
 

CLOUD COMPUTING CONTRACTS

Introduction

This Wiki is intended to serve as a companion piece to the Educause Quarterly article (Volume 33, Number 2, 2010) "If It's In The Cloud, Get It On Paper: Cloud Computing Contract Issues" by Thomas Trappler. The article includes examples of Cloud Computing contract clause provisions that have been successfully negotiated by higher education institutions and effectively address a risk or concern unique to Cloud Computing and its use in higher education.

The example contract clauses are posted in this Wiki in the hope that they can serve as a useful reference source, and that others will add their own example contract clauses to make this a dynamic, living resource going forward. I invite you to share your example contract clauses in one of the following categories below:

Service Level Agreement Parameters

Data Processing and Storage

Infrastructure/Security

Vendor Relationship

 

Article - "If It's In The Cloud, Get It On Paper: Cloud Computing Contract Issues"

http://www.educause.edu/EDUCAUSE+Quarterly/EDUCAUSEQuarterlyMagazineVolum/IfItsintheCloudGetItonPaperClo/206532

 

Example Contract Clauses Re: Service Level Agreement Parameters

Service Level Agreement Parameters language from Exhibit A of the City of Los Angeles' Google Apps contract (http://clkrep.lacity.org/onlinecontracts/2009/C-116359_c_11-20-09.pdf):

Google Apps SLA.  During the Term of the applicable Google Apps Agreement, the Google Apps Covered Services web interface will be operational and available to Customer at least 99.9% of the time in any calendar month (the “Google Apps SLA”).

 

Service Level Agreement Definitions language from Exhibit A of the City of Los Angeles' Google Apps contract (http://clkrep.lacity.org/onlinecontracts/2009/C-116359_c_11-20-09.pdf):

“Downtime” means, for a domain, if there is more than a five percent user error rate. Downtime is measured based on server side error rate.

“Downtime Period” means, for a domain, a period of ten consecutive minutes of Downtime. Intermittent Downtime for a period of less than ten minutes will not be counted towards any Downtime Periods.

“Monthly Uptime Percentage” means total number of minutes in a calendar month minus the number of minutes of Downtime suffered from all Downtime Periods in a calendar month, divided by the total number of minutes in a calendar month.

“Scheduled Downtime” means those times where Google notified Customer of periods of Downtime at least five days prior to the commencement of such Downtime. There will be no more than twelve hours of Scheduled Downtime per calendar year. Scheduled Downtime is not considered Downtime for purposes of this Google Apps SLA, and will not be counted towards any Downtime Periods.

 

Service Level Agreement Remedies language from Exhibit A of the City of Los Angeles' Google Apps contract (http://clkrep.lacity.org/onlinecontracts/2009/C-116359_c_11-20-09.pdf):

If Google does not meet the Google Apps SLA, and if Customer meets its obligations under this Google Apps SLA, Customer will be eligible to receive the Service Credits described below…

 

Service Level Agreement Remedies language from  Exhibit A of the City of Los Angeles' Google Apps contract (http://clkrep.lacity.org/onlinecontracts/2009/C-116359_c_11-20-09.pdf):

Service Credit shall be applied as liquidated damages against the following year of service cost. If service is discontinued for any reason, the Service Credit shall be in the form of a rebate at the end of service.

Service Credits shall be computed by dividing the number of Days of Service credited by the number 365 and multiplied by the Annual Service Fee.

Customer Must Request Service Credit. In order to receive any of the Service Credits described above, Customer must notify Reseller or Google, or Customer’s Reseller must notify Google, within thirty days from the time Customer becomes eligible to receive a Service Credit. Failure to comply with this requirement will forfeit Customer’s right to receive a Service Credit.

 

Example Contract Clauses Re: Data Processing and Storage

 Data Ownership language from the Amazon Web Services Customer Agreement (http://aws.amazon.com/agreement/):

10.2. Your Applications, Data and Content. Other than the rights and interests expressly set forth in this Agreement, and excluding Amazon Properties and work derived from Amazon Properties, you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.

 

Disposition of Data language from the Internet2 Wiki Information Security Guide (https://wiki.internet2.edu/confluence/display/itsg2/Data+Protection+After+Contract+Termination#DataProtectionAfterContractTermination-SampleContractClauses):

Upon request by Customer made before or within sixty (60) days after the effective date of termination, [Vendor] will make available to Customer for a complete and secure (i.e. encrypted and appropriated authenticated) download file of Customer Data in XML format including all schema and transformation definitions and/or delimited text files with documented, detailed schema definitions along with attachments in their native format.

 

Data Disposition language from the European Commission's "Standard Contractual Clauses (processors)" (http://ec.europa.eu/justice_home/fsj/privacy/docs/modelcontracts/c_2010_593/c_2010_0593_en.doc):

 

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

Data Breach language from Article 6 of the University of California "Appendix - DS" (http://www.ucop.edu/irc/itsec/uc/documents/datasecurityappen.pdf):

 

“Contractor shall report, either orally or in writing, to University any use or disclosure of Covered Data not authorized by this Agreement or in writing by University, including any reasonable belief that an unauthorized individual has accessed Covered Data. Contractor shall make the report to University immediately upon discovery of the unauthorized disclosure, but in no event more than two (2) business days after Contractor reasonably believes there has been such unauthorized use or disclosure. Contractor’s report shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the University Covered Data used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. Contractor shall provide such other information, including a written report, as reasonably requested by University.”

 

Data Breach language from the University of Minnesota's Google Apps for Education contract:

 

“6.5 Personally Identifiable Information. Each party acknowledges that, in the course of performance hereunder, they may receive personally identifiable information that may be restricted from disclosure under the Health Insurance Portability and Accountability Act (HIPAA) and/or the Family Educational Rights and Privacy Act (FERPA). Notwithstanding any other provision of this Agreement, each party will be responsible for all damages, fines and corrective action arising from disclosure of such information caused by such party’s breach of its data security or confidentiality provisions hereunder.”

 

Data Location language from Appendix J of the City of Los Angeles' Google Apps contract (http://clkrep.lacity.org/onlinecontracts/2009/C-116359_c_11-20-09.pdf):

 

1.7 Data Transfer. Google agrees to store and process Customer's email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States… 

 

Data Access language from a UCLA SaaS contract:

 

  Where a Receiving Party is required to disclose the Confidential Information of the Disclosing Party pursuant to the order of a court or administrative body of competent jurisdiction or a government agency, the Receiving Party shall: (i) if practicable and permitted by law, notify the Disclosing Party prior to such disclosure, and as soon as possible after such order: (ii) cooperate with the Disclosing Party (at the Disclosing Party’s costs and expense) in the event that the Disclosing Party elects to legally contest, request confidential treatment, or otherwise attempt to avoid or limit such disclosure; and (iii) limit such disclosure to the extent legally permissible.  

 

Example Contract Clauses Re: Infrastructure/Security

Data Center Audits/Certifications language from the U.S. General Services Administration (GSA) Cloud Computing contract Amendment (https://forum.webcontent.gov/resource/resmgr/model_amendment_to_tos_for_g.pdf):

…An SAS 70 Type II audit certification will be conducted annually, and Company agrees to provide Agency with the current SAS 70 Type II audit certification upon the Agency’s request…

 

Data Center Inspections language from the Internet2 Wiki Information Security Guide (https://wiki.internet2.edu/confluence/display/itsg2/Security+Audits+and+Scans+%28Independent+Verification%29#SecurityAuditsandScans%28IndependentVerification%29-SampleContractClauses):

[Vendor] agrees to have an independent third party (e.g. Cap Gemini, Ernst & Young, Deloitte & Touche, or other industry recognized firms) security audit performed at least once a year. The audit results and [Vendor]'s plan for addressing or resolving of the audit results shall be shared with the Institution within XX (X) days of the [Vendor]'s receipt of the audit results. The audit should minimally check for buffer overflows, open ports, unnecessary services, lack of user input filtering, cross site scripting vulnerabilities, SQL injection vulnerabilities, and any other well-known (published on bugtraq or similar mailing list) vulnerabilities.

 

Example Contract Clauses Re: Vendor Relationship

Sample Price Cap language:

University shall pay Vendor annual renewal fees (on the annual anniversaries of the Effective Date) based upon Vendor’s rates for renewal term; provided that Vendor may not increase the renewal fees more than three percent (3%) or CPI-U, Not Seasonally Adjusted, U.S. City Average, All Items, Base Period 1982-84=100, whichever is less, from one annual term to another; and provided further that the renewal fees shall, at all times, be at the lowest rate charged for the same services to any of Vendor’s other customers. 

Termination language from the U.S. General Services Administration (GSA) Cloud Computing contract Amendment (https://forum.webcontent.gov/resource/resmgr/model_amendment_to_tos_for_g.pdf):

Agency may close Agency’s account and terminate this agreement at any time.

 

Termination language from a UCLA SaaS contract:

Unless otherwise required by law, Vendor may not withdraw availability of the Services during the Term of this Agreement without first providing University with ninety (90) days advance notice of same, and then only if Vendor is withdrawing availability from all of its customers.

  

Sample Mergers & Acquisitions language: 

ASSIGNMENT. This Agreement shall be binding on the parties and their successors (through merger, acquisition or other process) and permitted assigns. Neither party may assign, delegate or otherwise transfer its obligations or rights under this Agreement to a Third Party without the prior written consent of the other party.

 

 
