Clouds without borders: the dangers of non-localized cloud contracts

Careful scrutiny of cloud computing contracts will mitigate dangers of borderless agreements

Lisa R. Lifshitz

It’s an exciting time in your organization. Your business has completed its due diligence and has found the perfect service provider, located in another jurisdiction. Not to worry; the vendor assures you that they have a localized form of a simple three-page cloud agreement that has been tailored to meet Canadian legal requirements, and if you just sign the cover page and click through the terms the service can be up and running almost overnight. Easy peasy, right? Wrong!

As someone who spends much of her professional career reading technology contracts, it’s fair to say that some foreign vendors remain challenged by the specific and unique requirements of doing business in Canada. While the larger, reputable providers have in the past several years considerably improved their standard cloud contracts, taking into account Canadian regulatory and other legal obligations that their customers face, smaller vendors — or those that choose to remain willfully ignorant of local conditions — continue to contract with Canadian clients using substandard contracts.

Referencing Canadian law in the governing law clause of a cloud agreement may be only the beginning of a properly localized cloud agreement. In addition to the usual hotly negotiated clauses of cloud contracts (representations/warranties, indemnities, limitation of liability and meaningful service levels), I have over time observed several other pitfalls in insufficiently localized cloud contracts, as follows.

Beware of the deadly hyperlink. Where’s Waldo? More precisely, where are the actual cloud terms located? Some cloud providers prefer to have their customers sign order forms or statements of work with the critical cloud terms buried in extensive hyperlinks. The problem with this practice is that the hyperlinked documents — whether the acceptable use policy, the service level agreement or the terms of service — often contain legal terms that either expressly violate Canadian legal requirements, cause the users to waive critical legal rights/protections or plainly contradict the Canadian governing law clause, incorporating a plethora of foreign legislation. You may even find that significant components of the actual cloud services are not even performed by the actual cloud vendor.

Unfortunately, reviewing a cloud contract does not end with the front-facing document. Be prepared to start clicking and reviewing all those hyperlinked ancillary documents in order to understand all of the baklava-like layers of your prospective cloud agreement.

Beware of generalized language. What does it mean when a cloud provider agrees to comply with applicable laws or good industry practices? If you are at all concerned about complying with specific Canadian regulations, especially privacy and security requirements, or if your business is a highly regulated industry (i.e., financial services or healthcare sectors, or government services), the cloud provider’s willingness to comply with their own laws will not go far enough towards meeting your varied regulatory requirements. Specificity will be required to ensure any critical requirements are addressed in the cloud contract, particularly in the area of data protection, data location, location of subcontractors, critical security controls and mandatory data breach notification requirements, including record retention.

Avoid agreeing to statements such as each party agrees to comply “with all data protection laws applicable to the provision of the services” if the vendor is actually located in California. Does that mean a Canadian client is signing up to comply with the California Consumer Protection Act or other state laws? Vague language is not your friend.

Beware of the reverse onus. In the name of “balance” or “shared responsibility,” some cloud agreements will make demands such as requiring customers not to upload personal information (other than business contact information) to the cloud service so that the vendor has no obligation to protect it, or making it the client’s sole responsibility to “select the appropriate services and to implement security measures and practices that are commensurate to the sensitivity of the Customer’s data that may be stored on and/or transmitted through the Services.” Alternatively, the customer will be required to sign up to the same requirements as the vendor, such as committing to purchase the same amount of amount of commercial general liability, professional liability, network privacy and security/cyber-liability insurance covering property damage, bodily injury (including death), and claims arising from a party’s obligations. How is this fair?

Beware of sloppy drafting. So-called “Canadian” contracts are often rife with the legal terminology and concepts of other jurisdictions such as the United States or Europe. Consider the following language from a recent “Canadian” cloud agreement I reviewed: “Each party will at all times comply with data protection legislation in respect of its processing of Personally Identifiable Information.” In their haste to create international one-size-fits-all cloud contracts, Canadian entities are being asked to confirm their strict compliance with Europe’s General Data Protection Regulation legislation even when doing business with a Canadian or American vendor, which is (i) completely unnecessary; and (ii) not an accurate assertion for many Canadian entities. More to the point, why would a cloud agreement between a Canadian company and a localized vendor ostensibly doing business in Canada incorporate a “data processor agreement” that refers to “data protection laws” of Canada “and to the extent applicable, the data protection or privacy laws of any other country”?

Beware of overly broad clauses. This one is a common “gotcha” in many so-called Canadian cloud contracts, particularly in the areas of export control and intellectual property rights.

While Canada is a member of many international sanctions regimes, our exports control laws do differ from those of other nations. Yes, we do business with Cuba. Yes, we welcome immigrants from all over the world, including those who may be dual citizens of “problematic” countries. U.S. export laws and regulations are lengthy and complex, so why risk potential non-compliance and thousands of dollars in fines by agreeing to comply with all restrictions of the U.S. Department of Commerce or the U.K. Department for Business, Innovation and Skills or any other domestic or foreign agency or authority in connection with your use of the services and to not, in violation of any laws, transfer or authorize the transfer of any services into any U.S., Canadian-, U.K.- or U.N.-embargoed countries?

You may also be asked to represent and warrant that you are not located in, under the control of, or a national or resident of any such country, or using the services for a purpose that is otherwise prohibited in accordance with any such list. This might be tough for any company with a diversified international work force such as Canada. I strongly urge prospective cloud customers to require revisions to export control language that requires them not to “obtain, retain, use, or provide access to the Services to an Affiliate or any third party in a manner that may breach any applicable export control or economic sanctions laws and regulations for any jurisdiction.”

Similarly, in the name of shared vendor responsibility some Canadian cloud customers are asked to confirm that none of their content/materials/data or those of their members/users/clients uploaded to the vendor’s cloud infringes the intellectual property rights of any third parties (in the world). This representation and warranty would include the rights of individuals from Greenland in the Kingdom of Denmark to Botswana and Tuvalu. Proportionality, please.

Is the service/content itself sufficiently localized? Lastly, prospective cloud clients should inquire whether specialized cloud providers have met their business requirements that may require specific customizations to the cloud service and related content in order to comply with local laws and requirements. This goes to the heart of what the cloud vendor is actually selling and whether its services meet the expectations of the business stakeholders and complies with Canadian industry requirements and applicable legislation. Accordingly, it is suggested that cloud agreements reference detailed requirements documents and contain representations requiring adherence to such technical requirements and functionality, along with an agreement by the vendor to rectify any shortcomings found in production and requisite indemnities for failure to achieve same.

To conclude, it is imperative for prospective clients to do their homework when evaluating any prospective cloud vendor, particularly one located in another jurisdiction. Look at the vendor’s references and reputation, review their stand-form cloud agreement, and allow time to negotiate and correct any unacceptable terms found. Careful scrutiny of the vendor’s cloud computing contract, coupled with the fortitude to negotiate the traps, will go a long way towards mitigating the dangers of borderless cloud agreements.