Cloud Contracts - Let the Buyer Beware
An academic study of cloud contracts has highlighted numerous areas of risk for customers who might be tempted to sign up to vendors’ standard terms of business without negotiating the detail.
The study was conducted by the ‘Cloud Legal Project’ at Queen Mary, University of London, which reviewed 31 sets of standard terms from 27 different vendors. It identifies five key issues which it says customers should assess with care when evaluating potential cloud providers, particularly if they’re contemplating moving business-critical data into the cloud. Here are the five areas highlighted:
1. The ‘CIA Triad’ of data security
The ‘CIA Triad’ is confidentiality, integrity and availability.
‘Confidentiality’ refers to the customer’s expectation that its data won’t be released to third parties, whether in error (e.g. because of security deficiencies) or through deliberate disclosure (e.g. because the vendor would rather make information available than expend time and money resisting requests which could become litigious).
‘Integrity’ means prevention of data loss or corruption.
‘Availability’ is the assumption that storage or processing (or whatever service the customer has bought) will work when required.
The Queen Mary study found that in many contracts responsibility for confidentiality and integrity was expressly placed on the customer. This was despite customers in most cases having to rely on vendors’ own security systems because of the need to decrypt data during active processing. Standard terms of business also tended to allow vendors to disclose data ‘in their sole discretion’ rather than in more limited circumstances, such as where legally compelled to do so, having given the customer prior notice.
Terms relating to cloud-service availability were usually contained in service level type agreements and, while many of these appeared attractive at first glance, most were qualified by carve outs for things like non-time-bound ‘scheduled’ maintenance, software failures regardless of cause and broadly defined force majeure events.
2. Location of Data
An important consideration for every cloud service customer should be the location at which their data will be stored. This is particularly relevant to European companies who will be subject to data protection restrictions on the export of personal data outside the European Economic Area.
The Queen Mary study found that many cloud contracts did not specify location restrictions and, even where an option was provided to select a country or region, the vendor rarely went so far as to warrant compliance with this in its terms of service.
3. Jurisdiction and Governing Law
Around half of the contracts examined in the research were governed by US law. Almost all gave the vendor’s home (or relevant US state’s) courts exclusive jurisdiction to hear disputes - meaning that customers outside the vendor’s jurisdiction would have to travel to a foreign court to argue their claims under unfamiliar laws.
4. Limitation of liability and other exclusions
Of the 31 contracts examined, not one offered a refund of charges as a remedy for service failure. In most cases the sole remedy was service credits, but only for use against future spend and even then usually capped at one month’s standard billing.
Most vendors also excluded liability for damage arising from use of the service, including any indirect or consequential loss. Those that didn’t exclude liability altogether tended to cap it at a level equivalent to around one month’s charges.
Of course for most customers, damages from service failures will generally be indirect - in the form of lost orders. It appears however that, even where these are not excluded altogether by the vendor’s terms of business, they will usually be capped at a level way below the likely value of the actual loss suffered by the customer.
The study points out that, taken together, these issues expose customers to significant risk and put them at a severe disadvantage in the event of dispute.
There was also a fifth area of concern, which arises from vendors’ typical approach to amending their terms.
5. Variation of terms
Many standard terms permitted vendors to vary the contract simply by posting an updated version on their website, in which case acceptance by the customer was deemed to have been given through continued use of the service. As with standard website terms of use, this effectively compels customers to review vendors’ terms regularly. Even then, the customer has little recourse if it objects to the changes except to take its business elsewhere, which may or may not be practical at short notice.
The study concludes that while cloud based services are highly attractive, the sector remains relatively undeveloped and customers should not lose sight of the need for appropriate due diligence before signing up to legal terms which may impact business-critical functions.
Vendors themselves should also be wary of course, given the limits under the Unfair Contract Terms Act (in the UK) on the enforceability of standard terms of business. Other legislation imposes similar restrictions in many other EU member states.
27/01/2011