How to manage contractual risks in cloud computing

Practical and commercial risks when adopting cloud computing services can be identified and mitigated through due diligence processes, especially in the service contract.
Written by Ryan Huang, Contributor

There will be practical and commercial risks when choosing a cloud service, but these can be mitigated through due diligence by focusing on the service contract.

Firstly, according to Rob Bratby, managing partner at law firm Olswang Asia, the business must understand what it needs and what it will get from the cloud service. Depending on the complexity and value of the services, businesses may prepare their own service description or start with the vendor's version.

Ultimately, the service description should comprehensively set out the business needs. "If it doesn't, it must be challenged and any inadequacies should be dealt with. If this isn't done, the risk is that the service contract for cloud services may prove to be lacking later down the line. The same goes for pricing, service levels and service credits, rights to exit, rights to change the services, security plans and standards, disaster recovery arrangements and governance arrangements," added Bratby.

At this stage, subject matter experts, commercial leaders and lawyers should be roped in to help with the review, he advised.

Second, the service contract must enable the business to comply with its own obligations, be they contractual, regulatory or legal, according to the lawyer.
Bratby points to two prongs of attack which can help:

  1. The service contract should include rights to reports, and to review, monitor and audit. This way, issues should be spotted at the early stages. Businesses should also ensure they have control rights so that issues can be resolved by making changes to any of the details set out in the service contract.
  2. Obligations that businesses are subject to in contracts with third parties (including customers, employees and counterparties) and under regulations and laws should be passed down to the vendor in the service contract.

A third area of risk to cover in the service contract is to make sure that the business is not locked into a service contract and that switching vendors or products can be a smooth exercise.

"This is a legal and a practical issue. The service contract should include sufficient termination rights for the business (e.g. for default, change of control, insolvency, service deterioration, security/confidentiality breach, regulatory requirements) and, in any event, the service contract should not be evergreen; it should be for a fixed period of time to force the business to take stock of affairs," said Bratby.

Clause for exit useful

According to Matthew Hunter, associate at Olswang Asia, including a right for the business to exit at will is also useful but may come at a cost. "Although an advantage of cloud may be that pay-as-you-go services allow for flexibility here," he noted.

On the practical side, the service contract should include a plan detailing the steps to be taken on exit, the assistance the vendor must provide and how data will be extracted from the vendor, added Hunter. "This last point is imperative so that businesses comply with their confidentiality, privacy and security obligations. Regulators would often expect businesses to ensure that data is returned or destroyed upon request at the end of a contract's life," said the Olswang associate.

One final area is intellectual property risk, as cloud services may involve the use of software and other intellectual property rights under a licence, noted Hunter. The business could be dragged into a legal dispute in the event of third-party claims of infringement against the cloud service provider.

"Vendors should be expected to protect businesses from this risk by providing an intellectual property indemnity in the service contract in favor of the business," said Hunter.
