While there is no reason to assume that cloud services present any greater risk than other contracts you may enter into, taking a cautious approach is always wise. ACCAN recommends that you consider - and be sure you are comfortable with - the items listed in Table 1.
Table 1 – Checklist of Cloud Contractual Considerations
- Scope of service.
- System availability.
- Deadlines for error correction and removal of malfunctions.
- Contractual fines for non-performance and delays.
- Changes in service requirements.
- Location of servers, either within Australia or elsewhere.
- Obligations due to regulatory or legislative amendments.
- Prior consent required for engagement of sub-contractors.
- Software used by the provider is properly licensed.
- Ownership of stored data, and exclusive right of access.
- Data protection agreements.
- Security measures and responsibilities.
- Non-disclosure obligations.
- Monitoring and reporting.
- Technical, process, and user/system administrator documentation.
- Right to control and audit, including standard third-party certification.
- Back-up and disaster recovery contingency plans.
- Provision for software-escrow in case the cloud-service provider goes bankrupt.
- Applicable law and jurisdiction.
- Mediation, conciliation and/or arbitration.
- Insurance, guarantees, warranties, and provision for damages.
- The term of the contract, and termination conditions.
- End-of-service/exit-management provisions, including transmission/deletion of data.
(adapted from the CCBE Guidelines)
There are many resources available online, including a 'Customer Bill of Rights' that addresses thirty-nine "best practices", to help extend or modify this checklist to better suit your needs.