Representations and warranties
Typical representations and warranties in a cloud computing contract fall into three categories: ability to enter or perform the agreement generally, service-related and software-related.
The first category of representations and warranties is directed to the parties stating that they have the ability to enter into the agreement, they have all the rights necessary to grant the rights granted therein, they aren’t under any pre-existing agreement that would limit their ability to perform this agreement, they will not enter into any agreement that would limit their ability to perform this agreement, and they will comply with all applicable laws (including data breach notification laws).
The second category of representations and warranties targets the performance of services under the agreement. Generally, the vendor is required to represent and warrant that it will perform all services in a good and workmanlike manner, with qualified personnel having the skill required of the industry, it will replace any unsatisfactory personnel (if applicable) and re-perform any unsatisfactory services, and it will use its established, industry-standard methodologies to provide services. The vendor may also expressly warrant that it will meet its service levels.
The third category of representations and warranties targets the software components of the cloud service. Typically the vendor will represent and warrant that there is no malicious code or virus within the cloud software, and that the software itself (and use of it) does not violate any third-party intellectual property right (eg, patents and copyrights). Open source representations and warranties may be appropriate or not depending on the offering.
Limitation of liability
The limitation of liability provision is closely connected to the indemnification provisions and addresses qualitative limits on type of damages and quantitative limits on amount of damages. The limit on type of damages typically excludes indirect, consequential, special, incidental and punitive damages and may expressly exclude lost revenues or profits, loss of use and loss of data. The limit on amount of damages can be set at a specific number or it can scale (eg, with reference to the amount paid or payable under the agreement (or some multiple thereof)) over a certain period of time. Typically, when the quantitative limitation of liability references amounts paid or payable over some period of time, there is also some reasonable floor to cover a significant liability in the early part of the contract term when payments have not accrued sufficiently to cover such a liability.
Often there are exceptions to the limitations of liability for specific items, such as breach of an obligation of confidentiality or data security or privacy, indemnification obligations, misuse of intellectual property, bodily injury (including death) and injury to personal or real property (not unusual to see, but less likely to be relevant in a cloud computing agreement), fraud, gross negligence or wilful misconduct. The parties typically will spend a lot of time negotiating the limit on liability exceptions. An alternative is to set a separate (often higher) limit for these items (rather than excepting them from any limitation of liability).
The indemnification provision typically includes an obligation to indemnify and hold the other party harmless for certain enumerated circumstances. Often the indemnification provision includes an obligation to defend, though this depends on the offering and the parties.
Indemnified parties are typically defined to include the parties to the agreement, their affiliates and their directors, officers, employees and successors. This list can be expanded to include subcontractors, suppliers, and customers, under certain circumstances.
The items for which a party (typically the vendor, but in some circumstances the customer) has an indemnification obligation in cloud computing contracts typically include:
- breach of the agreement (or, more specifically, breach of a representation or warranty);
- IP infringement claims;
- tort actions (ie, bodily injury, death or damage to personal property) due to acts or omissions of a party;
- fraud, gross negligence and wilful misconduct;
- breach of confidentiality;
- breach of data security provisions or data breach; and
- violation of law.
Also addressed in the indemnification provision is the procedure for obtaining indemnification, including terms for notice, cooperation and the right to participate in the defence.
Service-level agreements (SLAs)
SLAs typically address availability (uptime), latency, incident response times and work levels until resolution, and backup and restoration procedures.
The single most common SLA is availability, and some vendors, if they offer any SLAs, will offer only an availability SLA. It is common for a vendor to qualify an availability SLA with a commitment to use ‘commercially reasonable efforts’ to achieve a stated availability (though this is often objected to by the customer). The availability SLA commonly has exclusions for scheduled and emergency maintenance and force majeure events, and specific notice and reporting to the customer in preparation for downtime. Customers will want vendors to self-monitor and report compliance with SLAs to the customer, whereas the vendor will want customers to have to monitor (or ‘feel’) and report suspected SLA failures to the vendor.
Often the remedy for a breach of an SLA will be limited to the vendor providing a service credit to customers.