Post on 23-Jul-2020


Presenting a live 90-minute webinar with interactive Q&A

SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement Models, Negotiating Key Terms, Minimizing Contract Disputes

TUESDAY, APRIL 17, 2018

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Michael R. Overly, Partner, Foley & Lardner, Los Angeles

David W. Tollen, Founder, Tech Contracts Academy, San Francisco

Nathan Leong, Lead Counsel, U.S. Health & Life Sciences Legal, Microsoft, Chicago

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY


http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf


“a fancy way of saying stuff’s not on your computer.” *

*Quinn Norton, “Byte Rights,” Maximum PC, September 2010, at 12.


• Software as a Service (“SaaS”)

• Platform as a Service (“PaaS”)

• Infrastructure as a Service (“IaaS”)


Single Family Residence | Condo Shared Patio Outdoor Kitchen | Restaurant – self-cook raw meat buffet | Restaurant – kitchen menu

Chef | Chef | Chef | Chef

Meat, Veggies, Cookware | Meat, Veggies, Cookware | Meat, Veggies, Cookware | Meat, Veggies, Cookware

Grill, Gas, Hood | Grill, Gas, Hood | Grill, Gas, Hood | Grill, Gas, Hood

Traditional Software | IaaS | PaaS | SaaS

Legend: Facility responsibility / Customer responsibility

Mitigating Risk in Cloud Computing: Warranties and SLAs

Michael Overly, Esq., CISA, CISSP, COP, CIPP, ISSMP, CRISC

© 2018 Foley & Lardner LLP 13


Most Important Preliminary Steps

▪ Set expectations on both sides

▪ Conduct a risk assessment

▪ Determine your requirements


Setting and Managing Service Levels


Service Level Overview

▪ Identify what is important

▪ Understand the vendor limitations

▪ How will performance be measured and reported?

▪ What are your remedies (what is the vendor’s incentive to perform)?

– SLAs as a sword or shield?


Service Availability

▪ The most important metric

▪ How is it measured?

▪ Ping v. actual functionality

▪ Over what period of time?

▪ Beware extensive exceptions


Service Availability

▪ Goals v. requirements?

▪ What about force majeure?

▪ “Routine Maintenance”

▪ Service Level Credits

▪ Exclusive remedies
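The availability questions on these two slides (ping versus actual functionality, the measurement period, maintenance exceptions, and the credit that follows) are easiest to see with numbers. The Python below is an added example, not part of the presentation: it runs one constructed outage log through four measurement bases and shows how the contractual availability figure and service credit change; the outage data, windows and credit tiers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    host_unreachable: bool     # a ping probe would have failed during this outage
    maintenance: bool = False  # provider labelled it "routine maintenance"

def downtime(win_start, win_end, outages, *, ping_only, exclude_maintenance):
    """Downtime the contract would count inside [win_start, win_end)."""
    counted = timedelta(0)
    for o in outages:
        s, e = max(o.start, win_start), min(o.end, win_end)
        if e <= s:
            continue  # falls outside this measurement window
        if exclude_maintenance and o.maintenance:
            continue  # carved out by the "routine maintenance" exception
        if ping_only and not o.host_unreachable:
            continue  # host answered pings, so a ping-based SLA never sees it
        counted += e - s
    return counted

def availability_pct(win_start, win_end, outages, **how):
    down = downtime(win_start, win_end, outages, **how)
    return round(100 * (1 - down / (win_end - win_start)), 3)

# Constructed credit schedule: (minimum availability %, credit as % of the period's fee).
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (0.0, 25)]
def service_credit_pct(availability):
    return next(credit for floor, credit in CREDIT_TIERS if availability >= floor)

# Constructed outage log: a 6h application failure pings never noticed, and a 4h host
# outage the provider classified as routine maintenance.
OUTAGES = [
    Outage(datetime(2018, 1, 10, 9), datetime(2018, 1, 10, 15), host_unreachable=False),
    Outage(datetime(2018, 1, 20, 2), datetime(2018, 1, 20, 6), host_unreachable=True, maintenance=True),
]
JAN, FEB, APR = datetime(2018, 1, 1), datetime(2018, 2, 1), datetime(2018, 4, 1)

def compare():
    """(availability %, credit %) for the same outages under each measurement basis."""
    cases = {"functional, monthly, no exclusions": (JAN, FEB, False, False),
             "functional, monthly, maintenance excluded": (JAN, FEB, False, True),
             "ping-only, monthly, maintenance excluded": (JAN, FEB, True, True),
             "functional, quarterly, no exclusions": (JAN, APR, False, False)}
    result = {}
    for name, (s, e, ping, excl) in cases.items():
        avail = availability_pct(s, e, OUTAGES, ping_only=ping, exclude_maintenance=excl)
        result[name] = (avail, service_credit_pct(avail))
    return result
```

The same month yields 98.656% (25% credit) when real functionality is measured, 99.194% (10%) once maintenance is carved out, and 100% (no credit) under a ping-only, maintenance-excluded SLA; stretching the window to a quarter lifts the functional figure to 99.537% and drops the credit to 10%.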


Other SLAs

▪ Response time

– Absolutely key to user experience

– How many simultaneous users?

– Link to known indexes (Keynote and Google PageSpeed)

– Measurement time is key


Other SLAs

▪ Other service levels?

– RTO

– RPO

– Support


Have Appropriate Warranties


Warranties

▪ Warranty duration

▪ What is warranted?

– Cloud service, itself

– Professional services

– Support services


Warranties

▪ The services will perform in accordance with the specifications and, to the extent not inconsistent, provider’s documentation

▪ All services will be provided in a timely, workmanlike manner, in compliance with industry best practices


Warranties

▪ The provider will provide adequate training, as needed, to client on the use of the services

▪ The services will comply with all federal, state, and local laws, rules, and regulations


Warranties

▪ The services will not infringe the intellectual property rights of any third person

▪ The services will be free from viruses and other destructive programs

▪ There is no pending or threatened litigation involving provider that may impair or interfere with the client’s right to use the services


Warranties

▪ The provider has sufficient authority to enter into the agreement and grant the rights provided in the agreement to the client.

▪ Provider will not permit possession or access to Customer data outside the United States.


Questions?

Michael R. Overly, Esq., CISA, CISSP, COP, CIPP, ISSMP, CRISC

Partner

Foley & Lardner LLP

(213) 972-4533

moverly@foley.com


Data Management & Security

The GDPR and the Rest


A. The GDPR

• Broad non-EU application:

A. Data processing in the EU

B. Processing anywhere re (i) offering goods/services in EU or (ii) monitoring behavior in EU, including selling in, through EU currency, etc.

• Broad personal data definition: just about anything that can identify an individual

• Controller: decides what to do with data; Processor: does it.

• Two sets of obligations:

1. Physical compliance

2. Contracts between controller and processor

B. GDPR-Required Contract Terms: Disclosures

• subject matter and duration of processing

• nature and purpose of processing

• type of personal data and categories of data subject

• obligations and rights of the controller

GDPR-Required Terms (cont’d): Restrictions on Processor

• only act on written instructions of controller

• ensure people processing data are subject to duty of confidence

• take appropriate measures to ensure security

• only engage sub-processors with controller’s consent and written contract

• assist controller in allowing data subjects to exercise their access and other rights

• assist controller in meeting GDPR obligations re security, notification of breaches, and data protection impact assessments

• delete or return all personal data at the end of the contract

• submit to audits/inspections, provide information controller needs per Article 28 obligations, and tell the controller immediately if asked to infringe GDPR or other data law

C. Data Security Clauses

• Data Management & E-Discovery Terms

– Access, use, & legal restrictions

– Customer’s ownership

– E-discovery

– Injunction

• Data Security Terms

– Data security program

– Audits & testing

– Data breach response

Indemnities

A. Indemnity Basics

• Obligation: hire lawyers, pay judgments, pay settlements

• Why?: allocation of risk, not punishment

• Types: IP, personal injury, data security, etc.

• Who?: usually the vendor, but not necessarily


B. IP Indemnity

• IP risk management: tech indemnity vs. content indemnity

• Exceptions:

1. Customer breach

2. Software revisions w/o vendor consent

3. Failure to incorporate updates: yellow flag issue for customer

4. Vendor’s development based on customer specs: orange flag issue for customer

5. Interface w/ Third Party Technology: red flag issue for customer


C. Data Breach Indemnity

The big problem: when the breach happens, and possibly through much of the litigation, no one knows who’s at fault. Who’s the indemnitor?

• Customer as indemnitor?

• Vendor as indemnitor?

• No indemnity?


D. Other Indemnities

• Personal Injury

• Harassment and Defamation

• Spam

• Be creative …


Limits of Liability

Details of the Limit

• Dollar Cap: 1x the contract? 1x the SoW? 3x the contract? …

• No Consequential Damages

• Exclusions:

– Indemnity

– NDA breach

– Gross negligence?

– Customer obligations: payment, IP infringement

David W. Tollen, david@techcontracts.com

© 2018 Tech Contracts Academy™ LLC

Graphics courtesy of Pixabay: www.Pixabay.com
