A guide to negotiating a Cloud contract

Businesses around the world are leveraging cloud capabilities to meet global customer needs, scale out to new geographic locations, make efficient use of operational and capital expense, innovate and accelerate business growth. It is no secret that cloud technologies can take your business to new heights, so it is extremely important to choose the right Cloud Service Provider (CSP), since that provider will act as the backbone for your critical business applications and processes. Choosing a CSP that fuels your business's growth engine, and signing the right cloud contract, is crucial because it directly affects your revenue, growth, financials, market competitiveness and ultimately the future of your business.

In this blog post, I am going to cover the important areas to address while negotiating a cloud contract with any Cloud Service Provider (CSP). After reading this post, you will have a fair idea of which topics and terms should be agreed upon with the CSP before signing a legal contract. This blog doesn't cover every aspect of a cloud contract; it focuses on the most important ones.

Key Focus areas for Negotiating a Cloud Contract

Negotiating a Cloud contract is not just about -

  • Who is cheaper or Who is charging less?
  • Who is providing more services?
  • Who is supporting more technologies?
  • Who is committing 99.99% uptime?

Negotiating a cloud contract goes far beyond this. You must negotiate to protect all of your interests very precisely. There can't be a standard cloud contract that works for every customer, because too many factors vary: type of industry, nature of business, geographic location, regional constraints, local laws and regulatory requirements, security requirements and so on.

Negotiating a cloud contract is incomplete without discussing and agreeing upon areas like data ownership, security, legal terms and conditions, the indemnification clause, regulations and compliance, and reporting and monitoring requirements. Let's discuss each of them.

1. Data Ownership

Every Cloud Service Provider says: you own the data. Before you are convinced by this statement, read the fine print. Negotiate that, in case you plan to exit or move to another Cloud Service Provider, you get your entire data back, and in a format you can actually use.

Get the below questions answered -

  • Who has access to your data in the cloud: the Cloud Service Provider, contractors or subcontractors of the CSP, partners of the CSP, government entities, regulatory boards, etc.?
  • Does the Cloud Service Provider provide regular data exports/backups?
  • Are data export services automatic, or do you need to set them up manually?
  • Is the data backup provided to you encrypted?
  • Do I get a sufficient amount of time to move my data to another cloud in case I plan to exit or end the contract?
  • Will any third party or government authority be able to access my data stored in the cloud in any way?
  • What guardrails are in place against insider access?

Google Cloud Platform offers a great and granular level of transparency on how your data ownership rights are protected. See the details HERE.

2. Security

Security is a big area to consider in any cloud contract. It is very crucial to get assurance that each and every thing is secure. To maintain customers' trust, make sure that your IT assets are safe from theft and leakage. A few essential points to consider here -

  • Identify the security standards for your industry and verify that the Cloud Service Provider maintains those standards and privacy regulations during data storage, data processing, data in transit and data retrieval. For example, if you are a payment processing company, you should insist on adherence to the PCI Data Security Standard (PCI DSS).
  • Encryption of data during the different stages of the data lifecycle.
  • Who is responsible for maintaining the security posture? Is it your responsibility, the cloud vendor's, or a shared responsibility? Drill down on shared responsibility and see at what levels you are responsible: application design and architecture, data layer, encryption at rest, encryption in transit, etc.
  • Ability to perform vulnerability scans on the vendor's cloud service using your own tools, and negotiate an SLA for the vendor to remediate any high and medium vulnerability findings.
  • In case of a security breach, how would the cloud vendor assess the impact, and how fast would they inform you? What mechanisms are available to stop the propagation of a data breach?
  • Get a good understanding of the management and administrative overhead required to reach the desired security level.
  • Closely examine the cloud vendor's security system:
      • Infrastructure security: security of the data center and hardware
      • Network security: security of in-transit data, protection from network attacks
      • Security monitoring: availability of tools or services to monitor the security health of your environment and respond to any activity that makes your cloud environment insecure.

GCP solves and answers all of these questions. GCP offers the world's most advanced security by design and by default. Please read the details HERE.

3. Legal Terms and Conditions

Cloud contracts are different from traditional software license procurement. In the cloud ecosystem, software is not provided for you to install and run on your own computers; rather, the cloud vendor hosts and runs the software or services. Legal terms and conditions must specify the support obligations, downtime, maintenance windows, and service upgrade/downgrade clauses.

It is good to have the below terms and conditions in your cloud contract -

  • Uptime and availability of the service
  • Service level agreements, with report-response-resolution timelines
  • Warranties that the service will perform as per specification, along with the start date and end date
  • Monetary refund in case of a service level agreement breach
  • Disaster recovery plan in case of earthquake, war or any other natural disaster
  • Termination clauses in case of merger or acquisition of the cloud vendor, bankruptcy, etc.
  • Insurance terms and conditions which include coverage for data breaches, network attacks and denial of service.

4. Indemnification Clause

It is essential to include a robust indemnification clause in your cloud contract. This clause should explicitly state that the vendor is obligated to compensate you for any losses, damages, or liabilities arising from:

  • Unauthorized Use or Disclosure of Your Data: This encompasses situations where the vendor, its employees, or its subcontractors mishandle your data, leading to unauthorized access, disclosure, or misuse.
  • Security Breaches: If the vendor’s systems or services experience a security breach that compromises the confidentiality, integrity, or availability of your data, the vendor should be held liable for the resulting damages.

Key Points to Consider:

  • Scope of Indemnification: Clearly define the scope of the indemnification to include direct damages, indirect damages, consequential damages, legal fees, and any other foreseeable losses.
  • Thresholds and Limitations: Negotiate reasonable thresholds or limitations on the vendor’s liability, taking into account the size and nature of your business and the potential risks involved.
  • Exceptions: Specify any exceptions to the indemnification clause, such as events beyond the vendor’s reasonable control, like natural disasters or acts of terrorism.
  • Insurance: Ensure that the vendor maintains adequate insurance coverage to back up their indemnification obligations.
  • Survival: The indemnification clause should survive the termination of the contract to cover any breaches that may come to light after the relationship ends.

Remember: Indemnification is a critical aspect of risk allocation in cloud contracts. By requiring the CSP to indemnify you against their own actions or failures, you can protect your business from potential financial and reputational harm. Work with legal counsel to draft a comprehensive and enforceable indemnification clause that aligns with your business needs and risk tolerance.

5. Regulations and Compliance

Each business should assess its compliance requirements based on its data and operations. Cloud Compliance is the process of adhering to regulations, laws, and industry standards that govern the use of cloud computing. It’s important to ensure that data is stored, managed, and protected in the cloud in a way that meets these requirements.

Some regulations and standards that apply to cloud computing include:

GDPR - The General Data Protection Regulation is a European law that requires corporations to process data in a lawful, fair, and transparent manner.

HIPAA - The Health Insurance Portability and Accountability Act is a regulation that applies to healthcare organizations.

PCI DSS - The Payment Card Industry Data Security Standard is an industry standard that applies to the payment card industry.

ISO - The International Organization for Standardization publishes standards that apply to cloud computing.

Depending on your industry and applicable government laws, a cloud contract must make sure that your cloud footprint is regulated and compliant. GCP has achieved various compliance certifications for different countries and regions. Find the full list HERE.

6. Reporting & Monitoring Requirements

The cloud vendor must provide tooling for periodic and recurring monitoring activities. Make sure that you have access to monitoring dashboards to confirm that the performance of the cloud services is as per the SLA.

  • Identify the reports you need from the cloud vendor for your internal usage. This may be your finance department, which needs invoicing and billing reports, or technology teams, who would like to see performance reports for the cloud services over a period of time.
  • Agree upon the frequency of these reports, the level of detail in each report and how the reports are sent to you.
  • Apart from standard reports, see if you need any customized reports and mention them in your cloud contract.
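"Performance is as per SLA" is something you can verify from the provider's own incident records rather than take from a dashboard on trust. The following is an added example (not part of the original post, and not any provider's tooling) that computes monthly availability from outage records, clips incidents that straddle a month boundary, compares the result with the contracted uptime target and maps any shortfall to a service-credit tier. The incident timestamps, the 99.99% target and the credit schedule are all constructed placeholders; the real definitions and credit terms come from your contract.

```python
"""Check a cloud provider's monthly availability against the contracted SLA.

Constructed example: the incident records, the uptime target and the credit
schedule below are placeholders, not any provider's real terms.
"""
from __future__ import annotations

import calendar
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed outage log: (start, end) of each full-service outage, in UTC.
# The second incident deliberately straddles the March/April boundary.
SAMPLE_INCIDENTS = [
    (datetime(2024, 3, 2, 10, 0, tzinfo=UTC), datetime(2024, 3, 2, 10, 3, tzinfo=UTC)),
    (datetime(2024, 3, 31, 23, 50, tzinfo=UTC), datetime(2024, 4, 1, 0, 2, tzinfo=UTC)),
    (datetime(2024, 4, 10, 8, 0, tzinfo=UTC), datetime(2024, 4, 10, 8, 2, tzinfo=UTC)),
]

# Placeholder service-credit schedule: (availability floor, credit percent).
# The first tier whose floor the measured availability meets applies.
CREDIT_TIERS = [(0.9999, 0.0), (0.999, 10.0), (0.95, 25.0), (0.0, 50.0)]


def month_bounds(year: int, month: int) -> tuple[datetime, datetime]:
    """Return [start, end) of the given calendar month in UTC."""
    start = datetime(year, month, 1, tzinfo=UTC)
    days = calendar.monthrange(year, month)[1]
    return start, start + timedelta(days=days)


def downtime_minutes(incidents, year: int, month: int) -> float:
    """Sum outage minutes inside the month, clipping incidents at the month edges."""
    start, end = month_bounds(year, month)
    total = timedelta()
    for inc_start, inc_end in incidents:
        clipped_start = max(inc_start, start)
        clipped_end = min(inc_end, end)
        if clipped_end > clipped_start:  # incident overlaps this month
            total += clipped_end - clipped_start
    return total.total_seconds() / 60


def allowed_downtime_minutes(target: float, year: int, month: int) -> float:
    """Downtime budget the SLA allows for this month (about 4.46 min at 99.99% in March)."""
    start, end = month_bounds(year, month)
    return (1 - target) * (end - start).total_seconds() / 60


def availability(incidents, year: int, month: int) -> float:
    """Measured availability as a fraction of the month's minutes."""
    start, end = month_bounds(year, month)
    minutes_in_month = (end - start).total_seconds() / 60
    return 1 - downtime_minutes(incidents, year, month) / minutes_in_month


def credit_percent(measured: float, tiers=CREDIT_TIERS) -> float:
    """Map measured availability to the credit percentage from the schedule."""
    for floor, pct in tiers:
        if measured >= floor:
            return pct
    return tiers[-1][1]


def sla_report(incidents, year: int, month: int, target: float = 0.9999) -> dict:
    """Produce the numbers you would check against the provider's SLA dashboard."""
    measured = availability(incidents, year, month)
    return {
        "month": f"{year}-{month:02d}",
        "downtime_minutes": downtime_minutes(incidents, year, month),
        "allowed_minutes": round(allowed_downtime_minutes(target, year, month), 2),
        "availability_percent": round(measured * 100, 4),
        "breached": measured < target,
        "credit_percent": credit_percent(measured),
    }


if __name__ == "__main__":
    for year, month in [(2024, 3), (2024, 4)]:
        print(sla_report(SAMPLE_INCIDENTS, year, month))
```

With the constructed data, March 2024 carries 13 minutes of downtime against a budget of roughly 4.46 minutes, so it is a breach that lands in the 10% credit tier, while April's 4 minutes stay within its 4.32-minute budget. Real SLAs often define availability differently (per region, per zone, or as an error-rate over request counts rather than wall-clock outage), so make sure the formula in the contract is the one your check implements, and keep your own incident record so the credit claim does not depend solely on the vendor's numbers.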

GCP offers various billing reports with different levels of detail and information about your cloud spending. Please see the detailed documentation HERE.

GCP provides observability services to monitor the health of your applications in terms of performance and behavior. You can implement alerting policies and take immediate action in case performance degrades below the specified levels.

Conclusion:

Creating and negotiating a cloud contract is not an easy task; it requires drilling down into multiple areas such as security, terms and conditions, data ownership, regulations and compliance. Understanding your business, business model and business geography will help you identify your requirements, which must then be negotiated into your cloud contract. CSPs are trying to solve many of the common challenges that cloud customers face, but drill down into the specific areas that protect your rights as a cloud customer, so that you can truly leverage the cloud to innovate and grow your business.


Negotiating a cloud contract requires careful attention to pricing, service level agreements (SLAs), and data security. Clearly define uptime guarantees, support terms, and penalties for service failures. Ensure compliance with regulatory requirements and clarify data ownership and portability. Pay close attention to hidden costs, including data transfer and early termination fees. A well-structured contract protects your business while maximizing the value of cloud services.
