By Frank Jennings, cloud lawyer at DMH Stallard
Cloud means no software. Cloud offers flexibility and scalability. Cloud is cheaper and more resilient than on-premise IT. We’ve all heard about these, and no doubt other, benefits of cloud.
It’s very easy to start using cloud services and to get these benefits. You can even bypass your CIO by using your credit card to buy a cloud service direct. But do you check what you’re getting before you sign up? All too often, customers ask the really important questions after they have adopted cloud.
Here is our FAQ on the risks in cloud contracts: the questions customers should be asking. And guess what? Reputable cloud providers don’t mind you asking.
1. Will the provider negotiate the contract?
This depends upon the type of cloud. For public cloud, probably not, as it’s a highly standardised generic service – it either does what you want or you go elsewhere. But with private and hybrid cloud, or where you are dealing with a reseller, you can and should negotiate.
2. What service guarantees will the provider make?
With public cloud you will generally get a multi-tenanted solution where you and other customers share space on the provider’s infrastructure. It won’t be tailored to your exact requirements so the provider’s promises will be restricted. While the provider may promise that the service will comply with its published specification and SLA, you should expect statements that the service is provided “as is”, with exclusions of any useful promises about it being fit for your specific purposes or that the quality of the service will be satisfactory for your needs. Again, with private / hybrid / resellers you can specify a greater degree of tailoring and you should negotiate these warranties too.
3. What risks does the customer bear?
Remember, the customer is ultimately responsible for data security and compliance and the Information Commissioner or FSA will fine the customer for breaches. If you want your data kept in the UK or EU, check the location of the provider’s primary and secondary data centres, and don’t forget to ask where their call centre is. If you want back-up or failover, don’t assume these come as standard. If you want your data encrypted, are you responsible for this? If the data is lost, are you responsible for recovering it? Has the provider limited all their liability to the fees you’re paying them (or, as above, to service credits only)?
4. What should I look out for?
Does your provider have a good reputation? Do they hold any accreditations, such as ISO27001/9001, or conform to the Cloud Industry Forum’s Code of Practice? These take time, money and effort and show that the provider has an eye on the customer’s interests. Do a credit check on them. Do they own the data centre or buy space from someone else? Is it Tier 3 or above? Can you “step-in” to the contract if your reseller goes bust? Can the provider post new terms or prices on their website by simply emailing you?
5. Can I sue my cloud provider for a service failure?
Typically, the customer will bear the brunt of a public cloud service failure. Check the SLA – it will probably say your “sole and exclusive” remedy is service credits on an hourly or daily basis, and you’ll have to claim these as the provider won’t automatically give them to you. If your cloud service is down for a day, service credits generally won’t be of any use anyway. Again, with private / hybrid / resellers, you can often get better protection. You get what you pay for, after all. Some providers are so certain of their resilience, they will even indemnify the customer for data loss. But, be careful: anyone can set up a cloud service. It doesn’t mean they have any capability. Or money.
6. How do I change provider?
If you’re dissatisfied with their service, you may be able to end the contract for service breaches – but see the warnings above. Otherwise, you’ll have to terminate by giving notice. Often cloud contracts are for a minimum period so check whether this has elapsed. Make sure you give notice in time to avoid an auto-rollover of another 12 months.
7. Is insurance worth getting?
Insurance for cloud outages and data losses is at an early stage, but you should definitely speak to a broker. Of course, even the best insurance cover is never a substitute for taking practical steps to minimise the likelihood of needing to claim on it.
8. Can a lawyer provide any guidance on this?
Of course, but check that your lawyer really knows cloud. For example, make sure they’re familiar with the Cloud Industry Forum’s best practice contract recommendations. You wouldn’t go to your GP for heart surgery, so think carefully before using the same lawyer who drafted your Aunt Mabel’s will.