

Cloud computing and the law

Cloud computing has brought a revolution in the world of internet and technology in the last half a decade. It is now all pervasive – with almost every service provider, technology company, internet-based services and even intra-corporate services departments using cloud computing services. Google, Microsoft, Amazon, Apple and all such major service providers are themselves using and also providing cloud computing services. Amazon Web Services, Skydrive, Google Drive, internet hosting services like HostGator are some examples of cloud computing services.

Please read this excerpt from the Wikipedia entry on Cloud Computing to understand some of the important aspects of the concept:

Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). For example, email. The name ‘cloud computing’ comes from the common use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user's data, software and computation.

End users access cloud-based applications through a web browser or a light-weight desktop or mobile app while the business software and user's data are stored on servers at a remote location. Proponents claim that cloud computing allows companies to avoid upfront infrastructure costs, and focus on projects that differentiate their businesses instead of infrastructure. Proponents also claim that cloud computing allows enterprises to get their applications up and running faster, with improved manageability and less maintenance, and enables IT to more rapidly adjust resources to meet fluctuating and unpredictable business demand.

In the business model using software as a service (SaaS), users are provided access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis. SaaS providers generally price applications using a subscription fee.

Proponents claim SaaS allows a business the potential to reduce IT operational costs by outsourcing hardware and software maintenance and support to the cloud provider. This enables the business to reallocate IT operations costs away from hardware/software spending and personnel expenses, towards meeting other goals. In addition, with applications hosted centrally, updates can be released without the need for users to install new software. One drawback of SaaS is that the users' data are stored on the cloud provider's server. As a result, there could be unauthorized access to the data.


Cloud computing services are being frequently used by businesses for providing services to clients or customers. Earlier, the relationship of a customer with an online business was direct – the business would collect information and perform key functions on its own servers (which could either be owned by them or rented or licensed from a service provider such as Hostgator). Now, however, services related to storage, collection and provision of data are often outsourced to entities which provide these services through servers or processes running on the ‘cloud’.

This shift has enabled businesses to reduce costs and at the same time retain the capability to scale up quickly when the need arises. Cloud computing raises certain legal issues - related to data protection and others related to contractual aspects, which are discussed here.

This chapter is relevant for businesses which utilize cloud based services - it covers key legal and contractual issues that arise with respect to any cloud computing agreement, and provides pointers for negotiating them. Some agreements may be standardized and offer little room for negotiation, while others may be more customizable depending on the needs of an individual user. Examples from standardized agreements of the largest cloud computing services providers (listed below) are used to discuss these issues wherever possible:

  • Amazon Web Services (AWS) Customer Agreement (Amazon Customer Agreement, version updated on March 15, 2012)
  • Salesforce.com Master Subscription Agreement
  • Google Apps Agreement

Note: Depending on the circumstances, it may be possible to negotiate standardized agreements as well (for example, where the client is availing of cloud-related services in large volumes). In other cases, standardized agreements may specifically leave room for addition of certain ‘optional’ components, which can be used by businesses to customize the services to their needs – entrepreneurs, lawyers, consultants and other advisors who are aware of such possibilities will be in a better position to obtain favourable terms which protect their own or their client’s interest.

For example, most terms of the AWS agreement are standardized, with one exception - the data-retrieval terms in the agreement (these terms are applicable if the customer wants to recover any data from AWS services) clearly specify that Amazon may provide additional data retrieval assistance (over and above the assistance ordinarily provided to other users) depending on mutual agreement between the parties (see Clause 7.3, Amazon Customer Agreement). Therefore, there is room to negotiate these terms for a business.

Part 1: Legal and contractual issues in standardized cloud computing agreements

Most cloud computing contracts are standard form contracts with pre-decided terms. Entrepreneurs are usually faced with the choice of accepting all the terms in totality, or else they may have to risk finding another service provider. Since the terms of the contract are drafted by the service provider itself, they are usually one sided to begin with, but may be modified to accommodate the interest of the business. It is much easier for entrepreneurs to negotiate if they are able to adequately identify the risks arising from such contracts. The purpose of this chapter is to enable entrepreneurs using cloud services to understand key terms in cloud computing service agreements. After going through this chapter, they should be able to identify the risks and even negotiate terms of agreements pertaining to cloud-related services.


1. Data security and confidentiality

Cloud computing services have become increasingly popular for enterprise use - often, businesses using these services deal in personal data, which is either processed or stored on cloud servers located in multiple locations. Note that in any such situation, the primary responsibility under statutory provisions for security and confidentiality of customer data is on the business which is utilizing the cloud services - the cloud computing service provider has no direct relationship with the end-user whose data is stored. Breach of this responsibility can result in serious liabilities for the business - hence, data security and confidentiality provisions in cloud computing agreements are extremely important.

The key issues related to data security and confidentiality are described below:

i) Cloud computing agreements sometimes mention that security practices that are ‘reasonable’ or which qualify as ‘industry standard’ will be observed with respect to customer’s data. However, these terms are not objectively defined, so it is prudent to specifically identify and mention any industry standards that the service provider will be compliant with under the agreement. For example, ISO 27001 is one such standard.


ii) Some organizations also state that their controls, processes and data protection policies will be periodically reviewed and audited – often, clients are not provided the opportunity to understand or observe the results of the audit process. Wherever possible, an entrepreneur should incorporate an opportunity to be informed about review and audit processes.


iii) Sometimes large companies assign functions to their ‘associate’ or ‘group’ companies, or to third parties. Certain cloud SLAs also allow the service provider to transfer data to any jurisdiction that it considers fit. This can be dangerous if the entity in the new jurisdiction to which the data is transferred does not follow similar standards - in such cases, it should be ensured (through incorporation of specific terms in the cloud computing agreement), that the security practices adopted by a transferee entity are at least of the same level as required under Indian law.


Further, the circumstances under which government and regulatory authorities can be provided access to such information are important - if access to an Indian regulator is refused by the cloud computing service provider without justification, the Indian startup may be in breach of data protection laws. Therefore, a business (which has presence in India) should consider inserting a clause imposing an obligation on the cloud services provider to allow access to information to the Indian government or its authorized agencies as per the provisions of Indian law.


iv) It is also important for the entity using the cloud computing services that confidential data is not used by the cloud computing service provider, its agents, or any third parties who provide backend services to the cloud computing service provider, for any purpose, apart from providing the specific service that is the subject matter of the agreement.


A business could consider incorporation of a specific term that prohibits the cloud computing service provider from disclosing any confidential information to any other entities unless it provides prior notice. Many standardized agreements lack this provision by default.


Examples from standardized agreements

  • AWS: Section 9.2 of the AWS Agreement provides that the Amazon Services does not have any confidentiality obligation and cannot be held liable in case of breach of privacy.
  • Google Apps: According to Section 8 of the Google Apps Agreement, a duty to protect information exists only if the information is clearly and specifically marked as confidential, or if its confidentiality is not in doubt (this is a subjective expression). A reasonable degree of care is supposed to be exercised in protecting the data. Hence, it is prudent for businesses using this service to specifically identify which data is confidential.
  • Salesforce: Under Section 8.2 of the Salesforce Agreement, the service provider must use a reasonable degree of care to protect data, and cannot use confidential information of the user for any purpose apart from those given in the agreement.


2. Limitation of service provider’s responsibility with respect to data protection

An enterprise user will desire that a cloud computing service provider is held liable for any losses caused out of a security breach - the liability of the service provider should therefore be linked to the loss caused to the business. However, most service providers contractually impose a financial limit on their liability (which may be too low) and even exclude indirect losses or special damages. Standardised SLAs such as AWS, Google Apps or Salesforce completely disclaim all liability with respect to consequential or indirect losses. Salesforce, for example, limits its liability to US $500,000 for any single incident, even if actual losses are higher (Clause 11, Salesforce Agreement).

Ideally, in case of a negotiated cloud SLA, the cloud service provider should be informed about the importance of the service to the entire process by the business availing of the service, and the quantum of loss that interruptions could cause to it – which should be recorded in the contract. Even if indirect or special damages are excluded, any financial limitations on the liability of the service provider should be computed keeping in mind how critical the function outsourced to the cloud computing service provider is to the business operation as a whole.

3. Third party dependencies

Cloud computing service providers may be dependent on a lot of third party vendors for provision of their services. This can create a potential risk for an enterprise user – since the quality and availability of cloud computing services is dependent on the capability of these third parties as well. Often, cloud services providers may state that they are only responsible for failures in performance arising from the infrastructure or services that they own. It does not include responsibility for failures by third parties.

Sometimes, third parties can provide extremely critical services to the cloud computing service provider which potentially endangers the availability of the cloud computing service itself. In such cases, cloud computing service providers tend to retain the right to terminate the agreement altogether (without providing any costs or compensation to the client/ enterprise user) if a third party relationship has been adversely affected.

For example, a clause in the AWS Agreement characterizes the uncertainty inherent in cloud computing agreements – it states that Amazon can terminate the agreement immediately upon notice if its relationship with a third party partner who provides software or other technology it uses to provide its services expires, terminates or requires it to change the way it provides software or other technology as part of its services, if it believes providing the services could create a substantial economic or technical burden or material security risk for itself. (Clause 7.2(b)(ii) of the AWS Agreement).

It is important to understand whether third parties (other than the cloud provider) are involved in the provision of cloud services. From the perspective of a business availing cloud-based services, it is important that the responsibility for performance of the third party’s services is undertaken by the cloud service provider, since the business does not itself have a direct relationship with the third party service providers.


4. Discretion of the service provider to terminate services

Vendors can have extensive freedom under the cloud computing agreement; often, standardized SLAs specify the circumstances in which the vendor can terminate the agreement or unilaterally modify the scope of its services without sufficient notice or compensation.

An entity availing of cloud computing services must bear in mind whether the agreement can be terminated prematurely when it is not at fault. It may consider specifying a longer notice period (so that it can look for alternative service providers) or compensation by the service provider if a shorter notice is provided in case of premature termination.

Usually the notice period is longer if the contract is terminated due to no fault of the customer, and much shorter if it is terminated for reasons of breach, or due to changes caused by occurrences that are not in the hands of a cloud computing services provider, e.g. a change in legal regulations that make it difficult or commercially unviable to provide the services.



  • AWS: Under the AWS Contract, Amazon can terminate the contract any time for any reason or no reason after giving a notice 60 days in advance.
  • Google Apps: The Google Apps Service Contract provides for a 6-month notice period if the termination is without cause, or for a 30 day notice period if a user fails to cure any breach of contract caused by him. In case of multiple instances of a breach by a client, Google can terminate, suspend or modify the terms of service at its option, after giving a reasonable notice. Google may also do so if it reasonably determines that it is commercially impractical to continue providing the Services in light of applicable laws.
  • Salesforce Agreement: Under the Salesforce Master Subscription (SMS) Agreement, a party can terminate the agreement after giving a notice of 30 days if there has been a breach, and if the breach has not been cured in that period. It can also terminate if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.


4. Changes to the terms of services under the agreement

Service providers often retain a unilateral right to modify the terms of the agreement at any point of time, just by posting the modification on their websites. Often, the scope of the ‘modification’ is not limited or restricted. A business should insist on written assurances in the cloud computing agreement that the key commercial terms of the contract will be preserved, and that modifications which adversely affect the customer will not be made without consultation with the customer or providing suitable compensation for any losses.


  • AWS: As per Clause 2 of the Amazon Web Services (AWS) agreement, Amazon reserves the right to revise or modify the terms of the contract anytime, which become effective upon posting on the website and it is the user’s responsibility to keep checking the website for renewed/ modified agreements. 
  • Google Apps: As per the Google Apps agreement, Google can make modifications to the agreement at any time, which become effective upon posting on the website and it is the user’s responsibility to keep checking the website for renewed/ modified agreements.


Comments on the Google Apps and AWS Agreement

1) In case of both – AWS and the Google Apps agreement, it is not necessary for the user to have been specifically intimated about the change or for it to have read the modified conditions on the website - if the user continues to use the service, it is automatically assumed that it has accepted the revised condition.


2) The agreements do not specify whether the customer has any consequential right to terminate the agreement (apart from the ability to terminate the agreement by a notice) in the event there is a modification. The vendor can modify the agreement by simply posting on its website and the continued use of the service by the customer implies the latter’s approval to the modification. This takes away the customer’s right to terminate the agreement if the modifications are unacceptable to him.

As per the Indian Contract Act, 1872, such modification of the contract amounts to novation, which is considered to be a fresh agreement in law. A fresh agreement requires fresh consent of all parties and cannot be effective simply through unilateral alteration. Secondly, if a service provider can unilaterally modify the agreement at any time, a court of law may hold (in case the agreement is challenged) that the agreement is uncertain and hence ineffective.

5. Provisions with regard to suspension of services or other interruptions

Suspension of service and unplanned interruption in service by the service provider can have a serious impact on continuity and might lead to considerable damage to the user. Generally under these contracts the service provider is insulated against any liability arising out of such suspension of service.



  • AWS: As per Clause 7 of the AWS agreement, Amazon can suspend the service for any reason, including system failure. Amazon is only required to give a 60 day notice. It is not required to assign any reason. For suspension on account of a reason specified in the contract, a shorter notice of only 15 days is sufficient.
  • Salesforce: Salesforce can suspend service under the Salesforce Agreement if the amount owed by user is overdue for more than 30 days, after a 7 day notice (Clause 6.4, Salesforce Agreement).


6. Client’s right to terminate an agreement

While negotiating an SLA for using cloud services, a business should assess whether it has the right to terminate the service in case the service regularly falls below agreed service levels. In such cases, the duration of notice required for termination must be short. The amount of termination penalties payable and the quality of support available from the service provider’s end for migration of client’s data in such cases should be known in advance.

7. Conflicting agreements/ clauses

Cloud documentation with service providers can be quite complex – many companies do not enter into a single agreement but refer to multiple agreements and policies such as service level agreements, privacy agreements, terms of service, etc., which must be agreed by the user (by a simple click on the ‘I Agree’ button) as a condition to availing the cloud computing services. Services offered by Google are an example. In such cases, it is extremely difficult for an uninitiated user to understand the terms that collectively apply. There is also a risk of inconsistency amongst different policies.

What should a businessman/ entrepreneur availing cloud computing services be aware of in such cases?

It is important to know whether the documents apply to different components of the service, or whether all of them apply together to the same service. For example, the terms of service for Google Hangouts are different when it is private, compared to when the Hangout is broadcast live on YouTube. Similarly, there should be some level of consistency with respect to the essential terms - an entrepreneur should try to find out which document takes precedence in case there is a conflict in the terms of different documents. If such a clause is absent, it must be specifically included in the agreement.

8. Disputes, governing law and jurisdiction of courts


A cloud computing agreement usually specifies the law of the country which will be applied in resolving any contractual dispute. Indian entities availing of cloud computing services would prefer Indian law to be applicable (for the sake of certainty and convenience), wherever possible. Some cloud computing service agreements specify that the law of the country where the contract has been entered into will be applicable. A service provider operating from India is likely to agree to the applicability of Indian law. However, this is not the case where the service provider is a behemoth and is based in another jurisdiction – for example, Google, Amazon, etc.

For example, the AWS agreement and the Google Apps Agreement are both subject to the laws of the US, while the Salesforce agreement is subject to the law of the U.S., Canada, Switzerland, Japan or Singapore, depending upon the place of contract.

Similarly, the jurisdiction whose courts can be approached in case of a dispute is also important. In most cases, a judicial authority is likely to respect the choice of the parties as specified in the agreement, so long as the contract has some relationship with that jurisdiction. For example, if a service provider is based in the US and the client is in India, an Indian court will refuse to entertain a dispute before itself. However, if the agreement confers jurisdiction on the courts of the UK, such a choice will be invalid.

Standard form agreements drafted by major service providers specify that all legal claims are subject to the exclusive jurisdiction of the country where the service provider is situated (and not the user’s country). In a substantial number of cases, the user is based in another country, making the clause extremely inconvenient for the user to enforce (in case such a situation arises).

For example, under the AWS Agreement, any dispute where compensation of more than US $7,500 is claimed is subject to the exclusive jurisdiction of courts in Washington. The Salesforce contract, on the other hand, specifies 5 cities (by region) where disputes may be settled, depending on the region where the user is based. India is not one of the countries on that list.

There must be an escalation clause included within all contracts for disputes.  Clear processes should be in place for resolving contractual issues, especially those associated with SLA adherence. Strong escalation processes around SLAs can be a critical element in establishing open communication, transparency and a healthy overall relationship with key vendors.

9. Termination process, vendor’s responsibility on termination, including data retention and transfer provisions

A cloud computing agreement may be terminated on account of various reasons - expiry at the end of its stipulated term, termination for default or simply by notice by either party. A business user should have the ability to terminate the contract by serving a notice (which could be useful in the event of migration to an alternative service provider).

At the time of entering into the contract, an entrepreneur must be aware of how data will be treated post termination of the contract - whether it will be stored on the cloud servers post-termination for some time or immediately deleted, whether data can be migrated in a usable form, downloaded for transfer in a format which is compatible for use on other cloud computing platforms (without compromising on confidentiality or security of the data).

Since there are no obligations for a service provider to facilitate data migration, an obligation for facilitating and cooperating in the process of data migration or retrieval must be specified in the contract. Where a cloud computing agreement is negotiable, the user should make sure that terms regarding data transition are well-documented under the SLA.

The discussion below highlights some of the important post-termination issues in relation to cloud computing agreements in greater detail:

Does the SLA have any provision regarding data transfer? What is the mechanism for data transfer?

It may be prudent to incorporate a detailed mechanism for retrieval, transfer or migration of data. The mechanism should ideally indicate when and how the transfer process can be initiated, the costs for transfer, the time within which the transfer can be completed, the format in which data is transferred (the migrated data must be in some standard format which is compatible with other service providers’ infrastructure as well) and any other critical details keeping in mind the business of the user. Usually, data can be retrieved if a request is made within a stipulated time period after termination. Some agreements may require additional fees to be payable in case of termination.

The contract must also clearly specify the liability of service provider in case of loss of data. Specific provisions regarding the form, appearance or presentation in which data needs to be returned should be given in the contract.

For how long after termination will data be stored on the cloud? What are the conditions for retrieving data?

(Note: This question is especially relevant if third party data is also stored on the cloud)

The user might prefer that the data is deleted and that no backups of the same remain once he terminates the services of the cloud operator. Questions relating to confidentiality and circumstances permitting disclosure of data are even more important if the business has availed of cloud services for storing or processing third party data. The user’s responsibility for the third party data will depend on the provisions of the Information Technology Act and terms and conditions in any contract, end-user license agreement (EULA) or disclosure statement with the third parties.



  • AWS: As per the AWS Agreement, ordinarily data will be stored for 30 days post termination (barring exceptional cases), and Amazon will extend the same level of assistance in data retrieval as is provided to other users. Any further assistance is subject to mutual agreement between the user and Amazon.
  • Salesforce: As per the Salesforce Master Subscription Agreement, Salesforce is only responsible to return data if a request is made within a period of 30 days by the user – after 30 days they are free to delete data from their system. Salesforce provides user data in CSV (comma separated values) format and in the native format that was uploaded by the user.
  • Google Apps: Under the Google Apps Agreement, Google may transfer, store, and process customer data wherever it maintains its facilities or wherever it wants to. The customer consents to this transfer, storage and processing by using the services.


10. Negotiating service levels

While Amazon, Salesforce and Google Apps have standardized agreements and it may not be feasible to negotiate these in a real-life situation for a small business, the business could avail cloud-based services from other providers (whether they operate in India or abroad), who provide the opportunity to negotiate commitments. In such cases, apart from negotiating the clauses in the agreement (as explained above), the heads specifying the ‘service levels’ (typically in the annexure to an agreement) may also require negotiation. Typically, the business should know about the uptime percentage. However, the computation of uptime percentage can vary depending on the way it is calculated under the specific cloud computing agreement. Usually, the following variables must be scrutinized to understand how uptime percentage is calculated:

  • Downtime: When is a site or service considered to be down? Not every moment at which the site or service is inaccessible is counted towards downtime. In many agreements, downtime count starts only when there is more than a 5% user error rate.
  • Downtime period: A period of 10 consecutive minutes of downtime.
  • Intermittent downtime: A period of less than 10 minutes is not counted toward downtime periods.
  • Monthly uptime percentage: (Total number of minutes in a calendar month - number of minutes of downtime) / (Total number of minutes in a calendar month).
  • Scheduled downtime: This refers to periods when a provider notifies customers of downtime at least five days prior to the commencement of such downtime. Is there a limit on the maximum scheduled downtime per calendar year? Is scheduled downtime counted towards total downtime? Providers such as Google do not consider scheduled downtime as countable toward the total downtime.
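The effect of these definitions on the reported figure can be checked against monitoring data. The following is an added example, not taken from any of the agreements discussed: it applies the 5% error-rate threshold, the 10-minute downtime period and the monthly uptime formula above to a constructed 30-day month of per-minute error rates. The outage data, the function names and the choice to treat scheduled minutes as "up" before runs are measured are assumptions made for illustration.

```python
from itertools import groupby

ERROR_RATE_THRESHOLD = 0.05  # a minute is "down" above a 5% user error rate
MIN_PERIOD_MINUTES = 10      # shorter runs are "intermittent downtime"


def down_runs(error_rates, threshold=ERROR_RATE_THRESHOLD):
    """Return (start_minute, length) for each run of consecutive down minutes."""
    runs, minute = [], 0
    for is_down, group in groupby(error_rates, key=lambda rate: rate > threshold):
        length = sum(1 for _ in group)
        if is_down:
            runs.append((minute, length))
        minute += length
    return runs


def counted_downtime(error_rates, scheduled=frozenset(),
                     count_intermittent=False, count_scheduled=False):
    """Minutes of downtime that count against the service level.

    Assumption: when scheduled downtime is excluded, those minutes are
    treated as "up" before runs are measured.
    """
    rates = list(error_rates)
    if not count_scheduled:
        for minute in scheduled:
            rates[minute] = 0.0
    total = 0
    for _start, length in down_runs(rates):
        # Runs shorter than a downtime period only count if the agreement says so.
        if length >= MIN_PERIOD_MINUTES or count_intermittent:
            total += length
    return total


def monthly_uptime_percentage(total_minutes, downtime_minutes):
    """(Total minutes in month - minutes of downtime) / total minutes, as a %."""
    return 100.0 * (total_minutes - downtime_minutes) / total_minutes


def build_sample_month():
    """Constructed sample data: one error rate per minute for a 30-day month."""
    total = 30 * 24 * 60
    rates = [0.01] * total  # healthy baseline: 1% user error rate

    def mark(start, length, rate):
        for minute in range(start, start + length):
            rates[minute] = rate

    mark(1000, 40, 0.60)                 # one 40-minute outage
    for i in range(6):
        mark(5000 + i * 100, 8, 0.30)    # six 8-minute blips (intermittent)
    mark(20000, 120, 1.00)               # 120 minutes of notified maintenance
    mark(30000, 30, 0.04)                # degraded, but below the 5% threshold
    scheduled = frozenset(range(20000, 20120))
    return rates, scheduled


def compare_definitions():
    """Return {label: (counted minutes, uptime %)} for three sets of definitions."""
    rates, scheduled = build_sample_month()
    total = len(rates)
    variants = {
        "provider_definitions": {},
        "intermittent_counted": {"count_intermittent": True},
        "all_downtime_counted": {"count_intermittent": True,
                                 "count_scheduled": True},
    }
    results = {}
    for label, kwargs in variants.items():
        minutes = counted_downtime(rates, scheduled, **kwargs)
        uptime = round(monthly_uptime_percentage(total, minutes), 3)
        results[label] = (minutes, uptime)
    return results


if __name__ == "__main__":
    for label, (minutes, uptime) in compare_definitions().items():
        print(f"{label:22s} downtime={minutes:4d} min  uptime={uptime:.3f}%")
```

The same month reports 40 counted minutes under the exclusions and 208 once intermittent and scheduled downtime are counted, which is the gap a business should quantify before accepting the definitions in the annexure.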

How should service levels be negotiated?

A business should ideally identify critical needs and times when the cloud computing service must be available for users. Usually, this is done through managerial processes which identify and establish key performance indicators (KPIs) which are unique to the company’s business requirements. Some of the metrics which are relevant to establish KPIs could be:

  • acceptable latency levels,
  • the measured impact of downtime or lost data,
  • the need for constant access to business data (current or archived), and
  • usage patterns for cloud services

For example, if a business expects peak transaction load at certain times of the month (and at other times the transactions are relatively insignificant), latency figures based on monthly averages will not be ideal indicators of the quality of the service – it is possible that the monthly average is good, but the service is not available during times when the business faces peak transaction load.

Example – How Google altered its policies to benefit users

In January 2011, Google announced that it would no longer provide an exception for scheduled downtime (usually services are down during pre-planned upgrades) or intermittent downtime (downtime lasting less than 10 continuous minutes). Therefore, both scheduled downtime and intermittent downtime would be considered by Google as regular downtime and hence would be counted as a shortfall in the service. It became the first cloud provider to eliminate headroom for maintenance activity.

Consequences of failure to meet service levels

The reliability, performance and reputation of a cloud service provider must be evaluated before entering into a commercial relationship with the provider - if the website or an essential application is down at a time when it is witnessing its highest traffic, end users may lose access to critical data and applications, which could severely impact the business.

At the time of entering into an agreement with a cloud service provider, the consequences of failure to meet desired service levels should be known in advance.

What is the policy of the service provider if it fails to meet agreed service levels?

Many SLAs entitle users to receive ‘credits’, which are usually set off against future payments to the provider for the service (money is not usually refunded directly in liquid cash or equivalents). A more sophisticated structure could involve service credits that progressively escalate as the length of downtime increases. The credits should impose significant obligations on the vendor, so that he is incentivised to provide acceptable levels of service.

Secondly, the length of the period over which downtime is measured is important. The longer the measurement period, the more diluted the effects of the downtime. For example, downtime of 5 minutes per week may be more acceptable, as compared to 5 minutes per day.

Thirdly, any circumstances when failure to meet service credits will not lead to accumulation of credits should be taken into account.
