Desktop version

Home arrow Computer Science

  • Increase font
  • Decrease font

<<   CONTENTS   >>

Data Redundancy

Because the customer relies on the vendor as the custodian of its data, cloud computing agreements commonly contain explicit provisions regarding the vendor’s obligations to back up customer data and the frequency of that backup (e.g., frequent partial backups and periodic full backups). A good place to start is for the customer to compare the vendor’s backup policies to its own backup requirements and ensure that the two policies are consistent in all material and critical respects. Below is a sample provision addressing these obligations:

Vendor will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every thirty minutes to a backup server, (C) weekly backups of all hosted Customer information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last fourteen nightly database backups on a secure transfer server (i.e., at any given time, the last fourteen nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.

Use of Customer Information, Data Conversion, and Transition

Because the vendor will have access to and will be storing the customer’s data, the agreement should contain specific language regarding the vendor’s obligations to maintain the confidentiality of such information and confirming that the vendor has no right to use such information except in connection with its performance under the cloud computing agreement. Moreover, data conversion, both at the onset and termination of the cloud computing agreement, must be addressed to avoid hidden costs and being locked in to the vendor’s solution.

First, it is becoming increasingly common for cloud computing vendors to want to analyze and use the customer data that resides on their servers for their own commercial benefit, in particular the data customers create as they use the software. For example, the vendor may wish to use a customer’s data, aggregated along with other customer’s data, to provide data analysis to industry groups or marketers. The vendor may limit its use to deidentified customer data, but this is not always the case. These uses are very similar to what businesses and individuals have been facing for years with respect to the ability of “cookies” to track and follow where we go and what we do on the Internet.

Here, however, the customer data in the cloud is proprietary and confidential to the customer and its business. As a result, the customer should consider such use of any of its data very carefully, and if the agreement does not mention these sort of uses, the customer should ask the vendor about its uses and add a vendor representation about which uses, if any, are permitted. It is commonly the case that customers conclude that the vendor should not have any right to use customer data, whether in raw form, aggregated, or deidentified, beyond what is strictly necessary to provide the software or for the vendor to perform its other obligations under the agreement. An example where commercial use might be acceptable is where the vendor provides a service that directly depends on the ancillary use of such customer data, such as aggregating customer data to provide data trending and analysis to the customer and similarly situated customers within an industry. In this case, it would be appropriate to specifically draft what customer information the vendor is permitted to access and what are the specific permitted uses.

Second, the customer must address data conversion issues and return of data upon termination of the cloud computing agreement and the relationship. Going into the relationship, the customer should know that its data can be directly imported into the vendor’s software or that any data conversion needed will be done at vendor’s cost or at customer’s cost. It is commonly appropriate for a customer to conduct a test run of a vendor’s mapping scheme to see how easy or complicated it will be (likewise when checking vendor’s references, to ask about data migration experiences).

Lastly, the customer does not want to be trapped into staying with a vendor because of data formatting issues. To that point, cloud computing agreements commonly contain explicit obligations on the part of the vendor to return the customer’s data, both in vendor’s data format and in a platform-agnostic format, and thereafter destroy all of the customer’s information on vendor’s servers, all upon termination of the agreement. A sample provision to illustrate this obligation:

At Customer’s request, Vendor will provide a copy of Customer information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, (i) Vendor shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer information in the form in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Vendor’s or its agents’ or subcontractors’ possession in any form, including but not limited to electronic, hard copy or other memory device. At Customer’s request, Vendor shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer information and that it shall not make any use of the Customer information.

<<   CONTENTS   >>

Related topics