
In-House Counsel’s Checklist for Cloud Based Service Contracts

On April 7, 2011, in Cloud Computing, Internet, Jurisdiction, by Jorge Espinosa

In negotiating a cloud based services contract, a company is going to have to consider many unique and individualized needs. Many of these needs will depend on the corporation's industry and on whether it is likely to use the cloud service to transfer or store privileged, regulated or restricted information. While no single list can possibly cover all points, the following should provide a good starting checklist for most companies.

1. Does the cloud provider own all storage and transfer sites for the static and dynamic data that will be put on the service?

2. If not, who are the subcontractors?

3. Will the subcontractors be bound to the terms of your contract?

4. Will you have a direct right of action against the subcontractors?

5. If work is subsequently transferred to subcontractors, will you be notified in advance so that you can re-evaluate the service? Will the identity of the intended subcontractors be disclosed in advance?

6. Where are the storage servers located, i.e., where will your data reside?

7. If they are in a foreign state or country, are you comfortable with the foreign law? You may want to restrict the cloud provider to using only local sites or a specific site.

8. Do you need customization, and will the cloud service provide it? Remember that customization may keep you from benefiting from regular site upgrades.

9. Do you need uptime guarantees? Get a representation as to the provider's prior year's downtime record.

10. Lock down the provider's maintenance schedule and its impact on the service.

11. Lock down security guarantees. Are they providing encryption? Who has access to the servers? Do they meet other legal security and segregation requirements (e.g., HIPAA, European Union rules, Gramm-Leach-Bliley, and state information privacy laws such as those in Massachusetts)?

12. If your company has environmental guidelines, does the provider comply? One online provider, for example, uses only wind power for its servers.

13. Will the provider agree to certain deletion standards if the contract is terminated?

14. Will the provider agree to procure SAS 70 Type II audits, or is it ISO 27001 certified for security?

15. Will they notify you in the event of a security breach? How, and how quickly? At what level of detail? This may be necessary for certain regulated information (e.g., under HIPAA or HITECH).

16. Will they notify you in the event of insolvency? Will you receive advance notice of termination?

17. Will they provide you with different format options to recover or transfer your data upon termination of the relationship?

18. What happens to your data in the event of a dispute with the provider? You don't want to be held hostage.

19. Are damages caps acceptable for the type of data stored? Are intentional or grossly negligent acts exempted?

20. What privacy standards and laws apply?

21. Which jurisdiction governs a dispute?