Cloud-based Services Agreements: Legal Q&A

Cloud services are becoming more important than ever in business. Many organisations across the globe use at least one type of cloud service. This article answers some frequently asked questions in relation to cloud service offerings and some of the key provisions which are most likely to be discussed and negotiated in cloud-based contracts.

What is software as a service?
Software as a service (SaaS) is the delivery of a service by an IT provider that remotely hosts and manages software for its customers. In addition, the software service provider usually offers initial and ongoing support services as part of a SaaS contract. True cloud computing services follow a “one-to-many” model. In essence, there is a standard software product, and the service provider allows many customers to access the same version of it. The software is not tailored for specific client requirements, although in practice many SaaS offerings will allow a degree of configuration to suit individual business needs.

What is infrastructure as a service?
Infrastructure as a service (IaaS) is the delivery of computing resources such as servers, central processing unit (CPU), network equipment, memory, disk space and data centre facilities over the internet. IaaS enables an organisation to outsource its hardware or infrastructure to a service provider that hosts the equipment in a secure data centre, and to access it via the internet. One of the advantages of this model is that it avoids upfront capital expenses for hardware, ongoing maintenance costs and the expense of office space to store the equipment. It also reduces the time the IT staff must spend on fixing problems related to the infrastructure and allows them to focus on more strategic issues for their organisation.

What is platform as a service?
Platform as a service (PaaS) is a type of cloud computing offering through which a service provider allows the customer to host its software application or app on the service provider’s platform in order to distribute it to its clients. This allows the customer to avoid the significant costs of large-scale data centre purchases and provides a channel to clients, thereby reducing the cost to market for new cloud applications. Google App Engine is an example of PaaS.

What is the difference between each of the main categories of cloud services?
In short, the main categories of cloud services can be differentiated as follows:

  • SaaS is a method by which software is made available, on a service-based model, to users over the Internet.
  • IaaS offers cloud infrastructure services, for example storage, payments, networking, virtualization, that are used to run other services.
  • PaaS provides tools and platforms that are available over the internet.

What are some of the key elements of a cloud-based contract?
Depending on the nature of the cloud service(s) that are the subject of the relevant contract, some or all of the below might be relevant:

Service scope:
Most cloud-based services agreements will include a provision which sets out the specific service lines / service applications which the customer may use and what those service lines / applications comprise in terms of service offering – for example the features and functionality of a SaaS product or the technical specification of an IaaS service. The agreement may also specify the number of authorised users or other defined extent of permitted access or use, and the locations from which they may access the product / service. For example, the agreement may only permit specifically identified users to use the service or it may allow the entire customer organisation to use the service.

Service Levels:
These provide objective and measurable assessments of key elements of the software service. Service levels will not always be included in a service provider’s standard form contract, so customers should ask for service levels to be included as it is an important way of gauging the performance of the service provider in delivering the contracted services. Failure to achieve the service levels is often linked to a financial consequence for the service provider. This is typically achieved through the inclusion of a service credit regime where the service provider will pay or credit the customer an agreed amount which should act as an incentive for improved performance. Customers will also often seek to include a right to terminate the contract for critical or persistent breaches of service levels.

Response times & resolution efforts:
More often than not, service levels will establish time frames during which the service provider must respond to customer complaints about performance and / or issues being experienced with the service, and also the level of effort that they must go to in order to resolve the issue. The response times usually correlate to the seriousness of the reported problem, so the more serious the problem (usually measured as a “severity level”), the quicker the response time. Resolution times and effort levels may depend on the nature of the relevant services.

Data Protection & Security:
One of the main customer concerns will be the level of security the provider uses to protect customer data and applications. In addition to conducting technical and operational due diligence, the customer may seek a suite of contractual protections from the supplier – for example a warranty from the supplier which states that the supplier will comply with any laws, regulations, codes, industry standards etc which are applicable to the customer or an authorised user relating to data protection, security of network and information systems and security breaches.

Where personal data will be processed under the agreement, the parties will need to consider the impact of any applicable data protection legislation, and both parties will want to ensure compliance and that their position is sufficiently protected. Technical and operational due diligence will play an important part in this analysis. Contractual provisions may also assist. For example, customers will want to ensure that the supplier is obliged to comply with relevant data protection laws and cooperates in the event of a security incident, and the customer may seek an indemnity from the supplier in the event of a breach by the supplier of their data protection obligations. Customers will also wish to place parameters around the locations at which their data can be stored at rest, and from which their data can be accessed (e.g. in connection with support).

Intellectual property:
It is common for the cloud service provider to provide customers with an indemnity in the event that a third party claims that the use of the service by the customer infringes the intellectual property rights (IPR) of a third party. Where arrangements are established on an international basis, customers should ensure that the IPR indemnity is sufficiently broad to protect their business in all jurisdictions in which the software will be used. Consideration should also be given to how the indemnity interacts with any caps on liability and exclusions of liability contained within the contract.

Each cloud-based contract should clearly set out the service charges and the basis of their calculation, such as limits on the number of users (and the cost of additional users as the customer’s business grows in size). Consideration should also be given to whether the contract price covers the costs of any additional storage space required (where relevant) and whether the price covers any configuration assistance which may be needed to adapt the software / service to any specific business needs of the customer.

Cloud-based agreements may offer discounts in order to encourage customers to sign up for longer contractual terms. Customers should therefore give careful consideration as to whether it makes sense commercially to be tied down to a long-term contract in order to enjoy the benefit of the discount. Customers may wish to guard against becoming tied to a long-term arrangement, as over time the service may no longer meet their changing business needs or match developments in other software / service offerings. However, a long-term contract may not be an issue if the termination clause enables the customer to terminate the agreement for convenience, whether at will or at an agreed point during the contract term.

Cloud-based agreements present potential risks and rewards to both suppliers and customers as well as a broad range of legal and commercial considerations. It is therefore essential that businesses understand each cloud-based offering and that experienced lawyers are instructed to carefully review and negotiate the underlying contract.

How can we help?
If you need assistance or support with drafting or negotiating your cloud-based contracts, please contact our commercial team.

Mark Chapman
Partner, Commercial

This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.
