“I accept these full terms and conditions. Click to confirm.”
How many times have you subscribed to a cloud provider’s service and clicked on that box without reading what’s in the small-font legalese you just agreed to?
Don’t do it again.
If you take nothing more from this post, if you stop reading now, that’s fine. Just make certain that, for any high-value business service, neither you nor your employees click another one of those boxes without reading the fine print and understanding what you are signing up for.
As I described in my last post, “When Compliance and Cloud Computing Collide,” the ease with which cloud services can be consumed has made it practical for anyone to effectively enter your company into a binding sourcing agreement with the click of a button. The problem is that if you – or worse, one of your company’s employees – blindly enter into a cloud computing contract without due diligence, you could be in for some surprises.
As one DLA Piper LLP consultant noted in a presentation last year,
“The form contracts or terms that cloud service providers typically offer (especially in online, ‘click-through’ agreements) are generally quite one-sided and contain few, if any, terms to protect their customers from potential legal risks and liabilities. Only large companies will likely have the leverage to negotiate material changes to those terms. Small companies will often be faced with a ‘take it or leave it’ situation.”
Let’s look at a few examples of how two of the better-known service providers handle some of the more sensitive topics to get some idea of what common things to look for. But before I do, it’s only fair to start by letting you know where to find ours (http://welcome.hp.com/country/us/en/termsofuse.html) too. Happy reading!
I want to make it clear that I’m neither endorsing nor critiquing anyone’s term sheets. The point is that, unlike (I suspect) many users, I’ve taken the time to read them and consider the implications for my organization.
Now, depending on the nature of the service and the sensitivity of service quality and security, there are numerous issues you need to consider, especially as they relate to retaining ownership of your intellectual property. Having said that, there are a few areas that most often cause consternation among users and suppliers alike, specifically those relating to access to – and the security of – your data. Let’s take a look at both.
Security and Encryption
Are you clear on what’s “in the clear?” Most consumers today assume that their data will be stored in encrypted format, but it’s not always the case (or even a good idea). Read the fine print to ensure you’re not in breach of your compliance and governance requirements. In the case of the Amazon Web Services agreement, clause 4.2 illustrates that the onus is clearly on the user to protect their data:
“You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.”
Termination and Transition
12.5. Return of Your Data. Upon request by You made within 30 days after the effective date of termination of a Purchased Services subscription, We will make available to You for download a file of Your Data …
However, there’s a risk that your chosen service provider may be forced to close their business without notice. While less of an issue with large, established names, it’s a legitimate concern with smaller companies. In these cases additional precautions might be required, such as the ability to maintain your own offsite backup of the data at will – it’s worth asking for.
By looking before you click, you may find yourself reading a contract that you wouldn’t even want your worst enemy to enter into. Here are ten things to make sure your employees look for in a cloud-based services contract.
- Who’s responsible for security?
- Who’s responsible for regulatory compliance (privacy or reporting)?
- Who’s responsible for ensuring performance?
- What facilities do you have to audit the service provider’s claims?
- Are you transferring intellectual property rights to your provider?
- What happens to your data if the service provider closes their doors?
- How much notice is necessary to terminate a contract?
- How much time will it take to get your data back?
- What format will the data be in and how will it be transported to and from the provider?
Better still, it would be so much easier to use a portal where a service broker has brought together a variety of cloud-based services that use a set of terms pre-negotiated for your users by your legal team. At HP we’ve created an innovation project, code-named CORAL, that takes just this approach and is exploring new ways of thinking about the problem. To give you an idea of what the world of the service broker might look like, check out a free trial (https://coral.saas.hp.com/coral/web/service-catalog/), and while you are there you may want to register to qualify to be one of our first users of the new HP Public Cloud Service Catalog (beta)!
Oh, but don’t forget to read the terms of service first!