module_6_21_

TECHNOLOGY
CONTRACTS

CERTIFICATE COURSE

Page | 4

DEVELOPED BY

MODULE - 6

OTHER IT SERVICES AGREEMENTS

6.1 CLOUD COMPUTING AGREEMENTS • Infrastructure-as-a-service(IaaS): customers
need not buy and maintain servers, network
6.1.1 What is cloud computing? infrastructure, IT equipment or any other
Cloud computing is defined as “an abstract types of hardware and house it within its own
computing and data storage business method where data processing centre; instead they can
dynamic IT capabilities such as hardware access the IT infrastructure and servers of a
(Infrastructure-as-a-Service), software (Software-as- third party service provider or a remote cloud
a-Service) and tools (Platform as-a-Service) are service through the internet or a private IaaS
provided by third parties/cloud service providers network. Benefits of the IaaS model include a
which enables users to store as well as access their ‘pay-as-you-use’ pricing model and access to
data and applications virtually from anywhere and an expandable and elastic IT infrastructure.
through any connected device.”iThe US National This model is also known as hardware cloud.
Institute of Standards and Technology (NIST) defines Examples include Amazon Web Services
cloud computing as “ model for enabling ubiquitous, (AWS), Microsoft Azure, Google Compute
convenient, on-demand network access to a shared Engine (GCE).
pool of configurable computing resources (e.g.
networks, servers, storage, application and services) • Software-as-a-service (SaaS): the SaaS
that can be rapidly provisioned and released with model offers a web-based applications
minimal management effort or service provider hosting service, or a software cloud, meaning
interaction.”ii The Indian Government relies on the that users are allowed remote access to
above stated definition of cloud computing. software applications hosted by the remote
cloud service provider via the internet,
6.1.2 Types of cloud computing agreements instead of requiring to install and run
software on their own computers. This
Cloud computing agreements are mainly of the implies that customers availing the
following three categories:iii

Page | 2

SaaS need not expend resources on software service provider is rendered incapable of
updates, maintenance and technical support. delivering the promised services to the client,
The pricing structure of a SaaS model is based due to any of the possible reasons including
on subscription of services. Examples include but not limited to, a server being down, power
Google Apps, Salesforce. outage, failure of a telecommunications link, a
• Platform-as-a-Service (PaaS): also known as force majeure event, the service provider
desktop cloud, the PaaS model offers a withholding services on account of a fee
software production environment to its dispute, or closing of the business by the
users. Meaning, that users can avail the service provider due to bankruptcy or any
platforms and tools offered by the cloud other financial difficulties. This clause should
server for developing and testing software specify disaster recovery methods obligating
applications, instead of installing and the service provider to provide continued
maintaining any such platforms/tools on their services despite disasters or any other
own computers. Examples include Facebook, difficulties. For instance, the cloud service
Ning, 10gen. provider should make provisions to deliver
the requisite services to the client through a
6.1.3. Key Clauses secondary server, data centre or a service
provider in the event of a prolonged power
Key clauses of a well-drafted cloud computing outage, and must implement a disaster
services agreement should include:iv avoidance (power outage is the disaster in
this instance) measure in the first place.
• Service availability: the purpose of a service Provisions should also be made whereby the
availability clause in a cloud services cloud service provider is mandated to either
agreement is to ensure that the customer regularly backup the client’s data onto an
receives uninterrupted services from the offsite data centre, allow the client ongoing
cloud service provider and is able to access all access to all such data or provide periodic
its data in the cloud at all times and continue copies of such data to the client, to ensure
to operate its business as usual. Thus, the that the client’s data is not lost or destroyed
service availability clause addresses the during a power outage of any other possible
circumstances when the client’s business may
be interrupted or adversely affected if the

Page | 3

disasters. To avoid unavailability of services availability of services with minimal
due to the cloud service provider’s disruptions, prompt response time for
bankruptcy, provision should be made delivering services to the users, able support
whereby the cloud service provider is to a predefined number of simultaneous
obligated to furnish periodic financial reports users, resolution of service level issues in a
to the client to demonstrate its financial timely manner, and remedies available to the
capability to continue the services. On client for breach of a service level obligation
detecting any issues, the client must be able by the cloud service provider, including
to take necessary actions to reduce the termination of the agreement in case of a
adverse impact. If indeed the cloud service prolonged breach.
provider goes bankrupt, provision should be • Data: the cloud service provider must adopt
made enabling the customer to terminate the adequate data security measures and
agreement as well as requesting assistance safeguards to protect the client’s data against
and cooperation from the cloud service any forms of security breaches, threats or
provider to transition its services to the new vulnerabilities such as malicious code,
cloud service provider. Further, if the cloud spyware or a virus attack. It is prudent for the
service provider is going out of business, the client to review the service provider’s
client must be able to request the service security measures, identify the data centre
provider to develop an in-house software operator and determine the users who may
solution. be granted access to its data while in the
• Service levels: the cloud services agreement custody of the service provider. If the cloud
must set out service levels to be attained by service provider does not itself operate the
the cloud service provider in delivering its data centre but subcontracts it to a third
services to the client. A service level clause party contractor, the customer must lay down
provides quality-assurance to the client as explicit provisions requiring such third party
regards the availability and responsiveness of contractor to comply with all requisite data
the services delivered by the cloud services security and protection measures; and,
provider. Common service level obligations imposing a joint and several liability on both
that must be specified include continued the cloud service provider and the third party

Page | 4

contractor in case of any data security breach, • Insurance: this clause addresses the
whether intentional or not, by the third party insurance issues in cloud computing
service provider. The cloud computing agreements. It is desirable for the customer to
agreement must address issues regarding opt for a cyber liability insurance policy which
data backup, whereby the cloud service covers damages arising from data theft or
provider should either grant to the client an destruction, unauthorized access and use of
ongoing access to the data, frequently customer’s data, hacker and denial of service
perform data backups of the customer’s data attacks, data loss or damage due to malware,
onto a separate offsite data storage, or and security breaches of personal
provide periodic copies of such data to the information. The cloud service provider
customer. The cloud service provider must should also have a cyber insurance policy
also preserve and protect the integrity and which covers IT related risks such as a liability
confidentiality of the client’s data and comply insurance for damages arising out of
with applicable data privacy laws of the technology errors and omissions, a
concerned jurisdiction. It must restrict any commercial blanket bond which insures an
unauthorized access or use of the customer’s employer (here, the cloud service provider)
data stored on its cloud. Further, the cloud against dishonest conducts by its employees
service provider must perform data migration such as embezzlement, forgery, fraud, theft or
from the client’s IT equipment to its cloud at any other related mischief, and an insurance
its own cost or at a mutually agreed price. against unauthorized access and cyber
Additionally, on termination of the crimes.
agreement, irrespective of the reason, the
cloud service provider is obliged to return the • Intellectual property: the client is to remain
client’s data, both in the data format used by the sole owner of all intellectual property
the service provider as well a rights in the data transferred to the cloud
technology/platform-neutral data format, service provider pursuant to the cloud
and destroy and delete all information of the computing agreement. Further, provisions
client from its servers. must be made to enable the client to obtain
ownership over any software product

Page | 5

developed during the term of this agreement, after exceeding a predefined data storage
which is created by incorporating a limit, while negotiating the fee structure.
intellectual property protected work of the • Warranties: in this clause, the cloud service
cloud service provider. provider warrants that the cloud services
• Indemnification: the cloud service provider is provided will substantially conform to the
obliged to indemnify, defend and hold mutually agreed on specifications laid down
harmless the client in the event of any data in the agreement, and to the documentation
security breach, violation of confidentiality provided by the service provider; the services
provisions or intellectual property or any will be delivered in a timely manner by
other proprietary rights infringement of a professionally competent and qualified
third party. service provider personnel with adequate
• Fees: this clause lays down the pricing model technical know-how; the service provider will
to be used in providing the cloud computing maintain the data privacy and confidentiality
service, which is typically a ‘pay-per-use’ fees of the client, and deploy adequate security
structure, for instance, pay per virtual measures to protect the data from
machine each hour, pay per active user each unauthorized access and use by external
month, or pay per gigabyte of storage each parties; the service provider will comply with
month. The clause should also address the all applicable laws and regulations; the
customer’s ability to scale up or down, that is, services provided by the cloud computing
the customer should be allowed to add or vendor will be free from virus, spyware,
remove resources depending on the current malware and any other forms of security
business growth or fall, and the pricing threats; the provider’s services will not
structure should reflect the corresponding tantamount to intellectual property rights
increment or decrement in the fees to be paid. infringement of any third party; the cloud
Further, the client must address issues such service provider will adequately train the
as additional charges by the cloud service customer to use the cloud services; and that,
provider for software maintenance and there is no lis pendens against the cloud
support, or additional fees for data storage service provider which may affect the client’s

Page | 6

right to use the vendor’s cloud services. cloud service provider set out in the
• Limitation of liability: this clause should be agreement, including service level
obligations, warranties and liabilities.
carefully examined so that the cloud service • Term: this clause specifies the term of the
provider does not hide behind an cloud services agreement between the
unreasonable limitation of liability clause. The customer and the cloud service provider. It
cloud computing agreement must provide for also provides the right to terminate the
limiting the liabilities of both parties, and agreement by either party under mutually
ensure that liabilities such as data security agreed circumstances, such as expiry of the
and confidentiality obligation of the cloud term of the agreement, discharge of
service provider, third party indemnification obligations under the contract, or material
obligations of both parties, intellectual breach or violation of any terms and
property protection obligation of both conditions of the agreement by either party.
parties, and claims for which the cloud service The cloud service provider may incorporate a
provider is insured, are excluded from the lock-in clause, whereby the client cannot
limitation of liability clause. terminate the agreement within a prescribed
• Assignment: the assignment clause in a cloud time period, for the purpose of recouping its
computing agreement enables both the (the service provider’s) investment towards
client/customer and the cloud service securing the business of the customer. In such
provider to assign its rights in the cloud a circumstance, the service provider must
services agreement to an affiliate or furnish proof of its upfront costs, sales
subsidiary company due to a reorganization, expenses, and any related costs to the
consolidation, or a merger and acquisition. On customer, in order to justify requirement of
assignment of such rights, the client’s the lock-in period. Further, this clause lays
assignee is bound by all the obligations of the down conditions under which the term of the
client under the agreement; conversely, the agreement may be extended beyond its
assignee of the service provider is also bound original term.
by all the duties and responsibilities of the

Page | 7

6.1.4. Benefits and applications. Further, cloud computing
Few major benefits of cloud computing include:v enhances collaboration between a diverse
group of individuals and/or organizations
• Cost reduction: availing cloud computing who meet and exchange valuable information
services enables users to share a common IT in the virtual space, which in turn improves
infrastructure and thus eliminates the need the quality of customer service and product
for setting up, operating, managing and development.
maintaining its own data processing facility or • Scalability and flexibility: in a cloud
IT equipment. This, coupled with the pay as computing arrangement, businesses can scale
you use or subscription based pricing model, up or down, that is add or remove resources
helps an organization curtail on its capital according to their growth or fall in their
expenses and operational costs, and frees up business environment. Thus companies can
capital for the company to funnel into core avail resources as and when they require
business activities. according to their business circumstances,
thereby ensuring a more flexible approach
• Automation: cloud computing services helps than traditional computing methods. Further,
automatize the users’ data management cloud computing offers an added advantage
systems. Further, cloud service providers are of mobility, whereby users can access the
responsible for regularly updating, information located on the cloud whenever
maintaining and technically supporting the and wherever.
users’ software systems, including automated • Focused approach: allowing a cloud server to
security updates. manage an organization’s IT system enables
such business entity to focus on its core
• Resource sharing: cloud computing business areas, research and development, or
facilitates and promotes sharing of computing business innovations and enhance
resources and thus help organizations in performance, rather than spending time and
saving managerial, operational, financial and resources in setting up and managing the
human resources in setting up their own data operations of its own IT equipment.
processing units. Cloud services also have the
advantage of a vast storage capacity, thus
enabling users to store large volumes of data

Page | 8

6.1.5 issues and control over all its data and applications that are
Key issues and challenges that could potentially arise transferred onto the cloud of the remote services
out of a cloud computing agreement include:vi provider. The contract must also clarify that the client
shall continue to remain the sole owner of the data
6.1.5.1. Data privacy and confidentiality stored on the cloud even when the cloud service
provider outsources or assigns some of its business
The cloud service provider must, at all times, preserve operations to third party contractors.
the confidentiality and integrity of the client’s data,
and as such, must be aware of data privacy laws of 6.1.5.3. Data storage
concerned jurisdictions and comply with them. Often
various jurisdictions have industry specific laws and Although clients can decide the storage location of
regulations that impose restrictions on sharing of data and their backup, such is rarely the practice.
data, for instance, restrictions imposed on sharing of Usually the cloud service providers store the client
patient medical records by a US healthcare company data over multiple clouds spanning across multiple
as per the Health Insurance Portability and jurisdictions. This implies compliance with data
Accountability Actvii, or adherence to a code of privacy and data transfer/storage laws of more than
conduct issued by the Reserve Bank of India when one jurisdiction, failure of which might attract
Indian banks outsource their financial services to a multiple lawsuits. Another added disadvantage is
third party contractorviii, and care must be taken by that data privacy laws of one jurisdiction might be
the cloud service provider to not violate such laws more onerous than the other, thus adversely
and regulations. The contract must also stipulate that affecting the client.
the cloud servicing vendor has adequate data
security measures and safeguards in place to protect 6.1.5.4 Integration and service levels
the client data. Further, it must lay down the party to
be held accountable or responsible for any loss or In a cloud computing arrangement, data is often
destruction of data on the cloud. stored across several scattered clouds. This implies
that data and applications dispersed across these
6.1.5.2. Ownership various clouds need to be eventually integrated, and
potential issues may arise if the client organization is
Provision must be made in the cloud services not granted complete access to such cloud sources or
agreement stating that the client retains ownership the configurations of the cloud provider and the

Page | 9

client are incompatible with each other, thus, 6.1.5.6 Taxation
rendering services integration by the client
effectively impossible. Therefore, the cloud servicing In the Indian context, issues relating to taxation of
agreement should address such issues, or the entire cloud computing services can be classified into two
purpose of cloud servicing will be defeated. Further, broad categories – characterization of income and
the cloud service provider must guarantee that it will permanent establishments. As regards
adhere to the mutually agreed upon service levels, characterization of income, the issue is, whether the
and would not compromise on the quality of cloud income received by foreign cloud service providers
services. Thus, the cloud contract must incorporate a are ‘royalties’ or ‘business profits’. If such income is
service level clause to ensure consistency in the characterized as ‘royalties’, then a withholding tax is
services performed by the cloud services provider. to be levied in India on such royalties. On the
contrary, if the income is characterized as ‘business
6.1.5.5 Vendor contracts profits’, it would be taxable in India only if such
foreign cloud service provider has a permanent
Care must be taken to draft a well negotiated establishment in Indiaix. Further, with regards to
contract between the cloud service provider and the permanent establishments, the issue to be
client, to ensure that the contract is not overtly determined is, whether a foreign cloud service
vendor friendly and does not grant the cloud service provider can be regarded as a permanent
vendor any unilateral rights, effectively making the establishment of the client (based on the type of
agreement a one-sided contract. The cloud service control exercised by the client over the cloud service
contract should contain vendor representations and provider), and if so, all business profits that the client
warranties on data security, liabilities, payments, may earn which can be attributed to the cloud
termination rights etc and allow for easy negotiation computing services, is liable to be taxed by the
by the client, to avoid disputes at a later stage. country of location of the cloud service.

Page | 10

i ‘Cloud Computing Risks/Challenges – Legal & Tax Issues’ v ‘Top 10 Advantages of Cloud Computing’ (Idexcel
(Nishith Desai Associates, 2013) Technologies, 17 October 2017)
http://www.nishithdesai.com/fileadmin/user_upload/pdfs/Clou http://www.idexcel.com/blog/top-10-advantages-of-cloud-
d_Computing.pdf accessed 21 January 2019 computing/ accessed 31 January 2019

ii Himanshu Sharma &MartandNemana, ‘Cloud Computing vi Cloud Computing Risks (n 1)
and IP Challenges’ (Singh & Associates, 6 September 2016)
http://www.mondaq.com/india/x/524422/IT+internet/CLOUD vii Summary of the HIPAA Privacy Rule (US Dept. of Health
+COMPUTING+IP+CHALLENGES accessed 21 January and Human Services) https://www.hhs.gov/hipaa/for-
2019 professionals/privacy/laws-regulations/index.html accessed 31
January 2019
iii ibid
viii Guidelines on Managing Risks and Code of Conduct in
iv Michael R. Overly, ‘Drafting and Negotiating Effective Outsourcing of Financial Services by Banks (RBI, 3
Cloud Computing Agreements’ (Lexis Practice Advisor November 2006)
Journal, 30 November 2015) https://rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.pdf
https://www.lexisnexis.com/lexis-practice-advisor/the- accessed 31 January 2019
journal/b/lpa/archive/2015/11/30/drafting-and-negotiating-
effective-cloud-computing-agreements.aspx accessed 31 ix Kripa Raman, ‘Tax treatment for cloud computing needs
January 2019 scrutiny, says law firm’ (The Hindu Business Line, 17 October
2011) https://www.thehindubusinessline.com/info-tech/tax-
treatment-for-cloud-computing-needs-scrutiny-says-law-
firm/article23055707.ece accessed 31 January 2019

Page | 11