27th January 2023
Despite rumblings of some organisations bringing cloud applications back in-house, cloud computing remains a key component of many organisations’ IT infrastructure; the greater flexibility, efficiencies and cost-saving advantages that businesses can achieve through using cloud services are still of considerable appeal.
There are a number of common issues with the use of cloud software that businesses should be aware of. Walker Morris Technology Disputes specialists Jack Heward and Louise Norbury-Robinson share their tips on how best to address them.
Standard cloud agreements place significant limits on the cloud service provider’s liability for unavailability or lost data and include a number of other terms that are written in their favour. Very often there is no detail of the specification for the services and so little ability to assess whether the cloud services have been under- or oversold. Businesses should be comfortable that they can accept and live with their cloud provider’s standard terms, and they should consider how quickly they can exit from the contract if it turns out the solution is not as expected.
Contrast this with a cloud service which is provided through private cloud software (a separate instance of the software that is dedicated to the customer and delivered through a browser). There are more options in these kinds of services to agree bespoke terms and service and support levels. This means a customer can have more control over the nature of the cloud services. It’s important to understand as a business what kind of cloud service is being purchased so that appropriate steps can be taken to mitigate risk.
One other risk to bear in mind is that, in the unfortunate event the cloud service provider becomes insolvent, there could be a significant impact on business continuity for their users. While some cloud service providers back up the data they host via source code deposit services, there are still risks with using those services and getting timely access to the data. Businesses should assess alternative ways of protecting and retrieving their data in the event of the cloud service provider going under, such as by storing their own local back-up.
It’s common for cloud service providers to be located in different jurisdictions or to have data centres (for back-up purposes) in different jurisdictions, which can lead to complexity when it comes to cross-border transfers of personal data. This can lead to breaches of the UK and EU GDPR regimes if the right provisions are not included and may lead to enforcement action and fines for the businesses concerned. This is particularly the case where the cloud service provider has subcontracted its own storage of the data to other cloud providers in different countries, where there may be cost-saving benefits for them to do so. This is a point many businesses are surprised to learn.
Make sure that data flows and security standards are clearly understood before the contract is signed and appropriate protections are included.
A business should agree with their cloud service provider at the outset that the business has unequivocal access to its data at all times, including a method of transferring or retrieving the data once the services come to an end. Failure to do so could create a number of potential issues for the business if the contract ends and they are unable to access their data. This could have a huge knock-on effect for day-to-day operations. It highlights the need to make sure the terms and conditions between the business and the cloud provider are ones that reflect the practical needs of the business.
As cloud systems operate through the internet or a private network, loss of connection can have a large impact on their users, even if it’s just for a short period of time. Businesses will want to check that the cloud service provider’s business continuity services form part of the contractual agreement between them to best mitigate the effects of this scenario. Businesses will also want to check the drafting of the force majeure clauses in the contract, to make sure the cloud service provider is not given too much leeway in the event it can’t provide its services.
Standard cloud service agreements often include a provision that the agreement will auto-renew on the same terms at the end of a fixed period. There’s also typically a term that will allow the cloud service provider to unilaterally vary the terms at short notice. Businesses should make sure they know when a fixed term period comes to an end so that they can consider moving to a different supplier if necessary before they’re locked in to a further term.
Because of the multi-jurisdictional nature of some cloud providers’ businesses, it’s crucial that the cloud service contract specifies a clear choice of law and jurisdiction that applies to it. This will save a lot of time and costs later on in the event of a dispute between the business and the cloud service provider.
Walker Morris’ Commercial Dispute Resolution and Technology & Digital specialists are well placed to advise on disputes that concern cloud systems and software. Please contact Louise or Jack if you have queries on any of the issues covered in this briefing or need any further advice or assistance in relation to cloud services.