Shifting to the cloud offers organisations compelling benefits, including reduced capital expenditure, increased operational agility and faster innovation. However, the move also comes with contracting risks that – unless deftly negotiated – could leave a business facing significant legal and commercial harm.
Against this backdrop, what are the key issues that organisations and their legal teams need to look out for as they embark on procuring cloud services? And what specific contracting concerns should they address to ensure they remain in a secure position?
To answer these questions, MinterEllison hosted a webinar with some of its most experienced practitioners in cloud services procurement: Partners Paul Kallenbach (Technology Law and Cyber Risk, Melbourne), Nick Pascoe (Technology Law, Sydney), Jonathon Blackford (Technology Consulting, Brisbane) and Senior Associate Margaret Gigliotti.
“What we’re seeing is that clients are continuing to push in this particular space. The complexity is going up, the level of spend is constantly going up and the savvy of the counterparties when it comes to the negotiations is increasing as well.”
Whether entering an agreement with a hyperscale provider or a niche vendor, there are specific concerns that must be addressed to ensure the company remains in a secure position. Here we explore some of these concerns, and how to address them.
Organisations should employ competitive tension in the early stages of procurement, particularly with specific products and niche providers. It’s possible to start with client terms if settings favourable to the client have been created during the request for tender (RFT) process.
“The best negotiator doesn’t only start when they walk in the room; they start in the RFT process. We see clients getting some really great results from cloud providers using their own terms for a niche product, using competitive tension.”
Negotiations with hyperscale providers, however, tend to start on the vendor’s terms. One tactic that may help in this situation is to include a set of legal requirements the vendor must respond to (by stating that they can or cannot comply with them) in the RFT documents. This approach can assist in comparing positions offered by different vendors and focus attention on key legal risks.
Navigate incorporated terms
Another issue when signing up to cloud services is that general and specific terms, such as product terms and service level agreements, are often referred to on the order form by URL. The danger is that vendors can and do change those terms, making the conditions of the agreement dynamic rather than static. Our panellists’ advice is to make these static by appending the terms to the order form, or by cross-referencing to a specific version of the terms and conditions.
“The documents that you sign up to may not be static documents. They could be dynamic. The risk here is that the vendor can change those terms at any time.”
In some cases, however, it may not be in the client’s best interest to make product descriptions on the order form static, as cloud services are constantly evolving and improving. Here, the panellists’ advice is to add a provision stating that the supplier cannot materially reduce the functionality, performance and security of the service, and that doing so will give rise to a right for the customer to terminate the agreement.
Allocate and mitigate risk
The panellists also noted that as clients tend to rely heavily on their cloud services providers for both technical and commercial support, it is important that rights and obligations be allocated fairly between the parties when it comes to liability, suspension and termination.
Vendors typically exclude liability for loss of profit, revenue, goodwill and savings in agreements, but some also exclude liability for data loss. This can sometimes be addressed directly in the contract by removing any exclusions for loss of data, but the panellists’ advice is to mitigate the risk of data loss in other ways, such as by implementing a robust backup strategy.
It’s important to seek appropriate termination rights within the contract. This is typically less of an issue with hyperscale vendors, as clients can either choose to leave at the end of their subscription or forfeit their prepayment. When entering into larger contracts with niche cloud providers, however, organisations should consider including a specific termination for convenience clause. That’s because it’s typically difficult to meet the material breach threshold for terminating an agreement. Therefore, to cover instances when the client is dissatisfied with the service, the panellists recommended including a termination for convenience clause, even if there is an early termination fee attached.
Similarly, it is important to ensure that the triggers for suspension rights are appropriately calibrated such that the vendor is only permitted to suspend access to a service if there is a material breach of contract by the customer or a significant threat to the system. Customers should also ensure that the suspension’s scope is as limited as reasonably possible (for example, limited to relevant user accounts), and that the vendor is required to re-establish services promptly after the issue has been resolved.
Another key issue to consider is the limited warranty and sole remedy construct that is often included in cloud service contracts. Cloud service contracts often include a warranty that the service will substantially conform with its product description or specifications. However, vendors will seek to limit their liability for a breach of this warranty to repair or refund. Customers should attempt to resist this position and retain all their rights and remedies, including their right to terminate for cause.
Ensure regulatory compliance
Hyperscale vendors typically include privacy provisions within their standard contracts calibrated to comply with the European Union’s General Data Protection Regulation (GDPR) standard. These may need to be tailored to suit the Australian context. There are three main things to look out for in these negotiations.
The first is to ensure that Australian regulatory requirements are met by adding necessary provisions that address regulatory gaps. An example is the Australian Prudential Regulation Authority (APRA) 72-hour notification requirement for information security incidents that applies in the financial services industry. This requirement is usually not addressed in GDPR-based data protection addenda.
Second, data sovereignty is an important consideration. While most hyperscale vendors now have data centres in Australia and can assure customers that data is stored locally, there is still a risk that the providers’ support personnel outside Australia may access this data for support or other reasons. To mitigate this risk, our panellists recommend ensuring that, at a minimum, the vendor provides transparency around its support processes. Where it is critical for data to remain in Australia, and only be accessed from here, customers may be able to elect to receive only onshore support (during reduced support hours).
Third, vendors sometimes include clauses stating that customers must not upload particular ‘sensitive’ data to the service. Under Australian law, sensitive data is broadly defined, and a client may technically and inadvertently breach this provision. This can occur, for example, if a job applicant uploads their CV containing health information to the cloud service. If a customer will in fact be uploading sensitive information, this should be noted in the order form as a special condition that overrides the relevant prohibition.
Other potential compliance issues include the Australian Government’s new Security of Critical Infrastructure (SOCI) requirements. These may require specific provisions to be included in the contract, including to require cooperation from vendors in complying with security incident notification and management obligations.
Our panellists advised raising regulatory compliance issues early in the procurement process, as these can sometimes require a targeted, high-level escalation process to procure vendor compliance. The key is to present these requirements early, clearly and consistently.
A complex cloud services landscape
The cloud services landscape is becoming increasingly complex, particularly in a quickly evolving regulatory environment. Companies should enter the cloud services procurement process armed with a clear understanding of their regulatory requirements and risk settings.
Contact us to find out more about how we have successfully procured cloud services for many of our clients, and how we can help you achieve optimal outcomes.