Going to the cloud? Get a lawyer

Thinking about shifting business to the cloud, or signing a deal with a cloud services provider? Bernice Karn has one piece of advice: get a lawyer.

Actually, Karn has a lot of advice, and the lawyer with Cassels Brock shared some of it with attendees recently at the Canadian Channel Chiefs Council’s (C4) first education seminar – From Cloud Illusions to Cloud Realities: Cutting through the Hype.

Much of Karn’s practice revolves around reviewing cloud service contracts that major companies are considering signing with service providers, and she identified a “dirty dozen” contentious things about cloud computing that customers – and service providers – would be wise to heed.

While the pros of Cloud include that it’s cheap, simple, flexible and scalable, Kearns points to a few important cons: the customer loses control and oversight, becomes dependent on third parties, loses the practical ability to bring the service back in house, and local laws can also prove to be an impediment depending on where the servers – and the service provider – are physically located.

Karn’s “dirty dozen” are 12 fundamental issues that customers should consider when negotiating a contract with a cloud service provider.

1. Scope of services: This should be clearly defined, with the client understanding what they’re getting and not getting.
2. Service level agreements: Savvy customers will want this to be meaningful, speaking to the responsiveness of the solution, the resolution, and arrangements for sunsetting and the return of data. “As a customer, I’d look very closely at SLAs for what’s included and what’s excluded, and make sure it’s meaningful to your business,” said Karn.
3. Privacy and confidentiality: There should be provisions for confidential information such as financial statements and trade secrets and applicable laws for personal information should be followed.
4. Securities and other compliance issues: There are a number of laws and regulations, such as Sarbanes-Oxley, that may apply. “If you have compliance requirements you should bake those into the contract,” said Karn.
5. Disaster recovery and business continuity: What the service provider will do to ensure service continuity should be addressed, including system breakdowns, natural disasters and other reasonably foreseeable events. Covenants should be obtained around regular testing and remedial actions.
6. Record keeping: In addition to basic good business practices, Canada has several laws that require certain records to be kept. Customers should know what record keeping will be undertaken.
7. Inspection and audit rights: The customer’s right to audits and the scope of such auditsshould be specified.
8. Subcontractors: The contract should specify when subcontracting is allowed and within what scope, and ensure subcontractors provide IP rights, warranties and indemnities to the customer.
9. Default and Termination: Everything should be clearly specified including default situations, remedies and cure periods and termination for convenience. Service level credits can’t be the sole and exclusive remedy for service interruption or termination.
10. Limits of liability: The cloud provider’s risk allocation technique must make the business viable – if it doesn’t, it may speak to the soundness of their business.
11. Indemnities: Another risk allocation device, this should be limited to 3^rd party claims and might typically include IP indemnity, 3^rd party privacy breaches and any other sensitive issues.
12. Transition issues: “Transition issues are one of the most overlooked things in a cloud deal,” said Karn. “As a user, you can’t just have the switch turned off one day. You need lead time.” Provisions should be included for knowledge transfer and, if it’s a critical application, transition services should be required even in the case of a termination for default.

“Don’t just use a cloud agreement you found on the web,” warns Karn. “Service providers that give customers a harder time on their contracts are the ones I feel better about. Those that I mark up their contract and they just say OK, they worry me. It says they’re not paying attention.”