The building blocks of a Cloud Services Agreement

In this article, we have a look at some of the important aspects that must be kept in mind when building a Cloud Services Agreement

The Cloud Services Agreement determines the rights and obligations of the Provider and the Customer relating to the Cloud Services.


Cloud services fall into three primary categories: software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS).

A Software Licence is, in essence, a copyright licence.


Cloud Services are usually provided under a subscription-based model where access to the Software is provided to the Customer through an online login. No copy of the Software is provided to the Customer, and there is no need for a licence.

Order Forms will generally contain the variable information relating to the Cloud Services Agreement. In other words, the commercials to the Agreement, the Term of the Agreement and other information the Provider negotiates with the Customer.


The Order Form then incorporates various other terms and conditions by way of reference - For example, the Master Cloud Services Subscription Agreement hosted on its website.


This Master Cloud Services Subscription Agreement may contain other terms and conditions that are generally more of a legal nature.


A Provider would want to use the Order Form approach to focus the negotiations on the Order Form and not negotiate a 30 to 50-pager contract.


Also, the Master Cloud Services Agreement is presented as the “standard Ts and Cs” the Provider contracts with its Customers creating the impression that the terms and conditions within the Master Cloud Services Agreement are not “negotiable”.


Another reason may be that the Master Cloud Services Agreement may be subject to amendment by the Provider from time to time. An amendment to the Master Cloud Services Agreement will then generally entail an email notifying Customers of the amendment and their right to object to it. The amendment will be deemed made to the Agreement if no objection is received.

Building blocks

building blocks of a cloud services agreement

The scope will generally address:

  • Specific usage limitations (users / territory / industry etc.), the Permitted Use of the Cloud Services (for example, the Cloud Services must be used for internal business purposes only)
  • Commercials (implementation charges / pricing structure / third party expenses / invoicing and payment period)
  • Start date, Term of the Agreement and autorenewal


The scope of the Cloud Services stipulates the access rights provided to the Customer and, if applicable, the Customer's Affiliates.


The scope of the Cloud Services may also refer to certain retained rights of the Provider and usage limitations imposed on the Customer.


Examples often imposed by Providers include restrictions:

  • Not to disassemble, reverse engineer, modify, or create derivate works of the Cloud Services
  • Not to use the Cloud Services in violation of applicable laws
  • Not to circumvent or disable any security features or other aspect of the Cloud Services
  • Not to attempt to gain unauthorised access to the source code of the Cloud Services
  • Not to use the Cloud Services to transmit unlawful material, or to store or transmit material in violation of third-party privacy rights
  • Not to use the Cloud Services to store or transmit any material that may infringe the software or other rights of third parties
  • Not to knowingly or negligently use the Cloud Services in a way that abuses or disrupts servers, user accounts, or other services

The Provider will generally provide support and training to the Customer's Users, and the terms of the support and training must be detailed in this section. Or, if not detailed in the Cloud Services Agreement, the Provider may consider making use of a support policy hyperlinked in the Agreement.


Professional services can also be included as part of the Cloud Services Agreement or incorporated into a separate Professional Services Agreement. If professional services are included as part of the Cloud Services Agreement, ensure that the commercials relating to these services are unambiguously stipulated within the Agreement.

The Customer would want to protect the confidentiality of and reserve its ownership rights in, data that it uploads for processing and storage by the Cloud Services.


It may be that the Provider has a Standard Data Protection Policy that covers the above aspects. However, with a higher value and more complex Cloud Services transactions, the Parties may want to agree on a separate Data Protection schedule.


The ownership and permissible uses of data that derived from the Provider's monitoring of the Customer's access to and use of the Cloud Services or processing of customer data or usage data (derivative or resultant data) can be significant negotiation points.


Read more on data protection clauses.

The Provider will generally retain all intellectual property relating to the Software, and no licence is provided in respect of the Software. For this reason, the intellectual property provisions within a Cloud Services Agreement are generally not overly complex.


An aspect that will, however, need to be addressed in the Cloud Services Agreement is feedback rights. In other words, if the Customer provides the Provider with feedback relating to the Cloud Services, will the Provider be able to use the feedback to improve the Cloud Services and make these improvements available to other Customers?


The default position is usually that the Provider may use all feedback freely without restriction or obligation.


Read more on building intellectual property clauses.

The payment provisions will detail payment terms, overdue amounts, method of payment, setoff, taxes, payment disputes etc.


Read more on payment clauses.

Both Parties would generally want to protect such sensitive information, which, if disclosed to certain third parties, will be detrimental to their business. The confidentiality provisions provide which information must be regarded as confidential, obligations relating to handling confidential information, and what happens if there are unauthorised disclosures.


Read more on confidentiality clauses.

Unrecoverable losses and maximum liability are generally dealt with under the limitation of liability provisions. Unrecoverable losses may include, for example, consequential losses, and claims relating to breach of data protection provisions may be limited under the maximum liability amount to a fixed amount.


Read more on the limitation of liability clauses.

The Customer and Provider will usually provide certain mutual warranties. These may include, for example, that they have the legal capacity to enter into the Agreement and that they have not offered unlawful or prohibited inducements to the other Party or any other person in connection with the Agreement.

Then there will also be warranties related to the Cloud Services that will be provided.


Typical warranties will include that no viruses will be introduced into the Cloud Services, the Cloud Services does not and will not infringe on any third party intellectual property rights, the Cloud Services will be updated as necessary to comply with applicable laws etc.


Breach of the warranties will also need to be addressed, and the disclaimers that relate to the warranties.


Read more on warranty clauses.

An indemnity often found in a Cloud Services Agreement is an indemnity relating to Intellectual Property infringement claims.


The indemnity provisions need to identify what will be regarded as indemnified losses (what will be covered), what will trigger the indemnity and the claims procedure.


Read more on indemnity clauses.

The Provider may be required to take insurance against, for example, cyber crimes. The insurance provisions should detail the type of cover to be taken out, the amount of cover required, what happens if there is a failure to maintain cover and obligations to produce certificates confirming cover. 

A clause that is not often included in Cloud Services Agreements is a Financial Reporting clause requiring the Provider to report it's financial position to the Customer.


These clauses may give the Customer "early warning" of trouble. If the Provider faces financial instability, it could tumble into bankruptcy, and it could lose the will or ability to perform vital services. But if the Customer sees that trouble far enough in advance, it can protect itself—by terminating the contract, retaining another provider, taking back the data, etc.

Technology is evolving at a rapid pace and a Customer may want to have the right to benchmark the Provider's performance and price. If found that the Provider does not meet die benchmarking requirements, the clause may provide certain remedies to the Customer.


Whether or not such a clause will be included will depend on the respective bargaining power of the Parties.

Although most of the time there will not be a need for Personnel and Non-Solicitation clauses, it may be that there will be some form of professional service provided with the Cloud Services. In such a case, the Provider may want to include Personnel and Non-Solicitation clauses.


Read more on Personnel and Non-Solicitation clauses.

For a Customer, it may be difficult to determine whether or not the Provider is executing their obligations under the Agreement. Audit rights allow the Customer, or their authorised representative, to conduct certain audits.


With the audit clause, aspects often addressed include notices of audits, the number of allowed audits, confidentiality and what happens if there is an adverse finding.

The Parties may conclude the Cloud Services Agreement for a fixed term. There may also be auto-renewal of the Term, which must also be detailed within this section.


The termination provisions detail when a Party can terminate the Agreement before the Term ends and may also provide for termination assistance the Provider must provide if the Agreement is terminated.


Read more on term and termination clauses

How will the Parties deal with disputes? Through a Court process or alternative dispute resolution? Are there different processes for different disputes - For example, expert determination for disputes relating to technical aspects of the Cloud Services?


Read more on dispute resolution clauses.

The boilerplate clauses will include the provisions relating to public disclosure, third-party beneficiaries, how amendments will be dealt with, how notices under the Agreement must be provided, assignment etc.


Read more on boilerplate clauses.


Generally, Cloud Services provide "out of the box" functionality and Providers do not include any Acceptance Testing provisions.


However, there are situations where a Customer may require custom functionality that must be bolted onto the Cloud Services. In such cases, it may be appropriate to include Acceptance Testing provisions.

As discussed above, only usage rights are provided to the Customer and no licence is provided in respect of software.


The above being said, there may be a situations where the Cloud Services are "mission critical" to the Customer. Especially in situations where there has been extensive bespoke development done for a Customer to further the available functionality of the Cloud Service, it may be appropriate to provide for certain escrow arrangements in the Agreement.

The following agreements and policies generally determine the rights and obligations between the Parties:

  • Order Form
  • Data Protection Policy
  • Support & Maintenance Policy
  • Service Level Agreement (SLA)
  • Acceptable Use Policy (AUP)


The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 

Martin Kotze

This is a free 30min consultation to better understand your business and your needs.

Table of Contents

Schedule a call with a Solutions Specialist

+27 82 891 3029