Gartner Wrote It (About the Cloud), But Here Is A Software Attorney’s Take

Gartner just wrote this interesting piece called the “Rights and Responsibilities for Consumers of Cloud Computing Services” and published it in the Cloudbook. It is worth a read, and I added some of my insights on how and where to address the issues (what should be in the cloud agreement and what is more of a policy statement or communication issue). Just some thoughts for any company seeking a venture capital investment or growth capital as part of their business growth strategies.

1) Retain Ownership of One’s Data. This is covered ground and nothing new to most people. I think all cloud agreements should address this issue as clearly as possible so everyone knows who owns what, and how and when data will be returned to the customer. Oh yea, there is already some reported litigation on this issue, so remember this is important! Recent Case (see page 4). (Address in Cloud Agreement) 

2) Service Level Agreement. This one is also nothing new, as service level agreements have been around forever (at least it seems like it). I think the SLA should be in the cloud agreement and not left to a policy statement. (Address in Cloud Agreement) 
3) Notification of Changes to the Service. This is a great idea and cloud vendors really should communicate about any material or significant change to their service (i.e. ones that would impact their customer or a change they would want/should know about). I think the key here is for the vendor to be as transparent as possible so there aren’t any missed expectations (that is what often leads to disputes and litigation). This too is a communication or policy matter so it does not need to be in the cloud agreement. (Address via Communication) 

4) Understand the Technical Limitations.Gartner is suggesting here that vendors educate their customer on architecture and technical issues. This seems like a no brainer and is something every cloud vendor should implement as part of selling and supporting their service. (Address via Communication Before and After the Sale) 

5) Understand the Legal Requirements of Jurisdictions Where the Service Provider Operates. In essence, Gartner is saying that the cloud vendor should tell their customer where their data resides, and handle any legal and privacy issues associated with the transfer of customer data. This seems like a reasonable expectation and also sounds more like a policy statement (not something that necessarily needs to be in the cloud agreement . . . other than some type of vendor warranty that “they will comply with all applicable laws regarding their performance under the agreement”). (Address via Communication Before and After the Sale)

6) Know the Security Process the Provider Follows. While this is usually not a contractual issue for a cloud agreement, I think it should be a policy statement wherein vendors communicate what they are doing to secure the customer data. I actually think the company I use for my legal billing does a great job of this in their security statement (here is their statement on security). (Address via Policy Statement)

7) Understand and Adhere to Software License Requirements. The issue here is that software vendors should communicate to their customers if they allow their customers to move their licenses from an on-premise license to the cloud. I find this is more of a policy statement by a vendor, but it should be documented (if the transfer or use/access is allowed) in an addendum or some type of legal agreement between the customer and the software vendor. (Address via Communication and in an Amendment)

All in all, I think this is a great current and short list of many of the important issues to consider when working with a cloud vendor. However, it seems like these lists keep changing and everyone (including me) is still trying to figure out what the most important issues are and how to address them appropriately. I hope this is interesting or useful, and is the kind of thing you should expect from venture capital advisors. 

Resources (lots of these Bill of Rights things out there!):

CNET Cloud Computing Bill of Rights.
Altimeter’s: SAAS Bill of Rights.
Disclaimer: This is not legal advice, and is for educational and informational purposes only. Contact and hire an attorney if you need legal advice, which advice should be provided only after review of all the facts and the applicable law.