Drafting Complex Cloud Computing Agreements Minimizing Risk Through Careful Negotiation of Contract Provisions
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, AUGUST 8, 2012
Presenting a live 90-minute webinar with interactive Q&A
Matthew A. Karlyn, Partner, Foley & Lardner, Boston
©2012 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not
clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Drafting Complex Cloud Computing Agreements
Matt Karlyn, Partner, Foley & Lardner LLP, (617) 502-3231, August 8, 2012
What is Cloud Computing?
Delivery over the Internet (i.e., the "cloud")
Software, platform or infrastructure resources provided as services
Scalability on-demand
Utility and/or subscription billing (i.e., based on the customer's actual use and/or a period of time)
Where Have We Been and Where Are We Going with the Cloud
Where we have been
– After the dot-com bubble, Amazon played a key role in the development of cloud computing by modernizing their data centers, which were using as little as 10% of their capacity at any one time
– Amazon initiated a new product development effort to provide cloud computing to external customers and launched the Amazon Web Services in 2006
– In 2008, Eucalyptus became the first open source, Amazon Web Service API-compatible platform for deploying private clouds
– By mid-2008, Gartner saw an opportunity for cloud computing "to shape the relationship among consumers of IT services, those who use IT services and those who sell them" and observed that "[o]rganisations are switching from company-owned hardware and software assets to per-use service-based models" so that the "projected shift to cloud computing ... will result in dramatic growth in IT products in some areas and significant reductions in other areas."
Where we are going
– Historically slow movers, such as the federal government, are now quickly adopting the cloud
– Last December, U.S. CIO Vivek Kundra established the "cloud first" policy, telling federal CIOs to move three services to the cloud within 12 to 18 months.
– Gartner predicted that by 2013 cloud computing revenue will top an estimated $14 billion
Licensing vs. the Cloud
Traditional licensing/hardware purchase
– Vendor installs the software or equipment in the customer's environment
– Customer has ability to have the software or hardware configured to meet its needs
– Customer retains control of the data
In the cloud…
– Software, hardware and customer data are hosted by the provider typically in a shared environment (e.g., many customers per server)
– Software and hardware configuration much more homogeneous across all customers
Shift of top priorities
– From configuration, implementation and acceptance (in the licensing world) to service availability, performance, service levels, data security and control (in the cloud)
Traditional provisions do retain importance
– E.g., insurance, indemnity, intellectual property, limitations of liability, warranties
Cloud Customers Must Make Important Decisions
There are no standard forms that work for every customer, for every product, in every deal
• Some commonly used outsourcing and software licensing terms may be useful, but cannot be uniformly applied to cloud computing transactions
More robust contractual protection and provisions that address issues unique to the cloud are likely needed
• For the "low risk" deals, a low risk solution may outweigh the need for contractual protections
• For "high risk" deals, better to take a closer look and include the provisions that will protect your company
• Note that robust contractual protections may have an impact on price and eliminate certain providers altogether
The Focus of Cloud Computing Transactions
Focus should be on:
– The criticality of the software, data and services to the enterprise
– The unique issues presented by a cloud computing environment
– The service levels and pricing offered by different suppliers and for different services
– Outsourcing agreements and traditional licensing agreements are a good starting point, but not a good ending point
Pre-Agreement Due Diligence
Can the provider meet your company's expectations?
Diligence can take many forms: site visits, product demonstrations, discussions with vendor personnel, reference site visits, discussions at user groups, industry groups, as well as due diligence questionnaires
Require provider to complete a due diligence questionnaire
– Provider's financial condition
– Insurance
– Existing service levels
– Capacity
– Physical and logical security
– Disaster recovery and business continuity
– Redundancy
– Ability to comply with applicable regulations
Data Sensitivity and the Criticality of the Service
High Risk = mission critical processes utilizing highly sensitive data
Medium Risk = generally available data that requires high service levels; non-confidential enterprise data
Low Risk = not mission critical and generally available data; can accept outages and variable performance
Solutions must be carefully evaluated to ensure the benefits outweigh the risks; ensure contractual protections and operational precautions are taken
Data Sensitivity in Cloud Computing
Recent survey of large companies using cloud services found that nearly half of the respondents experienced a data security lapse or issue in the last twelve months
Examples of recent data security incidents in the cloud include
– The high-profile security breach of Sony's PlayStation Network
– Reports indicated that personal information of up to 77 million individuals was potentially exposed when an intruder gained access to PSN's systems in April of 2011
– Sony was forced to take the service offline for several weeks in order to secure its systems from further intrusions.
Key Contractual Issues in Cloud Computing
Note that these slides and this presentation contain several examples of language that is commonly found in cloud computing agreements. These slides and this presentation are not a substitute for legal advice. The language to be used in your transactions depends on a variety of factors and the particular circumstances.
In fact, a draft report prepared by the National Institute of Standards and Technology found that for the typical customer most areas of the cloud contract are "non-negotiable." Therefore, you are strongly advised to engage knowledgeable legal counsel to assess and help minimize your legal liabilities based on the particular requirements of your organization. Like any presentation or article, this is not meant to be a substitute for knowledgeable legal counsel.
Examples of Cloud Computing Provisions
Google Docs – http://www.google.com/accounts/TOS
– Example: "Google is constantly innovating in order to provide the best possible experience for its users. You acknowledge and agree that the form and nature of the Services which Google provides may change from time to time without prior notice to you. As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google's sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services."
Amazon Web Services Agreement – http://aws.amazon.com/agreement/
– Example: "You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content. AWS log-in credentials and private keys generated by the Services are for your internal use only and you may not sell, transfer or sublicense them to any other entity or person, except that you may disclose your private key to your agents and subcontractors performing work on your behalf."
Identifying and Fixing All Contract Documents
All or some portion of the cloud contract may be hosted on the cloud. Therefore, the contract may not be "fixed" but rather may change at any time the provider changes the relevant Web pages
Furthermore, the provider may not even provide notice of any changes to the contract
Customer should make every effort to "fix" the entire contract in a single document
– Ask that the Web page where an agreement is located be printed and attached as an exhibit to the contract
– Add language to the contract making clear that any future changes in those elements must not (i) materially decrease the level of protection, service, performance existing as of the effective date; and (ii) impose any materially new or different obligations on the customer
– Provider should also be required to provide notice to customer of any changes to the agreement
– Include a termination right in the event a later change materially decreases the level of protection, service, performance, etc., existing as of the effective date
Definition of Services
The definition of "Services" in a cloud computing agreement should be broadly worded to allow the client full use of the services. Example:
"Services" shall mean Provider's provision of software and infrastructure services described in Exhibit A (Services), and any other products, deliverables, and services to be provided by Provider to Client (i) described in a Statement of Work, (ii) identified in this Agreement, or (iii) otherwise necessary to comply with this Agreement, whether or not specifically set forth in (i) or (ii).
Customizations
– Identify up front any additional customizations needed
– Typically a cloud computing offering may have more limited customization options, so that the provider can more efficiently manage the services and provide a more scalable solution
Service Availability
If the provider stops delivering services, the customer will have no access to the services (which may be supporting a critical business function), and perhaps more importantly, no access to the customer's data stored on the provider's systems
A customer must be able to continue to operate its business and have access to its data at all times
The State Code Number is MAK2125-
92011
Service Availability
Provider may stop delivering services to client, due to:
– a server being down,
– failure of a telecommunications link,
– a natural disaster causing damage to the provider's data center,
– provider withholding services because of a fee dispute, or
– provider closing its business because of financial difficulties
Result:
– Client has no access to the services (which may be supporting a critical business function), and any client data stored on the provider's systems
Service Availability
Client needs to be able to
– continue to operate its business, and
– have access to its data at all times.
To mitigate risk client should obtain
– appropriate uptime service level and remedies
– customer data ownership rights and provider's delivery of regular data backups
– disaster recovery and business continuity protections
– provider's agreement not to withhold services
– protections against provider financial instability
Service Availability
Include uptime service level to ensure service availability is aligned with the client's expectations
Also, include appropriate remedies to incentivize provider to perform in accordance with service levels (meaningful remedies)
Uptime service level and the corresponding remedies are discussed in more detail in later slides
Scenario: Server is down, or failure of a telecommunications link
Service Availability – In-House Software Solution
Risk mitigation
– Consider requiring the provider to make available or develop an in-house software solution; if provider stops providing "software" services, your operations could be dead in the water
"Software" services are typically unique and more difficult to replace than infrastructure services
Inclusion of an "in-house" solution provision is very dependent on the nature of the software provided as a service
The more critical the application, the more important it is to explore an in-house solution – even if it is escrowed
Scenario: Server is down, or failure of a telecommunications link
Service Availability – Disaster Recovery and Business Continuity
Risk mitigation:
– Include a provision requiring the provider to continue to make the services available, even in the event of a disaster, power outage, or similarly significant event.
– Continuity of services should be provided through a secondary server, data center, or provider, as appropriate.
Review any related provider policies and procedures
Example: Provider shall maintain and implement disaster recovery and avoidance procedures to ensure that the Services are not interrupted during any disaster. Provider shall provide Client with a copy of its current disaster recovery plan and all updates thereto during the Term. All requirements of this Agreement, including those relating to security, personnel due diligence, and training, shall apply to the Provider disaster recovery site.
Scenario: Natural disaster is causing damage to the provider's data center
Service Availability – Withholding of Services
Include a provision prohibiting the provider's withholding of services
Example:
Provided Client continues to timely make all undisputed payments, Provider warrants that during the Term of this Agreement it will not withhold Services provided hereunder, for any reason, including but not limited to a dispute between the parties arising under this Agreement, except as may be specifically authorized herein.
Scenario: Provider is withholding service because of a fee dispute
Service Availability – Bankruptcy; Financial Wherewithal
Include a bankruptcy provision
– provides the client the right to terminate the Agreement in the event of a provider bankruptcy
Include a transition assistance services provision
– requires the provider to assist in transition of the services to a 3rd party provider or to the client, in the event of expiration or termination of the Agreement
However, once the provider has declared bankruptcy, Provider's ability to assist the client may be limited
Scenario: Provider is closing its business because of financial difficulties
Service Availability – Bankruptcy; Financial Wherewithal (cont'd.)
If the client is not confident of the provider's financial stability, then consider adding a provision that enables the client to identify provider's financial issues in advance
– Require the provider to deliver periodic reports on its financial condition
Example: Quarterly, during the Term, Provider shall provide Client with all information reasonably requested by Client to assess the overall financial strength and viability of Provider and Provider's ability to fully perform its obligations under this Agreement. In the event Client concludes that Provider does not have the financial wherewithal to fully perform as required hereunder, Client may terminate this Agreement without further obligation or liability by providing written notice to Provider.
Scenario: Provider is closing its business because of financial difficulties
Service Levels
Most common service level issues:
– uptime
– service response time
– simultaneous visitors
– problem response time and resolution time
– data return
– remedies
2 main purposes:
– assure the client that it can rely on the services in its business and provide appropriate remedies if the provider fails to meet the agreed service levels
– provide agreed upon benchmarks that facilitate the provider's continuous quality improvement process and provide incentives that encourage the provider to be diligent in addressing issues
Service Levels
Why are they so important?
– Assure the customer that it can rely on the services in its business and provide appropriate remedies if the provider fails to meet the agreed service levels
– Provide agreed upon benchmarks that facilitate the provider's continuous quality improvement processes and provide incentives that encourage the provider to be diligent in addressing issues
Service Levels – Uptime Service Level
Requires that the services will have an uptime (i.e., availability) of a certain percentage, during certain hours, measured over an agreed upon period.
Ensure service availability is aligned with customer's expectations and business needs (e.g., peak season)
Example:
Provider will make the Services Available continuously, as measured over the course of each calendar month period, an average of 99.99% of the time, excluding unavailability as a result of Exceptions, as defined below (the "Availability Percentage"). "Available" means the Services shall be available for access and use by Client. For purposes of calculating the Availability Percentage, the following are "Exceptions" to the service level requirement, and the Services shall not be considered Un-Available, if any inaccessibility is due to: (i) Client's acts or omissions; (ii) Client's Internet connectivity; and (iii) Provider's regularly scheduled downtime (which shall occur weekly, Sundays, from 2 am – 4 am central time).
Service Levels – Uptime Service Level
Downtime
– Scheduled downtime
– Customers should receive written documentation of a provider's scheduled downtime
– Ensure the schedule creates no issues for the customer's business
– Downtime monitoring
– Provider should be proactive in detecting downtime (e.g., require the provider to constantly monitor the "heartbeat" of all its servers through automated "pinging")
Measurement Window
– Providers tend to want longer measurement periods (e.g., quarterly)
– dilutes the effects of a downtime and thus masks periodic performance issues that may temporarily impact the business and eliminates meaningful remedies
Service Levels – Service Response Time Service Level
Services that fail to provide timely responses to their users are effectively "unavailable"
Therefore, include a service level that sets forth maximum response times for a customer's use of the Services
– a specific service level target depends on the facts and circumstances in each case (e.g., transaction complexity, processing required, whether services are being accessed over an Internet connection or a leased line)
Example:
The average download time for each page of the Services, including all content contained therein, shall be within the lesser of (a) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index ("KB40") or (b) two (2) seconds. In the event the KB40 is discontinued, a successor index (such as average download times for all other customers of Provider) may be mutually agreed upon by the parties.
Service Levels – Simultaneous Visitors
Does customer expect the services to support multiple simultaneous users?
If so, include a service level explicitly specifying a requirement that aligns with customer's expectations
Service Levels – Data Return
The client should also consider adding a data return service level, if services involve
– a critical business function, or
– sensitive client information
Measures the time period between the client's request for data and the provider's return of such data in accordance with the timeframe requirements of the agreement
Provides additional assurance that customer will be able to receive its data and continue to operate, in the event that provider stops providing services or concerns of a loss of service arise
Service Availability – Client Data
Explicitly specify client's ownership of any information stored by the provider for the client
Require that provider
– deliver periodic copies of all client data to client, and
– perform regular data backups to an off-site storage facility
Service Levels – Problem Response Time and Resolution Time Service Levels
Providers often include only a response time measurement, which typically falls short of what is necessary
– Response Time measures the time period from when the problem is reported to when the provider notifies the client and begins working to address the issue
Also, include a resolution time measurement
– Resolution Time measures the time period from when the problem is reported to when the provider implements a fix or acceptable workaround
Service Levels – Remedies
Credits
– Typically, remedies for failure to hit a service level start out as credits towards the next period's service
Right to Terminate
– If repeated failure occurs, the client should have the right to terminate the agreement without penalty or having to wait for the current term to expire
Example: In the event the Services are not Available 99.99% of the time but are Available at least 95% of the time, then in addition to any other remedies available under this Agreement or applicable law, Client shall be entitled to a credit in the amount of $_____ each month this service level is not satisfied. In the event the Services are not Available at least 95% of the time, then in addition to any other remedies available under this Agreement or applicable law, Client shall be entitled to a credit in the amount of $_____ each month this service level is not satisfied. Additionally, in the event the Services are not Available 99.99% for (a) three (3) months consecutively or (b) any three (3) months during a consecutive six (6) month period, then, in addition to all other remedies available to Client, Client shall be entitled to terminate this Agreement upon written notice to Provider with no further liability, expense, or obligation to Provider.
Data – Security, Redundancy, Ownership and Use Rights, Conversion
The security of a customer's data in a cloud computing environment has been recognized as one of the largest areas of concern for a customer
– The customer is ultimately responsible for complying with privacy and security regulations, and data security breaches are costly
To confirm it is able to continue using its data, the customer should confirm ownership of all data stored by the provider
– Require regular backups
– Require appropriate data conversion
Require provider to maintain confidentiality of data
Place appropriate limitations on the provider's ability to use the data and customer information
Data – Security, Redundancy, Ownership and Use Rights, Conversion
Increased risk of unauthorized disclosure
– Multi-tenancy in the cloud – your data may be stored on a server with other customers' data = increased risk of unauthorized disclosure
Data – Security, Redundancy, Ownership and Use Rights, Conversion
Due diligence is important
– Where is the data going to be located?
Who will have access to the data? Will offshore be permitted?
– Which law governs?
Who is operating the data center – the provider or a third party?
– Ensure third party hosts comply with your agreement
– Provider should accept all responsibility for the third party host
– Provider should be jointly and severally liable with the third party host for any breach of the agreement by the third party host
– Consider entering a separate confidentiality agreement with the third party host
– Advance notice if any change of the host
Data – Security, Redundancy, Ownership and Use Rights, Conversion
Providers should be required to provide: – Baseline security measures
– Security incident management
– Hardware, software and security policies
Some providers won't show you their security policies but will permit onsite access to them
– You should go and review them
Ensure that these policies address security issues particular to cloud computing and services being provided over the internet
Data – Security, Redundancy, Ownership and Use Rights, Conversion
Provider must notify the customer in the event it is required by law to disclose your company's data
– Written notice sufficiently in advance
– Reasonable efforts not to release data pending the outcome of any measures taken by your company to oppose the required disclosure
Data – Security, Redundancy, Ownership and Use Rights, Conversion
In the event of a security breach:
– Customer has sole control over the timing, content, and method of customer notification (if it is required)
– If the provider is responsible for the breach, then the provider must reimburse the customer for its reasonable out-of-pocket expenses in providing the notification and otherwise complying with the law
Data – Security and Ownership
Example:
(a) In General. Provider will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Client Information that are (1) at least equal to industry standards for such types of locations, (2) in accordance with reasonable Client security requirements, and (3) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access of Client Information and all other data owned by Client and accessible by Provider under this Agreement.
(b) Storage of Client Information. All Client Information must be stored in a physically and logically secure environment that protects it from unauthorized access, modification, theft, misuse, and destruction. In addition to the general standards set forth above, Provider will maintain an adequate level of physical security controls over its facility. Further, Provider will maintain an adequate level of data security controls. See Exhibit A for detailed information on Provider's security policies protections.
(c) Security Audits. During the Term, Client or its third party designee may, but is not obligated to, perform audits of the Provider environment, including unannounced penetration and security tests, as it relates to the receipt, maintenance, use, or retention of Client Information. Any of Client's regulators shall have the same right upon request. Provider agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes.
Data – Security and Ownership
Data conversion issues
– avoid hidden costs, and
– avoid being "locked in" to the provider's solution
Prior to Execution of Agreement
– Confirm customer data can be directly imported into provider's services, or any data conversion needed will be done at provider's cost
– Consider conducting a test run of provider's mapping scheme
– Ask provider's references about their data migration experiences
Expiration or Termination of the Agreement
– Provider should be required to return the customer's data (both in provider's data format and in a platform-agnostic format) and destroy all of customer's information on provider's servers
Data – Ownership and Use Rights
Ownership
– As previously mentioned, clarify that client has ownership of any data stored by the provider for client
– In the event that the provider stops providing services and client is requesting the return of its data, there should be no separate dispute as to ownership of the data
Use Rights
– Confidentiality: Include specific language regarding the provider's obligations to maintain the confidentiality of client information
– Use Limitations: Place appropriate limitations on the provider's use of client information (i.e., provider has no right to use such information except in connection with its performance under the cloud computing agreement)
Data – Ownership and Use Rights
Provider's Proposed Use of Client Data
– More cloud computing providers want to analyze and use the client data that resides on their servers for their own commercial benefit
– Ex. provider may wish to use (de-identified) client data, aggregated along with other clients' data, to provide data analysis to industry groups or marketers
Client should ask the provider about its uses and add a provider representation about which uses, if any, are permitted
Most clients should conclude that the provider should not have any right to use the client's data, beyond what is strictly necessary to provide the services (whether in raw form, aggregated, or de-identified)
Data – Conversion
Data conversion must be addressed to
– avoid hidden costs, and
– avoid being "locked in" to the provider's solution
Prior to Execution of Agreement
– Confirm that client data can be directly imported into provider's services, or any data conversion needed will be done at provider's cost or at client's cost (with client's agreement)
– Consider conducting a test run of provider's mapping scheme
– When checking provider's references, ask about data migration experiences
Data – Conversion
Expiration or Termination of the Agreement
– Include explicit obligations on the part of the provider to return the client's data, both in provider's data format and in a platform-agnostic format, and destroy all of the client's information on provider's servers
Example:
At Customer's request, Provider will provide a copy of Customer Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in the form in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider's or its agents' or subcontractors' possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer's request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.
Data - Redundancy
Provider is the custodian of customer's data
Include explicit provisions regarding
– Provider's duty to back up customer data and the frequency of that backup
– Customer's ongoing access to such data or the delivery of such data to customer on a regular basis
Compare the provider's backup policies to customer's own. They should be at least as stringent as customer's own.
Example:
Provider will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer's database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.
Publicity
Customer's reputation and good will are substantial and important assets
– Most notably via customer's name and other trademarks
Consider a provision relating to any announcements and publicity in connection with the transaction
– Prohibit provider from making any media releases or other public announcements relating to the agreement, or otherwise using the customer's name and trademarks without prior written consent
Term
The customer should be able to terminate the agreement at any time upon notice (14 to 30 days) and without penalty
– The software and infrastructure are being provided as a service and should be treated as such
– The provider may request a minimum commitment from the customer to recoup the provider's "investment" in securing the customer as a customer
– If you agree to this, limit it to no more than one year, and the provider should be required to provide evidence of its up-front costs to justify such a requirement
Termination
Termination for Convenience
– Client should be able to terminate the agreement at any time without penalty upon reasonable notice (14 to 30 days)
– Minimum Commitment Period: Provider may request a minimum commitment period to recoup the provider's "investment" in securing the client as a customer (i.e., sales expenses and related costs). If the client agrees, the committed term should be no more than 1 year and the provider should provide evidence of its up-front costs to justify such a requirement
Indemnification
Third party claims relating to the provider's breach of its confidentiality and security obligations, and claims relating to infringement of third party intellectual property rights
– Limitation to copyright is not acceptable
– Limitation to US IP rights may be acceptable, but consider whether use of the services will occur overseas
– Intentional breaches should be fully indemnified
Intellectual Property
The impact of intellectual property rights on customer's business must be analyzed.
– If the provider will be performing significant implementation services in connection with Services, the intellectual property ownership structure proposed by a provider may not effectively address the customer's business needs
– Consider: what if provider's intellectual property is incorporated into work product?
– Customer should obtain ownership of any "work product" and a very broad license to use any provider intellectual property incorporated into any work product
A provider may benefit from customer providing direction as to configurable screens that will be used by the customer.
– Consider adding a restriction against the provider using those same ideas in services being delivered from provider to any of customer's competitors
Limitation of Liability
Scrutinize limitation of liability provisions carefully
If you can't eliminate the limitation of liability in its entirety, seek the following protections:
– Mutual protection
– Appropriate carve-outs (e.g., confidentiality, data security, indemnity)
– A reasonable liability cap for direct damages
Implementation
When there will be significant implementation services, the customer should consider establishing a broad definition of "services" in the cloud computing agreement
– E.g., extensive software or hardware implementation, configuration, customization
This is useful in limiting provider claims for "out of scope" activity and requests for additional money
Warranties
The following warranties are common in these types of agreements:
– Conformance to specifications
– Performance of services
– Appropriate training
– Compliance with laws
– No sharing / disclosure of data
– Services will not infringe
– No viruses / destructive programs
– No pending or threatened litigation
– Sufficient authority to enter into agreement
Insurance
Customer should self-insure against IT risks by obtaining a cyber-liability policy
Provider should be required to carry:
– Technology errors and omissions liability insurance
– Commercial blanket bond, using Electronic & Computer Crime or Unauthorized Computer Access insurance
Most data privacy and security laws will hold the customer liable for security breaches whether it was the customer's fault or the provider's fault
Exclusivity
In order for customers to obtain the best pricing, providers are asking customers to contractually commit to an exclusive arrangement
Before entering into such an arrangement, ensure your company has the proper protections in the agreement
– Excellent service levels
– Appropriate exceptions to exclusivity
– Right to transition in anticipation of termination
You don't want to be bound to a poorly performing provider!
Weigh pricing advantages with performance commitments and reliability of the provider
Post-Execution Ongoing Provider Assessment
Regular program of evaluating a provider's performance
– Provider required to supply the requisite information to access the services
– Notify the customer of any changes with regard to the provider
– Provide recommendations to improve the services
Negotiation
Leverage is important – you may not be able to obtain all of the protections you want
Evaluate the business risks
– Do the services support a critical business function?
– Do the services involve sensitive data?
– Are the services customer facing?
If you can't get the protections you want in the most significant areas of risk, consider walking away
If walking away is not an acceptable option, focus on risk mitigation
– For example, if the provider refuses to modify its uptime service level (arguing that it cannot separately administer an uptime warranty for different customers) focus on improved remedies and exit rights for failure to meet the service level
QUESTIONS?
Matt Karlyn
Partner
Foley & Lardner LLP
111 Huntington Avenue
Boston, MA 02199
(617) 502-3231