SaaS, PaaS and IaaS: Evaluating Cloud Service
Agreement Models, Negotiating Key Terms,
Minimizing Contract Disputes
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, APRIL 17, 2018
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Michael R. Overly, Partner, Foley & Lardner, Los Angeles
David W. Tollen, Founder, Tech Contracts Academy, San Francisco
Nathan Leong, Lead Counsel, U.S. Health & Life Sciences Legal, Microsoft, Chicago
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
NIST SP 800-145, The NIST Definition of Cloud Computing: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
“a fancy way of saying stuff’s not on your computer.” *
*Quinn Norton, “Byte Rights,” Maximum PC, September 2010, at 12.
• Software as a Service (“SaaS”)
• Platform as a Service (“PaaS”)
• Infrastructure as a Service (“IaaS”)
Cooking analogy for the service models (each column lists who supplies what; the original slide shaded each cell as either facility responsibility or customer responsibility):

                          Traditional Software       IaaS                                   PaaS                                       SaaS
Analogy                   Single Family Residence    Condo Shared Patio Outdoor Kitchen     Restaurant – self-cook raw meat buffet     Restaurant – kitchen menu
Chef                      Chef                       Chef                                   Chef                                       Chef
Ingredients & tools       Meat, Veggies, Cookware    Meat, Veggies, Cookware                Meat, Veggies, Cookware                    Meat, Veggies, Cookware
Facility                  Grill, Gas, Hood           Grill, Gas, Hood                       Grill, Gas, Hood                           Grill, Gas, Hood

Legend: Facility responsibility / Customer responsibility
Mitigating Risk in
Cloud Computing:
Warranties and SLAs
Michael Overly, Esq., CISA, CISSP, COP, CIPP, ISSMP, CRISC
© 2018 Foley & Lardner LLP
Most Important Preliminary Steps
▪ Set expectations on both sides
▪ Conduct a risk assessment
▪ Determine your requirements
Setting and Managing Service Levels
Service Level Overview
▪ Identify what is important
▪ Understand the vendor limitations
▪ How will performance be measured and reported?
▪ What are your remedies (what is the vendor’s incentive to perform)?
– SLAs as a sword or shield?
Service Availability
▪ The most important metric
▪ How is it measured?
▪ Ping v. actual functionality
▪ Over what period of time?
▪ Beware extensive exceptions
Service Availability
▪ Goals v. requirements?
▪ What about force majeure?
▪ “Routine Maintenance”
▪ Service Level Credits
▪ Exclusive remedies
Other SLAs
▪ Response time
– Absolutely key to user experience
– How many simultaneous users?
– Link to known indexes (Keynote and Google PageSpeed)
– Measurement time is key
Other SLAs
▪ Other services levels?
– RTO (recovery time objective)
– RPO (recovery point objective)
– Support
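The two "Service Availability" slides above ask how availability is measured (ping versus actual functionality), over what period, and what exceptions such as "routine maintenance" carve out. The following added example (written for this page, not code from the presenters) makes those questions concrete: it runs the same constructed incident history through four different SLA definitions and shows that the one set of outages passes a 99.9% target under some definitions and fails it under others. The probe data, outage times, maintenance window, 99.9% target and credit schedule are all constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Iterator, NamedTuple, Sequence


class Probe(NamedTuple):
    at: datetime
    ping_ok: bool        # the host answered a ping
    functional_ok: bool  # a real end-to-end transaction succeeded


class Span(NamedTuple):
    start: datetime
    end: datetime        # exclusive

    def contains(self, t: datetime) -> bool:
        return self.start <= t < self.end


# Constructed incident history for a hypothetical service (not real data).
APP_OUTAGE = Span(datetime(2018, 4, 10, 2), datetime(2018, 4, 10, 4))       # host pingable, application broken
HOST_OUTAGE = Span(datetime(2018, 4, 20, 1), datetime(2018, 4, 20, 1, 30))  # everything down
MAINTENANCE = Span(datetime(2018, 4, 20, 1), datetime(2018, 4, 20, 2))      # vendor-declared maintenance window

APRIL = Span(datetime(2018, 4, 1), datetime(2018, 5, 1))
YEAR_2018 = Span(datetime(2018, 1, 1), datetime(2019, 1, 1))

SLA_TARGET = 0.999  # "three nines", constructed for the example


def probes(window: Span) -> Iterator[Probe]:
    """One synthetic probe per minute across the window, derived from the outages above."""
    t = window.start
    while t < window.end:
        host_up = not HOST_OUTAGE.contains(t)
        app_up = host_up and not APP_OUTAGE.contains(t)
        yield Probe(t, host_up, app_up)
        t += timedelta(minutes=1)


def availability(samples, *, functional: bool = True,
                 exclusions: Sequence[Span] = ()) -> float:
    """Fraction of counted minutes that were up.

    Minutes inside an exclusion window are dropped from both numerator and
    denominator, which is exactly what a 'routine maintenance' carve-out does.
    """
    counted = up = 0
    for p in samples:
        if any(e.contains(p.at) for e in exclusions):
            continue
        counted += 1
        up += p.functional_ok if functional else p.ping_ok
    return up / counted if counted else 1.0


def credit_percent(avail: float) -> int:
    """Constructed service-credit schedule (not taken from the slides)."""
    if avail >= SLA_TARGET:
        return 0
    if avail >= 0.99:
        return 10
    return 25


def scenarios() -> dict:
    """The same outages measured four ways; only the SLA definition changes."""
    return {
        "ping, monthly": availability(probes(APRIL), functional=False),
        "functional, monthly": availability(probes(APRIL)),
        "functional, monthly, maintenance excluded":
            availability(probes(APRIL), exclusions=[MAINTENANCE]),
        "functional, annual": availability(probes(YEAR_2018)),
    }


if __name__ == "__main__":
    for name, a in scenarios().items():
        verdict = "meets" if a >= SLA_TARGET else "misses"
        print(f"{name:42s} {a:.4%}  {verdict} {SLA_TARGET:.1%}  credit {credit_percent(a)}%")
```

Read against the slides: the ping-based monthly figure meets the target because the two-hour application failure is invisible to a ping; the functional monthly figure misses it; excluding the maintenance window removes the host outage from the count but the target is still missed; and stretching the measurement period to a year dilutes the same 150 minutes of downtime enough to pass. When reviewing an SLA, ask which of these four numbers the contract will actually report.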
Have Appropriate Warranties
Warranties
▪ Warranty duration
▪ What is warranted?
– Cloud service, itself
– Professional services
– Support services
Warranties
▪ The services will perform in accordance with the specifications and, to the extent not inconsistent, provider’s documentation
▪ All services will be provided in a timely, workmanlike manner, in compliance with industry best practices
Warranties
▪ The provider will provide adequate training, as needed, to client on the use of the services
▪ The services will comply with all federal, state, and local laws, rules, and regulations
Warranties
▪ The services will not infringe the intellectual property rights of any third person
▪ The services will be free from viruses and other destructive programs
▪ There is no pending or threatened litigation involving provider that may impair or interfere with the client’s right to use the services
Warranties
▪ The provider has sufficient authority to enter into the agreement and grant the rights provided in the agreement to the client.
▪ Provider will not permit possession or access to Customer data outside the United States.
Questions?
Michael R. Overly, Esq., CISA, CISSP, COP, CIPP, ISSMP, CRISC
Partner
Foley & Lardner LLP
(213) 972-4533
Data Management & Security
The GDPR and the Rest
A. The GDPR
• Broad non-EU application:
A. Data processing in the EU
B. Processing anywhere re (i) offering goods/services in EU or (ii) monitoring behavior in EU, including selling in, through EU currency, etc.
• Broad personal data definition: just about anything that can identify an individual
• Controller: decides what to do with data; Processor: does it.
• Two sets of obligations:
1. Physical compliance
2. Contracts between controller and processor
B. GDPR-Required Contract Terms: Disclosures
• subject matter and duration of processing
• nature and purpose of processing
• type of personal data and categories of data subject
• obligations and rights of the controller
GDPR-Required Terms (cont’d): Restrictions on Processor
• only act on written instructions of controller
• ensure people processing data are subject to duty of confidence
• take appropriate measures to ensure security
• only engage sub-processors with controller’s consent and written contract
• assist controller in allowing data subjects to exercise their access and other rights
• assist controller in meeting GDPR obligations re security, notification of breaches, and data protection impact assessments
• delete or return all personal data at the end of the contract
• submit to audits/inspections, provide information the controller needs per its Article 28 obligations, and tell the controller immediately if asked to infringe the GDPR or other data law
C. Data Security Clauses
• Data Management & E-Discovery Terms
– Access, use, & legal restrictions
– Customer’s ownership
– E-discovery
– Injunction
• Data Security Terms
– Data security program
– Audits & testing
– Data breach response
Indemnities
A. Indemnity Basics
• Obligation: hire lawyers, pay judgments, pay settlements
• Why?: allocation of risk, not punishment
• Types: IP, personal injury, data security, etc.
• Who?: usually the vendor, but not necessarily
B. IP Indemnity
• IP risk management: tech indemnity vs. content indemnity
• Exceptions:
1. Customer breach
2. Software revisions w/o vendor consent
3. Failure to incorporate updates: yellow flag issue for customer
4. Vendor’s development based on customer specs: orange flag issue for customer
5. Interface w/ Third Party Technology: red flag issue for customer
C. Data Breach Indemnity
The big problem:
When the breach happens, and possibly through much of the litigation, no one knows who’s at fault. Who’s the indemnitor?
• Customer as indemnitor?
• Vendor as indemnitor?
• No indemnity?
D. Other Indemnities
• Personal Injury
• Harassment and Defamation
• Spam
• Be creative …
Limits of Liability
Details of the Limit
• Dollar Cap: 1x the contract? 1x the SoW? 3x the contract? …
• No Consequential Damages
• Exclusions:
– Indemnity
– NDA breach
– Gross negligence?
– Customer obligations: payment, IP infringement
David W. [email protected]
© 2018 Tech Contracts Academy™ LLC
Graphics courtesy of Pixabay: www.Pixabay.com