Fragen und Antworten zu Cloud-Computing Verträgen in der Schweiz

Dieser Artikel ist nur auf Englisch verfügbar.

 

Types of contract

What forms of cloud computing contracts are usually adopted?

Cloud computing contracts can be focused on the processing of data residing in the cloud, or can be regarded as contracts of the SaaS category, involving the online operation of applications of all kind, including more and more business-critical applications such as enterprise resource planning programmes, supply chain and logistics management, asset management and asset maintenance, workflow management, human resources, CRM, among others.

 

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

B2B public cloud computing contracts are often made by international service providers, who include governing law and jurisdiction of their home state or may include international arbitration. Swiss service providers often include an arbitration clause indicating specialized Swiss arbitration forums as competent for claims (Swiss Rules of International Arbitration). Some contracts contain dispute resolution clauses that set forth an escalation of disputes up to the level of the executive board of the parties, and if this does not result in a positive outcome, then arbitration, court procedures, or mediation by an external third person are possibilities. With respect to enforceability, salvation clauses normally foresee that clauses that would be invalid or unenforceable, will be automatically adapted in a way that remains as close as possible to the intended meaning of the relevant clause.

 

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in covering material terms, such as commercial terms of service and acceptable use, and variation?

If implementation services are involved, a separate price is foreseen for the implementation service, and this will be paid according to milestones, where the acceptance of the delivered service will oblige the customer to pay the relevant price. The operational cloud service is typically paid as a subscription, with annual or monthly payments, typically paid up front. The price can be based on the allowed number of users or the used volume or number of transactions. The cloud contracts normally include an acceptable use policy, providing suspension and possibly even termination of the contract if the use policy is not respected.

Because the cloud service is often a one-to-many relationship, the service provider is practically obliged to include a variation clause in the contract, enabling him or her to modify the service unilaterally when this is needed to provide an acceptable service. To balance the rights of the customer, such clause will provide a termination right of the customer with an acceptable notice period if he or she does not agree, especially when the cost of the service is increased or certain functionalities are lost. Legislation concerning abusive clauses in general terms and conditions may have an impact on such variation clauses.

 

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract covering data and confidentiality considerations?

Cloud contracts will contain a description of the data centre, the communication lines and the security provisions protecting the communication and safety of the data. Data are usually located in a data centre provided by the service provider or by one of his or her suppliers. Customers that are aware of the risks will ask for service levels that are included in a service-level agreement (SLA) with clear levels and financial sanctions (credits). Regarding data security, the service provider will usually provide encryption and access management, authorisation methods; more and more the compliance with industry standards is demonstrated through certificates.

When personal data is involved, the requirements will at least allow compliance with the legal and sectoral standards for data protection. In that case, customers require a warranty that data remain located in servers in the Swiss or the EU territory. If data must be transferred to, or used from, third countries such as the US, Swiss and European compliance measures must be respected. Before the GDPR, clauses regarding the notification of data breaches were not very common. However, this has changed since the GDPR also in Switzerland. General awareness about the risk of breaches on privacy has increased.

The ownership of business data is often specified in a contract and may have an impact on the possibilities of a SaaS provider to make use of business data of customers (e.g. for statistical use or for service improvement). Depending on the concrete circumstances, a customer may seek to limit such right (e.g. if he or she believes that the business data could be abused or could be used in a competitive context). Similarly, the right to obtain the data after the termination of the contract is a critical issue and should be warranted by contract, whether or not at a cost price, and whether or not through migration obligations that must be executed by the cloud service provider.

Clauses obliging the provider to guarantee the certification of services (ISO 27001, ISAE, etc.) for the duration of the contract are also common.

 

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in covering liability, warranties and provision of service?

Every cloud contract contains some kind of limitation of liability for any damage caused by the service; liability for consequential and other indirect damages are usually excluded and direct damages are usually limited (often referring to the fee paid for the service as the limitation for damage in the aggregate).

Damage caused by intention or gross negligence can neither be limited nor excluded by Swiss law. Although the possible liabilities of the customer are often considered as less likely, many contracts will balance the customer’s liability in a similar way. Indemnities are usually provided as a safe harmless clause when a customer is confronted with a claim of a third party for infringement of its intellectual property rights. The customer can be liable for infringement on third party’s rights based on infringing applications provided by the service provider, and in that case the service provider will take control of legal proceedings or negotiations and will not hold the customer liable for damages.

In the direct relationship between a data controller and his or her customer, liability for breach of the data protection rules cannot be limited. Similarly, when the customer has a direct claim against a data processor (e.g. the cloud service provider) based on a breach of these rules, his or her liability cannot be limited. It is, however, accepted that between a data controller and his or her cloud service provider (acting as data processor), the liability can be limited even for damage caused by breach of the data protection rules.

SLAs are becoming a normal standard of cloud contracts, guaranteeing the availability of the service, timely response of a helpdesk and performance levels, service levels and KPIs should be measured and reported. The levels can be negotiated by the customer unless the service is standard for many customers: in which case, the SLA is a take-it or leave-it matter. SLAs are not always sanctioned by financial penalties; however, financial service credits are increasingly applied when the service levels are not met by the provider.

A normal cloud contract should contain clear explanation and warranties regarding business continuity and disaster recovery (e.g. through replication of data or applications to spare servers); specific key performance indicators can be set forth to cover maximum loss of data packages and the time needed to be up again after a shutdown. Damages for loss of data are often excluded as damage compensation.

 

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

The intellectual property rights of the applications involved in SaaS agreements or similar contracts remain with the provider of the cloud service; this is usually the case for developed interfaces and specific adaptations as well. Data and other content that is created by the customer usually belong to the customer. The service provider’s right to use such data for statistical purposes or for service improvement, or for other uses, are more and more explicitly safeguarded or, inversely, limited. Most contracts contain a provision that warrants the return of data during the course of, or after the termination of, a cloud contract (data portability).

When the cloud service is endangered because of infringement of third-party rights by the applications of the service provider, the contract clauses usually state that the service provider has the right to apply the appropriate remedy chosen by him or her, such as the adaptation or replacement of infringing code, and if that is not feasible, the termination of the contract with a partial refund of any upfront payment of fees. Damage compensation is usually excluded or at least limited.

 

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract covering termination?

B2B cloud computing contracts usually have a rather short applicability period (typically of one year, automatically renewable unless terminated by either party before the anniversary date of the contract). If an important investment was involved, such a contract can be agreed for three years, in exceptional cases longer.

Termination for no cause will always take a notice period into consideration that is sufficient for both parties to find an alternative contract partner. Termination for cause, on the other hand, is foreseen in the case of material breach, usually after a grace period of one month, and in cases of bankruptcy and insolvency procedures.

The retention and return of data is of utmost importance in case of termination and is usually foreseen, although any assistance with data migration can be subject to an additional payment. The service provider will usually not provide a retention right for himself or herself, unless in case of non-payment of service fees where it might be used as a pressure mechanism.

Juni 2020 | Autor: Dr. Martin Eckert

Ihr Team

Ihr Kontakt

Wünschen Sie, dass wir Sie kontaktieren? Bitte füllen Sie das Formular aus und unsere Berater setzen sich gerne persönlich mit Ihnen in Verbindung.