Protecting Yourself in the Cloud: Seven Tips for Building a More Customer-Friendly Cloud Computing Contract
The cloud computing business model is one based on conformity. In exchange for that largely standard approach to technical delivery and service levels, customers can gain access to cost-effective solutions for everything from desktop support to infrastructure to business applications with minimal capital investment or ongoing management. “The vast majority of providers will leverage a common set of terms and service level agreements (SLAs) across all of their clients,” explains Rick Sizemore, director of the cloud computing practice at outsourcing consultancy Alsbridge. “This is one of the ways the provider can dramatically lower their cost model to deliver services.”
Yet high-profile outages at big name cloud computing vendors—from infrastructure-as-a-service providers Amazon and Rackspace to software-as-a-service vendors like Google and Intuit—may have some customers wondering if the one-size-fits-all approach affords them enough protection against spotty service or system failures. “Cloud providers generally do not offer adequate protections in their standard form contracts,” says Shawn C. Helms, attorney in the technology transactions and outsourcing practice at Jones Day. “In fact, most cloud providers offer up a contract that can fit on the back of a napkin. These simple documents often do not address the critical operational, business and legal issues that need to be addressed if the customer is using cloud services for business critical applications or is storing sensitive data in the cloud.”
While there is less wiggle room at the negotiating table when inking a cloud computing deal than, say, a traditional outsourcing arrangement, the customer does have the power to push for some custom terms or service levels. “Virtualization and other technologies allow for flexibility, customization and customer specific cloud service, monitoring and performance measurements,” says Helms. “If cloud computing providers are sufficiently motivated, they can offer customer customized solutions and related non-standard terms and conditions. It is not a matter of ability, but a matter of desire.”
Here are some contractual terms and negotiating tactics to consider—and a few to avoid—in your next cloud computing contract.
- Spell out specific service levels. The basic service levels offered up by the average cloud computing vendor are severely lacking, says Helms. A simple availability service level, for example, does not take into account potential degradation in network or software performance. “The system may be available, but it could be running at such a slow speed that it is not really usable,” says Helms. Customers should push for comprehensive service level definitions that address response times for various severity levels of reported errors—for example, the provider must respond to the customer within 15 minutes if there is a level one error, and the error must be resolved in two hours.
- Anticipate vendor changes. “Difficult issues arise from the cloud provider’s desire to update and change its pricing, services, and the customer’s need to maintain some measure of predictability and continuity to enable the customer to integrate the cloud services into their own enterprise systems,” says Paul Roy, partner in the business, technology and sourcing group at Mayer Brown. Even the most heavyweight customer can’t prevent such progress. But you should insist on sufficient advance notice of major changes and the right to exit if the change creates an unacceptable burden or risk, Roy advises.
- Work out remedies for poor performance. Plan now for that inevitable missed service level or outage. An influential customer may be able to insist that service level defaults result in service level credits, says Roy. Others may request termination rights in the event of a major outage or subpar service. As an alternative, some cloud agreements contain step-in rights, which allow the customer literally to step into the provider’s facilities and run their cloud offering in the event of a certain trigger (such as chronic failure of service levels). “However, such step-in rights are an extraordinary remedy for the customer,” says Helms, “and are most often strongly resisted by cloud providers.”
- Be willing to pay more. “Constraints are sometimes unavoidable, such as with the case of personal data protections and other legal compliance obligations,” says Roy. “In one case, the customer’s personal data protection requirements limited the jurisdictions in which the cloud provider could process the customer’s data, resulting in the customer paying higher charges to limit processing to the provider’s infrastructure in local jurisdictions.” The customer had to pay a little more for the custom arrangement, but the business case was still favorable.
- Never lock in. Avoid any language that will limit the enterprise’s ability to shift from one provider to another, advises Sizemore. That means avoiding vendor lock-in in any form—from multi-year contracts to a platform that makes it difficult to migrate data to another vendor. “Ideally, this would mean a pay-per-user or use contract, where data is stored in either an open systems format or an industry wide standard,” says Sizemore. Termination assistance rights—although a rarity in standard cloud contracts—are also worth fighting for, says Helms. They require that the provider continue performing its services for a specified period of time post-termination and help with the orderly transition of the service to a new vendor or back to the customer.
- Let some things go. Customers accustomed to standard outsourcing terms will have to adjust. “The traditional outsourcing provisions that concern the customer’s right to control solution details, including architecture, key personnel, security processes, service level standards, location, can be detrimental by imposing costs on a cloud provider, which translates to reduced savings for the customer,” says Roy.
- Consider the private cloud. If you can’t figure out the right balance between customization and standardization, the private cloud might be a better option. Typically delivered by large systems integrators, “it merges some of the technical innovations of a pure public cloud offering, with some levels of customization you get with traditional outsourcing,” says Sizemore. “The cost model is typically more expensive than public cloud options, but does allow some flexibility in terms of SLAs and contracts.”