Cloud Services Agreement

In this article, we have a look at some of the important aspects that must be kept in mind when building a Cloud Services Agreement

Introduction

Building blocks of a Cloud Services Agreement

What is a Cloud Services Agreement?

A Cloud Services Agreement is a contract between a customer and a cloud service provider that stipulates the terms and conditions for using the provider’s services. It’s like a rule book for using someone else’s computer systems over the internet.

 

Cloud Services can be divided into three main categories: software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). Here’s a explanation of each type:

 

Software-as-a-Service (SaaS): SaaS provides software applications that you can use over the internet without needing to install them on your own computer. Instead of buying a software license and installing it on your device, you access the software through a web browser and usually pay a subscription fee. Examples of SaaS include Google Workspace (formerly G Suite), Microsoft Office 365, and Salesforce.

 

Platform-as-a-Service (PaaS): PaaS offers a complete environment for developers to build, test, and deploy software applications without worrying about the underlying infrastructure. The service provider takes care of the servers, storage, networking, and other infrastructure components, while the user can focus on writing code and managing the application. Examples of PaaS include Google App Engine, Microsoft Azure App Service, and Heroku.

 

Infrastructure-as-a-Service (IaaS): IaaS provides virtualized computing resources over the internet, such as virtual machines, storage, and networking. Users can rent these resources as needed and scale them up or down according to their requirements. IaaS is like renting a virtual computer and its components instead of buying and maintaining physical hardware. Examples of IaaS include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.

 

In summary, SaaS is like renting software applications, PaaS provides a development platform for creating your own applications, and IaaS offers the virtual infrastructure to run your applications and store data.

What is the difference between a Cloud Services Agreement and a Software Licence Agreement?

When you use Cloud Services, you’re generally granted a limited, non-exclusive, and often non-transferable right to access and use the software hosted by the service provider. With a Software License you are provided with a license which provides you with the right to use a specific version of the software, which often includes the rights to make copies for backup purposes or install it on a certain number of devices.

 

Cloud Services are usually provided under a subscription-based model and no copy of the Software is provided to the Customer (therefore, there is no need for a license).

 

Software, however, you generally pay a license fee and you receive a copy of the software.

What are Order Forms and why are they used?

Order Forms typically include the specific details related to a Cloud Services Agreement, such as the negotiated commercial terms, the duration of the agreement, and any other information agreed upon between the Provider and the Customer. By using an Order Form, businesses can streamline their negotiations and focus on the most critical aspects of the agreement.

 

In addition to the Order Form, a Master Cloud Services Subscription Agreement is often referenced, which contains other terms and conditions of a more legal nature. This agreement can be found on the Provider’s website and is presented as their standard terms and conditions for contracting with Customers. This approach gives the impression that the terms within the Master Cloud Services Agreement are non-negotiable, further simplifying the negotiation process.

 

Moreover, Providers prefer using Order Forms and referencing a Master Cloud Services Agreement because it allows them to make amendments to the terms and conditions more efficiently. When an amendment is made to the Master Cloud Services Agreement, the Provider generally notifies Customers via email, giving them the right to object to the changes. If no objections are received, the amendment is considered accepted and automatically incorporated into the Agreement. This method not only saves time but also helps maintain consistency across contracts with multiple customers.

Transaction blocks

Agreement specific blocks for a Cloud Services Agreement

Cloud Services

The first block generally contain a couple of sections. Let’s have a look-

 

Access rights: This section states that the Provider grants the Customer a limited right to access and use the Cloud Services, as long as the Customer pays the required fees and follows the terms and conditions of the agreement. This access is given for the duration of the agreed-upon term.

 

Affiliates: If applicable, the Customer’s affiliated companies can also use the Cloud Services, as long as they follow the terms and conditions set in the agreement and the Order Form.

 

Permitted use: This section clarifies that the Customer, their Affiliates, and their individual users can only use the Cloud Services according to the allowed purposes (Permitted Use – usually stated in the Order Form) and the documentation relating to the Cloud Services.

 

Retained rights: This section emphasizes that the Provider maintains all ownership rights and interests in the Cloud Services, including any software used to provide those services.

 

Users: The Customer is responsible for their users’ actions while using the Cloud Service, and for ensuring that those users comply with the terms of the agreement.

 

Login credentials: This section states that the Customer must ensure their users keep their login credentials confidential. If there is any breach or compromise of user accounts or credentials, the Customer must promptly notify the Provider.

Usage restrictions

Usage restrictions in Cloud Services Agreements are provisions that limit the way customers can use the cloud services provided by the service provider.

 

These restrictions are included to protect the service provider’s interests, ensure legal compliance, maintain the security and integrity of the system, and prevent unauthorized or potentially harmful activities.

 

Common usage restrictions found in Cloud Services Agreements include:

  • Illegal activities: Customers are prohibited from using the cloud services for any unlawful purposes, including activities that violate any applicable local, state, national, or international laws and regulations.

  • Security breaches: Customers are not allowed to use the cloud services to breach the security of any networks, systems, or accounts, including unauthorized access, data theft, or distribution of malware or viruses.

  • Intellectual property infringement: Customers must not use the cloud services to infringe upon the copyrights, trademarks, patents, or trade secrets of others, including unauthorized use, copying, or distribution of protected content.

  • Spam and unsolicited messages: Customers are typically prohibited from using the cloud services to send unsolicited messages, such as spam or other unwanted communications, which can be disruptive or harmful to others.

  • Resource abuse: Customers are often restricted from using the cloud services in a way that consumes excessive resources or disrupts the service for other users, such as initiating DDoS attacks or using automated scripts to consume bandwidth or processing power.

  • Sharing of access credentials: Customers are typically not allowed to share their login credentials with unauthorized users, and they are responsible for maintaining the security and confidentiality of their account information.

  • Reverse engineering and modification: Customers are generally prohibited from reverse engineering, decompiling, or disassembling the cloud services or their underlying software, as well as making any modifications or creating derivative works based on the services or software.

  • Reselling or sublicensing: Customers may be restricted from reselling, sublicensing, or otherwise transferring their rights to use the cloud services to third parties without the service provider’s explicit consent.

Third-party products

Cloud Service Providers often makes available various integrations through the Cloud Services. If this is the case, it is important to provide how the use of these integration (Third Party Products) impacts on the Parties and who takes responsibility for what.

 

Important sections to include from a Provider’s perspective are-

  • Terms and conditions: This section generally provides that the Cloud Services may allow access to products or services from third parties, these third-party products or services have their own terms and conditions, separate from the main Cloud Services Agreement, and if the Customer doesn’t agree with the terms and conditions of the third-party products, they should not install, access, or use them.
  • Liability and indemnification: This section generally provides that the Customer is responsible for any loss, damage, or liability resulting from integrating with third-party products or sharing data with them, and the Customer agrees to indemnify the Provider from any claims or losses resulting from the Customer’s use of third-party products.
  • Data security and privacy: This section generally provides that the Provider is not responsible for the security and privacy of the Customer’s data once it’s transferred to a third-party platform. It is the Customer’s responsibility to ensure that the third-party platform has proper security measures to protect their data.
  • Compliance with laws and regulations: The section generally provides that the Customer is responsible for ensuring their use of third-party products follows all relevant laws and regulations, including those related to data protection and privacy.
  • Termination of integration: This section generally provides that the Provider has the right to terminate any integration with a third-party platform if it deems the platform to be insecure or in violation of any laws or regulations. This decision is at the Provider’s sole discretion.

Suspension rights

By outlining specific scenarios under which the Service Provider can suspend services, the agreement helps to safeguard the provider’s intellectual property, reputation, and legal compliance. This is essential to maintain the provider’s business operations and maintain the security of the overall cloud infrastructure.

 

The sections part of the suspension rights block generally addresses the circumstances under which the Service Provider can temporarily suspend the Customer’s or its users’ access to the Cloud Services. These circumstances generally include:

 

  • Threat or attack on the provider’s intellectual property: If the provider believes there is a threat to its intellectual property, it can suspend access to protect its assets.
  • Issues or security risks caused by customer or users: If the customer or its users are causing problems or security risks while using the provider’s intellectual property, the provider has the right to suspend access.
  • Illegal or fraudulent activities: The provider can suspend access if the customer or its users are using the provider’s intellectual property for illegal or fraudulent purposes.
  • Bankruptcy or similar issues: The provider may suspend access if the customer faces bankruptcy or other financial problems that may affect their ability to use the cloud services.
  • Illegal cloud services: If providing the cloud services is against the law, the provider can suspend access.
  • Vendor issues: The provider can suspend access if any of its vendors stops or ends the supply of services or products necessary for the customer to access the cloud services.

 

The suspension rights block may contain a section that requires the provider to make a reasonable effort to inform the customer about the suspension and give updates on when access to the cloud services will be resumed. This ensures that the customer is informed and can take appropriate action.

 

Also the suspension rights block may contain a section which obligates the Service Provider to attempt to restore access to the cloud services as soon as possible once the issue is resolved. This encourages both parties to address the issue promptly and minimize the impact of the suspension.

 

From a Service Provider’s perspective, you want to be clear that the Service Provider is not liable for any damages or losses the customer may face due to the suspension and add a separate section addressing the liability concerns. This limits the Service Provider’s risk exposure and financial liability in case of suspension.

Review of financial stability

A financial stability block is not often found in Cloud Services contracts. However, if it is impossible to do proper due diligence on the Service Provider and your business will be relying heavily on expensive the Cloud Services, adding a financial stability clause may not be a bad idea.

 

This financial stability block contains a couple of sections, each addressing a different aspect of the financial review process between the Customer and the Provider-

  • Review of financial records: This section states that the Customer has the right to review the Provider’s financial books and records, and the documents the Customer can review (for example, a current balance sheet, a statement of income and losses for the preceding 12 months, and a statement of cash flows for the same period).
  • Place of review: This section specifies that the Customer must conduct the financial review at the Provider’s offices unless they receive written consent from the Provider to conduct the review elsewhere.
  • Termination: This section allows the Customer to terminate the Agreement (including any Statement of Work) without any penalty if they reasonably believe that the Provider’s financial position has materially deteriorated. Generally, the Customer must provide written notice to the Provider to terminate the Agreement in terms of this section.
  • Confidential information: This section emphasizes that all the financial books, records, and information provided during the financial review must be treated as confidential information.

Audits

The purpose of an audit clause is to determine if the Customer is complying with the Agreement, and more specifically, if the Customer is not exceeding any usage limitation (for example, number of users accessing the Cloud Services).

 

An audit block is inserted for the sole benefit of the Service Provider and generally contain the following sections-

  • Audit rights: This section grants the Provider or their authorized representative the right to conduct audits to ensure the Customer is fulfilling their obligations according to the Agreement. The section will also typically provide that the Customer must maintain accurate records, retain them for a specified number of years after termination, and provide reasonable assistance during the audit.
  • Notice: This section regulates the notice requirements relating to audits. Most of the time, the section will provide that the provider Service Provider is required to give the Customer a specified number of hours’ notice before an audit, unless circumstances don’t allow it.
  • Number of allowed audits: This section sets a limit on the number of audits the Service Provider can conduct per year.
  • Confidentiality: The audit block generally also contain a section providing that the Service Provider and their authorized representative must adhere to the Customer’s security and confidentiality requirements during the audit.
  • Adjustments and interest: A section is also required addressing the situation where inaccuracies are found during an audit. The section will need to address how adjustments as an result of the inaccuracies will work and when payment will be due. Lastly, the section generally addresses the aspect of interest and from which date and rate interest will accrue relating to any adjustments made.
  • Fees and costs: This sections provides who will be responsible for the fees and costs of the audit. Most of the time the Provider is responsible for paying the fees and costs associated with the audits, subject thereto that no material inaccuracies are picked up during the audit.
  • Duration of rights: Lastly, a section addressing the duration of the audit rights is also required. Most of the time the Service Provider would want the audit rights to survive termination of the agreement for a specified number of years.
 

Fee benchmarking

A fee benchmark clause is important in a Cloud Services Agreement because it allows the customer to periodically compare the service provider’s fees with those of similar businesses. This helps ensure that the provider’s fees remain competitive and in line with industry standards.

 

From a Service Provider’s perspective, including a fee benchmark clause can be beneficial as it demonstrates transparency and a commitment to fair pricing, which can enhance trust and customer satisfaction. Moreover, it may also provide the service provider with valuable insights into the market and help identify areas where they can improve or adjust their pricing strategy to remain competitive.

 

A fee benchmark block should address the following important aspects-

  • Right to benchmark: This section provides that the Customer has the right to compare the Service Provider’s fees with those of similar businesses, outlining any limits on frequency (e.g., once a year).
  • Independent benchmarking company: This section relates to the independent, industry-recognized company who will conduct the benchmarking and who will choose the benchmarking company.
  • Cooperation with the benchmarking company: This section creates an obligation to cooperate with the benchmarking company and details the requirements relating to access to personnel, records, and any necessary information.
  • Confidentiality: This section relates to the benchmarking company’s obligation to keep all records and information confidential.
  • Benchmarking process: This section describes the process the benchmarking company will follow, including how they will select and adjust data, account for differences in services, and consider requests for changes.
  • Final report and actions: This section detail the actions required if the benchmarking report shows the Service Provider’s fees are significantly higher than the industry average, such as proposing alternative fees, adjusting fees with customer approval, or allowing the customer to terminate the agreement without penalty.

Insurance

The purpose of an insurance clause in a Cloud Services Agreement is to protect both parties (the Customer and the Service Provider) from potential financial losses and liabilities arising from risks and events associated with the provision of Cloud Services.

 

The insurance clause typically needs to address the following-

  • Insurance cover: This section creates the obligation on the Service Provider to obtain and maintain suitable insurance coverage at their own expense. The section may also address certain requirements surrounding the insurance company, for example, the insurance should be from reputable insurers and should address requirements relating to the type of cover required.
  • Increase in cover: This section allows the Customer to require the Service Provider to increase their insurance coverage if the Customer believes the existing coverage is not suitable.
  • Failure to maintain cover: This section addresses the situation if the provider fails to maintain suitable and adequate insurance. Typically, the section will provide that if the Service Providers fails to maintain the required insurance, they will still be liable for all their obligations under the agreement, and the customer will not have any liability towards the provider due to their failure to maintain insurance.
  • Period of cover: This section addresses the duration of the cover and also if the cover must be maintained for a period after the Agreement comes to an end.
  • Primary cover: Often a sectional will be added which provides that the insurance policy must state that it is primary insurance, meaning that the provider’s other insurance policies or self-insurance programs will not be called upon to contribute in the event of a claim.
  • Insurance certificate: A section can also be included providing that the Service Provider must give the Customer proof of the required insurance coverages in the form of insurance certificates before starting the services and upon renewal of any such policy.

Sub-contracting

The subcontracting block provides the requirements related to subcontracting and generally contains the following sections-

  • Subcontracting: This section provides whether or not a Party can subcontract their obligations under the Agreement. Most of the time the section will provide that the Service Provider is not allowed to subcontract any service to a third party without first obtaining written consent from the Customer. The Customer generally has the right to withhold or impose conditions on this consent.
  • Subcontracting requirements: If the Provider is allowed to subcontract, a section can be included providing a requirement that the Service Provider must provide the Customer with all invoices related to the subcontracted services.
  • No benefit: As a further measure, a Customer may also want to include a section that provides that the Service Provider cannot profit from the subcontractor’s fees if they are lower than their own fees. In other words, if the subcontractor charges less, the Customer will benefit from the lower fees instead.
  • Confidentiality: This section creates an obligation on the the Service Provider to ensure that any approved subcontractor agrees to confidentiality terms that are substantially similar to the ones in the main agreement between the Provider and the Customer.
  • Continued obligations: This section provides that regardless of any subcontracting arrangements, the Provider remains responsible for fulfilling their obligations under the main agreement. Subcontracting does not relieve them of these responsibilities.

Core legal provisions blocks

Boilerplate blocks

Schedules

FAQs

Must Acceptance Testing provisions be included in the Cloud Services Agreement?

Generally, Cloud Services provide “out of the box” functionality and Providers do not include any Acceptance Testing provisions.

 

However, there are situations where a Customer may require custom functionality that must be bolted onto the Cloud Services. In such cases, it may be appropriate to include Acceptance Testing provisions.

Must Software Escrow provisions be included in the Cloud Services Agreement?

As discussed above, only usage rights are provided to the Customer and no licence is provided in respect of software.

 

The above being said, there may be a situations where the Cloud Services are “mission critical” to the Customer. Especially in situations where there has been extensive bespoke development done for a Customer to further the available functionality of the Cloud Service, it may be appropriate to provide for certain escrow arrangements in the Agreement.

Are there any other Agreements that must be build with the Cloud Services Agreement?

The following agreements and policies generally determine the rights and obligations between the Parties:

  • Order Form
  • Data Protection Policy
  • Support & Maintenance Policy
  • Service Level Agreement (SLA)
  • Acceptable Use Policy (AUP)

 

Table of Contents