“Cloud computing” has been around for decades, but has mushroomed in recent years due to the improvements in our communications infrastructure and the growing utility of managed service offerings to businesses of all sizes. But how does the average SMB achieve a good working relationship with their cloud provider, given the huge differences across this booming industry? Cloud providers can differentiate their services only to a limited degree, so businesses should be open to finding a good balance between the service offerings and the service terms.
Big Players Lead the Market, but Don’t Define It Completely
The major cloud providers include IBM, Microsoft, Amazon, Google and Salesforce.com. Their Terms of Service (ToS) are generally standardized for single and small users — however, major customers can and do negotiate their arrangements.
Most users won’t have the leverage or opportunity to negotiate terms and conditions, particularly with the largest national providers, who tend to use boilerplate “click-wrap” terms and conditions that cannot be modified. They have to agree to terms that are likely confusing without a lawyer’s help. For example, the standard terms and conditions for Microsoft or Amazon will contain multiple bundled documents that are presented for you to accept or deny, with no chance to negotiate or modify the ToS. Some typical terms and conditions may include:
- Acceptable Use Policy
- Customer Agreement
- Service Terms
- Trademark Guidelines
However, when the opportunity presents itself with small- and medium-sized cloud vendors, take every chance to negotiate on the terms vital to your situation. Don’t bicker or haggle just for the sake of argument. Understand your own needs and communicate them to your business partners; this is generally the most effective way of recognizing that each party has some legitimate objectives in the contracting process.
Consider the Important Legal Issues
If your company is using the cloud to store or access business data, and if you have the clout to negotiate, there are a few key issues you should address:
How can I ensure seamless and efficient return of data when I cease using the cloud?
Inevitably, each cloud customer will stop using its cloud provider at some point for some reason. When that happens, options are limited to: 1) moving the processing back in-house and off the cloud; or 2) moving to another cloud provider. Diligent customers need to negotiate with their cloud providers to clearly define closure and termination issues, including the data format and the cost for migration of the data to another location. Failure to address this could result in an expensive and painful migration, or a business decision to be stuck without the practical ability to change, similar to the days when changing cell carriers meant losing your cellphone number, making customers reluctant to switch.
How do you confirm and ensure your sensitive data has been appropriately deleted upon termination of your cloud services?
It is vital that the old cloud provider not retain the customer’s business data, such as financial documents, accounting records, customer data, or other business records. Deletion is particularly important because of laws and regulations related to privacy (including credit card information and/or HIPAA personal health information). The cloud provider agreement must obligate the cloud provider to delete data from its system (including backups) after the customer has migrated away. Additionally, the cloud provider should be bound to protect all confidential data at all times.
Understand data backup obligations.
Speaking of backups, companies routinely create data backups, and cloud providers are no different. Therefore, cloud provider agreements must clearly delineate how customer data and systems are protected from disaster, including sharing where customer data is stored and how the customer can access that data if and when it is needed.
Ensure protection of trade secrets.
If the cloud customer has trade secrets, such as proprietary customer data or software, that customer must properly protect its data or software and have tangible evidence to prove in a lawsuit that it made appropriate efforts to protect those trade secrets. One of the best ways to prove that a trade secret has been properly protected is to show that only the trade secret owner can access the protected information. One solid way to do that is to have the ability to audit.
Establish the right to audit cloud IT operations.
The Sarbanes-Oxley Act (SOX) requires publicly traded companies to comply with laws of the Securities and Exchange Commission (SEC) including the ability to audit and verify accounting data. In order to conduct a SOX audit of IT/Internet services, customers need audit rights in the agreement. For companies not covered by SOX, but for which a formal CPA opinion is required by stockholders, the right to audit the cloud provider is essential. Even if your provider is not so large as to be covered by these scenarios, a responsible small- or medium-sized firm should still have some reasonable means and methods for customers to conduct audit and assurance functions, so don’t expect less from the little guys.
Each business has its unique requirements for using cloud services. Signing the standard cloud provider agreements may be convenient, but risky. Any company using the cloud needs to properly protect its IT and data with a well-defined cloud services agreement that is clear and specific to the customer’s own requirements.