The use of cloud systems raises questions on control over the equipment, software and most importantly… the data. This increases the need for a solid contract. What should you as general counsel specifically consider when looking at a contract for cloud and AI services?
What exactly do we pay for?
When procuring a DVD with standard software it is relatively clear what you are getting. You can install and run the software and the license agreement will protect you against claims of the software manufacturer based on its intellectual property rights. You won’t know what the software is capable of, but you will at least be able to check this out for yourself and describe the functionality of the software on that basis.
And if a perpetual license is granted for the software at hand, there is a considerable chance that you will enjoy additional protection under the concept of “conformity”. The reasoning here is as follows: when a perpetual license is granted in return for a one-off royalty payment, the same rules should apply as for the sale of goods. This, in turn, means that the user can go back to his software supplier if the product does not meet the requirements that one could reasonably expect of this type of product.
As cloud-based software, especially when offered in SaaS models, will continuously change, the user cannot easily prove that certain functionality used to work fine, but is no longer available or working. For this reason it makes sense to check whether the key features are (or can be) described in a document and to refer to that description in the agreement.
Can we move to another provider if things go wrong?
Having your systems and data in the cloud generally means you are dependent on external providers. As long as these providers do their job properly, that’s no problem. But if an issue arises, you may find your company “locked in” unless there is a practical way to get all data and configuration details necessary to deploy an alternative IT system to ensure business continuity. In addition to an exit clause in the agreement it is equally important to ensure access to the data and key configuration information needed to set up a copy of the system somewhere else – without having to first seek the cooperation of the initial IT supplier.
Can we verify everything is in check?
If your IT system is running on cloud infrastructure, there are others who have physical and logical access to your data. Naturally the cloud supplier should be bound to non-disclosure obligations and commit to data security measures. In addition you should put in place detailed audit rights to at least have the right to have your own people check whether the measures taken are indeed appropriate.
Are the right restrictions on use of data spelled out?
Provisions like “The client shall be the owner of all data” sound comforting, but do not give much protection. When procuring cloud services, be mindful that your data can be used in many ways. Just agreeing on confidentiality does not mean that the data cannot be used to train AI algorithms, create benchmarks or develop new services. If you wish that your supplier only touches the data in the course of the service provision to you, and does not use it for its own business purposes, then make sure this (as well as a corresponding audit right) is articulated in the cloud services contract.