SaaS arrangements and cloud computing are becoming commonplace, and the benefits of removing IT from the infrastructure business are becoming more and more obvious. While this technology is maturing rapidly and moving from novelty to commodity, negotiating contracts with cloud vendors can still be a challenge.
Sensitive Customer Data
What about sensitive customer data being stolen from the cloud provider? What happens when lawsuits start flying everywhere?
One of the main concerns when it comes to cloud computing is the security of the data. This is even more important given the current focus on data theft. Even though you might think you are the owner of the data used by your provider, detailing this in the contract with your provider is paramount.
Data encryption, the ability to audit security procedures, security breach notifications, and allowing outside auditors to examine the controls and procedures for transmitting, handling, and storing data all need to be a part of the contract.
Data and Liability
Data ownership shouldn’t be left to assumptions either. Contracts should state clearly that data is owned by the customer and should also contain provisions regarding contract termination, and how a copy of all the data must be delivered to the client with the rest being destroyed permanently.
The liability limitation clause is something seen everywhere from vendor contracts to amusement parks, and the cloud is no exception. The first iteration of such a clause favors the party drafting it, and cloud vendor contracts are no different.
Providers usually include provisions which limit their liability depending on how much the customer pays to the provider. If you have to deal with a high-value lawsuit because of a customer data breach, or damages because of a technical problem with your business, a cap of this kind is unlikely to cover the damages if the outage or breach was caused by negligence on the part of the cloud provider. With SaaS fees falling, a liability that is based only on the fees paid to the cloud provider could leave you overexposed.
Force majeure clauses cover any unforeseen circumstances which prevent a provider from delivering promised services, many times services which the customer has paid for in advance.
Such scenarios range from the mundane, like key communications links getting severed, to natural disasters and even terrorist incidents.
Even though you can’t expect your provider to keep running through all unforeseen disaster scenarios, clients should stay protected and not pay for services they can’t use.
Cloud providers shouldn’t be able to claim force majeure unless they are in compliance with their backup obligations. The client needs to receive a credit for every day of interruption, and also be allowed to terminate the contract if the force majeure event lasts longer than the agreed time period.
Basically, the provider shouldn’t be able to claim force majeure if their backup data center can’t handle the demand when the primary center has failed because of something like an earthquake.