On demand 1h 4m 05s Basic

In's and Out's of Negotiating Cloud Services Agreements

Start your free 7-day trial
* Claim credit(s) for one free course during your 7-day trial.

In's and Out's of Negotiating Cloud Services Agreements

This CLE course will provide guidance for attorneys when drafting cloud computing services contracts for clients. The course will highlight key terms in these contracts and discuss how they differ from traditional software license terms as well as address various common mistakes made by attorneys in cloud computing agreements. The course will take a deep dive into important industry trends, pre and post contract diligence, as well as key contract provisions, including service availability, service levels, and client data issues.

Transcript

Well, good day to everyone. I'm Mike Overly and I'm a partner at Foley and Lardner in their information technology and outsourcing group, which means I do on pretty much a daily basis that which we're going to be talking about today, which are the ins and outs of negotiating cloud services agreements. If you do a lot of work in this area, you may already have your hand up and say, Mike, I got to tell you, I think your title is wrong because the last seven times I tried to negotiate a cloud agreement, the vendor basically laughed hysterically and said, it is what it is. We're going to be talking about that problem. So the idea here today is to talk about some real world type of situations and how you might address them in cloud agreements. If you haven't guessed already, the perspective that I'm going to be talking from is that of a customer negotiating with a vendor. Again, if you're if you're a negative person, you might simply say there's no need to have one of these from the vendor's perspective because they simply say, no, that's not really the case. We've actually encountered a lot of vendors who are pretty flexible. In fact, we had a transaction just this morning and we'll have lots of real world examples like this where, you know, we made some thoughtful changes and I would underline and highlight the word thoughtful because and that's what we're going to be defining today if you approach these agreements from a reasonable perspective, is this a $50,000 deal, then I'm going to be negotiating it from the perspective of this is likely not a very big deal for the vendor. And therefore, if I go in and try and rewrite the way they do information security for their organization, that's likely going to be a problem. But the deal that we had this morning, we approached it, that it was a relatively small deal and the client wanted to get it done. We thought about targeted things that we wanted to change in the agreement. We made those changes and the vendor came back with exactly one remaining issue, which was actually quite reasonable. And so we were able to resolve the negotiation very quickly. So let me give you one other sort of word or two of introduction before we dive into our agenda, and that is that my contact information is located in the program slides at the end. Of course, you can just find me online by searching my name and Foley and Lardner. But my point simply is if you have questions and we frequently do, don't hesitate to reach out. And I'll be very pleased to respond to You mean the whole point of this is to give you that ability? One final quick note as we move into our overview is that. We have a lot of content here. We have about an hour and I'm a big fan of doing a bit more in presentations and I know that that's contrary to what a lot of people are doing now, where they'll do a presentation of this kind with two slides, and that's great, and we could certainly do that. But my feeling is that when you get off of this session, you want to have something that kind of records. What do we talk about and what are the exact types of provisions Mike was talking about? How did he say we should revise something? And so we want to give you that information that the PowerPoint slides are more than simply two slides with an outline on it, but rather some useful, if you will, tips and checklists and things like that that you can use in your daily practice. So all right, Let's talk about our overview and we're going to begin with six quick tips about negotiating cloud agreements. We're going to then turn to important industry trends or as I like to call it, the glass half empty club. We're going to talk about something that is becoming ever more important. Remember that I was talking somewhat facetiously, but not entirely about the title of this presentation being incorrect a moment ago. When you do encounter a situation where a cloud agreement is more or less non-negotiable, this third thing we're going to be talking about becomes ever more important, because if there is a business imperative to get this deal done and frequently there is, then you're going to have to find some way to get comfortable with that. And one of the ways to get comfortable is to do a lot of pre contract diligence on the vendor. Have they had performance problems? Have you checked references and not just the references the vendor themselves provide? Have you looked into any regulatory actions against them, if that's relevant? Other types of situations. And then also once you sign the agreement. Again, depending on what it is we're talking about. But the larger the deal, the more it becomes important to do post contract diligence. Is this vendor following the terms of the agreement? Why are we doing that? Are we doing that to find grounds to declare a breach, terminate the agreement and sue the vendor? No, I mean, that might be a result. What we're really trying to do is to ensure the vendor really does understand their obligations under the contract and that they are doing what we want. So we don't have a contract breach. Moving further. We're going to talk about the big four. And this is a popular thing with me, which is, you know, every cloud agreement has a bunch of different contract provisions. The big four are for provisions that sort of work together, if you will, hand in hand. One is not the substitute for another, not in general. And so understanding the big four provisions and when I say understand, it's important, of course, for you to be able to understand it. It's important for you to be able to explain it to your client. But here comes the part that most people miss. It's important for you to be able to explain to the vendor when they say, Well, you don't need all four, you only need this one because it takes into account the other three and all kinds of arguments like that, how you have the ability to explain to the vendor. No, actually that's not correct. So definitely pay attention there. It's something that you'll be able to refer to. Next, we'll talk a bit about key contract provisions, those things in addition to the big four. And here's where we have you know, we won't be spending a tremendous amount of time on any one thing. But likely what we'll do there is sort of go through and highlight interesting things, but there'll be far more material for you to look at there than we can cover in this one hour that we have today. And again, that's entirely intentional so that you have the ability to refer to these slides as sort of a little user manual questions. Again, please do not hesitate to reach out. Sometimes I'll mention something during the presentation, like a particular contract provision or a checklist. Should you be interested, just shoot me an email and I'm sure we can get you what you need. All right, so that's the overview. So let's go right to the six tips about mitigating risk in cloud engagements. Understanding the deal. Now, you're probably looking at this going, well, that sounds like a question of first year associate would ask. The reality is that understanding a particular deal is sometimes quite difficult. Some examples. It may be that you have a document in front of you and by golly, at the top it says Cloud Services Agreement. Excellent. It might even be in times Roman 14 font bold face. Couldn't be happier with that. And as you read through the agreement, though, something doesn't seem to be quite right. And in fact, what you find out is that this is not a cloud agreement, but a software agreement which involves substantial locally installed software, and that that's nowhere accounted for in the, quote, cloud services agreement you're looking at. Also, very often we'll get a document to review and it says at the top in times Roman 14 point font bold face software license agreement. And it's absolutely, positively not a software license agreement. It's a cloud services agreement. Now, you might think this never happens, probably happens in ten, 15% of the cases. You also need to understand about the deal, what's in play, what's important here from our client's perspective, is it information security? Is it availability? What is it that we are worried about? So taking a few minutes at the onset of the deal to really understand what's in play, what's important to our client, what's important to the other side. And again, if you're looking at a contract that involves $70,000 in cloud services with one of the large cloud providers, and your client says to you, we have a great form cloud services agreement that we use all the time, We'll just send that baby over to the vendor. That's going to be a tough negotiation and likely a tremendous amount of time will be wasted. Understand the reality of the market. Again, this goes back to the very first thing I said about the title of this presentation. Understand what is and is not possible. Even in very large engagements, millions of dollars, it's generally not possible to go to a cloud provider, particularly one of the larger ones, but even most of the smaller ones and say, Yeah, here's our information security exhibit. We need you to comply with this, not your current security program. And it's going to require the vendor to rearrange what they're doing for you as one customer, or you provide them with your own set of service levels so that they're somehow going to manage their systems to your unique service levels. Highly unlikely. That's going to work. You need to look at the reality of the market. The third point of the six tips to mitigate risk. In real estate, it's always location, location, location and cloud technology agreements. It's generally diligence, diligence, diligence. Asking questions. Is this really a cloud agreement? If it is a cloud agreement, what kind of data is going to be put in play? If it's something like highly regulated data of a financial institution or a health care provider or consumer products company, you might be very concerned about that data being stored overseas, particularly in some markets or jurisdictions. And so ask questions Is this a situation where and this comes up quite a lot and people are often shocked because it comes up two months into a negotiation, which is. You've done a ton of diligence on the vendor that's sitting across the table from you. You're very excited about their ability to perform, and then you find out that in fact, this cloud provider has absolutely no technology infrastructure whatsoever. They outsource all of that to one of the big cloud providers. Now, there's not necessarily anything wrong with that because one of the big cloud providers is in the business of doing what? Providing cloud services and not having failures or security breaches. The problem is, you know, that unless this vendor that you're contracting with does an unbelievable amount of business with that cloud, the real cloud provider in the background, you know, that the contract that they have with them is likely not very good. More importantly, you know that all of the unique provisions in this agreement that you've negotiated are not going to be flowed through to that cloud provider in the background. The backbone cloud provider, if you will. No way are they is the vendor you're negotiating with going to be able to go to one of these big cloud providers in the background every single time they do a contract and renegotiate their existing agreements? Not going to happen. So diligence, diligence, diligence if privacy is an issue. Have they had any FTC, AG or other actions against them? Class actions. Et cetera. You want to ask these questions? If information security is really important, you may provide them with an information security questionnaire. We'll be talking about that so you can get a feel for exactly what their skill level is. Avoid contract. Balkanization, and that's a big word. And all this really means is it's very popular. In the cloud services industry. To not have one agreement. So. So what what would happen in a typical cloud engagement unless it's a pretty simple cloud engagement, there's likely going to be some implementation. Sometimes that implementation can take weeks, sometimes it can take years. The more involved the implementation, the more important those implementation services. The other thing is that if there's a problem with the cloud services, you're going to pick up the phone and call support. All right. So there are three possibilities. Generally, there's the agreement to get the subscription to the cloud service. There's potentially an agreement for maintenance support and then there's an agreement for implementation. Now, we would like to, as customers, have all of those things in one contract with one set of uniform terms, one set of liability terms in particular. But the most important reason to not allow balkanization of the various contract parts and the primary reason the vendor is trying to do this is the following. In most cloud engagements. When you sign the agreement to subscribe to the cloud service, it's more or less irrevocable. Meaning that you sign on and you're going to pay $1 million a year for the next five years. There is no link whatsoever from that subscription agreement to say, the implementation agreement. There is no link whatsoever between that subscription agreement and the maintenance and support agreement. So if you sign up to pay the million dollars and the vendor completely falls down on the implementation, what will be the result? You can recover damages subject to limitation of liability in the professional services agreement. And what is that liability cap keyed to the fees paid for the implementation services? What can you not do? Terminate the subscription. There's no cross default, meaning that it is absolutely a very real possibility that the vendor could even walk away from an implementation and leave you stranded. And you'll still be paying for the next five years, $1 million a year for a cloud service that you cannot use. Same thing with support, maintenance, support and maintenance are absolutely key to your enjoyment of a cloud services agreement. The problem is that if the vendor starts taking, say, five days to answer the phone for a priority one or level one issue, you're likely going to be quite unhappy. And yes, you can declare a breach of the maintenance support agreement, but that in no way is going to impact the million dollars a year for five years you're paying under the subscription agreement. Be very careful about contract Balkanization. Most vendors that engage in this activity will go to the mat and refuse cross-default provisions, cross acceptance provisions, etcetera. If you can't negotiate around that, you need to be very certain that you've advised your senior management at the client of the very substantial risk that this presents. Maintain negotiating leverage. And this seems like a pretty fundamental thing. It is interesting how many times we get on our initial negotiation call with a vendor only to have. Our side's business. People say to the other side's business people, hey, look, we need to get this signed because our existing agreement essentially expires in 30 days. So we're really under the gun here. So let's everybody work hard to get this negotiated. Translation We're going to give all of our negotiating leverage to the vendor and hope for mercy. You need to be careful about making it clear that no deal is done until it's signed. And if you can't get acceptable terms, you may have to move on. It's very hard to maintain that leverage. But without it, the vendor knows they have the deal and they're not going to be flexible. It's as simple as that. Another thing that you'll encounter in negotiating cloud agreements, particularly in very large transactions, is that vendors are far better at this than the average client. And so you'll have a conversation where there's a substantial discussion in the negotiation about, say, the limitation of liability. And 20 milliseconds after that conversation ends, a senior executive at the vendor is calling a senior executive who was not on the call. At the client saying the lawyers are being unreasonable and trying to go around the negotiation team. And the only way to deal with that is to have already coached client personnel, that if such a call comes in that they immediately say we're speaking with one voice and that voice is the negotiation team and that it is improper to try and go around them. That's not what the vendor wants to hear. Finally, number six, have a plan B? It is very important when you negotiate a critical cloud services agreement that at least as part of your business continuity disaster recovery program, you have some idea of a plan B. If this vendor you're negotiating with goes bankrupt, is subject to a massive force majeure event, decides to simply cease doing business, has a tremendous failure in its systems, and that failure is going on and on and on. What is your plan B? Do you have an alternate vendor? Is it even possible to have an alternate vendor? You need to think through these things, particularly if this is a critical system and you're a regulated entity like a health care provider or financial institution. Failing to have a plan B is essentially a failure to comply with your regulatory obligations, to plan for disasters, to plan for these kinds of events. So please take those six tips to heart and really think about them in negotiating these agreements. I will tell you that although these things seem very simple, these six things go to the heart of whether or not you're going to have a round up with a reasonable agreement. All right. Let's talk about important industry trends. And I've already touched on some of these, so we won't spend a lot of time. But one of the things to think about is aligning expectations. I mean, that on both sides, aligning expectations within your own organization and aligning expectations with the vendor. If you are representing a broker dealer and this is a small contract, then you're likely going to have to set expectations on your side that it's unlikely the vendor is going to be agreeing to extraordinary liability or extraordinary very sophisticated information security requirements. It used to be that ten years ago you could negotiate far better terms than you could negotiate. Today, the market is kind of narrowing and it's now more difficult, but certainly not impossible. It all depends on maintaining leverage. The other thing about cloud agreements is that not only is the data in the cloud, but also most of the key contract terms. And so you may have a document sitting in front of you, which is 15 pages long, and it says cloud services agreement at the top that beautiful times Roman type. And there are wet signatures at the bottom. That is not your entire agreement. Inside of that agreement are likely a number of URL references or website references. For example, an acceptable use policy telling you how you can use the services. The service level agreement that is availability, response time, etcetera likely available through a URL. The description of the service itself likely through a URL. Maintenance of support likely through a URL. Information security likely through a URL. Data or data processing agreement if the GDPR is relevant likely through a URL. Privacy policy Likely through a URL. What does this mean? That in most instances the majority of the contract, in most instances, the majority of really key contract terms are set forth in documents available on the web That can change at any time without your consent. So you're committing to spend that million dollars a year for five years. But most of the key things that define what you're buying can change at any time, and you have nothing to say about it and cannot terminate. That's a problem. Now, we could spend a lot of time in this call talking about techniques to mitigate that risk. I'll just spend a few minutes now. You could certainly print everything out and attach it as an exhibit. Is that possible with most cloud providers? Absolutely not. They won't agree to it. Is it necessarily a good thing to be able to do that? Let me give you an example. If you attach an information security exhibit and it says, this is all we need to do, this is the list. It's definitive. Here it is. Exhibit C. Well, if you do information security for a living and I do you know that the type of vulnerabilities and threats that we're worried about today. May not be the type of vulnerabilities and risks and possible ways to compromise systems in the future. And so you want information, security measures to evolve over time to address the latest types of risk. If you fix the security requirements, you may be allowing the vendor to essentially not continue to evolve security. Other possibilities. You might include the famous don't go negative language. And I must admit most vendors, when pressed, will agree to this language. In fact, many vendors now just in the past year or two are including don't go negative language in their form agreements. What do I what am I talking about? This is language that says, Hey, here are a bunch of URLs. We can change them at any time. And then here comes the key sentence. But we, the vendor, will not materially diminish the overall protections and obligations in those URLs from that existing as the effective date of the agreement, which means they can always go better. They just can't go materially negative. And that is almost always the way these things are worked out. Another thing you might include is non-discrimination language, meaning that if they do make a change to these terms, it has to apply across their entire customer base. Most vendors are willing to give you that as well. The last thing is suppose that the vendor decides they are going to make a material change. What happens. They may give you a termination. Right. But is that really what you want? You spend $500,000 implementing a new cloud system, you train all of your personnel for many weeks. You go live with the system and six months later the vendor sunsets very key functionality and says, Well, no problem. If you're not happy with that, we will allow you to terminate the agreement. Well, you'd be shooting yourself in the foot to do that. First of all, likely that means you're going to have to forfeit the $500,000 and all the time spent training your personnel to go live. Second of all, generally, those termination rights are very narrow as far as timing, which means you may have to terminate. And find another solution. Conduct your diligence. Negotiate a contract and implement that other solution within a time frame which is entirely unworkable. Be careful of things like that. Liability and performance. This kind of goes hand in hand with what we've been talking about from the very beginning of the presentation. We are seeing situations where vendors now, even in engagements, where hundreds of thousands of dollars are essentially saying we don't want any material liability and in fact, we're going to offer no warranties whatsoever. Everything is as is. And you heard me right. We frequently now see agreements involving hundreds of thousands of dollars for important services. And when you run your finger through all of the provisions in the contract, there's no warranty provision. Rather, there's a disclaimer provision that says this whole thing is as is. So you're paying a fairly a fairly substantial amount of money. What's being provided in response need never be available, need never be secure, need, never have any required functionality. And you have no remedy whatsoever. You cannot terminate the agreement because there's an impossibility of breach and you cannot recover a penny of damages because the vendor is assuming no obligations to perform. We had a situation where a pretty popular cloud provider. In a niche industry, essentially hosted accounts payable data. And they suffered a somewhat unbelievable data loss in which they lost not only all the production data of several of its customers. And this this next part is almost inconceivable. Somehow, they also lost all of the backup data, which, again, if you're a technology person, you'd have to work pretty hard to have that happen. And so a company, their one of their customers got a call that said, hey, we lost all of your data. And the customer said, Well, what about backups? And they said, Yeah, we lost all the backups, too. And so the customer came to us and said, What do you think? And we looked at the agreement and sure enough, the vendor had no liability whatsoever for this very kind of thing. Zero. Not even a penny. It took the client, the the customer in this case, months and months and months to have to go in manually and reconstruct all of this information and create a new database. That's the kind of challenge that we see today. As I mentioned earlier, this is just the last bullet point on this page. Nowhere your data is and this may be irrelevant to you, you may manufacture office supplies and you don't really care where purchase data is resides. If you're a hospital, though, you probably don't want medical record information, extremely sensitive data stored just about anywhere in the world, particularly in locations that do not respect confidentiality, privacy, encryption, etcetera. So you may need to understand where data resides. I'm just going to touch on a few other things so that we don't belabor these points about the adverse trends in the industry. But let me let me touch on just this middle bullet point on this slide, which is I think quite telling that in the last just 2 or 3 years. We have seen more cost overruns and I'm talking about really substantial cost overruns and project failures in just the last 2 or 3 years then we've seen in the past 20 years. And why is that happening? Primarily because the vendor agreements now don't really hold the vendors feet to the fire as far as performance. One of the household names in cloud computing signed on to do an enormous transaction for a large, actually multinational financial institution. They got halfway through the project and came in one day and said, You know what? This just isn't really economic for us to continue to perform. You know, we just severely underbid this, so we're going to walk away. And essentially leave the financial institution stranded. The remedies under the contract, though, were such that it really wasn't worth trying to litigate. They got a small refund of fees paid, lost tremendous time in a very critical implementation and project and had to start over from scratch. Please watch out for these things. One last thing that I just want to draw your attention to in this list of adverse trends. Actually, a couple of things. As I mentioned, some cloud providers have no technology whatsoever. That is technology resources. What they do is they outsource to a third party. They're called virtual cloud providers. One of the problems with this is. And I pointed this out earlier, it's basically impossible. And you should not even think it could be possible that every time that vendor, the one you're actually negotiating with signs a contract, that it's somehow going to turn around and amend its agreement with the cloud provider that's in the background to include all the protections that you negotiated. So it's a situation where the party that actually has the data is not in fact signing on to the security privacy service levels, performance requirements in the contract you're signing. Rather, their obligations are governed by another contract, which almost certainly is not as protective. There is a very small trend in the industry. We're seeing it at only maybe three, four, 5% of the cases. Where the cloud service provider that you're contracting with says, Hey, we've picked this company in the background. They're going to they're they are our hosting provider. They're recognized all over the world. So they're wonderful. Um, we take no responsibility whatsoever for their performance. But you can rely on the fact that they're well known. Now consider this argument. You've got a contract with the party across the table and you're going to pay them, say, $1 million a year for five years. But the party that has your data, the party that needs to achieve service levels, the party that may have that you want to have legal compliance obligations you have no contract with. So you've no way really of enforcing any obligations on that background cloud provider, the hosting provider. And yet some vendors in this space are taking that approach with regard to their cloud providers or their hosting providers in the background, essentially saying it is what it is. That is incredibly dangerous. I must admit we've not had a client ever sign a contract like that. It simply creates too much risk. The nth degree of this is, however, the middle bullet point on this page, which is we've seen a number of cases in just the last year. Where ordinarily you would expect every vendor to be responsible for their subcontractors. Yet we're now seeing a very small number of vendors say, hey, look, we always use our reasonable judgment in choosing our subcontractors. But if they fail to perform, they breach the agreement, etcetera. We will assume no responsibility for them whatsoever. Again, I suggest that's an unsignable agreement. Yet there are cloud providers out there that expect that you're not only going to agree to it, but you're going to entrust them with your most sensitive data, or you're going to commit to pay them substantial sums of money, even though they could potentially subcontract the contract to a third party in its entirety and avoid every contract obligation in the contract. Last thing because it comes up so much in cloud computing is encryption. And here's the way it comes up. You'll be talking with a cloud provider and you're very concerned about information security and privacy. And they smile broadly and say, absolutely, we take that seriously, too. But it's absolutely not an issue for you in this engagement. Because we encrypt all the data. And if there were to be a compromise, someone would just get data they couldn't possibly make heads or tails of because it's encrypted. That's not a bad argument. The problem is when you ask some questions because encryption is not foolproof. First of all, you need to pick the method by which you are going to encrypt the methodology. And there are many, many methodologies out there. Some are recommended for health care. Some are recommended in the financial services industry. Some are simply industry well known types of algorithms. Once you choose the methodology or the algorithm, somebody needs to implement it. So who's implementing that here? The vendor. And suppose they implemented incorrectly. Next, who manages the keys to encrypt and decrypt to actually generate the keys and then to have those keys managed to decrypt and encrypt the data? Who handles that? The vendor. So what happens if they mishandle or compromise those keys? And the answer to the last two questions I asked is the vendor will say, well, that's not going to happen. But if it does, we're assuming no responsibility or extremely limited responsibility. Be careful about that. Encryption isn't a panacea. Encryption isn't a situation where you say it's encrypted and it's all good. There are many, many levels of encryption all the way up to the most secure encryption that is out there today. That could take 1000 years to decrypt all the way down to encryption that runs off of a Captain Crunch secret decoder ring that you got free with breakfast this morning. Don't take the vendor's word for it, that in fact, everything's secured just because it's encrypted. Well, I'll also mention that the last bullet point on this this slide, foreign governmental access. Some foreign governments will not allow cloud providers and others who store data within their the limits of their jurisdiction to encrypt that data in such a way that the government can't itself decrypt. So you have situations where the vendor is required to disclose decryption keys to a third party, in this case the government. It just calls into question how secure that data is going to be. Last couple of things. We're seeing lots and lots and lots of use of feedback clauses. This is common. This is not necessarily objectionable. What it means is that if you're talking to a vendor and say, hey, you know, I've got to tell you, if you were to move this functionality from the bottom left side of the screen to the top right side of the screen for the user to interact with, we'd be a lot more productive. And the vendor makes that change. And sure enough, you're very you're more productive. The vendor doesn't want to have to look over its shoulder and say, Well, are these guys that just made that suggestion going to sue us for infringing their IP rights? Of course not. That's what a feedback clause is intended to do. Feedback clauses, however, can be used by vendors in a couple of different ways that create substantial risk. Number one. Feedback clauses can turn into hidden exclusivity clauses. What am I talking about? Most feedback clauses are written in terms of, Hey, if you give feedback about our products and services, we have a perpetual, irrevocable royalty free license to use that feedback in connection with our products and services improving them. Fine. A minority, but not necessarily a trivial minority. A feedback clauses are written differently. They say that if you give us any feedback, you're hereby assigning all intellectual property rights in that feedback to us, which means that you can never use that feedback again in your own organization. Let's put aside the tax implications and the other very negative implications of your organization giving up ownership of intellectual property. And mind you keep in mind how this can happen. You can have somebody walking down the hall with a vendor employee and say, Hey, you know, we've been thinking about doing the following, blah, blah, blah, and all at once IP rights have just been transferred. That's dangerous. But consider this. You're in the midst of a very large implementation and you are constantly interacting with the vendor, giving suggestions, recommendations, etcetera about the implementation. The vendor completely and totally falls down and breaches the contract and you terminate. You go out, spend the time and effort to find a replacement vendor and start making the same recommendations, suggestions, etcetera, during their implementation. No, you can't. Because you no longer own that information. You literally have to go back to the original vendor and get a license, pay a fee to use your own ideas and suggestions, which means it's sort of like an exclusivity clause that you can't really move away from this vendor that's not performing well. There's also the problem of creating customer liability, and this is not addressed in most standard form feedback clauses. What is the vendor going to do with feedback? They're going to potentially include it in their product and distribute it to others. That sounds scary to me. Suppose that it turns out that that's a problem, that it infringes somebody's IP rights and that third party whose IP is infringed does 20 minutes worth of discovery and finds out you provided the feedback and they sue you to. Would this potentially come up? Yes. You send your people out to a trade show, which is pretty common when you're looking at selecting a new solution for something and they see demos by ten different vendors. And three months later you're going through the process of selecting a vendor and you're talking with one, and one of your people says, Hey, you know, and have you ever thought about doing the following? And it's something they have a vague recollection of from a demo of one of their competitors. You give that information and it infringes that competitor's IP rights. First of all, could the vendor that you're contracting with sue you for IP infringement? Sure. And if they roll that out to their customers, could you also be sued for IP infringement? Possibly. So generally it's a very good idea that if you see a feedback clause at minimum to include a clear statement that you don't know if you have the rights to grant the ability to use the feedback it's provided all as is without warranties of any kind, express or implied, and that the vendor waives all claims against you. You're not in business with the with the vendor. You're hiring them to provide a service to you. You're not participating in their profits. They're the company that are specialists in IP development. If you give them a suggestion, it's up to them to conduct patent searches, etcetera. Understand the market and see if they're infringing somebody's IP rights. You should not be taking on that responsibility. Last thing is aggregated data provisions. And I'm just going to be quick here and talk about, you know, one of the things that's really, really important, which doesn't really touch on aggregated data as much as data and on aggregated form. What am I talking about? It used to be that in most cloud engagements there'd be a sentence somewhere that says something like the following. We, the vendor, have the ability to use the customer. That's us data in performing the agreement period. Or we, the vendor, have a non-exclusive license during the term of the agreement to use the customer data in performing the agreement. Sounds okay. Now listen to the way these license provisions are being written now, right now by a majority of vendors. We, the customer, are granting the vendor the right to use our data. To perform the agreement and here it comes. And to improve our products and services. Why is that language being added primarily to address artificial intelligence and machine learning? They want to use your data to train their systems and to make them better to potentially sell products to other customers. You may be fine with that, but you need to understand that that's not aggregated data, that's actually live data which is attributable to you. And there have been lawsuits in this regard that when AI and machine learning is used to train, that sometimes true identifiable information is included as part of the models that are created. You just need to be careful about that. Okay, let's talk about diligence for just a few minutes. And we're perfectly on time. We have about 45 minutes left or not. 45 minutes, 15 minutes left. So Pre-agreement provider due diligence. It's the kind of thing to make sure that, you know, the provider can actually meet the customer's expectations. And the most common way in the industry to accomplish this is to send out a questionnaire. If you don't do a lot of agreements in this space, if you do some Google searches, you will quickly find that these questionnaires can be unbelievably lengthy. I mean, hundreds and hundreds and hundreds of questions. You can imagine that if you start sending out questionnaires of that length in smaller transactions, the vendor is simply going to say, no, they're not going to spend 12 hours responding or an astute vendor will simply send you their current security statement and say, here you go. Take a look at that. So you want to be relatively reasonable in what you decide to include in a questionnaire. The other thing is the questionnaires are not entirely security related or privacy related. They go to things like, does this company we're about to contract with have the financial wherewithal to actually perform. The last thing you want to do is transition to a cloud provider and then find out that they've only got two months worth of money in the bank and likely won't be able to complete the performance. What kind of insurance do they have? What kind of service levels do they have? How many violations of the service levels? How many times have they issued credits against service levels in the past 12 or 24 months? What kind of capacity do they have? It's important to think about, you know, suppose you're a very large online retailer and you're going to sign on with another cloud service provider, and you need them to be able to handle a million transactions an hour. Can they handle that capacity? Of course. What kind of physical logical security. But then you go further and ask about what are their disaster recovery business continuity plans? When's the last time they tested them? These kinds of things. If you want to see an example of a somewhat more reasonable and properly worded questionnaire, just send me an email and I'd be happy to send you a copy of one that we think is a little more in the ballpark and useful in a broader range of transactions. Post-execution. Follow up. As I said at the beginning, the idea here isn't to go in and try and find a means for declaring the vendor in breach of contract, but rather to simply make sure that the vendor understands their obligations. Let's face it, a lot of times, particularly with some offshore vendors, they're so anxious to sign the contract that they don't fully appreciate everything they need to do. And so make sure that you go out and you actually look at what they're doing now. You're not going to do that in a $40,000 deal. But if you're having somebody host the medical records of a large health care provider, you very well would want to go out and walk around and understand what they are doing. All right. I think we're probably going to wind up talking about the big four. Maybe we'll have a moment or two to talk about some other things. Understand from the very beginning that I plan for this, that we're talking about the most important points in this hour. And then there are lots and lots of examples elsewhere in the presentation deck for you to refer to. All right, Big four. Remember what I said about this? That there are four interrelated contract provisions that you should be very aware of. What are those four contract provisions? And pardon me for flipping back and forth here, but it's trial acceptance, warranty and support, trial acceptance warranty and support. The nice thing about the way this is arranged is that it's chronological trial. Trial provisions or trial agreements start up at the earliest possible stage. Acceptance occurs during the pendency of the agreement. Warranties occur or generally kick in right after acceptance and support is there as kind of the last means of protection. Support is frequently there. Long after trial, acceptance and warranties have all sunset, so trial, acceptance, warranty and support. That's the timeline. Let's make sure everybody understands how these work, what the remedies are, how they interrelate. Royal. A trial is simply a way to get an impression of what a particular cloud service can do. What's the user interface look like? Is it cluttered? Is it simple to navigate? What kind of functionality is it? The kind of thing that can be picked up easily, or is it going to require a ton of training? A trial generally occurs very early on in the relationship. It's a quick look. Even if it lasts 30, 60 or even 90 days at a And now here comes key language, an unimplemented test environment version of the cloud services. It is not a test of what this service will actually look like when it's implemented to your specifications and ready to go in your day to day operations. Never get confused about that. Now, a lot of times folks will say you don't need acceptance testing because you had a trial. And we'll talk about acceptance in a moment. Normally, the first thing you say when someone mentions that to you is, well, I could be wrong, but are any professional services required here to go live? Yes. What is the value of those professional services? And if they say 5000, 10,000, $15,000, we're probably good. We probably don't need acceptance. If, on the other hand, they come back and say, oh, well, there's $400,000 of implementation services, you absolutely, positively need acceptance. Why? Because it's telling you that many hours are required to get this service to actually be what you want to use on a day to day basis. So a trial is never going to give you that. What happens if a trial fails? If a trial fails and there are really only two possibilities at the end of a trial. It's either going to be we really don't like the solution. Thanks so much. Best of luck in your future endeavors. The second possibility goes to the first bullet point under trial. A fantastic way to undermine your leverage. The other possible result from a trial is, Wow, our users are really excited about this solution. We can't wait to work with it. Let's get the contract signed. The vendor now knows they have you hooked. The vendor now knows that your senior management is not going to walk away from this. You've just substantially undermined your negotiating leverage. When you have a trial that has a positive result, you don't or not you don't. You need to manage your communications with the vendor to say you are evaluating options with other vendors. Still, you're excited about this one, but you need to make sure you can get an appropriate contract in place or this isn't going to go forward. Be very careful about managing those communications. All right. So that's trial early days generally before you even have a contract signed. You might do a special trial agreement quite short. Acceptance testing is generally conducted so that you can get a look at and fully test the version of the cloud service you're going to use in production, which means acceptance does not kick in. Until the vendor is notified you. We're good. We've completed the implementation. This service is ready for use in your day to day operations. Once that occurs, there's a very structured approach. You have X amount of times your time, normally 30 days to fully vet this, make sure it works. If it doesn't, there's a process in place. We give notice and normally, mind you, acceptance testing should be measured by an objective standard. I know a lot of people like to word it in terms of that the customer doesn't reasonably, you know, accept it. That I suggest to you as a lawsuit. Rather, it should be measured by the objective requirements of the agreement, including the vendor's own documentation. If there is a material failure to comply, then there there's a specific cycle to go through. Customer gives notice of the non-compliance vendor has 20 days to fix. Vendor then submits for re testing and the customer has an additional x amount of time to test. Frequently. If you go through 2 or 3 iterations of that process and it's still nonconforming, there's a specific remedy of the customer can elect to terminate and receive a refund of all fees paid. Clearly vendors don't like that, but there is the possibility that vendors or that rather that vendors do like the idea. And it's normally fine to include this language that if there is a termination, that's it. The parties aren't going to go, there is a termination and refund, the parties aren't going to go and sue each other. That's the end of the problem. So there is an incentive to the vendor to make that refund. So in a trial, the remedy is to just part company. In acceptance testing. The remedy is you go through a couple, three cycles and if it's still nonconforming termination and refund, make sure you understand what that refund goes to that it's not only subscription fees for the cloud service, but also professional service fees that have been paid. Some vendors take the insane approach of saying, well, if it doesn't conform, we nonetheless rendered the professional services. So you forfeit all of those. That is simply unreasonable and unacceptable. All right. We've gone through trial and acceptance. Now let's talk about warranty. Warranty is a clear statement. That. The thing you're buying, the cloud services will materially comply with the requirements of the agreement, including the vendor documentation. In the case of a cloud agreement, normally that warranty subsists during the entire term of the subscription. If this were a software agreement, normally there's a time limit of 30, 60, 90, 180 days, after which the warranty disappears. In cloud agreements, most cloud providers will give this warranty on an ongoing basis for the entire time that you're using the cloud service. Warranty is different than acceptance. Warranty frequently kicks in after acceptance, particularly if warranty is time limited. What are the remedies for breach of warranty? Notice a cure period and potential termination and litigation. Unlike acceptance testing, which specifically provides for a refund. Generally, warranties do not. Warranties are you breach the contract? I need to prove my damages so you can see that warranty is not the same thing as acceptance testing. A lot of times vendors will say, Well, if we give you acceptance testing, you don't need a warranty. That is completely incorrect, particularly in cloud engagements. Why? Because warranty is very time limited, or rather, acceptance is very time limited. After that, you don't have a clear contractual protection with a warranty. You've got an ongoing requirement. It's got to work. Some vendors will put in. Exclusive remedies with regard to warranty breach. If there's a breach of warranty, the vendor sold, an exclusive obligation is to use reasonable efforts to correct the breach. No, you're paying $1 million a year and you can't use the service for two months while they're trying to fix the warranty. No, you're not going to pay for a service that you can't use. Plus, it also means that you can't exercise your termination. Right? It's not acceptable in a cloud engagement to have exclusive remedies like that. Another thing that is used is and also that exclusive remedy is normally not time limited. Rather it's just the vendor will use reasonable efforts to try and fix. If it takes 30 days for reasonable efforts, then it will be 30 days. If it takes two years for reasonable effort, then it's going to take two years. And how do you determine what's reasonable? Got to have a lawsuit. It's a question of fact. Another very dicey thing that some vendors will do is to say, okay, if we breach the warranty that I just described to you, the sole exclusive remedy is the service level remedies. That is also not correct and completely inappropriate. Service level remedies are very de minimis, normally very small credits, very limited termination rights, if any. It's not the same thing. All right. Finally, support. And we'll wind things up with this. Support is where most vendors will say, you don't really need trial, you don't need acceptance testing, you don't need warranty because and here comes the magic words. We have a world class, amazing, fantastic support program. No, they don't. When we hear a vendor say that, a lot of times I will say, let me read your mind. I haven't seen the support program yet, so I definitely could be wrong. And if so, I apologize. But I'm going to bet that what your support program says is that you'll do you'll make reasonable efforts to fix various types of problems, and you might well have a beautifully formatted, potentially even multicolored table in your support program that has a wonderful listing of level one, level two, level three, level four problems. And I'll even list various time periods in it. And all of that information, while interesting, is not actually enforceable. Why? Because at the top where it says if you have a level one, which is the highest level of a support problem and it says resolution within 15 minutes, really what it says, if you read carefully, is that that's a goal, that that's a target, neither of which is really enforceable. And then to add insult to injury, generally, that table is prefaced with reasonable efforts, which means none of those things are strict requirements. It doesn't mean support is a bad thing, it means it support of the various things we've talked about so far. Trial acceptance and warranty is by far the least protective. Keep that in mind when vendors try to argue with you that support really, really is a key protection. It's not. I do these agreements for a living, and I don't think I've ever seen a support program that really provided strong protections for the customer. We always try to take out things like goals and targets. We also try to take out reasonable efforts. If you're committing to resolve within an hour, then you need to resolve within an hour. Think about these things and make sure that you've addressed them. And that's where we're going to end today. This is a perfect place to end because the remainder of the presentation has those example provisions and things that I've talked with you about that you should absolutely keep as sort of a manual, if you will, to look at examples to see how things might be worded and of course, reach out if you have any questions. And with that, I'll thank you very much for your kind attention today, and I look forward to hearing from you. Thank you.

Presenter(s)

MO
Michael Overly
Partner
Foley & Lardner LLP

Course materials

Handout

Practice areas

Credit information

Jurisdiction
Credits
Available until
Status
Alabama
    Pending
    Alaska
    • 1.0 voluntary
    June 19, 2025 at 11:59PM HST Available
    Arizona
    • 1.0 general
    June 19, 2025 at 11:59PM HST Available
    Arkansas
    • 1.0 general
    June 19, 2025 at 11:59PM HST Approved
    California
    • 1.0 general
    June 19, 2025 at 11:59PM HST Approved
    Colorado
      Not Offered
      Connecticut
      • 1.0 general
      June 19, 2025 at 11:59PM HST Available
      Delaware
      • 1.0 general
      Pending
      District of Columbia
        Not Offered
        Florida
          Pending
          Georgia
          • 1.0 general
          Pending
          Guam
          • 1.0 general
          June 19, 2025 at 11:59PM HST Available
          Hawaii
          • 1.0 general
          June 19, 2025 at 11:59PM HST Approved
          Idaho
            Pending
            Illinois
            • 1.0 general
            June 24, 2025 at 11:59PM HST Approved
            Indiana
              Pending
              Iowa
                Pending
                Kansas
                  Pending
                  Kentucky
                  • 1.0 general
                  June 30, 2024 at 11:59PM HST Approved
                  Louisiana
                  • 1.0 general
                  June 28, 2024 at 11:59PM HST Approved
                  Maine
                  • 1.0 general
                  December 31, 2026 at 11:59PM HST Self-apply
                  Maryland
                    Not Offered
                    Massachusetts
                      Not Offered
                      Michigan
                        Not Offered
                        Minnesota
                        • 1.0 general
                        July 20, 2025 at 11:59PM HST Approved
                        Mississippi
                        • 1.0 general
                        June 22, 2024 at 11:59PM HST Approved
                        Missouri
                        • 1.0 general
                        June 19, 2025 at 11:59PM HST Available
                        Montana
                          Pending
                          Nebraska
                          • 1.05 general
                          July 5, 2024 at 11:59PM HST Approved
                          Nevada
                          • 1.0 general
                          December 31, 2026 at 11:59PM HST Approved
                          New Hampshire
                          • 1.0 general
                          June 19, 2025 at 11:59PM HST Available
                          New Jersey
                          • 1.3 general
                          May 2, 2025 at 11:59PM HST Approved
                          New Mexico
                            Pending
                            New York
                            • 1.0 law practice management
                            June 19, 2025 at 11:59PM HST Available
                            North Carolina
                              Pending
                              North Dakota
                              • 1.0 general
                              June 19, 2025 at 11:59PM HST Available
                              Ohio
                              • 1.0 general
                              Pending
                              Oklahoma
                              • 1.0 general
                              June 22, 2024 at 11:59PM HST Approved
                              Oregon
                              • 1.0 general
                              June 23, 2026 at 11:59PM HST Approved
                              Pennsylvania
                                Pending
                                Puerto Rico
                                • 1.05 general
                                Pending
                                Rhode Island
                                  Pending
                                  South Carolina
                                    Pending
                                    South Dakota
                                      Pending
                                      Tennessee
                                      • 1.05 general
                                      June 21, 2024 at 11:59PM HST Approved
                                      Texas
                                      • 1.0 general
                                      June 30, 2024 at 11:59PM HST Approved
                                      Utah
                                        Pending
                                        Vermont
                                        • 1.0 general
                                        June 19, 2025 at 11:59PM HST Approved
                                        Virginia
                                          Not Eligible
                                          Virgin Islands
                                          • 1.0 general
                                          June 19, 2025 at 11:59PM HST Available
                                          Washington
                                          • 1.0 law & legal
                                          June 19, 2028 at 11:59PM HST Approved
                                          West Virginia
                                            Not Eligible
                                            Wisconsin
                                              Not Eligible
                                              Wyoming
                                                Pending
                                                Credits
                                                  Available until
                                                  Status
                                                  Pending
                                                  Credits
                                                  • 1.0 voluntary
                                                  Available until

                                                  June 19, 2025 at 11:59PM HST

                                                  Status
                                                  Available
                                                  Credits
                                                  • 1.0 general
                                                  Available until

                                                  June 19, 2025 at 11:59PM HST

                                                  Status
                                                  Available
                                                  Credits
                                                  • 1.0 general
                                                  Available until

                                                  June 19, 2025 at 11:59PM HST

                                                  Status
                                                  Approved
                                                  Credits
                                                  • 1.0 general
                                                  Available until

                                                  June 19, 2025 at 11:59PM HST

                                                  Status
                                                  Approved
                                                  Credits
                                                    Available until
                                                    Status
                                                    Not Offered
                                                    Credits
                                                    • 1.0 general
                                                    Available until

                                                    June 19, 2025 at 11:59PM HST

                                                    Status
                                                    Available
                                                    Credits
                                                    • 1.0 general
                                                    Available until
                                                    Status
                                                    Pending
                                                    Credits
                                                      Available until
                                                      Status
                                                      Not Offered
                                                      Credits
                                                        Available until
                                                        Status
                                                        Pending
                                                        Credits
                                                        • 1.0 general
                                                        Available until
                                                        Status
                                                        Pending
                                                        Credits
                                                        • 1.0 general
                                                        Available until

                                                        June 19, 2025 at 11:59PM HST

                                                        Status
                                                        Available
                                                        Credits
                                                        • 1.0 general
                                                        Available until

                                                        June 19, 2025 at 11:59PM HST

                                                        Status
                                                        Approved
                                                        Credits
                                                          Available until
                                                          Status
                                                          Pending
                                                          Credits
                                                          • 1.0 general
                                                          Available until

                                                          June 24, 2025 at 11:59PM HST

                                                          Status
                                                          Approved
                                                          Credits
                                                            Available until
                                                            Status
                                                            Pending
                                                            Credits
                                                              Available until
                                                              Status
                                                              Pending
                                                              Credits
                                                                Available until
                                                                Status
                                                                Pending
                                                                Credits
                                                                • 1.0 general
                                                                Available until

                                                                June 30, 2024 at 11:59PM HST

                                                                Status
                                                                Approved
                                                                Credits
                                                                • 1.0 general
                                                                Available until

                                                                June 28, 2024 at 11:59PM HST

                                                                Status
                                                                Approved
                                                                Credits
                                                                • 1.0 general
                                                                Available until

                                                                December 31, 2026 at 11:59PM HST

                                                                Status
                                                                Self-apply
                                                                Credits
                                                                  Available until
                                                                  Status
                                                                  Not Offered
                                                                  Credits
                                                                    Available until
                                                                    Status
                                                                    Not Offered
                                                                    Credits
                                                                      Available until
                                                                      Status
                                                                      Not Offered
                                                                      Credits
                                                                      • 1.0 general
                                                                      Available until

                                                                      July 20, 2025 at 11:59PM HST

                                                                      Status
                                                                      Approved
                                                                      Credits
                                                                      • 1.0 general
                                                                      Available until

                                                                      June 22, 2024 at 11:59PM HST

                                                                      Status
                                                                      Approved
                                                                      Credits
                                                                      • 1.0 general
                                                                      Available until

                                                                      June 19, 2025 at 11:59PM HST

                                                                      Status
                                                                      Available
                                                                      Credits
                                                                        Available until
                                                                        Status
                                                                        Pending
                                                                        Credits
                                                                        • 1.05 general
                                                                        Available until

                                                                        July 5, 2024 at 11:59PM HST

                                                                        Status
                                                                        Approved
                                                                        Credits
                                                                        • 1.0 general
                                                                        Available until

                                                                        December 31, 2026 at 11:59PM HST

                                                                        Status
                                                                        Approved
                                                                        Credits
                                                                        • 1.0 general
                                                                        Available until

                                                                        June 19, 2025 at 11:59PM HST

                                                                        Status
                                                                        Available
                                                                        Credits
                                                                        • 1.3 general
                                                                        Available until

                                                                        May 2, 2025 at 11:59PM HST

                                                                        Status
                                                                        Approved
                                                                        Credits
                                                                          Available until
                                                                          Status
                                                                          Pending
                                                                          Credits
                                                                          • 1.0 law practice management
                                                                          Available until

                                                                          June 19, 2025 at 11:59PM HST

                                                                          Status
                                                                          Available
                                                                          Credits
                                                                            Available until
                                                                            Status
                                                                            Pending
                                                                            Credits
                                                                            • 1.0 general
                                                                            Available until

                                                                            June 19, 2025 at 11:59PM HST

                                                                            Status
                                                                            Available
                                                                            Credits
                                                                            • 1.0 general
                                                                            Available until
                                                                            Status
                                                                            Pending
                                                                            Credits
                                                                            • 1.0 general
                                                                            Available until

                                                                            June 22, 2024 at 11:59PM HST

                                                                            Status
                                                                            Approved
                                                                            Credits
                                                                            • 1.0 general
                                                                            Available until

                                                                            June 23, 2026 at 11:59PM HST

                                                                            Status
                                                                            Approved
                                                                            Credits
                                                                              Available until
                                                                              Status
                                                                              Pending
                                                                              Credits
                                                                              • 1.05 general
                                                                              Available until
                                                                              Status
                                                                              Pending
                                                                              Credits
                                                                                Available until
                                                                                Status
                                                                                Pending
                                                                                Credits
                                                                                  Available until
                                                                                  Status
                                                                                  Pending
                                                                                  Credits
                                                                                    Available until
                                                                                    Status
                                                                                    Pending
                                                                                    Credits
                                                                                    • 1.05 general
                                                                                    Available until

                                                                                    June 21, 2024 at 11:59PM HST

                                                                                    Status
                                                                                    Approved
                                                                                    Credits
                                                                                    • 1.0 general
                                                                                    Available until

                                                                                    June 30, 2024 at 11:59PM HST

                                                                                    Status
                                                                                    Approved
                                                                                    Credits
                                                                                      Available until
                                                                                      Status
                                                                                      Pending
                                                                                      Credits
                                                                                      • 1.0 general
                                                                                      Available until

                                                                                      June 19, 2025 at 11:59PM HST

                                                                                      Status
                                                                                      Approved
                                                                                      Credits
                                                                                        Available until
                                                                                        Status
                                                                                        Not Eligible
                                                                                        Credits
                                                                                        • 1.0 general
                                                                                        Available until

                                                                                        June 19, 2025 at 11:59PM HST

                                                                                        Status
                                                                                        Available
                                                                                        Credits
                                                                                        • 1.0 law & legal
                                                                                        Available until

                                                                                        June 19, 2028 at 11:59PM HST

                                                                                        Status
                                                                                        Approved
                                                                                        Credits
                                                                                          Available until
                                                                                          Status
                                                                                          Not Eligible
                                                                                          Credits
                                                                                            Available until
                                                                                            Status
                                                                                            Not Eligible
                                                                                            Credits
                                                                                              Available until
                                                                                              Status
                                                                                              Pending

                                                                                              Become a Quimbee CLE presenter

                                                                                              Quimbee partners with top attorneys nationwide. We offer course stipends, an in-house production team, and an unparalleled presenter experience. Apply to teach and show us what you've got.

                                                                                              Become a Quimbee CLE presenter image