A number of key legal issues that should be agreed upon by the cloud service consumer and the service provider are as follows:
Governing law and jurisdiction
This is often liable and governed within the service provider’s country. In the same vein, disputes arising from any legal contract are always under the jurisdiction of the courts of the service provider’s country.
This can be amended if the cloud service consumer wishes to move any legal jurisdiction to their home country and in some cases when the service provider is a large multinational, this may be possible.
Such a provision can be removed from a contract and you can allow a legal debate to decide when or if such a situation arises.
Issues related to data storage locations must be addressed directly within the contract by the cloud service provider and the customer.
Although maintaining data across multiple geographical locations provides a greater level of security, concerns usually grow over time relative to export controls leading to legislation against extraterritorial storage.
Privacy and confidentiality
Most often, data are used for a specific purpose for which they are collected. However, contracts governing data outsourcing need to ensure data usage specifically for the required service, and non-disclosure of data by the third party without authorization. This needs to be expressed explicitly within a contact to ensure that enforcement is not compromised.
Independent specific security standards should be used to replace relative cloud service providers envisioned reasonable or industry standard security provisions in the contract to realize greater level of security.
The meaning of reasonable or industry standard is relative and can lead to serious argument and misinterpretation over time between the cloud provider and the cloud consumer.
However, the independent security standards adopted must be updated and audited from time to time. Also, any contract must contain a requirement on the service provider to inform of data or security breaches.
Data access for E-discovery
This contract is expected to exhibit the architecture of the service being provided. The contract must also specify the format used for data storage and available tools for data access if any e-discovery requirements arise.
Some services fail to provide such tools, turning e-discovery into a complex and time consuming task.
In a situation where the cloud subscriber makes end users of the service to abide to the terms and agreements of the cloud service provider and customer, a liability of the third-party usage of the system is placed with the cloud consumer.
An alternative would be to enforce and agreement between third parties and the service provider for compliance of the service providers’ terms and conditions.
Inappropriate and unauthorized usage
In an attempt made by the service providers to place the responsibility of monitoring and preventing inappropriate and unauthorized usage of the provided service with the customer, the customer should ensure that the service contract limits the liability to the customer not authorizing or knowingly allowing prohibited usage of the service since the service resides in the cloud and outside the control of the customer.
These contracts should also include a requirement for the customer to inform the service provider of all material breaches and other unauthorized or inappropriate usage of the service.
Caution must be exercised by the customer to report material breaches rather than unauthorized usages.
End-users’ account suspension
Service providers can suspend the customer’s end-users’ account at their will on the violation of some terms and conditions. It is preferable for the customer to restrict the service provider’s right of suspension to material or significant violations that compromise the security of the vendor’s system.
Emergency security issues
Service providers may have legislation laws inserted to suspend without notice, a provisioned service, in the event an unethical use of such a service causes an emergency issue.
In the consumer’s best interest, what constitutes an emergency issue should be clearly defined with the service provider so as to limit the flexibility and/ or discretion of the service provider if any emergency occurs.
Service suspension and termination
Service providers have the reserved right to suspend a service or to even terminate a service in the event of specified events. While such conditions are practical and legitimate from the service provider’s point of view, the service consumer must ensure that the service contract offers a time-window opportunity to rectify the situation, rather than an immediate denial of service (except for extreme emergencies), and to provide the consumer some reasonable period of time to make alternative arrangements for service provision.
The service provider must ensure that if such an event occurs, the customer’s data is made available in usable format for a specified amount of time after service termination. Finally, the contract must oblige the service provider to return or destroy any customer data once the service termination is complete.
The service contract between the service provider and the consumer is expected to explicitly state that all data is the property of the customer and the service provider does not acquire any licenses or rights to the customer’s data based on the transaction.
The restriction of any security interest in the customer’s data by the service provider should also be noted.
The service provider may request to use the customer’s name, logos or trademarks for the service providers’ own advertisement purpose; while this can be occasionally granted, cloud service consumers must request than an approval be sought regarding the use of any of their associated brand or limit the use to the customer name without implying an endorsement.
Service Level Agreements (SLAs)
Guarantees for the service provision need to be detailed to provide for the minimum amount of uptime, the process, and the timescale associated with correcting the downtime. Consequences for falling outside the agreed SLAs need to be precise and detailed.
Disclaimer of warranty
The service contract is expected to guarantee that the provided service operates correspondingly to its specifications without breaching the rights of any third party as a basic minimum requirement.
If these kinds of warranties are absent in a service contract, an enforceable assurance of the service functionalities is not possible, or the service provider even has the authority to provide the service.
If a service failure event occurs or a liable action is taken against the cloud consumer, without such warranties, the consumer will not have any legal recourse against the service provider.
Some service provider contracts require indemnification for the service provider in the event of illicit third-party actions, together with the consumer’s actions.
The cloud service consumer must ensure that this liability is not voluntary accepted, although it does not constitute adopting and extra liability as the customer is liable to face legal action over the third-party content.
Service provider contracts rarely outline any indemnification that benefits the customer, despite legal protection being essential in a minimum of two scenarios – third-party intellectual property rights infringement and a breach or unauthorized disclosure of sensitive customer data.
In both the scenarios, the responsibility lies solely with the service provider, and defending or remedying the situation can prove extremely costly.
Care must be taken by the cloud service consumer to ensure that the prospective service provider is ready to accept liability in either scenario before a decision is being made.
The cloud service consumer must ensure that the rights of the service providers to modify services are required must be made limited to those services that would not expose the consumer to service deterioration even if the service providers reserve the right to modify their services as they deem them fit.
URL terms incorporation
Beyond advertised contract terms advertised on the service provider’s website and other related avenues, legal information, legal information should rather be maintained within the confines of the service contract.
In the case where service providers cannot provide this, an advanced and individual notice of such a change should be incorporated, with the option of termination of service provided to the customer without penalties, if such amendments are materially detrimental to the requirements of the customer.
It is expected of a service contract to provide advanced notice of any changes to terms and conditions in the renewal, and automatically renew with the option of termination on short notice within a specified period of time after the automatic renewal.