Presenting a live 90-minute webinar with interactive Q&A

SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement Models, Negotiating Key Terms, and Minimizing Contract Disputes

WEDNESDAY, APRIL 19, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
Megan Smith Demicco, Kilpatrick Townsend & Stockton, Atlanta
Monique McNeill, Commercial Counsel, Novelis, Atlanta
© 2017 Kilpatrick Townsend
Agenda
Negotiating the Cloud
• Overview of the Cloud
• Services & Service Levels
• Securing the Cloud
• IP Ownership / IP Infringement in the Cloud
• Limitation of Liability
• Access to Data & Return after Termination
• Insurance as Risk Mitigation
• Other Considerations
A Brief Overview of the Cloud

cloud com·put·ing (noun)
1. the use of a network of remote servers hosted on the Internet to store, manage, and process data, rather than local servers or personal computers.
Common Service Delivery Models

SaaS: Software as a Service
  Consumer uses provider’s applications running on provider's cloud infrastructure.
  Examples: Google Docs, Gmail, Salesforce CRM

PaaS: Platform as a Service
  Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.
  Examples: Microsoft Azure, Spring Source, Google App Engine

IaaS: Infrastructure as a Service
  Consumer can provision computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications. Allows for dynamic scaling.
  Examples: Amazon Web Services, RackSpace, VMware
Deployment Models

• Public Cloud: multi-tenant, massive scale, pay for use, multi-datacenter redundancy
• Private Cloud: single tenant, may be hosted internally or externally by a third party; allows a greater degree of control of data and systems
• Hybrid Cloud: use of public cloud, while keeping other IT resources on-premise or in a private cloud
Informed Tradeoffs

• How critical is the cloud service?
• How confidential is the data?
• What service levels are being offered?
• Can the provider meet your company’s expectations?
• What are the economics of the transaction?
• What is the relative bargaining position of the parties?
• Are other alternatives available?
Transaction Risk Profile

(chart: Risk plotted against service criticality/data sensitivity; labels: Medium, High; “Nice to have” business tool; Mission critical application)
Negotiating the Cloud: Service Levels and Credits
Service Definition & Quality of Service

• “Battle” of the forms
• Definition of “Services” should permit customer the full use of the services and avoid surprise charges
• Interoperability & configuration, not customization
– Cloud providers generally limit customizations so Provider can more efficiently manage Services and provide a scalable solution
– Identify upfront if any customizations will be needed
Service Definition & Quality of Service

Ability to update service specifications
• “The Service descriptions are available at www.example.com. Vendor may change or otherwise update the Service descriptions at its discretion (including, without limitation, to reflect changes in technology, industry practices, patterns of system use, and availability of third-party content).”
• “The Service descriptions are available at www.example.com attached to the applicable order document. Provider may change or otherwise update the Service descriptions at its discretion (including, without limitation, to reflect changes in technology, industry practices, patterns of system use, and availability of third-party content); provided, however, that any such changes or updates will not result in a [material] reduction in the level of functionality, performance, security, or availability of the Service.”
Service Levels in the Cloud

• Why have SLAs?
• What to measure?
• When to measure?
• Where to measure?
• How to measure actual performance?
• Who will measure/report?
SLA Metrics

SLA Description                               | SLA Metric | Measurement Window | SLA Credit (% of Monthly Charges)
Availability                                  | 99.999%    | Daily/Monthly      | 10%
Severity 1 Incident Resolution within 2 hours | 99.000%    | Monthly            | 10%

• Availability
• Scalability
• Response times
• Problem escalation/resolution
• Carve-outs
• Monitoring/root cause analysis
• Disaster recovery – RTOs / RPOs
SLA Default – Remedies

• SLA Credits
– At risk amount
– Credited towards next month’s invoice
– Right to set off against fees
– Sole and exclusive remedy
• Right to Terminate
– For repeated failures of the same or different SLAs
– No termination fee
– No waiting or cure period
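As an added worked example (not part of the webinar materials), the Python script below measures the two SLAs from the metrics table over a monthly window and applies the remedies listed above: carve-outs are excluded from downtime, each SLA earns its own credit, aggregate credits are capped at the "at risk" amount, the credit is stated as a set-off against the next invoice, and a chronic-failure check backs the right to terminate for repeated misses. The 99.999% / 99.000% thresholds and the 10% credits come from the deck's table; the incident records, the reading of the Severity 1 metric as "share of Sev 1 incidents resolved within 2 hours", the 15% at-risk cap, the $10,000 monthly charge and the "3 misses in 6 months" trigger are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    """One outage record (constructed format for this example)."""
    start: datetime
    end: datetime
    severity: int            # 1 = Severity 1 incident
    carve_out: bool = False  # scheduled maintenance or other contractual carve-out


def downtime_minutes(window_start, window_end, incidents):
    """Unplanned downtime inside the window, clipped to its edges; carve-outs are not downtime."""
    total = 0.0
    for inc in incidents:
        if inc.carve_out:
            continue
        start = max(inc.start, window_start)
        end = min(inc.end, window_end)
        if end > start:
            total += (end - start).total_seconds() / 60
    return total


def availability_pct(window_start, window_end, incidents):
    """Availability SLA: percentage of the measurement window with no unplanned downtime."""
    window_min = (window_end - window_start).total_seconds() / 60
    return 100.0 * (window_min - downtime_minutes(window_start, window_end, incidents)) / window_min


def sev1_resolution_pct(incidents, target=timedelta(hours=2)):
    """Severity 1 SLA, read here as the share of Sev 1 incidents resolved within the target (assumption)."""
    sev1 = [i for i in incidents if i.severity == 1 and not i.carve_out]
    if not sev1:
        return 100.0  # no Sev 1 incidents in the window: nothing to miss
    met = sum(1 for i in sev1 if i.end - i.start <= target)
    return 100.0 * met / len(sev1)


def credit_pct(actual, tiers):
    """tiers = [(threshold_pct, credit_pct), ...]; returns the credit for the worst tier the actual value fell below."""
    return max((credit for threshold, credit in tiers if actual < threshold), default=0.0)


def monthly_sla_report(window_start, window_end, incidents, monthly_charges, at_risk_pct=15.0):
    """Apply the deck's two SLAs, cap aggregate credits at the 'at risk' amount, and state the set-off."""
    avail = availability_pct(window_start, window_end, incidents)
    sev1 = sev1_resolution_pct(incidents)
    credits = {
        "availability": credit_pct(avail, [(99.999, 10.0)]),    # from the table: 99.999%, 10% credit
        "sev1_resolution": credit_pct(sev1, [(99.000, 10.0)]),  # from the table: 99.000%, 10% credit
    }
    total_pct = min(sum(credits.values()), at_risk_pct)  # the 15% at-risk cap is a constructed value
    return {
        "availability_pct": round(avail, 4),
        "sev1_resolution_pct": round(sev1, 2),
        "credits_pct": credits,
        "total_credit_pct": total_pct,
        "set_off_against_next_invoice": round(monthly_charges * total_pct / 100, 2),
        "sla_missed": any(c > 0 for c in credits.values()),
    }


def termination_right(monthly_missed, threshold=3, lookback=6):
    """Chronic-failure trigger (constructed): True once `threshold` of the last `lookback` months missed any SLA."""
    return sum(1 for missed in monthly_missed[-lookback:] if missed) >= threshold


# Constructed sample data: one month of incident records for a hypothetical SaaS provider.
JUNE_START = datetime(2017, 6, 1)
JUNE_END = datetime(2017, 7, 1)
SAMPLE_INCIDENTS = [
    Incident(datetime(2017, 6, 10, 2, 0), datetime(2017, 6, 10, 3, 0), severity=3, carve_out=True),  # maintenance window
    Incident(datetime(2017, 6, 15, 14, 0), datetime(2017, 6, 15, 14, 45), severity=1),               # 45 min, resolved within 2 h
    Incident(datetime(2017, 6, 20, 9, 0), datetime(2017, 6, 20, 12, 30), severity=1),                # 3.5 h, missed the 2 h target
]


def sample_report():
    return monthly_sla_report(JUNE_START, JUNE_END, SAMPLE_INCIDENTS, monthly_charges=10_000.00)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
    print("termination right triggered:", termination_right([False, True, False, True, True]))
```

Running the script on the constructed data shows why the numbers in the table matter in negotiation: a 99.999% availability target allows roughly 26 seconds of unplanned downtime in a 30-day month, so a single 45-minute outage already breaches it, and with two SLAs each worth 10% the at-risk cap (not the per-SLA credit) is what actually bounds the provider's exposure. A customer reviewing the "sole and exclusive remedy" clause should check this arithmetic against its real loss from such an outage.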
Securing the Cloud: Security and Confidentiality

Stormy Times in Cloud & Data Security
Data Security—Contractual Requirements

Overview of Contractual Security Regime
• Specific data practices and limits
• Compliance with data security laws (e.g., Massachusetts’ security regulations, 201 CMR 17.00-17.05, HIPAA)
• Independent security standards (e.g., ISO 27001, PCI DSS, NIST) and “industry best practices”
• Security audits (e.g., SOC 1, SOC 2, SOC 3, Type I, Type II)
• Breach response requirements
Data Security—Contractual Requirements

Specific Data Practices and Limits
• Broad contractual terms that outline permitted use and prohibited use
• Internal policies relevant to data security
– Network security requirements
– Physical security requirements
• Ownership and return of data
• Data as “confidential information”
Data Security—Contractual Requirements

Compliance with Data Security and Privacy Laws
• Massachusetts’ security regulations
• 201 CMR 17.00-17.05
• HIPAA
• Gramm-Leach-Bliley
• EU Data Protection Directive
Data Security—Contractual Requirements

Independent Security Standards
• PCI DSS
• NIST
• ISO 27000 series
– 27001—requirements for information security management systems
– 27002—code of practice
– 27003—implementation guidance
• Industry best practices
Data Security—Contractual Requirements

Security Audits
• Customer audits
• Independent audits
– SOC 1 (SSAE 16)—internal controls over financial reporting
– SOC 2 (AT Section 101)—security, availability, processing integrity, confidentiality, and privacy
– SOC 3 (AT Section 101)—security, availability, processing integrity, confidentiality and privacy; less detail, fewer restrictions than SOC 2
– Type I report—design of controls at a point in time
– Type II report—design and testing over a period (i.e., operational effectiveness)
– General use reports
Data Security—Contractual Requirements

Breach Response
• Suspected vs. actual
• Responses:
– Notice of breach
– Investigation
– Cooperation
– Mitigation
– Notices to authorities and affected parties
– Remedies
• Applicability when the vendor has complied with its obligations
IP Ownership and IP Indemnities in the Cloud
Risk of IP Infringement

• Typically, no “IP infringement” rep and warranty
• Indemnity for third-party IP infringement claims
• Exclusions to IP infringement indemnity
• Provider may seek customer indemnity for customer data/content
• Shifting liability depending on how much the cloud is “customized” for a customer
• Relative leverage of the parties may limit the range of achievable negotiation outcomes
Other IP Issues

• Work product
– Unless a specific, unique deliverable / innovation is developed for the customer, the cloud provider typically retains ownership of all IP
– For deliverables that create a “competitive advantage,” consider restricting the provider’s rights to offer them to another customer if the provider is unwilling to grant ownership
– Be sure to retain ownership of solution output
• Feedback provisions
– License vs. ownership
• Risk of loss of trade secret status
Limitations of Liability in the Cloud
Cloud is a Battleground: Limitations & Exceptions

• Using the business model (one to many) as justification, cloud agreements typically offer very limited liability for the provider
• Providers are less likely to agree to exceptions to the cap for breaches of confidentiality and security due to the increasing costs of security breaches
• Liability for security breaches will typically be limited to provider’s breach of its security obligations or a breach solely caused by provider
Exceptions to Request

• If possible, ask for unlimited liability for the following:
– Indemnification
– Breaches of confidentiality and/or security
– Violation of law
– Gross negligence, willful / intentional misconduct and/or fraud
• If the provider won’t agree to unlimited liability, propose tiered caps (lower cap of the greater of $X or 12 to 24 months of fees for most claims, higher cap of $5X for confidentiality / security breaches). Include a reasonable “floor” for damages.
• Another way to mitigate risk is to choose a cloud provider with a good track record and a strong reputation to protect.
Access to Data & Return After Termination
Cloud Data – Ownership & Use

Definition of “Customer Data”
• “means any content, materials, data and information that Customer or its Authorized Users enter into the Service”
• “means all data and/or information provided or submitted by or on behalf of Customer, and all data and/or information stored, recorded, processed, created, derived or generated by the Vendor as a result of and/or as part of the Service, regardless of whether considered Confidential Information”
Data in the Cloud

Data Access, Storage and Return
• Who can access your data?
• How and where is it stored?
• How do I get my data back and for how long?
• What happens if the cloud vendor goes out of business or files for bankruptcy?
• How do I ensure compliance with our record retention policy?
Exit Strategy in the Cloud

• Termination
– Customer ability to terminate
– Provider ability to suspend or interrupt services
– Escrow of cloud application
– Termination charges
• Termination Assistance
– Scope of termination assistance
– Post-termination rights
– Time frame to retrieve data
– Price protection
Insurance as Risk Mitigation in the Cloud
Specialty Cyber Insurance Should Cover All Types of Cyber Risk, But May Not

(figure: four risk types: The “Oops”; The “Hacker”; The “Ghost in the Machine”; The “Blogger”)

Now carriers issue specialty “cyber” coverage, but there is no “standard” – examine your policies closely to see if all risks are covered.
Cyber Insurance - Top Ten Questions

1. Do you have concurrency/gaps between your cyber policy, your crime policies, and/or other policies?
2. Are your first-party loss sub-limits reasonable in light of your size/risk?
3. Does your policy cover third-party provider systems/negligence?
4. Does your policy cover all potential first-party losses, or is it “opt-in”?
5. Is there an “acts of foreign governments” exclusion?
6. Is there an exclusion for claims alleging violations of consumer protection laws?
7. Is there an exclusion for “any malfunction or error in programming or error or omission in processing” or for losses arising from “mechanical failure,” “error in design,” or “gradual deterioration of a computer system”?
8. Is there an exclusion for an insured’s failure to follow minimum required practices, such as the failure of the insured to continuously implement the procedures and risk controls identified in the application for insurance and related materials?
9. To what extent does the policy cover regulatory risks?
10. Does the carrier mandate its choice of counsel, forensic experts, and crisis management firms?
Other Contracting Considerations

Warranties
• Performance
• Personnel
• No disabling devices
Cross-Border Issues
• Data flow
• Regulatory regimes
Testing
• Ensure the service works in accordance with its specifications
• Ensure the system is properly implemented and integrates with other systems
• Testing of updates
Other Considerations

Right to Suspend
• Prohibit the cloud provider’s right to suspend, or restrict it to failure to pay
• Require prior notice and opportunity to cure
• Require that provider restore services within a certain number of days after payment
Assignment
• Consider the risks associated with another entity obtaining control of your cloud provider
Subcontracting
• Are there any restrictions on the provider’s ability to subcontract?
• Ensure the cloud provider is fully liable for the performance of its subcontractors
Questions?

Megan Demicco
Kilpatrick Townsend
(404) 532-6969
Atlanta, GA

Monique McNeill
Novelis Inc.
(404) 760-6492
Atlanta, GA
Biographies

Megan Demicco
Associate, Atlanta, (404) 532-6969
• Megan Demicco focuses her practice in the areas of outsourcing agreements, technology licensing, and other complex commercial transactions.
• Ms. Demicco regularly assists customers with domestic and offshore technology and business process outsourcing arrangements, and advises on and negotiates transactions relating to software licensing and support, cloud computing “as a service” transactions (SaaS, IaaS, PaaS), electronic commerce arrangements, and other similar complex commercial transactions.
Monique McNeill
Commercial Counsel, Atlanta, (404) 760-6492
• Monique McNeill joined Novelis in May 2011 as Commercial Counsel.
• Ms. McNeill negotiates a wide range of commercial and IT agreements, including customer supply agreements, procurement contracts, technology licensing, and professional services agreements. She also regularly provides legal counsel, advice and guidance on complex commercial arrangements, global technology transactions, general corporate matters, and strategic initiatives.
• Prior to joining Novelis, Ms. McNeill served as Associate Counsel at Aflac Incorporated, where she focused on the negotiation of a variety of IT commercial and corporate transactions.