Managing Contractual Risk in Cloud Contracts (Part 1)

by Ricky M. & Monique L. Magalhaes [Published on 26 June 2014 / Last Updated on 26 June 2014]

In this two part article we will look at contractual terms in cloud services contracts and issues for consideration, to reduce risk.

If you would like to read the next part in this article series please go to Managing Contractual Risk in Cloud Contracts (Part 2).

Due diligence procedures should not be overlooked when selecting a cloud provider. Cloud computing risks can be identified, managed and even reduced through thorough scrutiny of the services contracts, to ensure that the appropriate contract assurances and operational best practices are in place. Contracts for cloud services vary, from a ‘one-size-fits-all’ solution contract to a multi-layered services agreement.

Introduction

Cloud services are increasingly being adopted. However, the exponential growth should not hide the fact that cloud services are still somewhat contractually immature and thus susceptible to manipulation. A lot of the time customers take on increased risk in their haste to embrace these modern cloud services. Cloud contracts require proper standardisation and transparency to avoid complications as well as to mitigate risk. For the past few years this has been a persistent issue, with the industry pushing for transparency and urging cloud service providers to engage honourably with customers.

When it comes to standardising cloud contracts, rigidity will not work. Cloud services require a degree of flexibility because of the variations present in cloud technologies and services. A best practice solution ensuring transparency and increased customer/user awareness with regards to cloud contracts will go a long way to improve confidence and clarity in the cloud and assist users in managing cloud risk.

It’s essential that users are aware of which contractual terms should feature in their cloud contract; ensuring that the vital elements clearly feature in the contract will assist with cloud risk management in the long term. Essentially, the cloud contract allocates risk between the service provider and the customer.

It’s not always possible to negotiate your cloud contract, and some cloud providers will hide behind this fact, delivering substandard services because the contracts are written in a way that does not properly hold them accountable for non-delivery of the service. Whether negotiation is possible depends on the service you are acquiring and how economical it is, but today it has become more common practice to negotiate your contract, especially as the crowded cloud market becomes increasingly competitive. Whatever the circumstance, it’s imperative to ensure that the contract you enter into covers all the necessary elements.

Is the Service Provider using contract best practice?

Cloud providers can adopt best practices in their contracts. Some of the best practices to look out for in the contract include:

  • Clear and easy to read and understand SLAs
  • Straightforward escalation procedures
  • Clarity on data control
  • Clearly documented management systems, procedures and resources
  • Clarity on data centre location and data replication location
  • Clarity on jurisdiction and governing law
  • Level of liability acceptance
  • Contract adaptation and termination
  • Procedures for retrieval of data
  • Migration procedures if required to an alternate provider
  • Onboarding and also offboarding (offboarding is often forgotten; if the customer needs to move off the service, higher costs are typically incurred or it is not feasible to obtain the data from the service provider)

Issues for business/customer consideration

  1. Uptime guarantees/availability and liability for service failure (possibly penalties)

Service failure is a possibility. Although cloud service providers guarantee uptimes and most do their utmost to avoid service failures, failures do occur, even with large, well-known providers.

Ensure that service/performance levels are documented contractually, with penalties if they are not met. Understand what the guaranteed availability is and what the remedies are if it is not met.

Typically service providers will exclude maintenance, force majeure and issues caused by the customer from availability guarantees. You must be sure to contractually agree an appropriate time and enough notice for any planned maintenance. Read this carefully and make sure that you accept these terms.

Cloud providers often exclude liability within their contracts for their customers’ losses (direct or indirect) resulting from cloud service failure.

The lack of compensation for losses represents a form of risk exposure in cloud contracts. A single service provider failure could have a detrimental effect on thousands of customers concurrently which represents risk for the provider, thus providers avoid contractual obligation for taking liability and issuing compensation. Understandably providers are trying to cover themselves for the eventuality of a service failure occurring but the customer is left with the risk.

If providers assume no form of liability, try to re-negotiate where possible. Choosing a provider that is well known within the market, with an exceptional track record, a strong reputation to uphold and a demonstrated commitment to remaining in the cloud computing market, may not always reduce the risk.

When negotiating your cloud contract you should negotiate supplementary liability insurance where possible, leveraging the fact that providers will have liability insurance of their own, and be prepared to walk away if you are not satisfied.

  2. SLAs and penalties

The Service Level Agreement should be based on what suits your business directives. The agreement should cover the areas of cloud provider responsibility in an unbiased way and give you the right to reports, reviews, monitoring and audit.

It’s important that the SLA within your contract covers the following availability aspects:

  • Point of measurement (service availability at the point of user consumption)
  • Service measurement duration/down time (what period of time is service availability guaranteed)
  • Application availability
  • Priority levels, for example P1, P2, P3, P4, and the way the service provider will respond based on the priority level
  • Penalties: some providers may offer cash back or service tokens if the level of service is not attained
  • Service measurement: be sure you know who is measuring the service, and if it’s the service provider, ensure you receive the service delivery report at least on a monthly basis

Most providers now include some form of penalty within the SLA contract to give their customers a form of assurance if they fail to meet the service level agreement; if this is absent from your contractual terms it should be carefully considered. Take note of any penalty exclusions that exist and re-negotiate them.

The penalties assist in identifying potential risk and maintaining risk at manageable levels. However these penalties should not be your only form of resolution as they may prevent you from claiming for damages or even terminating your contract.
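As an added example (not code from the article), the following shows one way a customer can independently recompute the monthly availability figure a provider reports, applying the exclusions described above (properly notified planned maintenance, customer-caused issues, force majeure) and mapping the result to a penalty tier. The notice period, credit tiers and outage log are all constructed placeholders, not terms from any real SLA.

```python
from datetime import datetime
# Assumed contract terms (placeholders, not taken from any real SLA).
MAINTENANCE_NOTICE_HOURS = 72   # agreed minimum notice for planned work
# Penalty tiers (availability threshold %, credit as % of monthly fee); last is the guarantee.
CREDIT_TIERS = [(99.0, 25.0), (99.5, 10.0), (99.9, 5.0)]

# Constructed outage log for June 2014, measured at the point of consumption.
INCIDENTS = [
    {"start": datetime(2014, 6, 3, 1, 0), "end": datetime(2014, 6, 3, 3, 0),
     "cause": "maintenance", "notice_hours": 96},   # excluded: notice given
    {"start": datetime(2014, 6, 10, 14, 0), "end": datetime(2014, 6, 10, 14, 45),
     "cause": "provider", "notice_hours": 0},       # counts as downtime
    {"start": datetime(2014, 6, 17, 22, 0), "end": datetime(2014, 6, 18, 2, 0),
     "cause": "maintenance", "notice_hours": 12},   # too little notice: counts
    {"start": datetime(2014, 6, 25, 9, 0), "end": datetime(2014, 6, 25, 9, 20),
     "cause": "customer", "notice_hours": 0},       # excluded by contract
]

def counts_as_downtime(incident):
    """Customer faults and force majeure never count; maintenance counts only if under-notified."""
    if incident["cause"] in ("customer", "force_majeure"):
        return False
    if incident["cause"] == "maintenance":
        return incident["notice_hours"] < MAINTENANCE_NOTICE_HOURS
    return True

def monthly_availability(incidents, period_start, period_end):
    """Return (availability %, counted downtime min, excluded min) for the period."""
    total = (period_end - period_start).total_seconds() / 60
    counted = excluded = 0.0
    for inc in incidents:
        # Clip each incident to the measurement period before summing.
        lo, hi = max(inc["start"], period_start), min(inc["end"], period_end)
        minutes = max(0.0, (hi - lo).total_seconds() / 60)
        if counts_as_downtime(inc):
            counted += minutes
        else:
            excluded += minutes
    return 100.0 * (total - counted) / total, counted, excluded

def service_credit(availability):
    """Credit owed: the tier for the lowest threshold the figure falls below."""
    for threshold, credit in CREDIT_TIERS:
        if availability < threshold:
            return credit
    return 0.0

def check_june_2014():
    """Worked case: the constructed log over the June 2014 measurement period."""
    return monthly_availability(INCIDENTS, datetime(2014, 6, 1), datetime(2014, 7, 1))
```

Calling check_june_2014() gives roughly 99.34% availability, so service_credit() returns the 10% tier; had the under-notified maintenance window been excluded as the provider might prefer, the month would land in the 5% tier instead.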

Conclusion

Research has shown that at present, and for some time to come, the transparency, contractual language and protections offered by cloud service providers are unsatisfactory.

With knowledge of cloud contract best practice and of the fundamentals the contract should feature, with respect to your business needs, you might find the need to negotiate and challenge certain components of the contract.

With a clear understanding of the relationships within your cloud services supply chain, you can leverage negotiating power to achieve a contract that best suits your prerequisites.

It’s vital that prior to entering into a cloud contract you critically question and fully understand it. To sustainably lessen risk, the contract should be reviewed regularly and adjusted according to changing business objectives and circumstances.

Finally, if you are not comfortable with the contract as a whole and the provider is not willing to revise it or negotiate to get it to the point where it suits your business objectives and where you are happy with it, don’t enter into it, move on - there are many cloud service providers who will be willing to assist.

In the next article of the series we will cover data control and regulation on data security and privacy, as this has become an area of particular interest in the last 9-12 months. We will also cover the contractual elements that should be addressed if a subcontractor to the cloud provider is involved, as this area is often overlooked and can result in a gap in the contract where no responsibility has been assigned. Governing law and jurisdiction are also addressed, as well as other areas that you as a corporation should consider closely when subscribing to a service or cloud product.


The Author — Ricky M. & Monique L. Magalhaes

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Monique is an international security researcher, she holds a BSc Degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern hemisphere.
