THE OK, THE BAD AND THE UGLY OF SERVICE AVAILABILITY
The availability of cloud services is usually governed by service level agreements (SLAs), which bind the provider to a maximum amount of downtime per month or year. Rather than give customers their money back for outages beyond that SLA, most cloud providers offer service credits as a remedy for an outage.
Unfortunately, these service credits tend to be capped at a percentage — usually between 10 percent (at worst) and 100 percent (at best) of the hosting fees paid in that month.
The study advises customers to avoid SLA provisions that give the cloud provider a huge list of exceptions before they have to pay any service credits for outages.
Beyond the excuse of ‘scheduled maintenance’, outages resulting from alleged ‘misuse’ of the service and outages caused by telco/ISP failure, Oracle was bold enough to excuse itself in the contract for outages caused by ‘hackers or virus attacks’ and ‘denial of service attacks’. Worse still, Oracle prohibits customers from using their own monitoring tools to independently measure system performance.
The variance in how credits were calculated and applied was extreme. The examples of Nirvanix, VMVault and Softlayer, explained in the full report, were a case in point. Comparing them like for like was thus difficult – and customers were advised to study each carefully.
Possibly the worst practice lies in GoGrid’s cloud contract, which attempts to qualify its rather ridiculous “10,000 percent” uptime guarantee. The fine print reveals that credits are capped for 100 percent of the hosting fees paid that month or for two months of the year, and only calculated for the longest continuous outage that month (and only for outages over 15 minutes).
Worse still – outages are measured only from when GoGrid staff choose to register a complaint, but credits must be requested within 48 hours of a failure.
There were – unfortunately – no best practices to note in the area of SLAs and service availability – meaning there is much work ahead for cloud providers before the next Cloud Cover study.
DATA SOVEREIGNTY AND PRIVACY
Privacy legislation was top-of-mind for Shelston IP when compiling the research, because as of March 2014 Australia will be subject to new privacy laws under the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
Most global cloud providers allow themselves in the contract the flexibility to move a customer's data as they see fit — with local providers Ninefold and Cloud Central marketing themselves on the basis that the data stays at home.
Telstra, incidentally, asks customers to consent to it transferring data outside of Australia within its cloud contract.
Microsoft, Telstra and Oracle offered the best protections around the tricky subject of disclosing data to the law enforcement bodies of foreign governments. Most contracts included in the study allow for the cloud provider to disclose data to meet an enforceable government request in a given territory (such as from ASIO or the FBI).
The two examples below from Microsoft and Oracle represent best practice:
“We will not disclose Customer Data to law enforcement unless required by law. Should law enforcement contact us with a demand for Customer Data, we will attempt to redirect the law enforcement agency to request it directly from you. As part of this effort we may provide your basic contact information to the agency. If compelled to disclose Customer Data to law enforcement, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited.”
“Except as otherwise required by law, Oracle will promptly notify Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority (“demand”) that it receives and which relates to the Personal Data Oracle is processing on Customer’s behalf. At Customer’s request, Oracle will provide Customer with reasonable information in its possession that may be responsive to the demand and any assistance reasonably required for Customer to respond to the demand in a timely manner. Customer acknowledges that Oracle has no responsibility to interact directly with the entity making the demand.”
[Oracle Data Processing Agreement for Cloud]
Vincent said that this “goes at least some way – to any extent possible – of mitigating the risks around foreign government access.”
The report notes that many Australian organisations have compliance obligations around the retention of data. These are essential considerations when assessing the ease with which a customer can transition out of a cloud provider’s service, move its data elsewhere or delete the data.
Again, the surveyed cloud providers have made little progress on this score since the 2011 study.
Assistance with transition out – when promised – was rarely specific.
Best practice in this area was attributed to Australia’s Macquarie Telecom, which commits to cooperation between provider and customer for the “orderly transfer or shutdown” of any cancelled service.
Salesforce.com equally provides a .csv file of customer data – plus any attachments in their native format – within 30 days of a customer terminating its subscription.
PULLING A SWIFTY
The 2013 study also — for the first time — included warnings about clauses within cloud contracts that allow the cloud provider to unilaterally vary terms.
Several cloud providers allow themselves this right in the contract under the promise that they will notify end users of the revised conditions on their web site.
Vincent points out that some are bold enough to suggest that continued use of the service “amounts to acceptance of the modified terms”.
The contract for cloud provider Joyent was the most extreme: it states that the company "reserves the right to update and change the terms of service from time to time and without notice."
The better practice in this area again falls to Salesforce.com, the contract for which states clearly that any modification to terms is not effective unless “in writing and either signed or accepted electronically” by the customer.
Vincent said customers should look for provisions that state that any amendments to terms are only valid upon renewal of the contract, to allow for renegotiation.
Finally, the report notes that customers should be concerned with the choice of law or jurisdiction nominated by the contract in the case of dispute resolution.
Generally, US providers designate their home state — which makes legal action by an Australian customer an expensive and daunting exercise. Salesforce.com, meanwhile, selects Singapore as its jurisdiction for Asia Pacific customers.
Best practice for Australian customers was Oracle’s cloud service, which adopts NSW as the exclusive jurisdiction for Australian customers.
Read on for a checklist of best practice...