SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement...
Transcript of SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement...
![Page 1: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/1.jpg)
SaaS, PaaS and IaaS: Evaluating Cloud Service
Agreement Models, Negotiating Key Terms,
Minimizing Contract Disputes
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
WEDNESDAY, APRIL 17, 2019
Presenting a live 90-minute webinar with interactive Q&A
Nathan Leong, Lead Counsel, U.S. Health & Life Sciences Legal, Microsoft, Chicago
Michael R. Overly, Partner, Foley & Lardner, Los Angeles
David W. Tollen, Founder, Tech Contracts Academy, San Francisco
![Page 2: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/2.jpg)
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-961-8499 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can address
the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
![Page 3: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/3.jpg)
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 2.
FOR LIVE EVENT ONLY
![Page 4: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/4.jpg)
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-
hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a
PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
FOR LIVE EVENT ONLY
![Page 5: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/5.jpg)
![Page 6: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/6.jpg)
6
![Page 7: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/7.jpg)
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
7
![Page 8: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/8.jpg)
“a fancy way of saying stuff’s not on your computer.” *
*Quinn Norton, “Byte Rights,” Maximum PC, September 2010, at 12.
8
![Page 9: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/9.jpg)
9
![Page 10: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/10.jpg)
10
![Page 11: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/11.jpg)
• Software as a Service (“SaaS”)
• Platform as a Service (“PaaS”)
• Infrastructure as a Service (“IaaS”)
11
![Page 12: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/12.jpg)
Single Family Residence Condo Shared Patio Outdoor Kitchen
Restaurant – self-cook raw meat buffet
Restaurant – kitchen menu
Chef Chef Chef Chef
Meat, Veggies, Cookware Meat, Veggies, Cookware Meat, Veggies, Cookware Meat, Veggies, Cookware
Grill, Gas, Hood Grill, Gas, Hood Grill, Gas, Hood Grill, Gas, Hood
Traditional Software IaaS PaaS SaaS
Facility responsibility
Customer responsibility
12
![Page 13: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/13.jpg)
Mitigating Risk inCloud Computing:
Warranties and SLAs
Michael Overly, Esq., CISA, CISSP, COP, CIPP, ISSMP, CRISC
© 2018 Foley & Lardner LLP 13
![Page 14: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/14.jpg)
Most Important Preliminary Steps
Set expectations on both sides
Conduct a risk assessment
Determine your requirements
© 2018 Foley & Lardner LLP 14
![Page 15: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/15.jpg)
Setting and Managing Service Levels
© 2018 Foley & Lardner LLP 15
![Page 16: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/16.jpg)
Service Level Overview
Identify what is important
Understand the vendor limitations
How will performance be measured and reported?
What are your remedies (what is the vendor’s incentive to perform)?
– SLAs as a sword or shield?
© 2018 Foley & Lardner LLP 16
![Page 17: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/17.jpg)
Service Availability
The most important metric
How is it measured?
Ping v. actual functionality
Over what period of time?
Beware extensive exceptions
© 2018 Foley & Lardner LLP 17
![Page 18: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/18.jpg)
Service Availability
Goals v. requirements?
What about force majeure?
“Routine Maintenance”
Service Level Credits
Exclusive remedies
© 2018 Foley & Lardner LLP 18
![Page 19: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/19.jpg)
Other SLAs Response time
– Absolutely key to user experience
– How many simultaneous users?
– Link to known indexes (Keynote and Google PageSpeed)
– Measurement time is key
© 2018 Foley & Lardner LLP 19
![Page 20: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/20.jpg)
Other SLAs
Other services levels?
– RTO
– RPO
– Support
© 2018 Foley & Lardner LLP 20
![Page 21: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/21.jpg)
Have Appropriate Warranties
© 2018 Foley & Lardner LLP 21
![Page 22: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/22.jpg)
Warranties Warranty duration
What is warranted?
– Cloud service, itself
– Professional services
– Support services
© 2018 Foley & Lardner LLP 22
![Page 23: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/23.jpg)
Warranties The services will perform in
accordance with the specifications and, to the extent not inconsistent, provider’s documentation
All services will be provided in a timely, workmanlike manner, in compliance with industry best practices
© 2018 Foley & Lardner LLP 23
![Page 24: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/24.jpg)
Warranties
The provider will provide adequate training, as needed, to client on the use of the services
The services will comply with all federal, state, and local laws, rules, and regulations
© 2018 Foley & Lardner LLP 24
![Page 25: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/25.jpg)
Warranties The services will not infringe the
intellectual property rights of any third person
The services will be free from viruses and other destructive programs
There is no pending or threatened litigation involving provider that may impair or interfere with the client’s right to use the services
© 2018 Foley & Lardner LLP 25
![Page 26: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/26.jpg)
Warranties
The provider has sufficient authority to enter into the agreement and grant the rights provided in the agreement to the client.
Provider will not permit possession or access to Customer data outside the United States.
© 2018 Foley & Lardner LLP 26
![Page 27: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/27.jpg)
Questions?
Michael R. Overly, Esq., CISA, CISSP, COP, CIPP, ISSMP, CRISC
Partner
Foley & Lardner LLP
(213) 972-4533
© 2018 Foley & Lardner LLP 27
![Page 28: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/28.jpg)
David W. Tollen
Training on drafting and negotiating IT agreements – for lawyers and
businesspeople
www.TechContracts.com
415-278-0950 x1
San Francisco
IT contracts and privacy; expert witness services
www.SycamoreLegal.com
415-278-0950 x1
San Francisco
![Page 29: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/29.jpg)
Additional Resources
Tech Contracts Academy™: training on drafting & negotiating IT contracts, TechContracts.com
The Tech Contracts Handbook: easy, simple, comprehensive
TechContracts.com: free resources – sample language, articles, etc.
Sycamore Legal, P.C.: legal services re IT contracts, expert witness servicesSycamoreLegal.com
29
![Page 30: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/30.jpg)
Outline
DATA TERMS IN IT CONTRACTS
1.Data “Ownership” and its Limits
2.Data Control
3.Data Security
4.A Few Customer Concerns re Data Breach Indemnities
30
![Page 31: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/31.jpg)
Data “Ownership”The problem: you can’t really own data
What to do about ownership?
• Ownership Acknowledgement – or assignment if applicable
• IP-Related “Confirmations”
Valuable property
Trade secrets
Original compilation under copyright
Substantial resources collecting, managing, compiling – under copyright
Plus ownership of derived data & derivative works …
TRADESECRET!
31
![Page 32: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/32.jpg)
Data Control Issue #1:Restrictions on Use
Solely to serve customer
For vendor purposes too
Analysis & reporting
Improving products/services
Publication and sale
• Restrictions on marketing w/ data
• Aggregate data
De-Identified: all PII removed
Truly Anonymized: PII removed an no key/code available to recreate it
32
![Page 33: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/33.jpg)
Data Control Issue #2:Restrictions on Use
• Subcontractor & employee access
• Customer access
• Moving data
• Termination and deletion of data
• Compliance w/ applicable law
GDPR
Other privacy laws: GLBA, HIPAA, FCRA, etc.
33
![Page 34: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/34.jpg)
Data Control Issue #3:E-Discovery
• E-Discovery
Making sure the vendor doesn’t get you in trouble by deleting relevant data
Making sure your opponent in litigation can’t subpoena the vendor
This is you, in trouble with the court over e-discovery. (Not really,
but it isn’t pretty.)
34
![Page 35: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/35.jpg)
Data Security
• Technical Security: big kahuna
• Audits & Testing: SOC-1/SSAE-16, SOC-2, SOC-3, ISO 270001 – outside CPA professionals
• Background Checks: for employees and contractors
• Data Breach Response
35
![Page 36: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/36.jpg)
Data Breach Indemnity and theFault Problem
In a fault-based indemnity, the indemnitor has an incentive to blame the indemnified party—even while defending! (Interests are not shared!)
When the breach happens, and possibly through much of the litigation, no one knows who’s at fault.
Possible solutions
• Fault-based anyway (common)
• Indemnity based on whose computers leaked (problematic)
• Limit of liability covers indemnity
• No indemnity
36
![Page 37: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/37.jpg)
© 2019Tech Contracts Academy™
LLC
Graphics courtesy of Pixabay: www.Pixabay.com
37
![Page 38: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/38.jpg)
38
![Page 39: SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement ...media.straffordpub.com/products/saas-paas-and-iaas-evaluating-clo… · David W. Tollen Training on drafting and negotiating](https://reader034.fdocuments.net/reader034/viewer/2022042321/5f0b3cbf7e708231d42f85e5/html5/thumbnails/39.jpg)
39