Hunton Retail Law Resource

Our retail clients are increasingly deploying cloud services solutions to realize cost savings, gain efficiency and enable scalability across numerous functions. In the past year, we have helped our clients deploy dozens of cloud-based point solutions, Enterprise Resource Planning systems and multi-application platforms. And our clients are not alone. One study forecasts that, in 2020, the worldwide public cloud service revenue will be $411.48 billion. However, while the benefits and popularity of cloud services are clear, cloud solutions are not without risks and challenges. In addition to the normal risks inherent in licensing and using technology, retailers should keep in mind the following when contracting for cloud services solutions:

• Use and Users. Cloud service agreements should clearly identify the allowed use and users of the cloud services, as well as any related limitations (both now or in the future). For example, can employees use the service? Which ones? Affiliates? Third-party contractors and other service providers? Customers? Is their use restricted or subject to additional fees? Consider the following:

1. • categories of users who may access and use the technology, and how they may access and use the technology;

1. • limitations on the number of authorized users or the purposes for which authorized users may use the technology;
   • whether indirect users (e.g., downstream users of cloud outputs or integrated applications and their users) are permitted and at what cost; and
   • restrictions on the physical/geographic locations in which authorized users may access and use the technology.

Staying mindful of these questions when negotiating cloud service agreements ensures that the cloud service aligns with business requirements and intended use—and avoids unpleasant surprises.

• Ownership and Use of Data. It is likely that the retailer’s data will be submitted to, or generated, collected or processed by, the underlying cloud service. Therefore, cloud service agreements should clearly specify what is customer-owned data, how the cloud provider is to handle and protect customer data, and what data-related obligations the cloud provider has upon the termination or expiration of the cloud service agreement.

Customer data might also be used in generating reports, analytics or other output by the cloud service during the term of the cloud service agreement. While the underlying application will remain the cloud provider’s exclusive intellectual property, the output generated from customer data should not be. Therefore, retailers should make sure to retain ownership of, or at least obtain a broad license in, the output. If any cloud provider materials are necessary to access and use the output, then retailers should ensure they have a license to those materials as well, even after the relationship with the cloud provider ends.

Cloud providers often reserve the right to use aggregated or anonymized data for their own purposes. Consider whether to limit those rights—or avoid sharing the underlying data if these uses are not acceptable. We also think it is fair for the provider to warrant that that data will remain secure and anonymous.

• Warranties. Retailers should include appropriate warranties for the functions being performed by the cloud service, such as:

1. • a performance warranty, for the cloud service and any services provided;
   • compliance warranties, obligating the cloud provider to adhere to applicable laws and regulations, including privacy laws, the Payment Card Industry Data Security Standard (where credit card data is involved), and policies/procedures provided to the cloud provider;
   • a non-infringement warranty, assuring that the cloud service and any related deliverables do not infringe or misappropriate any third-party intellectual property right; and
   • a warranty against malware/viruses introduced to or through the cloud service.

• Service Levels. In addition to warranties, providers should offer clearly enumerated service levels to set expectations regarding performance and define the metrics by which this performance is measured. This is particularly important when procuring cloud services for business critical services. When crafting service levels, be sure to include expectations around priority levels, uptime, availability, problem response and resolution, disaster recovery and service level reporting. Watch out for broad exclusions which can render the service level meaningless—such as a carve-out for any “emergency maintenance” in an uptime guarantee.

The service levels should also describe the remedies available if the cloud provider fails to meet performance requirements. Remedies might include additional “free” services, monetary credits or termination rights.

• Click-Wrap Agreements/Online Terms. Retailers should consider the following situation: You negotiated a cloud service agreement with the protections and provisions discussed above, but your users are asked to “click to accept” different terms and conditions when they log-in to the cloud service. Those terms and conditions also happen to supersede any other agreement previously executed between the parties. Problematic, right?

To prevent this, retailers should include language stating that any click-wrap, click-through or shrink-wrap agreements, or any online terms on the cloud provider’s website, do not supersede the provisions of the underlying cloud services agreement, and that such terms and conditions are void.

• Be Prepared for “NO.” Most cloud providers will claim that their pricing model does not support variation from their standard terms. We find that is not always true. But, when the provider does finally say “No,” retailers should be prepared to thoughtfully balance the attractions of the cloud against the risks they are asked to retain. Where we cannot negotiate the terms our clients prefer, we are often asked to help structure work-arounds to avoid risks that the provider will not accept—or to support the retailer’s own decision to say “No.”

As is often the case with technology contracts, the importance of a particular issue may vary from one technology to another, depending on the nature of the services being performed and what rights and protections the parties may otherwise have under the relevant agreement. While this list outlines several key issues to consider when reviewing cloud services agreements, it is not a substitute for legal review.