If you decide to use cloud-computing services, be sure your contract with the provider gives you maximum protection.
Rob Livingstone, CFO Magazine
June 15, 2012
When a business moves to the cloud, it hands off its servers, its networks, and even its data to its provider. All that it has left is a contract. Given this, CFOs need to ensure that their cloud contracts are comprehensive, balanced, and enforceable, preferably in legal jurisdictions that suit the needs of their companies. Here are six actions to take before signing a contract:
1. Get a "wet-ink" contract. Early on, cloud adopters were mostly consumers and small businesses that agreed to cloud contracts online in the form of a click-through "I Accept" button or a similar mechanism. In almost all instances, these contracts contained clauses that allowed providers to amend the terms of the agreement unilaterally. This approach is not ideal for most businesses, and it presents a potential risk if the vendor's changes are not in a company's best interest. If cloud initiatives are critical to business, companies should seek a fully encapsulated "wet-ink" (original) contract that cannot be changed without approval by both parties.
2. Secure minimum functionality. Companies that can negotiate with their providers should ensure that their contracts include minimum-functionality standards. This is especially important in software-as-a-service (SaaS) contracts that allow vendors to terminate parts of their service portfolios. If a company depends on services that have been terminated, it could essentially be pushed out of its contract.
3. Safeguard the right to terminate. To upgrade and maintain their services, providers may add or remove key features. If any of these changes alter the application's functionality, companies should be able to terminate their contracts without penalty. Businesses should also try to ensure that vendors will provide them with assistance and host their data while they transfer to another service.
4. Demand full disclosure. It is not uncommon for SaaS providers to use other providers for different cloud services. Companies should ensure that vendors offer assurances on privacy and data residency throughout their cloud network. They should also determine whether these contracts will affect their regulatory and compliance obligations if some of their provider's own service providers are foreign-owned.
5. Maintain the right to audit. Companies should make sure their contracts allow them to employ an independent and qualified auditor to validate their provider's performance under the contract. The role of cloud auditor is clearly explained in Section 2.4 of the National Institute of Standards and Technology Cloud Reference Architecture.
6. Guard against mergers and acquisitions. The cloud landscape is volatile, and a provider may be bought by another outfit at some point in the future. Make sure the cloud contract is an irrevocable guarantee of continuous service and is binding on all parties and their successors through the provider's supply chain. Contracts should also exclude the possibility that users can be terminated without cause at the vendor's convenience.
Rob Livingstone is a consultant and former CIO, and a regular contributor to CFO.com.