Cloud-based Services Agreements: Legal Q&A

Apr 19, 2021

Cloud services are becoming more important than ever in business. Many organisations across the globe use at least one type of cloud service. This article answers some frequently asked questions in relation to cloud service offerings and some of the key provisions which are most likely to be discussed and negotiated in cloud-based contracts.

What is software as a service?

Software as a service (SaaS) is the delivery of a service by an IT provider that remotely hosts and manages software for its customers. In addition, the software service provider usually offers initial and ongoing support services as part of a SaaS contract. True cloud computing services follow a “one-to-many” model. In essence, there is a standard software product, of which a service provider allows many customers to access the same version. The software is not tailored for specific client requirements, although in practise many SaaS offerings will allow a degree of configuration to suit individual business needs.

What is infrastructure as a service?

Infrastructure as a service (IaaS) is the delivery of computing resources such as servers, central processing unit (CPU), network equipment, memory, disk space and data centre facilities over the internet. IaaS enables an organisation to outsource their hardware or infrastructure to a service provider that hosts the equipment in a secure data centre and access it via the internet. One of the advantages of this model is that it avoids upfront capital expenses for hardware, ongoing maintenance costs and the expense of office space to store the equipment. It also reduces the time the IT staff must spend on fixing problems related to the infrastructure and allows them to focus on more strategic issues for their organisation.

What is platform as a service?

Platform-as-a-service (PaaS) is a type of cloud computing offering via which a service provider allows the customer to host their software application or app on the service provider’s platform in order to distribute them to their clients. This allows the customer to avoid the significant costs of large-scale data centre purchases and provide a channel to clients, thereby reducing the cost to market for new cloud applications. Google App Engine is an example of PaaS.

What is the difference between each of the main categories of cloud services?

In short, the main categories of cloud services can be differentiated as follows:

  • SaaS is a method by which software is made available, on a service-based model, to users over the Internet.
  • IaaS offers cloud infrastructure services, for example storage, payments, networking, virtualization, that are used to run other services.
  • PaaS provides tools and platforms that are available over the internet.

What are some of the key elements of a cloud-based contract?

Depending on the nature of the cloud service(s) that are subject of the relevant contract, some or all of the below might be relevant:

Service scope:
Most cloud-based services agreements will include a provision which sets out the specific service lines / service applications which the customer may use and what those service lines / applications comprise in terms of service offering – for example the features and functionality of a SaaS product or the technical specification of a IaaS service. The agreement may also specify the number of authorised users or other defined extent of permitted access or use, and the locations at which they may access the product / service from. For example, the agreement may only permit specifically identified users to use the service or it may allow the entire customer organisation to use the service.

Service Levels:
These provide objective and measurable assessments of key elements of the software service. Service levels will not always be included in a service provider’s standard form contract, so customers should ask for service levels to be included as it is an important way of gauging the performance of the service provider in delivering the contracted services. Failure to achieve the service levels is often linked to a financial consequence for the service provider. This is typically achieved through the inclusion of a service credit regime where the service provider will pay or credit the customer an agreed amount which should act as an incentive for improved performance. Customers will also often seek to include a right to terminate the contract for critical or persistent breaches of service levels.

Response times & resolution efforts:
More often than not, service levels will establish time frames during which the service provider must respond to customer complaints about performance and / or issues being experienced with the service, and also the level of effort that they must go to in order to resolve the issue. The response times usually correlate to the seriousness of the reported problem, so the more serious the problem (usually measured as a “severity level”), the quicker the response time. Resolution times and effort levels may depend on the nature of the relevant services.

Data Protection & Security:
One of the main customer concerns will be the level of security the provider uses to protect customer data and applications. In addition to conducting technical and operational due diligence, the customer may seek a suite of contractual protections from the supplier – for example a warranty from the supplier which states that the supplier will comply with any laws, regulations, codes, industry standards etc which are applicable to the customer or an authorised user relating to data protection, security of network and information systems and security breaches.

Where personal data will be processed under the agreement, the parties will need to consider the impact of any applicable data protection legislation and both parties will want to ensure compliance and that their position is sufficiently protected. Technical and operational due diligence will play an important part in this analysis. Contractual provisions may also assist – for example, customers will therefore want to ensure that the supplier is obliged to comply with relevant data protection laws and cooperates in the event of a security incident – the customer may seek an indemnity from the supplier in the event of a breach by the supplier of their data protection obligations. Customers will also wish to place parameters around the locations at which their data can be stored at rest, and from which their data can be access (e.g. in connection with support).

Intellectual property:
It is common for the cloud service provider to provide customers with an indemnity in the event that that a third-party claims that the use of the service by the customer infringes the intellectual property rights (IPR) of a third party. Where arrangements are established on an international basis, customers should ensure that the IPR indemnity is sufficiently broad to protect its business in all jurisdictions in which the software will be used. Consideration should also be given to how the indemnity interacts with any caps on liability and exclusions of liability contained within the contract.

Each cloud-based contract should clearly set out the service charges and the basis of their calculation, such as limits on the number of users (and the cost of additional users as the customer’s business grows in size). Consideration should also be given to whether the contract price covers the costs of any additional storage space required (where relevant) and whether the price covers any configuration assistance which may be needed to adapt the software / service to any specific business needs of the customer.

Cloud based agreements may offer discounts in order to encourage customers to sign up for longer contractual terms. Customers should therefore give careful consideration as to whether it makes sense commercially to be tied down to a long-term contract in order to enjoy the benefit of the discount. Customers may guard against becoming tied to a long-term arrangement as over time, the service may no longer meet their changing business needs or match developments in other software / service offerings. However, a long-term contract may not be an issue if the termination clause enables the customer to terminate the agreement for convenience whether at will or at an agreed point during the contract term.


Cloud-based agreements present potential risks and rewards to both suppliers and customers as well as a broad range of legal and commercial considerations. It is therefore essential that businesses understand each cloud-based offering and that experienced lawyers are instructed to carefully review and negotiate the underlying contract.

How can we help?

If you need assistance or support with drafting or negotiating your cloud-based contracts, please get in touch with Alex Collinson or Mark Chapman on 01276 686222 or via email: alex.collinson@herrington-carmichael.com or mark.chapman@herrington-carmichael.com.


This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.

Cesare McArdle

Cesare McArdle

Senior Solicitor, Commercial and Construction Law

Legal Director, Commercial and Construction Law
 0118 989 9709
e: cesare.mcardle@herrington-carmichael.com

Alex Collinson

Alex Collinson

Paralegal, Corporate and Commercial Law

Sign up

Enter your email address for legal updates on Corporate and Commercial law.

Please see our privacy policy regarding use of your data.

Contact us

    The information you submit will be handled in accordance with our privacy policy.

    Latest Insights - sign up to our Emailers

    Our Emailers will bring you the latest news and insights from our legal teams as we look at the key talking points in life and in law.

    Our insights will include articles, podcast discussion and information about our events and services.

    You can sign up to as many as you wish and you can opt out at any time.

    Sign up to our Emailers

    Please see our privacy policy regarding use of your data.

    Latest News & Insights

    Top Legal Insights


    Contract Law

    Material Breach of Contract

    What is a ‘material’ breach of contract by a party to a commercial contract? This is a critical issue regularly considered by the courts. What constitutes a material breach and what are the remedies?

    Property Law

    Commercial Lease: The Financial impact on Landlord and Tenant

    Coronavirus (COVID-19) and the restrictions now in place to control its spread, are having a significant effect on many business sectors.

    Divorce and Family Law

    Divorce in Lockdown: Can I get some discreet legal advice?

    We have spoken to clients who are unfortunately experiencing some family issues, and would like to obtain expert legal advice, yet don’t know how...

    Land & Property Dispute

    Restrictive Covenants – The Price of Modification

    Having identified that your land is burdened by a restrictive covenant and for the purposes of this article the covenant in question will be that only one residential building can be erected on the land. What do you do next?

    Wills, Trusts and Probate

    Why is having a will so important?

    It is entirely up to you if and when you want to create a Will, but it is important to be aware of the consequences of not having a Will.

    Award winning legal advice

    We are solicitors in Camberley, Wokingham and London. In 2019, Herrington Carmichael won ‘Property Law Firm of the Year’ at the Thames Valley Business Magazines Property Awards, ‘Best Medium Sized Business’ at the Surrey Heath Business Awards and we were named IR Global’s ‘Member of the Year’. We are ranked as a Leading Firm 2022 by Legal 500 and Alistair McArthur is ranked in Chambers 2021.


    60 St Martins Lane, Covent Garden, London WC2N 4JS 

    +44 (0) 203 755 0557



    Building 2  Watchmoor Park, Riverside Way, Camberley, Surrey  GU15 3YL

    +44 (0)1276 686 222


    Wokingham (Appointment only)

    4 The Courtyard, Denmark Street, Wokingham, Berkshire RG40 2AZ

    +44 (0)118 977 4045


    © 2020 Herrington Carmichael LLP. Registered in England and Wales company number OC322293.

    Herrington Carmichael LLP is authorised and regulated by the Solicitors Regulation Authority.

    Privacy   |   Legal Notices, T&Cs, Complaints Resolution   |   Cookies   |   Client Feedback