The best and worst of cloud contracts

Providers of cloud computing services continue to ask users to sign up to onerous terms around data privacy, security and service availability, according a comprehensive study by Shelston IP, commissioned by iTnews.

Our second edition of Cloud Cover dissects the generic cloud computing contracts offered by Amazon Web Services, Cloud Central, GoGrid, Google, IBM, Joyent, Melbourne IT, Microsoft, Ninefold, Nirvanix, OpSource, Oracle, Rackspace, Salesforce.com, SAP, Softlayer, Telstra and VM Vault.

Today we can reveal the best and worst practices identified by law firm Shelston IP within the 53 contracts studied to help inform end users of what to avoid.

Shelston IP partner Mark Vincent told delegates at the Australian Data Centre Strategy Summit that there has been significant progress made in promoting best practices within cloud computing contracts since the first Cloud Cover report was published two years ago.

“Clearly end user organisations have been making demands of suppliers that are being heard,” he said. “Initiatives like the UK Government’s G-Cloud or the Open Data Center Alliance are setting new benchmarks for suppliers to adhere to, and some of those best practices forged at enterprise level is filtering down into generic contracts.”

Whilst our 2011 study focused almost exclusively on clauses end users should attempt to avoid, the maturity of the market in 2013 warranted an equal amount of analysis around what Shelston IP sees as ‘best practice’ – the terms end users should be seeking in any cloud contract. 

Rackspace and Microsoft have clearly done their homework since the 2011 study, oft-cited for best practice approaches to their cloud contracts, with Oracle and Salesforce.com providing a level of maturity tainted only by a few glaring issues.

We conclude today’s summary with a list of what end users should expect from their contracts.

SECURITY - BEST AND WORST PRACTICE

As in the 2011 study, the analysis of the 53 contracts found that most cloud providers are unable to provide guarantees around their security posture.

Locally, Macquarie Telecom’s cloud contract suggests that the customer is responsible for ensuring adequate security.

The generic contract for US-based cloud provider Nirvanix took it one step further, stating that:

“[We are] not responsible for any unauthorised access to, alteration of, or the deletion, destruction, damage loss or failure to store any Content or other data which you submit in connection with your account.”

Over half of the cloud providers surveyed provide some level of assurance around security – but even these tend to be arbitrary.

Several of these providers agree in their contracts to maintain “reasonable” and “appropriate” measures related to both physical security (as promised by Salesforce.com and Softlayer) and specific security technologies (SAP promises to use encryption, password protection and firewalls).

Google is out on its own when promising to adhere to “reasonable security standards no less protective” than those in place for its own data “of a similar type”. As in the terms “reasonable” and “appropriate”, this clause is subject to legal interpretation.

Vincent told iTnews the terms “reasonable and appropriate” would need to be tested in a court for better definition, and would depend on the circumstances of each contract.

The best practice, according to Vincent, was when cloud providers included in their contracts a commitment to specific security compliance standards, such as ISO/OEC 27000, 27001 and 27003.

Standard contracts for both Rackspace and Microsoft point to the promises made on their websites around these credentials. Rackspace makes specific commitments on its website — eferred to within its contract — that promise annual, independent audits of these security standards, documented change management procedures, secure document/media destruction and robust processes around the handling of security incidents.

Oracle also offers the opportunity — via what appears to be an arduous process — for a customer to independently audit its security posture.

“The willingness of some cloud providers to contractually bind themselves to meet the standards referred to in promotional material, such as that provided on their web sites, is a welcome step,” Vincent said.

He noted that promotional material on web sites are subject to protection under Australian consumer law if found to have been untrue or misleading. This would go some way to dealing with the lack of definition of words such as 'reasonable' or 'appropriate'.

Data breaches

The report found a divide between those providers that offer data breach notification within their contracts.

Whilst the Australian Law Reform Commission has long pushed for laws around such notifications, Australian organisations are still not required by law to notify customers when their information leaks out, and in turn very few cloud providers commit to such transparency.

Softlayer and GoGrid both warrant that they will contact customers if data is leaked, but only if required by law.

Again, it was Rackspace, Microsoft and Oracle that promoted best practice in their contracts — all promising to immediately or promptly report data breaches to customers.

Read on for our summary of service availability and transition out clauses + a quick checklist of best practice...

THE OK, THE BAD AND THE UGLY OF SERVICE AVAILABILITY

The availability of cloud services are usually governed by service level agreements (SLAs) – which bind the provider to a maximum amount of downtime per month or year. Rather than give customers their money back for outages beyond that SLA, most cloud providers offer service credits as remedy for an outage.

Unfortunately, these service credits tend to be capped at a percentage — usually between 10 percent (at worst) and 100 percent (at best) of the hosting fees paid in that month.

The study advises customers to avoid SLA provisions that give the cloud provider a huge list of exceptions before they have to pay any service credits for outages.

Beyond the excuse of ‘scheduled maintenance’, outages resulting from alleged ‘misuse’ of the service and outages caused by telco/ISP failure, Oracle was bold enough to excuse itself in the contract for outages caused by ‘hackers or virus attacks’ and ‘denial of service attacks’. Worse still, Oracle prohibits customers from using their own monitoring tools to independently measure system performance.

The variance in how credits were calculated and applied was extreme. The examples of Nirvanix, VMVault and Softlayer, explained in the full report, were a case in point. Comparing them like for like was thus difficult – and customers were advised to study each carefully.

Possibly the worst practice lies in GoGrid’s cloud contract, which attempts to qualify its rather ridiculous “10,000 percent” uptime guarantee. The fine print reveals that credits are capped for 100 percent of the hosting fees paid that month or for two months of the year, and only calculated for the longest continuous outage that month (and only for outages over 15 minutes).

Worse still – outages are measured only from when GoGrid staff choose to register a complaint, but credits must be requested within 48 hours of a failure.

There were – unfortunately – no best practices to note in the area of SLAs and service availability – meaning there is much work ahead for cloud providers before the next Cloud Cover study.

DATA SOVEREIGNTY AND PRIVACY

Privacy legislation was top-of-mind for Shelston IP when compiling the research, because as of March 2014 Australia will be subject to new privacy laws under the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Most global cloud providers allow themselves in the contract the flexibility to move a customer's data as they see fit — with local providers Ninefold and Cloud Central marketing themselves on the basis that the data stays at home.

Telstra, incidentally, asks customers to consent to it transferring data outside of Australia within its cloud contract.

Microsoft, Telstra and Oracle offered the best protections around the tricky subject of disclosing data to the law enforcement bodies of foreign governments. Most contracts included in the study allow for the cloud provider to disclose data to meet an enforceable government request in a given territory (such as from ASIO or the FBI).

The two examples below from Microsoft and Oracle represent best practice:

“We will not disclose Customer Data to law enforcement unless required by law. Should law enforcement contact us with a demand for Customer Data, we will attempt to redirect the law enforcement agency to request it directly from you. As part of this effort we may provide your basic contact information to the agency. If compelled to disclose Customer Data to law enforcement, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited.”
[Microsoft Office365]

“Except as otherwise required by law, Oracle will promptly notify Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority (“demand”) that it receives and which relates to the Personal Data Oracle is processing on Customer’s behalf. At Customer’s request, Oracle will provide Customer with reasonable information in its possession that may be responsive to the demand and any assistance reasonably required for Customer to respond to the demand in a timely manner. Customer acknowledges that Oracle has no responsibility to interact directly with the entity making the demand.”
[Oracle Data Processing Agreement for Cloud]

Vincent said that this “goes at least some way – to any extent possible – of mitigating the risks around foreign government access.”

TRANSITION OUT

The report notes that many Australian organisations have compliance obligations around the retention of data. These make for essential considerations when considering the ease with which a customer can transition out of a cloud provider’s service, move its data elsewhere or delete the data.

Again, the surveyed cloud providers have made little progress on this score since the 2011 study.

Assistance with transition out – when promised – was rarely specific.

Best practice in this area was attributed to Australia’s Macquarie Telecom, which commits to cooperation between the said provider and customer for the “orderly transfer or shutdown” or any cancelled service.

Salesforce.com equally provides a .csv file of customer data – plus any attachments in their native format – within 30 days of a customer terminating its subscription.   

PULLING A SWIFTY

The 2013 study also — for the first time — included warnings about clauses within cloud contracts that allow the cloud provider to unilaterally vary terms.

Several cloud providers allow themselves this right in the contract under the promise that they will notify end users of the revised conditions on their web site.

Vincent points out that some are bold enough to suggest that continued use of the service “amounts to acceptance of the modified terms”.

The contract for cloud provider Joyent was the most extreme: it states that the company "reserves the right to update and change the terms of service from time to time and without notice."

The better practice in this area again falls to Salesforce.com, the contract for which states clearly that any modification to terms are not effective unless “in writing and either signed or accepted electronically” by the customer.

Vincent said customers should look for provisions that state that any amendments to terms are only valid upon renewal of the contract, to allow for renegotiation.

Finally, the report notes that customers should be concerned with the choice of law or jurisdiction nominated by the contract in the case of dispute resolution.

Generally, US providers designate their home state — which makes legal action by an Australian customer an expensive and daunting exercise. Salesforce.com, meanwhile, selects Singapore as its jurisdiction for Asia Pacific customers.

Best practice for Australian customers was Oracle’s cloud service, which adopts NSW as the exclusive jurisdiction for Australian customers.

Read on for a checklist of best practice...

Best practice: a checklist

The Second Edition of Cloud Cover recommends customers seek out providers that:

• Specify adherence to reputable security standards within the contract;
• Allow customers to audit the provider over security and privacy standards;
• Include in the contract a commitment to data breach notification;
• Commit within the contract to informing the customer before submitting customer data to law enforcement;
• Make few excuses in the contract for service availability and offer credits for all downtime outside the SLA;
• Commit within the contract to an orderly transition out, with data available on a specified format within a specified timeframe;
• Cannot vary the terms of the contract without express customer consent;
• Choose Australia as its jurisdiction for resolution of disputes.