Insight,

5 key issues in negotiating cloud contracts

AU | EN
Current site :    AU   |   EN
Australia
Belgium
China
China Hong Kong SAR
Germany
Italy
Japan
Singapore
Spain
UAE
United Kingdom
United States
Global

With the promise of cost savings, greater flexibility and ability to scale, it is not surprising that companies are continuing to move their key business applications and data to the cloud.  However it is important to consider potential concerns.  In this article we look at 5 key issues you should consider when negotiating cloud contracts.

Introduction

While the cloud is hardly a new phenomenon, we have seen the transition to the cloud accelerate in recent years as the continued growth in the digital economy puts older business models under pressure, with particular challenges for companies who are unable to respond in an agile manner.

Having acted for many clients on strategic cloud transactions, there are a number of issues that we have seen cropping up with increasing regularity.  In this article we look at a number of these issues and share some insights into how negotiations on these issues typically play out.

In particular, customers should ensure that the cloud vendor’s right to access and use data is limited to:

  • use for the vendor’s internal business purposes, ideally for the sole purpose of improving the vendor’s service offerings (and not for any commercialisation or other external use); and
  • data about the customer’s interaction with the vendor’s service (and does not extend to the customer’s own data) in a form that is anonymised and aggregated and not capable of identifying the customer or its clients.

Of course, a customer may not relish the prospect of additional compliance-related costs above the vendor’s ordinary service charges.  In order to strike a fair balance, the customer should consider:

  • applying a materiality threshold so that niggling or incidental costs are not passed through;
  • requiring that the vendor substantiate any costs for which they are seeking recovery along with an express commitment to mitigate those costs where possible; and
  • imposing a limitation on recovery of costs for changes that should be considered an ordinary cost of business for the vendor.  The customer should not be subsidising costs that the vendor would have had to incur even if they weren’t providing services to the customer.  For example, if there are changes that are necessary for the vendor to comply with a new law, or with a new industry standard or regulation, or simply in order to maintain alignment with industry practice, then the cost of those changes should be absorbed by the vendor rather than passed through to the customer.

Often the compromise is for the parties to agree on a separate ‘super cap’ or ‘sub cap’ where specific categories of liability are dealt with separately from other liabilities under the cloud contract.  These separate caps may be either set by reference to a fixed dollar amount or to a proportionate measure, such as a multiple of fees paid or payable under the agreement or an applicable SOW, either over the life of the engagement or over a specific time period.  The drafting of these liability arrangements, including the interaction with general liability caps, can be complex and will need to be carefully reviewed.  As well as being wary of drafting traps, the customer will need to take care to ensure that:

  • the caps that are specified are sufficient to provide meaningful protection for the customer in a ‘worst case’ breach scenario and if not, whether the customer’s own insurance can make up for the shortfall; and
  • any exclusions in the contract do not present a bar to the customer recovering the most common types of loss that are likely to arise from a privacy or data-related breach, such as regulatory fines, customer claims, and costs of notifying end users and undertaking remedial works (e.g. restoring lost or corrupted data).

More mature vendors may even have their own pre-prepared contractual addenda that are designed to address regulatory concerns in specific sectors that they are targeting.  In other cases, the customer may have a greater role to play in educating the vendor about the particular regulatory challenges they face.  Either way, regulated customers need to take care that by engaging with a cloud vendor they will not be creating an insurmountable compliance gap. 

LATEST THINKING
Insight
In fulfilment of key Labor election promises, legislation was introduced into the Federal Parliament today to make unfair contract terms illegal and raise maximum penalties for breach of competition and consumer laws.

28 September 2022

Insight
The Federal Government has today introduced a bill to implement a further seven of the recommendations of the [email protected] Report (Bill), as well as making a number of other changes.

27 September 2022

Insight
Nearly 2 years of record-breaking public M&A activity in Australia has put pressure on Boards to respond to changing tactics from increasingly aggressive bidders.

27 September 2022