Here are four legal traps to look out for before signing on the dotted line for a cloud-based service.
1. Intellectual Property Exposure
“When moving trade secrets to the cloud, the customer must ensure the cloud provider has adequate protections in place to maintain the secrecy of the information,” says Todd Fisher, partner in the outsourcing and commercial transactions practice of K&L Gates. The customer needs to fully understand the protections in place for its proprietary information, processes and services, and then determine whether the remaining risk is acceptable.
Don’t settle for a provider’s standard contract when there are IP issues at stake, says Fisher. Potential cloud buyers should take care with the contract to make sure they retain ownership of all their own data, particularly IP-related information, and that the provider uses it only to deliver the service. An explicit provision preventing the vendor from misusing or disclosing customer IP is also a good idea.
In addition, new intellectual property can be created in the course of a cloud computing engagement and the customer may want to add provisions that give them ownership of assets created in the course of the deal. Include a clause to retain ownership of such IP or preclude the vendor from using it with other customers, Fisher explains.
2. Bait and Switch Terms
It may go without saying to never sign a contract before reading it, but always read the contract in front of you, not the vendor web site, says Pamela T. Church, partner and head of the intellectual property group in the New York office of Baker & McKenzie. It’s not uncommon for a vendor’s advertising to contradict its actual agreements.
Equally troubling is any cloud contract that’s as vague as the vendor’s marketing collateral. Terms that merely require conformity to “industry standards” or performance that is “appropriate,” “sufficient” or “best practice” are red flags. Cloud computing customers should define specific standards of performance such as results, service levels or tasks to be achieved.
3. Weak Disaster Recovery and Business Continuity Processes
There has been no shortage of high-profile cloud computing failures and service disruptions in recent years. Yet business continuity and disaster recovery continue to get short shrift in cloud computing agreements.
Cloud clients can contractually require cloud vendors to meet certain data backup and recovery requirements. They can even specify as a service level a recovery point objective (RPO)—the point in time to which the provider must recover data—and recovery time objective (RTO)—the speed with which the provider must restore the data, says Fisher.
When a service disruption or disaster occurs, many cloud computing clients are surprised to find their contracts silent on disaster recovery and business continuity and the cloud provider operating under a much less stringent RPO and RTO than expected, says Fisher.
4. Pin the Failure on the Customer
“When moving processes and services to the cloud, customers sometimes transfer certain software applications for the cloud provider to run or access,” says Fisher. “The customer should make sure the customer’s license agreement for those applications allows access or use by the cloud provider for the customer’s benefit. Otherwise, the customer could be facing a breach of the license agreement and a subsequent infringement claim.”
As with any services deal, the supplier may blame the customer when a disagreement arises. Cloud computing clients may wish to require the supplier to provide written notice to a specified individual within the client organization if the supplier asserts that the customer is failing to meet its obligations. This makes it easier to identify the true cause of performance problems and solve them before they get too costly or litigious.