The cloud is everywhere. In just a few years, business use of hosted and distributed solutions has moved from the margins to the mainstream in a wide variety of fields. This growth has created demand for customer-side expertise in negotiating cloud contracts. The nature of cloud solutions and the efficiencies they yield impose limits on customers’ flexibility to address some traditional software licensing concerns while presenting unique, additional risks for customers. Advisors who understand what is on (and off) the table can set informed expectations for their clients, offer meaningful advice about the risks and benefits of choosing the cloud over its alternatives, and run effective, efficient negotiations with cloud vendors.
Cloud service customers contend with issues that arise in traditional software licensing, such as the risk that a solution does not work as anticipated, is not ready by the customer’s deadline, or infringes a third party’s intellectual property rights. But some of these issues may be handled differently in the cloud. For example, because cloud vendors usually offer a standardized solution to all customers, they rarely agree to terms that would require changes to hardware, software, or processes for a single customer.
Cloud vendors can negotiate over non-operational issues, such as pricing, indemnity, and liability caps. But customers should keep this trade-off in mind: with the lower cost of cloud-based solutions, the customer can expect increased risks, and some loss of flexibility. For example, damage caps in cloud services agreements tend to be lower than in agreements for comparable on-premises software.
Cloud customers also face potential liability that licensees under more traditional software arrangements do not. Cloud customers do not possess a copy of the software, and unlike licensees of on-premises software, the cloud customer’s access to the software could end in a moment. Vendors can use the “on/off switch” to generate leverage over the customer in disputes and renegotiations, so the cloud customer should negotiate terms that specify when it is acceptable for the vendor to terminate or suspend the solution. Or the solution could simply disappear due to a distant force majeure event, a risk that adds new complexity to the customer’s disaster and business continuity planning.
Unlike most traditionally licensed software, cloud solutions also put the customer at risk by transmitting, storing, and processing the customer’s data outside of the customer’s networks.
The vendor is unlikely to customize its data security regime for a single customer, but the parties can establish the privacy and security standards that the cloud solution must meet in the contract, provide for periodic independent certification or security audits to verify that these standards are in place and effective, establish processes that the vendor will follow if there is a security breach, and allocate responsibility for liability stemming from the breach. The customer should also understand when and how it will have access to its data throughout the term and negotiate for the right to receive a complete set of data in a useful format at the end of the term.
Service level commitments with meaningful remedies can help to mitigate some of the unique operational risks presented by cloud services, but customers should be aware that requests for custom service levels are likely to be met with blank stares. Customers should ensure that the service levels include meaningful remedies, allow the customer to terminate for very poor performance, and do not allow the vendor to avoid responsibility for warranty breaches by paying small service level credits.
When business and legal advisors know the cloud playing field, their clients will understand their liability exposure and can contract accordingly.