Beyond the Fine Print: Four Hidden Pitfalls in Cloud Agreements

It is arguable that standard contracts for the provision of cloud and managed services have improved over the years, becoming more balanced and fairer to customers. However, users of cloud services should still be aware of certain time bombs concealed by some cloud vendors in their standard contracts. This article discusses a few examples of these hidden pitfalls and what can be done about them. 

1. Frustrated Backups 

It is not unusual for cloud computing agreements to require customers to acknowledge and agree that they, the customers, are solely responsible for ensuring their data is backed up, including any necessary configuration, monitoring and management of the backup and recovery process. In the same paragraph of the agreement, the cloud vendor may then say that it, the vendor, has no responsibility or liability for backing up any data (including customer data), nor for the adequacy, completeness or security of any backup made by the customer or the customer’s ability to successfully recover the data. All well and good, and arguably part of the “shared responsibility” model that many cloud vendors espouse.

However, from a purely practical and technical perspective, such a model is actually a bit of legal sleight of hand—or skillful deception. Unless the cloud vendor willingly provides the customer with the necessary application programming interfaces (“APIs”) or other technological means to interface with the vendor’s cloud systems, there will be no way that a customer can actually back up the data held by its cloud vendor nor return any data back into the cloud vendor’s systems to resume operations. Frustrating and worrisome, this model can cause a considerable business risk for customers who need the peace of mind of knowing that their critical data is always available. Moreover, even if the cloud vendor does back up the customer’s data for a limited period of time, there is no guarantee that such time-limited backups will comply with an individual customer’s own legally mandated data retention obligations, which will depend on the laws and regulations applicable to the customer’s business. 

Therefore, during the negotiation process, savvy cloud customers should demand that their cloud vendors make available such backup-and-restore APIs and other software necessary before agreeing to any shared-responsibility-model statements and should stipulate this obligation in detail in their cloud contract. Furthermore, to ensure this activity continues during the life cycle of the contract, the client’s counsel should expressly draft an additional clause obliging the cloud vendor to provide the necessary APIs to perform granular backups and restores from the cloud vendor’s system on an ongoing basis, permitting the customer to meet its own regulatory requirements (particularly financial institutions and governmental entity customers) and any contractual obligations between the parties.

2. Who Has the Keys to Customer Data?

These days, many cloud contracts are more transparent about the fact that the cloud provider is reliant upon other third-party companies, such as Amazon Web Services, to host their cloud services (“hosting vendor”). However, the downside of such acknowledgment is that the same cloud vendors often endeavour to expressly limit (and disclaim) any liability for the actions and omissions of such hosting vendors, and any compliance by such hosting vendors with the negotiated terms of the cloud contracts (often because such vendors state that they have little practical control over such hosting vendors).

This development is more problematic in that actual cloud contracts may be silent as to the protections that are put in place between the cloud provider and its third-party hosting vendors. Such hosting vendors may not even be considered “subcontractors” for the purposes of the contract, depending on the relevant definitions. Gaps may ensue. For example, does the cloud vendor expressly state that all client data transferred to the hosting vendor is encrypted in flight, at rest, and stored encrypted by the hosting vendor? If so, does the hosting vendor have the encryption keys to decrypt data in order to provide necessary maintenance and support services? If it does, this right could serve as a back door for the hosting vendor to access the customer’s data. 

It may sound obvious, but cloud customers should pay special attention to cloud vendor attempts to carve out liability for their hosting vendors and should conduct additional due diligence to better understand the contractual and security protections in place between such parties.

3. AI or Not?

The use of artificial intelligence (“AI”) technology has become ubiquitous for many cloud providers, but, unfortunately, many cloud contracts are less than transparent about such usage in connection with the cloud providers’ services. Cloud vendors’ embrace of such technology may raise a host of red flags involving concerns regarding customer data protection / data security; confidentiality; the provenance of the AI systems’ training data (synthetic or customer data?); and potential copyright and legal claims relating to such data, bias considerations, and the like. Alternatively, some cloud vendors hide behind entirely separate AI-focused, hyperlinked terms that contradict the main cloud vendor agreement and that generally seek to disclaim all responsibility and liability for the AI portions of the cloud vendor solution and any output (including services) provided through such AI solutions.

A detailed review of all of the critical contractual terms necessary and required for AI contracts is unfortunately beyond the scope of this article. However, all users of cloud services should be asking pointed questions regarding the use by the vendor of AI tools and systems; and if the answer to any of these questions is yes, then customers should review and vet their contracts through an AI lens and ensure their cloud agreement contains clear and protective contractual terms regarding data ownership, data security and usage of customer data. At a minimum, the cloud contract should include very clear guardrails and requirements as to how the cloud vendor can collect and analyze customer data and other information in connection with the cloud vendor’s provision of the services and how the cloud provider will be using information concerning customer data and derived data to improve and enhance its services. Such guardrails should address the use of any personal information provided by the customer, which if permitted by the customer, should include requirements to anonymize such data.

4. “Hotel California” Exits

The lyrics contained in the classic Eagles’ song “Hotel California” that state “[y]ou can check out any time you like you like[,] [b]ut you can never leave” still apply to the treatment some cloud providers give to customers following the termination of their cloud contracts. Simply put, many cloud vendors not only make it less than easy for the customer to sever its ongoing relationship, but also take the opportunity to extract certain revenge.

This retribution can take many forms, assisted by the fact that most standard cloud agreements either remain resolutely silent on the exit process or devote a few insufficient sentences mainly ensuring that the cloud vendor receives its outstanding payments. Too often cloud providers merely provide clients with the opportunity to retrieve their data during a very short window of time (30 days or less), and remain mum on everything else associated with an orderly wind-down and exit from a long-term business relationship.

For example, most contracts lack contractual commitments on the part of the cloud vendor ensuring that it shall maintain its service levels and provide prompt support during the exit period. Most cloud providers do not commit that the data being made available for retrieval by customers is in a format accessible and useful to the client (and any replacement cloud vendor) and do not commit that the existing cloud vendor will be required to actively assist the client to securely migrate its data back to the client’s own cloud or to another third-party vendor cloud. Practically, will the customer truly be able to claw back all its proprietary information, confidential information and personal information from the cloud vendor—or is this technically impossible given the ingestion of such data through the vendor’s services and systems? Furthermore, if the cloud vendor is using AI tools and processes, what elements of client data, derived or otherwise, will continue to be used by the vendor post-termination? High-dollar-value-negotiated cloud agreements may contain these details, but many standard lower-value cloud agreements do not adequately address these concerns, which is problematic considering the strategic value and importance of such data to the customer.

Unfortunately, experience has shown that while some forward-thinking cloud vendors will remain helpful during this sometimes-difficult transition period, it is entirely preferable (and strongly recommended) that clients seek express commitments from their cloud vendor to ensure continuity of service with no service degradation and, as required, other business requirements through a more robust transition plan (or at least the process to arrive at such a plan) to better protect client interests.

Conclusion

To conclude, while standard-form cloud computing agreements have definitely become more balanced during the past several years, there is still room for improvement. The client’s legal counsel, working with the company’s business and technical personnel, should continue to play a critical role in this process. For more information about these and other pitfalls pertaining to cloud computing agreements, please contact Lisa R. Lifshitz at Torkin Manes LLP.