Would you agree to a service-level agreement (SLA) where outages for a cloud service of up to 30 minutes would not be considered downtime? Would you sign a contract that, on termination of a service, gave no opportunity to retrieve your data – not even one day?
Would you use a service provider that exempted itself from any form of liability for losing or deleting your data?
Few enterprises would agree to such arrangements with a systems integrator or an IT outsourcer, yet these terms were included in service-level agreements for cloud computing services available in the market today.
Sydney law firm Truman Hoyle surveyed 25 SLAs for cloud computing services targeting the corporate market. The project, led by technology and intellectual property law partner Mark Vincent, found huge variations in the terms and conditions buried in the legal documents – even in the governing jurisdiction, which ranged from Australia to Singapore to Britain.
The lack of a standard model for cloud computing agreements showed the immaturity of the industry and how much further it needs to travel before companies can use cloud services with a reasonable guarantee of fairness.
No choice in law
The white paper “Cloud Computing Contracts – A Survey of Terms and Conditions” was written by Vincent and two colleagues in early 2011 and surveyed contracts from infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) providers.
Vincent released the white paper at a seminar in the Hilton Hotel, Sydney, in conjunction with CRN’s sister site iTnews.com.au and vendor VMware. While all services were available to Australian companies, the choice of law for the SLAs was not always the local code. Providers typically choose the country where the main office is located as the only location and legal framework for settling disputes.
Vincent said the study revealed that more than half the contracts looked to overseas jurisdictions for exclusively resolving disputes.
The contracts were split between the US (11), Australia (10), Singapore (2) and Britain (1). This meant that in the case of a dispute, the matter would be settled in a court of the jurisdiction in which the contract was formed.
Providers with a strong multinational presence specified the choice of law as being the place where the transaction is performed.
The disadvantages of resolving a dispute in another country are obvious. Australian companies are unlikely to be familiar with law elsewhere and would face the cost and inconvenience of employing a legal team in the chosen country.
Data location, location, location
Vincent also highlighted the well-known problem of regulatory restrictions on personal data being sent offshore. One problem with cloud services is that because data and computing resources are constantly shifting between locations, even the providers can find it difficult or impossible to say where data or an application is going to reside.
Under the Privacy Act, personal information is data from which the identity of a person can be established. Tough restrictions in large, developed countries have seen the growth of cloud service providers that can guarantee data will remain within the US or the European Union.
However, “Australia has a limited population and it’s unlikely that these public cloud offerings will be offered only in Australia,” Vincent said. The efficiencies from regional solutions, such as cheap electricity and cheap labour, would be lost to Australia-only cloud providers.
Personal information can only leave Australia if consent has been given to the transfer; if the transaction benefits the individual and it is impractical to obtain consent but likely that it would be given; or if reasonable steps have been taken to ensure the information won’t be used inconsistently with the National Privacy Principles.
A proposed update to the privacy laws in Australia would require that the discloser take reasonable steps to ensure an overseas recipient would not breach the National Privacy Principles.
Say it with an SLA
More worrying was the discrepancy in terms for SLAs among the 25 contracts. Some providers had redefined downtime to exclude outages of less than 10 minutes.
One provider extended the minimum to 30 minutes.
Rather than take a guaranteed percentage uptime on faith, “customers need to examine the track record of service providers”, Vincent said. Damages were typically paid as a credit against the service fees paid or payable. These ranged from the generous (100 percent if percentage uptime in a month is less than 95 percent) to the stingy (5 percent per 60 minutes of monthly accumulated downtime).
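To make the credit arithmetic concrete, here is an added example (not part of the survey or this article) that models the exclusion-threshold and credit clauses quoted above against a constructed outage log; the 30-day month and the outage durations are assumptions.

```python
# Added example, not from the Truman Hoyle report: how a downtime-exclusion
# threshold and a credit schedule (figures quoted in the article) turn an
# outage log into a claimable service credit. The outage log is constructed.
from dataclasses import dataclass

MINUTES_IN_MONTH = 30 * 24 * 60  # assumption: a 30-day month


@dataclass(frozen=True)
class Outage:
    start_min: int      # minutes from the start of the month (constructed)
    duration_min: int


# Constructed month: twelve 25-minute outages plus one 45-minute outage.
SAMPLE_OUTAGES = [Outage(start_min=d * 1440, duration_min=25) for d in range(12)]
SAMPLE_OUTAGES.append(Outage(start_min=20 * 1440, duration_min=45))


def counted_downtime(outages, exclusion_min=0):
    """Downtime the SLA recognises: outages shorter than the threshold vanish."""
    return sum(o.duration_min for o in outages if o.duration_min >= exclusion_min)


def availability_pct(downtime_min):
    return 100.0 * (MINUTES_IN_MONTH - downtime_min) / MINUTES_IN_MONTH


def downtime_to_breach(uptime_pct):
    """Minutes of recognised downtime before monthly uptime falls below uptime_pct."""
    return MINUTES_IN_MONTH * (100.0 - uptime_pct) / 100.0


def credit_generous(availability):
    """'100 percent if percentage uptime in a month is less than 95 percent'."""
    return 100.0 if availability < 95.0 else 0.0


def credit_stingy(downtime_min):
    """'5 percent per 60 minutes monthly accumulated downtime', capped at 100."""
    return min(100.0, 5.0 * (downtime_min // 60))


def assess(outages, exclusion_min):
    """Return (recognised downtime, availability %, generous credit %, stingy credit %)."""
    down = counted_downtime(outages, exclusion_min)
    avail = availability_pct(down)
    return down, round(avail, 2), credit_generous(avail), credit_stingy(down)


if __name__ == "__main__":
    print(f"downtime needed before the 95% clause pays: {downtime_to_breach(95.0):.0f} min")
    for threshold in (0, 10, 30):
        down, avail, gen, stingy = assess(SAMPLE_OUTAGES, threshold)
        print(f"exclusion <{threshold:>2} min: downtime {down:3d} min, availability "
              f"{avail:.2f}%, credit generous {gen:.0f}% / stingy {stingy:.0f}%")
```

With the 30-minute exclusion, the same month of outages shrinks from 345 to 45 recognised minutes and the per-hour credit drops to zero; the 95 percent clause does not pay until 36 hours of recognised downtime accumulate.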
Many of the contracts contained terms which state that data and services will be unavailable during scheduled maintenance, either at particular times or after a notice period provided by the provider. However, some providers had removed the scheduled downtime exception from their SLAs and also removed threshold limits of unscheduled downtime before customers could claim service level credits.
“This is done to overcome the apprehension potential customers may have that by moving to public cloud model they will be vulnerable to experiencing unexpected downtime,” Vincent wrote in the report.
Security was one area where cloud providers exceeded the norm in the IT industry. Vincent said most of the contracts failed to say which security standards applied. Some specifically rejected a commitment to provide security.
“The service is provided with no warranties regarding security, reliability, protection from attacks, data integrity, or data availability,” one contract stated. Other contracts required the customer to implement security measures to protect their data using encryption and maintaining backups.
However, in practice many providers followed world’s best practice. “Despite lack of specificity in most contracts, global providers offer better and more sophisticated security standards than individual companies could achieve,” Vincent said. By contrast, a recent audit review of security patches found 40 percent of government departments weren’t up to date.
The get-out clause
Traditional outsourcing agreements go into detail outlining the process of leaving a provider. By comparison, Truman Hoyle found cloud computing contracts that failed to provide any framework for leaving a service. Five of the 25 contracts gave no days at all to remove data. The best case was 90 days.
If a customer had chosen to terminate an agreement it could make plans to retrieve the data before the service period expired. However, if the termination was by the provider or was inadvertent, customers could struggle to access their data.
The report noted that “virtually all” contracts surveyed allowed the vendor to terminate the agreement immediately for cause in at least some circumstances. Of these, only one specifically gave the customer the right to retrieve its data in those circumstances.
Vincent thought “there would be movement” within the terms of contracts as there was evidence of vendors competing on terms and conditions. He said he had seen press releases from vendors announcing maintenance would be undertaken on the vendor’s time, or promises of no downtime.
The transition clauses were definitely expected to improve. “Those promises the industry makes about transition out will have to get better,” Vincent said.
Cloud computing providers also gave themselves very generous terms for limiting liability. The most common scenario was to cap losses at one year of fees, Vincent said.
Exposure to liability should be reasonable based on the type of service offered, Vincent said. A highly standardised or commoditised service with known risks would likely come with tight limitations on liability. This was because a commoditised cloud computing provider would need to manage the potential risk across its customers to afford a mass-consumption service.
Vincent pointed out that if a similar service were being supplied by an in-house IT department there would be no ability to claim damages in the case of data loss or downtime. All the risk of a service failing could not be borne by the reseller.
“There will be no wholesale opening up of liability that vendors will take on. Commercial services need predictable amounts of exposure. Suppliers are not insurers,” he said.