiently manage the services and provide a more scalable solution

17


Service Availability

If the provider stops delivering services, the customer will have no access to the services (which may be supporting a critical business function), and perhaps more importantly, no access to the customer's data stored on the provider's systems

A customer must be able to continue to operate its business and have access to its data at all times

18

The State Code Number is MAK2125-

92011



Provider may stop delivering services to client, due to: – a server being down, – failure of a telecommunications link, – a natural disaster causing damage to the provider's data center, – provider withholding services because of a fee dispute, or – provider closing its business because of financial difficulties

Result: – Client has no access to

the services (which may be supporting a critical business function), and any client data stored on the provider's systems

19


92011



Client needs to be able to

– continue to operate its business, and

– have access to its data at all times.

To mitigate risk client should obtain

– appropriate uptime service level and remedies

– customer data ownership rights and provider's delivery of regular data backups

– disaster recovery and business continuity protections

– provider's agreement not to withhold services

– protections against provider financial instability

20


92011


Include uptime service level to ensure service availability is aligned with the client's expectations

Also, include appropriate remedies to incentivize provider to perform in accordance with service levels (meaningful remedies)

Uptime service level and the corresponding remedies discussed in more detail in later slides

Scenario: Server is down, or failure of a telecommunications link


21


92011


Service Availability – In-House Software Solution

Risk mitigation – Consider requiring the provider to make available or

develop an in-house software solution if provider stops providing "software" services, your operations could be dead in the water

"Software" services are typically unique and more difficult to replace than infrastructure services

Inclusion of an "in-house" solution provision is very dependent on the nature of the software provided as a service

The more critical the application, the more important it is to explore an in-house solution – even if it is escrowed

Scenario: Server is down, or failure of a telecommunications link

22


Service Availability – Disaster Recovery and Business Continuity

Risk mitigation: – Include a provision requiring the provider to continue to make the

services available, even in the event of a disaster, power outage, or similarly significant event.

– Continuity of services should be provided through a secondary server, data center, or provider, as appropriate.

Review any related provider policies and procedures Example:

Example: Provider shall maintain and implement disaster recovery and avoidance procedures to ensure that the Services are not interrupted during any disaster. Provider shall provide Client with a copy of its current disaster recovery plan and all updates thereto during the Term. All requirements of this Agreement, including those relating to security, personnel due diligence, and training, shall apply to the Provider disaster recovery site.

Scenario: Natural disaster is causing damage to the provider's data center

23


92011


Service Availability – Withholding of Services

Include a provision prohibiting the provider's withholding of services Example:

Provided Client continues to timely make all undisputed payments, Provider warrants that during the Term of this Agreement it will not withhold Services provided hereunder, for any reason, including but not limited to a dispute between the parties arising under this Agreement, except as may be specifically authorized herein.

Scenario: Provider is withholding service because of a fee dispute

24


92011


Service Availability – Bankruptcy; Financial Wherewithal

Include a bankruptcy provision

– provides the client the right to terminate the Agreement in the event of a provider bankruptcy

Include a transition assistance services provision

– requires the provider to assist in transition of the services to a 3rd

party provider or to the client, in the event of expiration or termination of the Agreement

However, once the provider has declared bankruptcy, Provider's ability to assist the client may be limited

Scenario: Provider is closing its business because of financial difficulties

25


Service Availability – Bankruptcy; Financial Wherewithal (cont'd.)

If the client is not confident of the provider's financial stability, then consider adding a provision that enables the client to identify provider's financial issues in advance

– Require the provider to deliver periodic reports on its financial condition

Example: Quarterly, during the Term, Provider shall provide Client with all information reasonably

requested by Client to assess the overall financial strength and viability of Provider and Provider's ability to fully perform its obligations under this Agreement. In the event Client concludes that Provider does not have the financial wherewithal to fully perform as required hereunder, Client may terminate this Agreement without further obligation or liability by providing written notice to Provider.

Scenario: Provider is closing its business because of financial difficulties

26


92011


Service Levels Most common service level issues: – uptime – service response time – simultaneous visitors – problem response time and resolution time – data return – remedies

2 main purposes: – assure the client that it can rely on the services in its business and

provide appropriate remedies if the provider fails to meet the agreed service levels

– provide agreed upon benchmarks that facilitate the provider's continuous quality improvement process and provide incentives that encourage the provider to be diligent in addressing issues

27


92011


Service Levels

Why are they so important? – Assure the customer that it can rely on the

services in its business and provide appropriate remedies if the provider fails to meet the agreed service levels

– Provide agreed upon benchmarks that facilitate the provider's continuous quality improvement processes and provide incentives that encourage the provider to be diligent in addressing issues

28


92011


Service Levels – Uptime Service Level

Requires that the services will have an uptime (i.e., availability) of a certain percentage, during certain hours, measured over an agreed upon period. Ensure service availability is aligned with customer's expectations and business needs (e.g. peak season) Example:

Provider will make the Services Available continuously, as measured over the course of each calendar month period, an average of 99.99% of the time, excluding unavailability as a result of Exceptions, as defined below (the "Availability Percentage"). "Available" means the Services shall be available for access and use by Client. For purposes of calculating the Availability Percentage, the following are "Exceptions" to the service level requirement, and the Services shall not be considered Un-Available, if any inaccessibility is due to: (i) Client's acts or omissions; (ii) Client's Internet connectivity; and (iii) Provider's regularly scheduled downtime (which shall occur weekly, Sundays, from 2 am – 4 am central time).

29


92011


Service Levels – Uptime Service Level

Downtime

– Scheduled downtime

– Customers should receive written documentation of a provider's scheduled downtime

– Ensure the schedule creates no issues for the customer's business

– Downtime monitoring

– Provider should be proactive in detecting downtime (e.g., require the provider to constantly monitor the "heartbeat" of all its servers through automated "pinging")

Measurement Window

– Providers tend to want longer measurement periods (e.g., quarterly)

– dilutes the effects of a downtime and thus masks periodic performance issues that may temporarily impact the business and eliminates meaningful remedies

30


92011


Service Levels – Service Response Time Service Level

Services that fail to provide timely responses to its users are effectively "unavailable" Therefore, include a service level that sets forth maximum response times for a customer's use of the Services – a specific service level target depends on the facts and

circumstances in each case (e.g., transaction complexity, processing required, whether services are being accessed over an Internet connection or a leased line)

Example:

The average download time for each page of the Services, including all content contained therein, shall be within the lesser of (a) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index ("KB40") or (b) two (2) seconds. In the event the KB40 is discontinued, a successor index (such as average download times for all other customers of Provider) may be mutually agreed upon by the parties.

31


32


Service Levels – Simultaneous Visitors

Does customer expect the services to support multiple simultaneous users?

If so, include a service level explicitly specifying a requirement that aligns with customer's expectations

33


92011


Service Levels – Data Return

The client should also consider adding a data return service level, if services involve – a critical business function, or – sensitive client information

Measures the time period between the client's request for data and the provider's return of such data in accordance with the timeframe requirements of the agreement Provides additional assurance that customer will be able to receive its data and continue to operate, in the event that provider stops providing services or concerns of a loss of service arise

34


92011


Service Availability – Client Data

Explicitly specify client's ownership of any

information stored by the provider for the client

Require that provider

– deliver periodic copies of all client data to client, and

– perform regular data backups to an off-site storage facility

35


92011


Service Levels – Problem Response Time and Resolution Time Service Levels

Providers often include only a response time measurement, which typically falls short of what is necessary – Response Time

measures the time period from when the problem is reported to when the provider notifies the client and begins working to address the issue

Also, include a resolution time measurement – Resolution Time

measures the time period from when the problem is reported to when the provider implements a fix or acceptable workaround

36


92011


Service Levels – Remedies Credits – Typically, remedies for failure to hit a service level

start out as credits towards the next period's service Right to Terminate – If repeated failure occurs, the client should have the

right to terminate the agreement without penalty or having to wait for the current term to expire

Example: In the event the Services are not Available 99.99% of the time but are Available at least 95% of the time, then in addition to any other remedies available under this Agreement or applicable law, Client shall be entitled to a credit in the amount of $_____ each month this service level is not satisfied. In the event the Services are not Available at least 95% of the time, then in addition to any other remedies available under this Agreement or applicable law, Client shall be entitled to a credit in the amount of $_____ each month this service level is not satisfied. Additionally, in the event the Services are not Available 99.99% for (a) three (3) months consecutively or (b) any three (3) months during a consecutive six (6) month period, then, in addition to all other remedies available to Client, Client shall be entitled to terminate this Agreement upon written notice to Provider with no further liability, expense, or obligation to Provider.

37


Data – Security, Redundancy, Ownership and Use Rights, Conversion

The security of a customer's data in a cloud computing environment has been recognized as one of the largest areas of concern for a customer – The customer is ultimately responsible for complying with privacy and

security regulations, and data security breaches are costly

To confirm it is able to continue using its data, the customer should confirm ownership of all data stored by the provider – Require regular backups – Require appropriate data conversion

Require provider to maintain confidentiality of data Place appropriate limitations on the provider's ability to use the data and customer information

38



Increased risk of unauthorized disclosure

– Multi-tenancy in the cloud – your data may be stored on a server with other customer's data = increased risk of unauthorized disclosure

39



Due diligence is important – Where is the data going to be located?

Who will have access to the data? Will offshore be permitted?

– Which law governs?

Who is operating the data center – the provider or a third party? – Ensure third party hosts comply with your agreement – Provider should accept all responsibility for the third party host – Provider should be jointly and severally liable with the third party host for any

breach of the agreement by the third party host – Consider entering a separate confidentiality agreement with the third party

host – Advance notice if any change of the host

40



Providers should be required to provide: – Baseline security measures

– Security incident management

– Hardware, software and security policies

Some providers won't show you their security policies but will permit onsite access to them – You should go and review them

Ensure that these policies address security issues particular to cloud computing and services being provided over the internet

41



Provider must notify the customer in the event it is required by law to disclose your company's data

– Written notice sufficiently in advance

– Reasonable efforts not to release data pending the outcome of any measures taken by your company to oppose the required disclosure

42



In the event of a security breach:

– Customer has sole control over the timing, content, and method of customer notification (if it is required)

– If the provider is responsible for the breach, then the provider must reimburse the customer for its reasonable out-of-pocket expenses in providing the notification and otherwise complying with the law

43


Data – Security and Ownership Example:

(a) In General. Provider will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Client Information that are (1) at least equal to industry standards for such types of locations, (2) in accordance with reasonable Client security requirements, and (3) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access of Client Information and all other data owned by Client and accessible by Provider under this Agreement. (b) Storage of Client Information. All Client Information must be stored in a physically and logically secure environment that protects it from unauthorized access, modification, theft, misuse, and destruction. In addition to the general standards set forth above, Provider will maintain an adequate level of physical security controls over its facility. Further, Provider will maintain an adequate level of data security controls. See Exhibit A for detailed information on Provider's security policies protections (c) Security Audits. During the Term, Client or its third party designee may, but is not obligated to, perform audits of the Provider environment, including unannounced penetration and security tests, as it relates to the receipt, maintenance, use, or retention of Client Information. Any of Client's regulators shall have the same right upon request. Provider agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes.

44


Data – Security and Ownership Data conversion issues – avoid hidden costs, and

– avoid being "locked in" to the provider's solution

Prior to Execution of Agreement – Confirm

customer data can be directly imported into provider's services, or

any data conversion needed will be done at provider's cost

– Consider conducting a test run of provider's mapping scheme

– Ask provider's references about their data migration experiences

Expiration or Termination of the Agreement – Provider should be required to

return the customer's data (both in provider's data format and in a platform-agnostic format) and

destroy all of customer's information on provider's servers

45


Data – Ownership and Use Rights

Ownership – As previously mentioned, clarify that client has ownership of any

data stored by the provider for client In the event that the provider stops providing services and client is requesting the return of its data, there should be no separate dispute as to ownership of the data

Use Rights – Confidentiality

Include specific language regarding the provider's obligations to maintain the confidentiality of client information

– Use Limitations Place appropriate limitations on the provider's use of client information (i.e., provider has no right to use such information except in connection with its performance under the cloud computing agreement)

46


Data – Ownership and Use Rights

Provider's Proposed Use of Client Data – More cloud computing providers want to analyze and use the

client data that resides on their servers for their own commercial benefit

Ex. provider may wish to use (de-identified) client data, aggregated along with other clients' data, to provide data analysis to industry groups or marketers

Client should ask the provider about its uses and add a provider representation about which uses, if any, are permitted Most clients should conclude that the provider should not have any right to use the client's data, beyond what is strictly necessary to provide the services (whether in raw form, aggregated, or de-identified)

47


Data – Conversion

Data conversion must be addressed to – avoid hidden costs, and – avoid being "locked in" to the provider's solution

Prior to Execution of Agreement – Confirm that

client data can be directly imported into provider's services, or any data conversion needed will be done at provider's cost or at client's cost (with client's agreement)

– Consider conducting a test run of provider's mapping scheme – When checking provider's references, ask about data migration

experiences

48


Data – Conversion Expiration or Termination of the Agreement – Include explicit obligations on the part of the provider to

return the client's data, both in provider's data format and in a platform-agnostic format, and destroy all of the client's information on provider's servers

Example:

At Customer's request, Provider will provide a copy of Customer Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in the form in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider's or its agents' or subcontractors' possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer's request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.

49


Data - Redundancy Provider is the custodian of customer's data Include explicit provisions regarding – Provider's duty to back up customer data and the

frequency of that back up – Customer's ongoing access to such data or the

delivery of such data to customer on a regular basis Compare the provider's backup policies to customer's own. It should at least as stringent as its own. Example:

Provider will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer's database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.

50


Publicity Customer's reputation and good will are substantial and important assets – Most notably via customer's name and other

trademarks

Consider a provision relating to any announcements and publicity in connection with the transaction – Prohibit provider from making any media

releases or other public announcements relating to the agreement, or otherwise using the customer's name and trademarks without prior written consent

51


Term

The customer should be able to terminate the agreement at any time upon notice (14 to 30 days) and without penalty – The software and infrastructure are being provided as a

service and should be treated as such

– The provider may request a minimum commitment from the customer to recoup the provider's "investment" in securing the customer as a customer

If you agree to this, limit to no more than one year and the provider should be required to provide evidence of its up front costs to justify such a requirement

52


Termination

Termination for Convenience – Client should be able to terminate the agreement at any time without

penalty upon reasonable notice (14 to 30 days) – Minimum Commitment Period

Provider may request a minimum commitment period to recoup the provider's "investment" in securing the client as a customer (i.e., sales expenses and related costs) If the client agrees, the committed term should be no more than 1 year and the provider should provide evidence of its up-front costs to justify such a requirement

53


Indemnification

Third party claims relating to the provider's breach of its confidentiality and security obligations, and claims relating to infringement of third party intellectual property rights – Limitation to copyright is not acceptable

– Limitation to US IP rights may be acceptable, but consider whether use of the services will occur overseas

– Intentional breaches should be fully indemnified

54


Intellectual Property The impact of intellectual property rights on customer's business must be analyzed. – If the provider will be performing significant implementation services

in connection with Services, the intellectual property ownership structure proposed by a provider may not effectively address the customer's business needs

– Consider what if provider's intellectual property is incorporated into work product?

– Customer should obtain ownership of any "work product" and a very broad license to use any provider intellectual property incorporated into any work product

A provider may benefit from customer providing direction as to configurable screens that will be used by the customer. – Consider adding a restriction against the provider using those same

ideas in services being delivered from provider to any of customer's competitors

55


Limitation of Liability

Scrutinize limitation of liability provisions carefully

If you can't eliminate the limitation of liability in its entirety, seek the following protections:

– Mutual protection

– Appropriate carve-outs (e.g., confidentiality, data security, indemnity)

– A reasonable liability cap for direct damages

56


Implementation

When there will be significant implementation services, the customer should consider establishing a broad definition of "services" in the cloud computing agreement – E.g., extensive software or hardware

implementation, configuration, customization)

This is useful in limiting provider claims for "out of scope" activity and request for additional money

57


Warranties

The following warranties are common in these types of agreements: – Conformance to specifications

– Performance of services

– Appropriate training

– Compliance with laws

– No sharing / disclosure of data

– Services will not infringe

– No viruses / destructive programs

– No pending or threatened litigation

– Sufficient authority to enter into agreement

58


Insurance

Customer should self-insure against IT risks by obtaining a cyber-liability policy

Provider should be required to carry:

– Technology errors and omissions liability insurance

– Commercial blanket bond, using Electronic & Computer Crime or Unauthorized Computer Access insurance

Most data privacy and security laws will hold the customer liable for security breaches whether it was the customer's fault or the provider's fault

59


Exclusivity

In order for customers to obtain the best pricing, providers are asking customer to contractually commit to an exclusive arrangement

Before entering into such an arrangement, ensure your company has the proper protections in the agreement – Excellent service levels

– Appropriate exceptions to exclusivity

– Right to transition in anticipation of termination

You don't want to be bound to a poorly performing provider!

Weigh pricing advantages with performance commitments and reliability of the provider

60


Post-Execution Ongoing Provider Assessment

Regular program of evaluating a provider's performance

– Provider required to supply the requisite information to access the services

– Notify the customer of any changes with regard to the provider

– Provide recommendations to improve the services

61


Negotiation Leverage is important – you may not be able to obtain all of the protections you want Evaluate the business risks – Do the services support a critical business function? – Do the services involve sensitive data? – Are the services customer facing?

If you can't get the protections you want in the most significant areas of risk, consider walking away If walking away is not an acceptable option, focus on risk mitigation – For example, if the provider refuses to modify its uptime service level

(arguing that it cannot separately administer an uptime warranty for different customers) focus on improved remedies and exit rights for failure to meet the service level

62


QUESTIONS?

Matt Karlyn

Partner

Foley & Lardner LLP

111 Huntington Avenue

Boston, MA 02199

(617) 502-3231

[email protected]

63

mailto:[email protected]