Key terms for customer agreements

Purpose

The purpose of this guidance is to identify some key contract terms and conditions that agencies may wish to specifically consider when they are negotiating customer agreements with suppliers of public cloud services. 

Background

Sometimes, consumption of public cloud services occurs with little if any negotiation of contract terms – especially when the service is perceived as low risk/low value, commoditised and/or ‘click to accept’ terms apply. However, agencies may wish to negotiate specific contract terms, for example where the risk or value to the agency is high, or otherwise to deal with agency-specific requirements.

Disclaimer

This guidance should not be used as a substitute for legal advice. Agencies should comply with their own policies and consult their own legal advisors before accepting any supplier contract terms and conditions or relying on any of the information below. It is recommended that agencies read the terms of supplier contracts in full before accepting them. No liability is accepted by the Department of Internal Affairs. 

This guidance also does not cover all public cloud service contract terms, for example those relating to account set-up and administration, contract term, pricing/payment, scope of the cloud service being procured, or suitability of that service for the agency’s purposes. These need to be considered by agencies too.

Key terms of customer agreements

The analysis below identifies some common contract terms that agencies may want to review and negotiate with cloud service providers.  Some issues raised by these terms, and alternative positions are described, but the appropriate outcome for an agency will vary depending on its individual circumstances and the service being procured.

Customer indemnifying supplier

The supplier’s customer agreement (contract) often requires the customer to defend, hold harmless or indemnify the supplier and/or any other entity.

Generally, under the Public Finance Act (PFA), agencies cannot give indemnities and, accordingly, they should seek to have them excluded from the contract.  If there is to be a customer indemnity in the contract, the contract must be approved in accordance with the PFA, before it is entered into.

Supplier indemnifying customer

Suppliers do not always indemnify their customers for defaults, acts or omissions of the supplier that cause a loss to the customer.

The supplier should indemnify the agency for loss arising from significant events for which the supplier is responsible, e.g. resulting from its wilful misconduct, a breach of agency IP rights or third party IP infringement claims.

Control of Claims

If the supplier does agree to indemnify the customer, the contract will often state the supplier has sole control of the conduct of any associated proceedings.

Agencies, however, may need to be able to approve any defence, settlement or counsel proposed by the supplier, as per the Cabinet Directions for the Conduct of Crown Legal Business 2016.

Customer Liability

Supplier contracts often do not limit the liability of the customer to the supplier. In this context, “limited” may mean, for example, that a maximum liability cap applies and/or that indirect and consequential losses are not claimable.

Agencies will want their liability to be limited to help them quantify their exposure and so that risks under the contract are appropriately allocated. It might nevertheless still be acceptable to an agency if some events give rise to unlimited liability, for example in relation to a violation of the supplier’s IP rights or breach of the agency’s confidentiality obligations.

Supplier liability

Suppliers often exclude their own liability to the customer to the maximum extent permitted by law.

Suppliers should accept liability for their acts or omissions to an extent that reasonably protects the agency against losses it may incur. The supplier’s liability may be limited but there may be exceptions where unlimited liability should apply too, for example in relation to wilful misconduct, violation of third party or customer IP rights, unauthorised use or disclosure of customer data or breaches of the supplier’s confidentiality obligations. Note that it is not always appropriate for the agency’s and supplier’s liability to be equivalent or reciprocal – the parties’ risks, likelihood of breaching the contract and likely losses may be quite different.

Warranties and service levels

Some contracts exclude supplier warranties or limit their scope, duration or the remedies applicable to them, or only state the service is provided ‘as is’.

The agency might want the supplier to warrant that it can perform the contract properly at all times. Warranties might cover things like:

  • services will comply with technical and functional specifications (including security information)
  • it has the necessary IP rights to provide the services
  • it will provide the services with due skill and care
  • all information it provides is true and accurate.

Public cloud services may be subject to ‘service levels’. Often, these are standard across all customers of the supplier, which makes it hard to negotiate agency-specific arrangements. However, agencies may still want to assess the supplier’s service levels and whether they are fit for the agency’s purpose.

Exclusive remedies

Supplier contracts may try to limit the remedies available to customers for supplier breaches and other failures.  For example, the contract may state service credits are the only remedy in the case of a breach of service levels.

It is usually preferable for agencies to have a range of remedies (for example, damages, service credits, re-performance/resupply, termination) available to them in relation to any breach or default on the part of the supplier.  An exception may be where the supplier modifies the service, in which event it isn’t unusual for termination to be the agency’s sole remedy.  

Dispute resolution

Contracts may not include dispute resolution provisions or, conversely, require a number of escalating processes to be followed to deal with any issues arising between the parties, including arbitration.

It is usually preferable for agencies if disputes that cannot be resolved through standard relationship management or governance arrangements are referred for resolution via mediation.  Nothing in the contract should prevent either party from seeking urgent relief from a Court.

Governing law and jurisdiction

Supplier contracts may be governed by an overseas law, with which the customer will not usually be familiar.  This could make it expensive and time-consuming for the customer to enforce its rights or the supplier’s obligations, and increases jurisdictional and data sovereignty risks.

Agencies should seek to have New Zealand law and jurisdiction apply for the purposes of the contract, regardless of where the supplier is based or from where the service is provided or data is stored. This approach should apply to any dispute resolution terms (see above) too.

Information Security

Supplier contracts don’t always deal in any detail with how security-related risks and incidents will be managed and dealt with, and how the customer will be notified about them, and their impact, when they do occur.

The contract should provide that the supplier is obliged to notify and provide all information and assistance to the customer in relation to any security incident, as well as to rectify the issue at its own cost as soon as possible. 

Data, privacy

Supplier contracts do not always deal in any detail with how customer data (including information about its business operations, customers and personal information) will be managed or how the supplier will work with the customer if any issues affecting such data do occur.

The contract should describe how the supplier deals with issues affecting agency data and keeps it secure. Agencies should get prior written notice before any data is provided to a regulatory/government organisation in any jurisdiction.  Where personal information may be used in connection with the service, the supplier should comply with all applicable privacy laws. How agency data will be treated (e.g. returned, deleted) after the contract terminates or expires should also be covered in the contract.

Confidentiality, Official Information

Supplier contracts often include confidentiality provisions.

Agencies should ensure clauses covering use and disclosure of information that is confidential are mutually expressed and do not apply only in favour of the supplier.  The supplier should also acknowledge that the agency may be subject to the Official Information Act or the Local Government Official Information and Meetings Act.

Intellectual Property (IP)

Supplier contracts sometimes include IP clauses that are worded broadly or in the supplier’s favour, which may mean the customer won’t own, or have rights to use, property that it might expect to have or hold.

Agencies should ensure IP provisions aren’t over-reaching and they retain ownership of all their property (including client and operational data) and have appropriate use rights, including after the contract has ended.

Entire agreement, applicable documents and precedence

Supplier contracts often incorporate additional documents, like policies, product terms, specifications and service level/support agreements, and provide that these documents may be supplemented or changed over time.

Supplier contracts often do not include “precedence” clauses. Where the contract comprises multiple documents, it needs to be clear which applies in the event of any conflict or inconsistency between any of them.  Agencies should try to ensure: (1) all applicable documents are identified up front, (2) an order of precedence is set, and (3) applicable documents can’t be changed without their prior agreement (see “Amendment” below).  Also, ancillary or subsequent documents (e.g. order forms or invoices) shouldn’t be allowed to alter the agreed document set or the order of precedence.

Amendment

The supplier contract may allow the supplier to vary terms of the contract, or any document forming part of it, without the customer’s prior agreement.

Agencies should try to ensure that only changes to which the agency has agreed in writing will apply to any of the services they receive. Suppliers may insist on being able to unilaterally change the service or certain policies/standards etc., for example because it is too administratively complicated to obtain all customers’ consents before doing so. If the service is materially changed, the agency will usually be entitled to terminate the contract.

Template customer agreement

The extract below is a clause the Department of Internal Affairs has included in its template cloud framework agreement (Schedule 7, clause 2.4). This clause sets out certain minimum requirements if the supplier enters into a cloud framework agreement with the Department, for example that governing law under the supplier’s contract must be New Zealand law. The extract uses the following terms: Affiliate, Vendor, and Affiliate Agreement to mean agency, cloud services provider, and customer agreement respectively.

The issues covered by this clause represent the minimum agencies should seek to cover off when they negotiate contracts for public cloud services (there may be other things an agency should deal with too, where they are relevant to its own procurement or use of that service). 

“The Vendor acknowledges that, despite any provision to the contrary in any agreement or the Vendor Standard Terms:

(a) no indemnities: the Affiliate shall not be under any obligation under this Affiliate Agreement or any other agreement or document to defend, hold harmless or indemnify the Vendor or any other person or entity (and for this purpose “indemnify” includes any obligation in the nature of an indemnity);

(b) documents which comprise this Affiliate Agreement: this Affiliate Agreement comprises only the documents specified in clause;

(c) precedence of documents: the precedence of the documents comprising this Affiliate Agreement is the precedence specified in clause;

(d) entire agreement: this Affiliate Agreement constitutes the entire agreement of the parties with respect to its subject matter, as provided in clause;

(e) no exclusive remedy: any reference in the Vendor Standard Terms to a remedy being the sole or exclusive remedy does not apply except for where the Vendor’s Standard Terms provide that where the Vendor modifies a Cloud Service during the Cloud Services Term the Affiliate’s sole and exclusive right is to terminate;

(f) control of claims: any reference in the Vendor Standard Terms to the Vendor having control of the defence or settlement of any claim against the Affiliate, or appointing counsel to represent the Affiliate, is subject to the Affiliate’s approval; and    

(g) governing law: the governing law and jurisdiction for all matters relating to this Affiliate Agreement is as provided in clause.”  

Page last updated: 08/08/2017