I recently had the opportunity to put this question to in-house counsel from several major public Canadian and U.S. cloud vendors in connection with a speech I gave on “The Evolution of IT Licensing: From Software Licensing to Software as a Service” at the Canadian IT Law Association’s Annual Meeting in October.
Agreeing to speak to me on an anonymous basis, the vendors confirmed that cloud computing remains an ever-fluid, rapidly changing field, that there is no “one-size-fits-all cloud arrangement,” and that cloud agreements have indeed evolved beyond the vanilla templates of even a few years ago in order to meet the demands of particular regulated industries and government clients. A few selected highlights are mentioned below.
There is no question cloud vendors own the IP behind their technology. However, the ownership of customizations remains contentious.
As one vendor complained, “Downtown lawyers do not really understand IP ownership in the cloud. Clients are not in the SaaS business themselves. So effectively, it is not useful for customers to ‘own’ customizations because what good does this really achieve for their business?”
Many vendors confirmed that, while customer data definitely belongs to customers, they asserted ownership over consultations or custom work as company policy. If a vendor does grant ownership, the vendor typically wants a licence back so it can use the IP for other customers.
Interestingly, vendors are increasingly asking for indemnities for third-party IP claims arising from hosting customer content on their own platforms.
The ownership and use of metadata — information about the customer’s use of the cloud service — remains another contentious area of negotiation that often requires clarification in the contract.
Several vendors acknowledged the murkiness that arises from the data generated through customers’ use of their cloud. Most asserted the need to own this data, to consolidate trends, glean useful derived information, improve service offerings, etc. But does this ownership then allow for wholesale and unfettered resale/commercial exploitation by third parties?
The secondary use of data and metadata remains a concern for many customers and several of the cloud vendors reassured me — at least on their platforms — such customer data was anonymized and aggregated and does not get “sold on” or otherwise monetized. Any use was limited to internal purposes only by senior technical staff — at least right now.
If the protection of such data is important to a customer, it is imperative the cloud agreement reflect this limitation.
Cloud vendors see auditing — i.e. access to their facilities and systems — as a very sensitive issue.
While acknowledging certain access and audit rights are important for financial institutions and governments, one vendor quipped that for non-financial institutions it “only really becomes an issue when outside lawyers become involved” in the negotiations.
Needless to say, almost all the cloud vendors I spoke with resisted third-party testing unless they conducted such tests themselves and provided customers with a truncated summary version of the results (perhaps on a quarterly basis). There is also reluctance to allow access to cloud data centres amongst some vendors as “cloud services are meant to be a standard offering.”
Cloud vendors are very aware that clients all want to know where their data is. However, while they can sell clients a service that will keep their data in one designated location (i.e. Canada), this service option will cost more money and some customers will balk at the additional expense.
However, one may also observe that audit clauses represent one area of cloud agreements that has evolved over the years, as vendors now get many access requests to audit their premises and thus many do allow for it on a limited basis.
At least one vendor allowed site visits of their data centres to show “how secure we are.” Almost all the vendors agreed they are receiving more requests for audits and the use of third-party auditors in general, particularly in the regulated industries. Penetration testing requests only come from financial institutions. Other than those and governments, the “vast majority of clients” appear to be satisfied receiving third-party audit reports or other proof of audits.
On the flip side, many vendors are now asking to audit their clients, not just to ensure their customers are financially solvent but also to ensure that platform users can lawfully make available their content, IP licences, and other information to cloud providers.
As one of my own cloud-user clients said to this point, “when engaging cloud computing, one has no choice but to ‘trust the cloud vendor’ since there is no real transparency in a cloud service. Therefore, it is critical to look at the track record of the particular cloud vendor, their industry reputation, and choose a vendor that you trust.”
There is no question that among the cloud vendors I spoke to, “security is the hottest issue,” the “No. 1” topic, and very key in the hearts and minds of customers.
Vendors have reacted very differently to differing customer demands and expectations in this area. Several have created Canadian data centres. One commented that customers approach this issue very differently — some do not want to know the gritty details regarding security and protection and just ask for unlimited liability for damages. Others spend the time to really understand the security issues and differing levels of security and seek in their agreements a balance between mitigating security concerns and budget constraints.
If you are negotiating this issue for a client, it is critical to verify, in the particular factual circumstances, what the organization wants.
Not surprisingly, customers are most concerned about the protection of their data: data transfers, where the data is, how the data is used, and the location of the data centre. Also, who has access to the data: subcontractors, who else?
As public clouds are intended to be homogenous, most of the cloud vendors said they can take steps to meet some of these concerns — i.e. segmenting data by jurisdiction to ensure it is located in a neutral area — but such refinement costs extra.
Key issues in data today include questions around who will pay damages for a data breach (the amount of such damages is hotly contested in most cloud agreements), carve-outs and limits for such data breaches, and how much clients are willing to pay for increased security protections.
At least one vendor also commented the cloud vendor community has concerns about misuse of its technologies and expressed a fervent desire to “keep government out of data.” To that end, companies are pushing back using technological features to ensure their own systems are secured against government or other third-party surreptitious access/intrusion.
Most providers don’t want to be the middlemen in government investigations or a pawn of the police. Interestingly, at least one client of mine also acknowledged that companies that use the cloud must also monitor and watch over their own employees’ use of the cloud as often the customer users can be a point of significant weakness. “Internal security is critical, internal tracking included. Protect User IDs and monitor against stealing using monitoring software if necessary,” said the client.
Many other issues were discussed, so please read more about my conversation with the vendors in next month’s column.