Module_6

MODULE 6
CLOUD COMPUTING AGREEMENTS: AN ANALYSIS

6.1 CLOUD COMPUTING AGREEMENTS

6.1.1 What is cloud computing?

Cloud computing is defined as “an abstract computing and data storage
business method where dynamic IT capabilities such as hardware
(Infrastructure-as-a-Service), software (Software-as-a-Service) and tools
(Platform as-a-Service) are provided by third parties/cloud service
providers which enables users to store as well as access their data and
applications virtually from anywhere and through any connected
device.”1The US National Institute of Standards and Technology (NIST)
defines cloud computing as “ model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of configurable computing
resources (e.g. networks, servers, storage, application and services) that
can be rapidly provisioned and released with minimal management effort
or service provider interaction.”2 The Indian Government relies on the
above stated definition of cloud computing.

1 ‘Cloud Computing Risks/Challenges – Legal & Tax Issues’ (Nishith Desai Associates, 2013)

http://www.nishithdesai.com/fileadmin/user_upload/pdfs/Cloud_Computing.pdf accessed 21 January 2019
2 Himanshu Sharma &MartandNemana, ‘Cloud Computing and IP Challenges’ (Singh & Associates, 6

September 2016)

http://www.mondaq.com/india/x/524422/IT+internet/CLOUD+COMPUTING+IP+CHALLENGES accessed 21

January 2019

6.1.2 Types of cloud computing agreements

Cloud computing agreements are mainly of the following three
categories:3

• Infrastructure-as-a-service (IaaS): customers need not buy and
maintain servers, network infrastructure, IT equipment or any other
types of hardware and house it within its own data processing centre;
instead they can access the IT infrastructure and servers of a third
party service provider or a remote cloud service through the internet
or a private IaaS network. Benefits of the IaaS model include a ‘pay-
as-you-use’ pricing model and access to an expandable and elastic
IT infrastructure. This model is also known as hardware cloud.
Examples include Amazon Web Services (AWS), Microsoft Azure,
Google Compute Engine (GCE).

• Software-as-a-service (SaaS): the SaaS model offers a web-based
applications hosting service, or a software cloud, meaning that users
are allowed remote access to software applications hosted by the
remote cloud service provider via the internet, instead of requiring to
install and run software on their own computers. This implies that
customers availing the SaaS need not expend resources on software
updates, maintenance and technical support. The pricing structure of
a SaaS model is based on subscription of services. Examples include
Google Apps, Salesforce.

• Platform-as-a-Service (PaaS): also known as desktop cloud, the
PaaS model offers a software production environment to its users.

3 ibid

Meaning, that users can avail the platforms and tools offered by the
cloud server for developing and testing software applications,
instead of installing and maintaining any such platforms/tools on
their own computers. Examples include Facebook, Ning, 10gen.

6.1.3. Key Clauses

Key clauses of a well-drafted cloud computing services agreement should
include:4

• Service availability: the purpose of a service availability clause in a
cloud services agreement is to ensure that the customer receives
uninterrupted services from the cloud service provider and is able to
access all its data in the cloud at all times and continue to operate its
business as usual. Thus, the service availability clause addresses the
circumstances when the client’s business may be interrupted or
adversely affected if the service provider is rendered incapable of
delivering the promised services to the client, due to any of the
possible reasons including but not limited to, a server being down,
power outage, failure of a telecommunications link, a force majeure
event, the service provider withholding services on account of a fee
dispute, or closing of the business by the service provider due to
bankruptcy or any other financial difficulties. This clause should
specify disaster recovery methods obligating the service provider to
provide continued services despite disasters or any other difficulties.

4 Michael R. Overly, ‘Drafting and Negotiating Effective Cloud Computing Agreements’ (Lexis Practice
Advisor Journal, 30 November 2015) https://www.lexisnexis.com/lexis-practice-advisor/the-
journal/b/lpa/archive/2015/11/30/drafting-and-negotiating-effective-cloud-computing-agreements.aspx accessed
31 January 2019

For instance, the cloud service provider should make provisions to
deliver the requisite services to the client through a secondary server,
data centre or a service provider in the event of a prolonged power
outage, and must implement a disaster avoidance (power outage is
the disaster in this instance) measure in the first place. Provisions
should also be made whereby the cloud service provider is mandated
to either regularly backup the client’s data onto an offsite data
centre, allow the client ongoing access to all such data or provide
periodic copies of such data to the client, to ensure that the client’s
data is not lost or destroyed during a power outage of any other
possible disasters. To avoid unavailability of services due to the
cloud service provider’s bankruptcy, provision should be made
whereby the cloud service provider is obligated to furnish periodic
financial reports to the client to demonstrate its financial capability
to continue the services. On detecting any issues, the client must be
able to take necessary actions to reduce the adverse impact. If indeed
the cloud service provider goes bankrupt, provision should be made
enabling the customer to terminate the agreement as well as
requesting assistance and cooperation from the cloud service
provider to transition its services to the new cloud service provider.
Further, if the cloud service provider is going out of business, the
client must be able to request the service provider to develop an in-
house software solution.
• Service levels: the cloud services agreement must set out service
levels to be attained by the cloud service provider in delivering its
services to the client. A service level clause provides quality-
assurance to the client as regards the availability and responsiveness

of the services delivered by the cloud services provider. Common
service level obligations that must be specified include continued
availability of services with minimal disruptions, prompt response
time for delivering services to the users, able support to a predefined
number of simultaneous users, resolution of service level issues in a
timely manner, and remedies available to the client for breach of a
service level obligation by the cloud service provider, including
termination of the agreement in case of a prolonged breach.
• Data: the cloud service provider must adopt adequate data security
measures and safeguards to protect the client’s data against any
forms of security breaches, threats or vulnerabilities such as
malicious code, spyware or a virus attack. It is prudent for the client
to review the service provider’s security measures, identify the data
centre operator and determine the users who may be granted access
to its data while in the custody of the service provider. If the cloud
service provider does not itself operate the data centre but
subcontracts it to a third party contractor, the customer must lay
down explicit provisions requiring such third party contractor to
comply with all requisite data security and protection measures; and,
imposing a joint and several liability on both the cloud service
provider and the third party contractor in case of any data security
breach, whether intentional or not, by the third party service
provider. The cloud computing agreement must address issues
regarding data backup, whereby the cloud service provider should
either grant to the client an ongoing access to the data, frequently
perform data backups of the customer’s data onto a separate offsite
data storage, or provide periodic copies of such data to the customer.

The cloud service provider must also preserve and protect the
integrity and confidentiality of the client’s data and comply with
applicable data privacy laws of the concerned jurisdiction. It must
restrict any unauthorized access or use of the customer’s data stored
on its cloud. Further, the cloud service provider must perform data
migration from the client’s IT equipment to its cloud at its own cost
or at a mutually agreed price. Additionally, on termination of the
agreement, irrespective of the reason, the cloud service provider is
obliged to return the client’s data, both in the data format used by the
service provider as well a technology/platform-neutral data format,
and destroy and delete all information of the client from its servers.
• Insurance: this clause addresses the insurance issues in cloud
computing agreements. It is desirable for the customer to opt for a
cyber liability insurance policy which covers damages arising from
data theft or destruction, unauthorized access and use of customer’s
data, hacker and denial of service attacks, data loss or damage due to
malware, and security breaches of personal information. The cloud
service provider should also have a cyber insurance policy which
covers IT related risks such as a liability insurance for damages
arising out of technology errors and omissions, a commercial blanket
bond which insures an employer (here, the cloud service provider)
against dishonest conducts by its employees such as embezzlement,
forgery, fraud, theft or any other related mischief, and an insurance
against unauthorized access and cyber crimes.
• Intellectual property: the client is to remain the sole owner of all
intellectual property rights in the data transferred to the cloud service
provider pursuant to the cloud computing agreement. Further,

provisions must be made to enable the client to obtain ownership
over any software product developed during the term of this
agreement, which is created by incorporating a intellectual property
protected work of the cloud service provider.
• Indemnification: the cloud service provider is obliged to indemnify,
defend and hold harmless the client in the event of any data security
breach, violation of confidentiality provisions or intellectual
property or any other proprietary rights infringement of a third party.
• Fees: this clause lays down the pricing model to be used in
providing the cloud computing service, which is typically a ‘pay-
per-use’ fees structure, for instance, pay per virtual machine each
hour, pay per active user each month, or pay per gigabyte of storage
each month. The clause should also address the customer’s ability to
scale up or down, that is, the customer should be allowed to add or
remove resources depending on the current business growth or fall,
and the pricing structure should reflect the corresponding increment
or decrement in the fees to be paid. Further, the client must address
issues such as additional charges by the cloud service provider for
software maintenance and support, or additional fees for data storage
after exceeding a predefined data storage limit, while negotiating the
fee structure.
• Warranties: in this clause, the cloud service provider warrants that
the cloud services provided will substantially conform to the
mutually agreed on specifications laid down in the agreement, and to
the documentation provided by the service provider; the services will
be delivered in a timely manner by professionally competent and
qualified service provider personnel with adequate technical know-

how; the service provider will maintain the data privacy and
confidentiality of the client, and deploy adequate security measures
to protect the data from unauthorized access and use by external
parties; the service provider will comply with all applicable laws and
regulations; the services provided by the cloud computing vendor
will be free from virus, spyware, malware and any other forms of
security threats; the provider’s services will not tantamount to
intellectual property rights infringement of any third party; the cloud
service provider will adequately train the customer to use the cloud
services; and that, there is no lis pendens against the cloud service
provider which may affect the client’s right to use the vendor’s cloud
services.
• Limitation of liability: this clause should be carefully examined so
that the cloud service provider does not hide behind an unreasonable
limitation of liability clause. The cloud computing agreement must
provide for limiting the liabilities of both parties, and ensure that
liabilities such as data security and confidentiality obligation of the
cloud service provider, third party indemnification obligations of
both parties, intellectual property protection obligation of both
parties, and claims for which the cloud service provider is insured,
are excluded from the limitation of liability clause.
• Assignment: the assignment clause in a cloud computing agreement
enables both the client/customer and the cloud service provider to
assign its rights in the cloud services agreement to an affiliate or
subsidiary company due to a reorganization, consolidation, or a
merger and acquisition. On assignment of such rights, the client’s
assignee is bound by all the obligations of the client under the

agreement; conversely, the assignee of the service provider is also
bound by all the duties and responsibilities of the cloud service
provider set out in the agreement, including service level obligations,
warranties and liabilities.
• Term: this clause specifies the term of the cloud services agreement
between the customer and the cloud service provider. It also
provides the right to terminate the agreement by either party under
mutually agreed circumstances, such as expiry of the term of the
agreement, discharge of obligations under the contract, or material
breach or violation of any terms and conditions of the agreement by
either party. The cloud service provider may incorporate a lock-in
clause, whereby the client cannot terminate the agreement within a
prescribed time period, for the purpose of recouping its (the service
provider’s) investment towards securing the business of the
customer. In such a circumstance, the service provider must furnish
proof of its upfront costs, sales expenses, and any related costs to the
customer, in order to justify requirement of the lock-in period.
Further, this clause lays down conditions under which the term of
the agreement may be extended beyond its original term.

6.1.4. Benefits

Few major benefits of cloud computing include:5

• Cost reduction: availing cloud computing services enables users to
share a common IT infrastructure and thus eliminates the need for
setting up, operating, managing and maintaining its own data
processing facility or IT equipment. This, coupled with the pay as
you use or subscription based pricing model, helps an organization
curtail on its capital expenses and operational costs, and frees up
capital for the company to funnel into core business activities.

• Automation: cloud computing services helps automatize the users’
data management systems. Further, cloud service providers are
responsible for regularly updating, maintaining and technically
supporting the users’ software systems, including automated security
updates.

• Resource sharing: cloud computing facilitates and promotes sharing
of computing resources and thus help organizations in saving
managerial, operational, financial and human resources in setting up
their own data processing units. Cloud services also have the
advantage of a vast storage capacity, thus enabling users to store
large volumes of data and applications. Further, cloud computing
enhances collaboration between a diverse group of individuals
and/or organizations who meet and exchange vsaluable information
in the virtual space, which in turn improves the quality of customer
service and product development.

5 ‘Top 10 Advantages of Cloud Computing’ (Idexcel Technologies, 17 October 2017)
http://www.idexcel.com/blog/top-10-advantages-of-cloud-computing/ accessed 31 January 2019.

• Scalability and flexibility: in a cloud computing arrangement,
businesses can scale up or down, that is add or remove resources
according to their growth or fall in their business environment. Thus
companies can avail resources as and when they require according to
their business circumstances, thereby ensuring a more flexible
approach than traditional computing methods. Further, cloud
computing offers an added advantage of mobility, whereby users can
access the information located on the cloud whenever and wherever.

• Focused approach: allowing a cloud server to manage an
organization’s IT system enables such business entity to focus on its
core business areas, research and development, or business
innovations and enhance performance, rather than spending time and
resources in setting up and managing the operations of its own IT
equipment.

6.1.5 issues

Key issues and challenges that could potentially arise out of a cloud
computing agreement include:6

6.1.5.1. Data privacy and confidentiality

The cloud service provider must, at all times, preserve the confidentiality
and integrity of the client’s data, and as such, must be aware of data
privacy laws of concerned jurisdictions and comply with them. Often
various jurisdictions have industry specific laws and regulations that
impose restrictions on sharing of data, for instance, restrictions imposed on

6 Cloud Computing Risks (n 1)

sharing of patient medical records by a US healthcare company as per the
Health Insurance Portability and Accountability Act7, or adherence to a
code of conduct issued by the Reserve Bank of India when Indian banks
outsource their financial services to a third party contractor8, and care must
be taken by the cloud service provider to not violate such laws and
regulations. The contract must also stipulate that the cloud servicing
vendor has adequate data security measures and safeguards in place to
protect the client data. Further, it must lay down the party to be held
accountable or responsible for any loss or destruction of data on the cloud.

6.1.5.2. Ownership

Provision must be made in the cloud services agreement stating that the
client retains ownership and control over all its data and applications that
are transferred onto the cloud of the remote services provider. The contract
must also clarify that the client shall continue to remain the sole owner of
the data stored on the cloud even when the cloud service provider
outsources or assigns some of its business operations to third party
contractors.

6.1.5.3. Data storage

Although clients can decide the storage location of data and their backup,
such is rarely the practice. Usually the cloud service providers store the
client data over multiple clouds spanning across multiple jurisdictions.
This implies compliance with data privacy and data transfer/storage laws

7 Summary of the HIPAA Privacy Rule (US Dept. of Health and Human Services)
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html accessed 31 January 2019
8 Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks (RBI, 3
November 2006) https://rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.pdf accessed 31 January 2019

of more than one jurisdiction, failure of which might attract multiple
lawsuits. Another added disadvantage is that data privacy laws of one
jurisdiction might be more onerous than the other, thus adversely affecting
the client.

6.1.5.4 Integration and service levels

In a cloud computing arrangement, data is often stored across several
scattered clouds. This implies that data and applications dispersed across
these various clouds need to be eventually integrated, and potential issues
may arise if the client organization is not granted complete access to such
cloud sources or the configurations of the cloud provider and the client are
incompatible with each other, thus, rendering services integration by the
client effectively impossible. Therefore, the cloud servicing agreement
should address such issues, or the entire purpose of cloud servicing will be
defeated. Further, the cloud service provider must guarantee that it will
adhere to the mutually agreed upon service levels, and would not
compromise on the quality of cloud services. Thus, the cloud contract must
incorporate a service level clause to ensure consistency in the services
performed by the cloud services provider.

6.1.5.5 Vendor contracts

Care must be taken to draft a well negotiated contract between the cloud
service provider and the client, to ensure that the contract is not overtly
vendor friendly and does not grant the cloud service vendor any unilateral
rights, effectively making the agreement a one-sided contract. The cloud
service contract should contain vendor representations and warranties on

data security, liabilities, payments, termination rights etc and allow for
easy negotiation by the client, to avoid disputes at a later stage.

6.1.5.6 Taxation

In the Indian context, issues relating to taxation of cloud computing
services can be classified into two broad categories – characterization of
income and permanent establishments. As regards characterization of
income, the issue is, whether the income received by foreign cloud service
providers are ‘royalties’ or ‘business profits’. If such income is
characterized as ‘royalties’, then a withholding tax is to be levied in India
on such royalties. On the contrary, if the income is characterized as
‘business profits’, it would be taxable in India only if such foreign cloud
service provider has a permanent establishment in India9. Further, with
regards to permanent establishments, the issue to be determined is,
whether a foreign cloud service provider can be regarded as a permanent
establishment of the client (based on the type of control exercised by the
client over the cloud service provider), and if so, all business profits that
the client may earn which can be attributed to the cloud computing
services, is liable to be taxed by the country of location of the cloud
service.

9 Kripa Raman, ‘Tax treatment for cloud computing needs scrutiny, says law firm’ (The Hindu Business Line, 17
October 2011) https://www.thehindubusinessline.com/info-tech/tax-treatment-for-cloud-computing-needs-
scrutiny-says-law-firm/article23055707.ece accessed 31 January 2019