Gartner wrote this interesting piece recently called the “Rights and Responsibilities for Consumers of Cloud Computing Services” and published it in the Cloudbook. It is worth a read, and I also have added some of my insights on how and where to address the issues (what should be in the cloud agreement/cloud contract and what is more of a policy statement/communication issue).
1) Retain Ownership of Data. This is covered ground, and nothing new to most people. I think all cloud agreements should address this issue as clearly as possible, so everyone knows who owns what, and how and when data can be returned to the customer. Oh yea, there is already litigation on this issue, so this is an important issue! Recent Case (see page 4). (Address in Cloud Agreement)
2) Service Level Agreement. This one too is nothing new, as service level agreements have been around forever. I think the SLA should be in the cloud agreement, and not left to a policy statement. (Address in Cloud Agreement)
3) Notification of Changes to the Service. This is a great idea, and cloud vendors really should communicate about (but let’s add material or significant) change to their service (i.e. ones that would impact their customer or that they would want/should know about). I think the key here is for the vendor to be as transparent as possible, so there aren’t any missed expectations (that is what often leads to disputes and litigation). This too is a communication or policy thing, so it does not need to be in the cloud agreement. (Address via Communication)
4) Understand the Technical Limitations. Gartner is suggesting here that the vendor educate their customer on architecture and technical issues that they should know about. This seems like a no brainer, and is something that every cloud vendor should do as part of selling and supporting their service. (Address via Communication Before and After the Sale)
5) Understand the Legal Requirements of Jurisdictions Where Service Provider Operates. In essence, Gartner is saying that the cloud vendor should tell their customer where their data resides, and handle any legal and privacy issues associated with the transfer of customer data. This seems like a reasonable expectation, and also sounds more like a policy statement (not something that necessarily needs to be in the cloud agreement . . . other than some type of vendor warranty that “they will comply with all applicable laws regarding their performance under the agreement”). (Address via Communication Before and After the Sale)
6) Know the Security Process the Provider Follows. While this is usually not a contractual issue for a cloud agreement, I think it should be a policy statement wherein vendors communicate what they are doing to secure the customer data. (Address via Policy Statement)
7) Understand and Adhere to Software License Requirements. The issue here is that software vendors should communicate if they allow their customer’s to move their licenses from an on-premise license to the cloud. I find that this is more of a policy statement by a vendor, but it should be documented (if the transfer or use/access is allowed) in an addendum or some type of legal agreement. (Address via Communication and in an Amendment)
All in all, I think this is a great current and short list of many of the important issues to consider when working with a cloud vendor. However, it seems like these lists keep changing and everyone (including me) is still trying to figure out what the most important issues are, and how to address them appropriately.
Resources (lot’s of these Bill of Rights things out there!):
Legal Disclaimer: This does not constitute legal advice, and is provided for educational or informational purposes only.