Key contract provisions

Service descriptions in cloud contract agreements can be vague – it is important that they are clearly specified.

Key points when agreeing a contract include:

• Ensure there is a service description that is precise enough to be relied on – but not so technical that it is difficult to understand. While the marketing and technical documents can be useful guides, neither are likely to be pitched at the correct level to form the actual service description. It is preferable to ensure that the service description is set out in the contract rather than simply contained in a web-link. 
• Check whether the service is being offered on a ‘reasonable endeavours’ basis only, or something more concrete, such as ‘in accordance with agreed service levels’.
• Check whether the supplier can change or remove the services without your consent or without sufficient notice – and whether this could result in you losing key functionality, or the cloud service no longer working with other aspects of your IT system (in which case you should ensure you have the right to terminate without cost/ liability).
• Consider whether you need a period of testing or acceptance before paying the charges in full. Not all cloud services are ready ‘out of the box’ – it is important to check compatibility with your other systems at the outset.
• Ensure that upgrades are backwards compatible so that you can test interfaces to other systems and regress in the event there is a compatibility issue – this is particularly relevant for private cloud and/or where you have any customisations.

Be mindful of your business plan when you place the initial order for your cloud service. Think further than your immediate business requirements – does your organisation have plans to expand its business or usage of the cloud?

One advantage of cloud services is the flexibility to change the level of service provided as required. A professional cloud supplier should ask if you have any expansion plans to enable them to design the best fit for your business – in the short, medium and long term. In some cases, there may be little difference in cost.

Be mindful of your business plan when you place the initial order for your cloud service. Think further than your immediate business requirements – does your organisation have plans to expand its business or usage of the cloud?

One advantage of cloud services is the flexibility to change the level of service provided as required. A professional cloud supplier should ask if you have any expansion plans to enable them to design the best fit for your business – in the short, medium and long term. In some cases, there may be little difference in cost.

Always ask a cloud supplier the costs of adding more applications, services, users and storage to ensure that these are not disproportionate or would obstruct expansion. Also, be mindful of your own protocols and procedures for increasing services. Due to ease of use, there is a risk that you consume more of the cloud service than intended, which can mean higher than anticipated bills. Ensure that the contract makes it clear who has authority to instruct increases in usage and how you will be notified if services are being used above a certain level and that the business clearly understands the true-up provisions that apply. Some providers will include harsh provisions for extra cost where a customer exceeds license usage. There is an increasing trend for cloud contract template terms to include verification rights for the provider to audit a customer’s usage and demand payment at a much higher price for excess usage. In such cases, any subsequent delay or failure to pay these excess charges can be subject to suspension / termination rights, making this a business-critical issue.

Always ask if there are any additional charges for configuration, project management, implementation and support. Likewise, find out if there are charges or notice periods for decreasing your service requirements.

The responsibility for software licences can be a source of potential confusion with cloud computing.

Where the service involves the provision of software or applications (known as ‘software as a service’), the provider should arrange all necessary usage permissions. You should also check that the licence given allows you to use the service how you need to and that it does not include any restrictions which would impact your usage / your business.

However, if the service you are receiving involves the provision of a software platform or infrastructure, you will be responsible for ensuring that it is properly licensed. Make sure you are clear whether it is the provider's responsibility to arrange and manage any requisite software licences together with the payment of any associated fees, or whether this falls on you as the customer.

If you are using a reseller rather than dealing with the cloud software provider directly, ensure that if the reseller has promised to ensure that you are appropriately licensed, it has the right to offer these terms to you and has backed them off with the cloud software provider itself.

The time a hosted service is operating is called uptime. It is usually shown as a percentage. Care should be taken in understanding how this percentage is calculated because it may allow for service outages which means you may not be able to access the services and your data may not be available for certain periods of time. For example, if a provider specifies an outage as being anything of 30 minutes or more, and the service is not functional for 29 minutes, uptime may still be 100%. You should check whether these outages will be announced in advance and whether they will occur outside of your normal operating hours.

The definition of ‘up’ is also important. Your cloud system may be ‘up’ according to your SLA even if a number of features are unresponsive or not functioning properly, provided that core systems can be accessed by the majority of users. Ultimately, your availability figure should mirror the time you actually need to have access to a fully functional system (or, at a minimum, functional in all critical respects).

Ask your provider for evidence of its history of downtime and the measures that have been taken to prevent similar incidents in future. You could also contact other customers of the cloud provider for references.

Given the nature of the cloud service (and certainly public cloud), support and maintenance should be included as part of the standard pricing model, since this will be required to keep the service operational. However, it may be that only basic support is included in your package, with premium support available at an extra cost.

Pay particular attention to helpdesk opening hours, as well as response times and procedures if there are different support packages on offer. The initial helpdesk response may simply log the problem, with a further call back to provide substantive support, and so the definition of what constitutes a response should be linked to the substantive support. It is useful to look for resolution times, as this will allow you to be aware of when your issue should be fixed.

Like most modern IT systems, cloud arrangements depend on internet availability. Also, your IT equipment will need to be of a certain technical specification to access the cloud service. Generally this will be your responsibility to check, but you should ask whether your provider will offer advice on, and support with, checking the necessary equipment and internet connection required for optimum cloud system performance. Your provider may also advise on contingency plans for internet outages.

Your provider should give a clear explanation of the remedies for unscheduled downtime. Key issues are:

• Will you automatically receive service credits (in other words, a reduction in charges) in the event of failure?
• If so, are these set at a meaningful level?
• Is any further compensation available in the event of serious outages?
• Can you terminate for persistent and/or serious failure to meet the agreed service levels – this will be better than having to rely on “material breach” which can be hard to define in practice.

The contract should spell out the security provided to ensure compliance with best practice and any applicable data and security regulations. This is often done by referring to the provider’s IT security policy. Companies that provide cloud computing services should look to ensure their own working practices follow best practice and demonstrate this through certification achievements such as ISO 27001/ISO 27017, Cyber Essentials, Cyber Essentials+ or NIST CSF.

Where and how your data is stored is also important. If you are investing in a cloud-based software solution, it is likely the provider will have a hosting provider partner or host their solution on one of the major platforms such as Azure or Amazon Web Services. Questions such as how they ensure the hosting service is secure are extremely important. In all likelihood, standard configuration set-ups will be insufficient and these often need additional configuration applied.

There are various industry standards that can be used to check the quality and facilities of any data centre used, including issues such as staff vetting. Furthermore, your cloud provider should undertake to audit its data centre facilities at least annually.

You should expect the provider to supply proof of penetration testing results and that these are relatively current. Annual penetration testing should be the expected minimum. This will provide valuable reassurance that both the environment and the software itself is being kept up to date with patching and the latest security best practices when developing the product.

Consideration should be given to the providers own BC/DR plan, both in the sense of how they operate as a business (if they are unable to operate how will they provide you with their services?) and regarding the software solution they may be providing you with. How can they recover from an incident, what is the Recovery Time Objective (the expected amount of time a service can be back up and running by)?
Consider the true value of any audit findings produced by a provider. For example, will an audit report for a service provider (who may have shared cloud premises all over the globe) provide enough detail on the specific data centre where your server will be held, and perhaps even the specific area of the premises where your server sits?

Other factors to consider are restrictions on access to your cloud service. Is access restricted to corporate devices provided by your business or restricted to only your own network environment? What level of encryption is applied when signing into the solution from your device to the hosted environment?

Cloud security also depends, to a large extent, on the measures your organisation takes.

For example, your staff should use strong passwords and make sure multi-factor authentication (MFA) is switched-on. Ideally MFA should be provided through the use of an authentication app, but at least via text or email.

Set-up of the software itself should ensure the least privilege is given to each user to ensure that individuals do not have greater access than they require. Strong password policies in place - passphrases, minimum attempts and frequency of password resetting should all be considered.

Ideally access to the cloud provider’s service should not be allowed for non-corporate devices. If this is required, make sure a set of policies exists covering this type of use and that adequate technical controls are in place such as Mobile Device Management. This is important, as non-corporate devices are unlikely to have the same protections in place as your corporate devices (Anti-Virus, Web and Mail filtering options) and even if they do, they may fall out with what your own firm uses.