Cloud solutions have proven to be cost-efficient, productive and flexible for any business sphere. Technically, they are not intended for downloading by users, as users only get access to certain functions. Still, sometimes a download option is available. Hence the question: which type of agreement works better between a cloud provider and users, i.e. license, service or hybrid?
If there is a cloud solution without the user downloading the provider’s software, then a service agreement would be most appropriate. Alternatively, the use of a cloud solution with downloadable software would be duly regulated by a hybrid agreement combining provisions related to the licensing of the software and provision of services by the cloud provider.
Since quality of service is a key element of a cloud, the agreement in question should contain guaranteed performance indicators for each computing resource and detailed measurable characteristics (processor frequency, disk speed, etc.), which may allow for the evaluation of the quality of the services provided. This is a disadvantage of a license, as it grants the right to use a software solution which may still not be assessed from the quality standpoint.
A service agreement should also guarantee the safety and integrity of the customers’ data and the prevention of its loss (which usually includes an obligation of the provider to take security measures and back up the data), and should provide for the provider to bear liability in the event that the cloud service becomes unavailable for users through the provider’s fault. In some cases, the provider can also take out liability insurance as an additional guarantee for customers.
In some cases, the provider needs to access data in order to perform a back-up. Besides, access may be granted to third parties whose infrastructure/services the provider uses (e.g., the service provider may deploy its applications on third-party infrastructure). Upon termination of the contract, data uploaded to the cloud is to be deleted from all the provider’s servers and also from third-party systems to which the provider transferred such data.
Since the user (as an operator) may upload to the cloud personal data collected in Russia and this data may be transferred abroad if, for example, the provider’s server is located outside Russia, the agreement must include certain information about the location of the provider’s and third parties’ servers used for storing personal data. If the server is located outside of Russia, the operator needs to obtain individuals’ consents to the cross-border transfer of their personal data unless the recipient country is on the list approved by the Russian surveillance authority (Roskomnadzor), or the recipient country has signed the Convention for the protection of individuals with regard to automatic processing of personal data (1981). Also, the operator should localize the personal data of Russian citizens in Russia by means of using databases (servers) located in Russia in the course of the recording, arrangement, accumulation, storage, rectification (renewal, alteration) and retrieval of the personal data of Russian citizens, unless the law allows otherwise. A failure to localize personal data may lead to significant administrative fines (in some cases, up to USD 240,000).
In addition, the operator is required to comply with numerous other requirements on personal data, such as to ensure legal grounds for the collecting and processing of personal data (e.g., an agreement with the personal data subject or a consent, etc.), notify the Russian supervisory authority of the intention to process personal data, publish an internal policy on personal data, appoint a data protection officer (DPO), apply necessary security measures to personal data, etc. In practice, in order to reduce extensive paperwork, many companies assess the level of risk associated with various minor inconsistencies, as in some cases the negative consequences do not exceed the resources required to adopt numerous internal documents.
To sum up, cloud solutions are a great alternative to usual schemes of dealing with data, but it is important to make sure that the relevant contracts provide for sufficient protection of all parties.
By Vera Zotova, Associate, and Alexey Nikitin, Specialist Partner, Borenius