In this article, we have a look at some of the important aspects that must be kept in mind when building a Cloud Services Agreement.
A Cloud Services Agreement is a contract between a customer and a cloud service provider that stipulates the terms and conditions for using the provider's services. It's like a rule book for using someone else's computer systems over the internet.
Cloud Services can be divided into three main categories: software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). Here's an explanation of each type:
Software-as-a-Service (SaaS): SaaS provides software applications that you can use over the internet without needing to install them on your own computer. Instead of buying a software license and installing it on your device, you access the software through a web browser and usually pay a subscription fee. Examples of SaaS include Google Workspace (formerly G Suite), Microsoft Office 365, and Salesforce.
Platform-as-a-Service (PaaS): PaaS offers a complete environment for developers to build, test, and deploy software applications without worrying about the underlying infrastructure. The service provider takes care of the servers, storage, networking, and other infrastructure components, while the user can focus on writing code and managing the application. Examples of PaaS include Google App Engine, Microsoft Azure App Service, and Heroku.
Infrastructure-as-a-Service (IaaS): IaaS provides virtualized computing resources over the internet, such as virtual machines, storage, and networking. Users can rent these resources as needed and scale them up or down according to their requirements. IaaS is like renting a virtual computer and its components instead of buying and maintaining physical hardware. Examples of IaaS include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.
In summary, SaaS is like renting software applications, PaaS provides a development platform for creating your own applications, and IaaS offers the virtual infrastructure to run your applications and store data.
When you use Cloud Services, you're generally granted a limited, non-exclusive, and often non-transferable right to access and use the software hosted by the service provider. With a Software License, by contrast, you receive a license that gives you the right to use a specific version of the software, which often includes the rights to make copies for backup purposes or install it on a certain number of devices.
Cloud Services are usually provided under a subscription-based model and no copy of the Software is provided to the Customer (therefore, there is no need for a license).
With licensed Software, however, you generally pay a license fee and you receive a copy of the software.
Order Forms typically include the specific details related to a Cloud Services Agreement, such as the negotiated commercial terms, the duration of the agreement, and any other information agreed upon between the Provider and the Customer. By using an Order Form, businesses can streamline their negotiations and focus on the most critical aspects of the agreement.
In addition to the Order Form, a Master Cloud Services Subscription Agreement is often referenced, which contains other terms and conditions of a more legal nature. This agreement can be found on the Provider's website and is presented as their standard terms and conditions for contracting with Customers. This approach gives the impression that the terms within the Master Cloud Services Agreement are non-negotiable, further simplifying the negotiation process.
Moreover, Providers prefer using Order Forms and referencing a Master Cloud Services Agreement because it allows them to make amendments to the terms and conditions more efficiently. When an amendment is made to the Master Cloud Services Agreement, the Provider generally notifies Customers via email, giving them the right to object to the changes. If no objections are received, the amendment is considered accepted and automatically incorporated into the Agreement. This method not only saves time but also helps maintain consistency across contracts with multiple customers.
The first block generally contains a couple of sections. Let's have a look-
Access rights: This section states that the Provider grants the Customer a limited right to access and use the Cloud Services, as long as the Customer pays the required fees and follows the terms and conditions of the agreement. This access is given for the duration of the agreed-upon term.
Affiliates: If applicable, the Customer's affiliated companies can also use the Cloud Services, as long as they follow the terms and conditions set in the agreement and the Order Form.
Permitted use: This section clarifies that the Customer, their Affiliates, and their individual users can only use the Cloud Services according to the allowed purposes (Permitted Use - usually stated in the Order Form) and the documentation relating to the Cloud Services.
Retained rights: This section emphasizes that the Provider maintains all ownership rights and interests in the Cloud Services, including any software used to provide those services.
Users: The Customer is responsible for their users' actions while using the Cloud Service, and for ensuring that those users comply with the terms of the agreement.
Login credentials: This section states that the Customer must ensure their users keep their login credentials confidential. If there is any breach or compromise of user accounts or credentials, the Customer must promptly notify the Provider.
Usage restrictions in Cloud Services Agreements are provisions that limit the way customers can use the cloud services provided by the service provider.
These restrictions are included to protect the service provider's interests, ensure legal compliance, maintain the security and integrity of the system, and prevent unauthorized or potentially harmful activities.
Common usage restrictions found in Cloud Services Agreements include:
Illegal activities: Customers are prohibited from using the cloud services for any unlawful purposes, including activities that violate any applicable local, state, national, or international laws and regulations.
Security breaches: Customers are not allowed to use the cloud services to breach the security of any networks, systems, or accounts, including unauthorized access, data theft, or distribution of malware or viruses.
Intellectual property infringement: Customers must not use the cloud services to infringe upon the copyrights, trademarks, patents, or trade secrets of others, including unauthorized use, copying, or distribution of protected content.
Spam and unsolicited messages: Customers are typically prohibited from using the cloud services to send unsolicited messages, such as spam or other unwanted communications, which can be disruptive or harmful to others.
Resource abuse: Customers are often restricted from using the cloud services in a way that consumes excessive resources or disrupts the service for other users, such as initiating DDoS attacks or using automated scripts to consume bandwidth or processing power.
Sharing of access credentials: Customers are typically not allowed to share their login credentials with unauthorized users, and they are responsible for maintaining the security and confidentiality of their account information.
Reverse engineering and modification: Customers are generally prohibited from reverse engineering, decompiling, or disassembling the cloud services or their underlying software, as well as making any modifications or creating derivative works based on the services or software.
Reselling or sublicensing: Customers may be restricted from reselling, sublicensing, or otherwise transferring their rights to use the cloud services to third parties without the service provider's explicit consent.
Cloud Service Providers often make various integrations available through the Cloud Services. If this is the case, it is important to set out how the use of these integrations (Third Party Products) impacts the Parties and who takes responsibility for what.
Important sections to include from a Provider's perspective are-
By outlining specific scenarios under which the Service Provider can suspend services, the agreement helps to safeguard the provider's intellectual property, reputation, and legal compliance. This is essential to maintain the provider's business operations and maintain the security of the overall cloud infrastructure.
The sections that form part of the suspension rights block generally address the circumstances under which the Service Provider can temporarily suspend the Customer's or its users' access to the Cloud Services. These circumstances generally include:
The suspension rights block may contain a section that requires the provider to make a reasonable effort to inform the customer about the suspension and give updates on when access to the cloud services will be resumed. This ensures that the customer is informed and can take appropriate action.
The suspension rights block may also contain a section that obligates the Service Provider to attempt to restore access to the cloud services as soon as possible once the issue is resolved. This encourages both parties to address the issue promptly and minimize the impact of the suspension.
From a Service Provider's perspective, you want to be clear that the Service Provider is not liable for any damages or losses the customer may face due to the suspension and add a separate section addressing the liability concerns. This limits the Service Provider's risk exposure and financial liability in case of suspension.
A financial stability block is not often found in Cloud Services contracts. However, if it is impossible to do proper due diligence on the Service Provider and your business will be relying heavily on expensive Cloud Services, adding a financial stability clause may not be a bad idea.
This financial stability block contains a couple of sections, each addressing a different aspect of the financial review process between the Customer and the Provider-
The purpose of an audit clause is to determine if the Customer is complying with the Agreement, and more specifically, if the Customer is not exceeding any usage limitation (for example, number of users accessing the Cloud Services).
An audit block is inserted for the sole benefit of the Service Provider and generally contains the following sections-
A fee benchmark clause is important in a Cloud Services Agreement because it allows the customer to periodically compare the service provider's fees with those of similar businesses. This helps ensure that the provider's fees remain competitive and in line with industry standards.
From a Service Provider's perspective, including a fee benchmark clause can be beneficial as it demonstrates transparency and a commitment to fair pricing, which can enhance trust and customer satisfaction. Moreover, it may also provide the service provider with valuable insights into the market and help identify areas where they can improve or adjust their pricing strategy to remain competitive.
A fee benchmark block should address the following important aspects-
The purpose of an insurance clause in a Cloud Services Agreement is to protect both parties (the Customer and the Service Provider) from potential financial losses and liabilities arising from risks and events associated with the provision of Cloud Services.
The insurance clause typically needs to address the following-
The subcontracting block provides the requirements related to subcontracting and generally contains the following sections-
Generally, Cloud Services provide "out of the box" functionality and Providers do not include any Acceptance Testing provisions.
However, there are situations where a Customer may require custom functionality that must be bolted onto the Cloud Services. In such cases, it may be appropriate to include Acceptance Testing provisions.
As discussed above, only usage rights are provided to the Customer and no licence is provided in respect of software.
The above being said, there may be situations where the Cloud Services are "mission critical" to the Customer. Especially in situations where there has been extensive bespoke development done for a Customer to further the available functionality of the Cloud Service, it may be appropriate to provide for certain escrow arrangements in the Agreement.
The following agreements and policies generally determine the rights and obligations between the Parties: