Nine Ways To Manage Risk in Your Cloud Contracts

When purchasing cloud computing services, here are nine practical considerations to manage your business and legal risks to ensure successful adoption of this emerging compute model.

These recommendations were presented at the San Francisco-based CloudCon Expo by Riaz Karamali, legal expert and partner at Sheppard Mullin Richter & Hampton LLP.

Mr. Karamali first suggested that if click-through terms do not fully meet your needs, writing the initial cloud contract to “factor in your business realities, compliance requirements and expectations” is the best way to ensure that your unique needs are met.

While cloud services vendors usually offer one-size-fits-all terms, be sure to negotiate all ways to mitigate your risk.

The following checklist of nine practical tips can help you do that.

1 ) Performance
Service level agreements usually include uptime, service availability, and even quality or accuracy of deliverables. Exceptions are made for emergencies, routine maintenance and force majeure events like acts of God. Remedies often include service credits. But depending upon service or data loss and its impact on your business, actual damages might be a better option. Requesting root cause analysis can help determine and prevent future breaches. And termination rights need to be included as a final remedy.

2 ) Data Security
Terms should consider outside attacks, malicious insiders and human errors. Sometimes a breach from a disgruntled employee might be worse than one from an outside attack and needs to be considered.

3 ) Data Privacy
You should consider the nature of the data and where collected, stored and processed, relative to your specific needs and compliance requirements. It is also important to know which laws govern your data privacy and what the vendor obligations are. Example of laws governing data privacy include

In U.S.: Electronic Communications Privacy Act (ECPA), Health Information Privacy (HIPAA) and HITECH ActsGramm-Leach-Bliley ActFTC Act, state data breach notification laws.
In European Union: EU Data Protection Directive

4 ) Force Majeure and Disaster Planning
Force majeure is an “event that is outside the control of the parties, such as a natural disaster or war, that causes a party to be unable to perform its obligations under the contract.” Force majeure events can be used as an excuse for non-performance, and therefore should be carefully defined and addressed in your cloud contract terms. And every cloud services vendor should have a disaster recovery plan that addresses contingency plans to be followed in the case of possible foreseeable force majeure events. But there are rarely any “guarantees!”

5 ) Interoperability
In sourcing multiple cloud vendors for the same services, ensure that your vendors will be able to work with each other. Don’t forget coverage for post-termination transfer of data. Data transfer between clouds can be labor-intensive in the absence of uniform data standards. It is most important to ensure reliable and timely access to your data and clarify your versus your vendor’s responsibilities.

6 ) Liability and Indemnification
Limits on liability will address the type and amount of liability, with negotiated exceptions. Remedies for liability must also be specified, and the vendor should be required to cover appropriate insurance for the benefit of the customer.

7 ) Audit Rights
Contract terms should include audits to evaluate billing procedures, security systems and legal compliance over the life of a cloud services agreement. Vendors typically offer the Service Organization Control (SOC) 2 Report under SSAE 16 Auditing standard. The SOC 2 report evaluates a service provider’s controls with respect to system security, availability, processing integrity, confidentiality, and privacy. This is a good start, but it is often important to negotiate for additional audit rights allowing for inspections to be conducted by the customer or its representatives.

8 ) Long Term Issues
When choosing a cloud services provider, consider stability, possibility for acquisition, termination of service and any other transition that will affect or end your service relationship.

9 ) Intellectual Property Ownership
In a Software as a Service model, intellectual property ownership is clear in that the vendor owns the application and you own your data. But with other cloud service types, customization of applications and other contributions which you as the user build into the solution must be factored in.

Mr. Karamali summarized by stating that it is practically impossible for a customer to eliminate all risk or to win on all points in a negotiation. On any given legal point, the customer needs to understand and assess the likely risks and then make a pragmatic business decision.

Follow @JacquelnVanacek for how to launch and optimize your cloud computing investment. 

This post originally appeared on Forbes.