accept these full terms and conditions. Click to confirm.”
many times have you subscribed to a cloud provider’s service and clicked on
that box without reading what’s in the small-font legalese you just agreed to?
do it again.
you take nothing more from this post, if you stop reading now, that’s fine. Just
make certain that for any high value business service you or your employees don’t
click another one of those boxes without reading the fine print and understanding
what you are signing up for.
I described in my last post, When
Compliance and Cloud Computing Collide, the ease with which cloud services
can be consumed has made it practical for anyone to effectively enter your
company into a binding sourcing agreement with the click of a button. The
problem is that if you – or worse, one of your company’s employees – blindly
enter into a cloud computing contract without due diligence, you could be in
for unexpected surprises.
Piper LLP consultant
noted in a presentation last year,
“The form contracts or terms that cloud service
providers typically offer (especially in online, ‘click-through’ agreements)
are generally quite one-sided and contain few, if any, terms to protect their
customers from potential legal risks and liabilities. Only large companies will
likely have the leverage to negotiate material changes to those terms. Small
companies will often be faced with a ‘take it or leave it’ situation.”
look at a few examples of how two of the better-known service providers handle
some of the more sensitive topics to get some idea of what common things to
look for. But before I do, it’s only
fair to start by letting you know where to find ours (http://welcome.hp.com/country/us/en/termsofuse.html)
too. Happy reading!
want to make it clear that I’m neither endorsing nor critiquing anyone’s term
sheets. The point is that, I suspect,
unlike many users, I’ve taken the time to read them and consider the
implications to my organization.
depending on the nature of the service and the sensitivity of service quality
and security, there are numerous issues you need to consider, especially as it relates to
retaining ownership of your intellectual property. Having said that, there are a
few areas that most often cause consternation among users and suppliers alike,
specifically those relating to access to – and the security of – your data. Let’s
take a look at both.
Security and Encryption
Are you clear on what’s “in the
clear?” Most consumers today assume that their data will be stored in encrypted
format, but it’s not always the case (or even a good idea). Read the fine print
to ensure you’re not in breach of your compliance and governance requirements. In the case of the Amazon Web Services agreement, clause 4.2 illustrates that the onus is clearly on the user to
protect their data:
“You are responsible for
properly configuring and using the Service Offerings and taking your own steps
to maintain appropriate security, protection and backup of Your Content, which
may include the use of encryption technology to protect Your Content from
unauthorized access and routine archiving Your Content.”
Termination and Transition
whole idea of cloud services is to allow you to focus on getting value from the
service, not running it, but there are times when you need to take direct
control. This is especially true of transitioning your data back to you upon
termination of service. It’s critical that your service provider has a clear
policy for doing so. For example, check out clause 12.5 of the Salesforce.com
12.5. Return of
Your Data. Upon
request by You made within 30 days after the effective date of termination of a
Purchased Services subscription, We will make available to You for download a
file of Your Data …
there’s a risk that your chosen service provider may be forced to close their
business without notice. While less of an issue with large, established names,
it’s a legitimate concern with smaller companies. In these cases additional
precautions might be required, such as the ability to maintain your own offsite
backup of the data at will – it’s worth asking for.
By looking before you click, you
may find yourself reading a contract that you wouldn’t even want your worst
enemy to enter into. Here are ten things
to make sure your employees look for in a cloud-based services contract.
- Who’s responsible for security?
- Who’s responsible for regulatory compliance
(privacy or reporting)?
- Who’s responsible for ensuring performance?
- What facilities do you have to audit the service
- Are you transferring intellectual property
rights to your provider?
- What happens to your data if the service
provider closes their doors?
- How much notice is necessary to terminate a
- How much time will it take to get your data
- What format will the data be in and how will it
be transported to and from the provider?
Better still, it would be so much easier to use a portal where a service
broker has brought together a variety of cloud-based services that use a set of
terms pre-negotiated for your users by your legal team. At HP we’ve created
an innovation project code-named CORAL which is exploring new ways of thinking
about the problem that takes just this approach. To give you an idea of what the world of
the service broker might look like, check out a free trial (https://coral.saas.hp.com/coral/web/service-catalog/) and while you are there you may want to register to
qualify to be one of our first users of the new HP Public Cloud Service
Oh, but don’t forget to read the terms of service first!