Cloud – Thinking About Procurement and Contracts in a Different Way

Nicky Stewart, Skyscape Cloud

1. About Skyscape Cloud Services Limited

  • Skyscape was founded in 2011 to meet the emerging UK public sector cloud requirement. Skyscape has been on a journey with the UK public sector in its adoption of cloud services. G-Cloud was the catalyst. G-Cloud gave UK public sector buyers a compliant route to buy cloud services, and access to a large community of cloud providers who had never done business with the UK public sector before. Cloud has delivered many benefits to the UK public sector, and has made buyers and suppliers think about procurements and contracts in a different way.

2. Introduction

  • Cloud contracts. Service level agreements. Privacy and Security. All are big topics for cloud, and even bigger topics in Brussels.
  • Take cloud contracts. Lots of work has been done by lots of people comparing cloud contracts. Not least by or on behalf of Brussels, where the European Commission convened an “Expert Group on Cloud Computing Contracts”, which Skyscape has participated in since the beginning. There is a widely held view that cloud contracts are a major obstacle to the adoption of cloud computing in Europe.
  • Why are cloud contracts different? First, it is important to make some key differentiations: cloud services (and therefore cloud contracts) fall into two broad camps. Firstly, C2B contracts, where the service being provided is usually “free” (if you don’t mind exchanging your personal data for the service in question), and second, B2B contracts, where the service is generally paid for. These are two important initial differentiators.
  • The next differentiator is the nature of cloud services themselves. With some exceptions – such as private cloud – the majority of mainstream cloud services are standardised, and transacted as a utility. Many users – millions in the case of some online retailers and social media services – are consuming the same service. Anyone who has had any experience of contract management will realise that the only sensible approach in this scenario is to have standard contracts – and this means non-negotiable in most cases.
  • Given the scale of the service, and the huge number of consumers, any other approach is simply unworkable. If you have 1000s of customers consuming the same service, it simply isn’t possible to change the service or contract for one customer. All the other customers would need to buy into the change, and there is every likelihood that at least one customer would say no.
  • Buying cloud requires the buyer to think differently about procurement, and contracts. In the same way that you wouldn’t expect to negotiate your electricity contract with your utility provider, you wouldn’t generally expect to negotiate a contract with your cloud provider either. As a consumer, you want the best deal, and terms that are favourable to you.

3. Is a standard contract an unfair contract?

  • As consumers, the vast majority of contracts that we will encounter will be the online “click-through” contract. Sometimes known as “adhesion contracts”, these are presented on a “take it or leave it” basis, and assume no bargaining power on the part of the buyer.
  • Not all click-through contracts are cloud contracts, but given the speed of cloud provisioning, many cloud contracts are click-through contracts. Buyers are strongly recommended to read the click-through terms, as a cloud contract may (although not always) have at least some of the following characteristics:
  • A cloud provider has a unilateral right to modify the terms and conditions and/or the terms of service (including price) at any time, without customer consent
  • A cloud provider may exclude, or excessively limit, its liability for service failures, and any direct or indirect damages
  • A cloud provider may limit a customer’s termination rights
  • A cloud provider may give itself rights to suspend the service provided to the customer
  • The jurisdiction of a cloud provider’s contract may not be in a jurisdiction that is favourable to the customer
  • The customer may not have any control on where their data is processed
  • A cloud provider may give itself unreasonable termination rights, and limit the customer’s termination rights
  • The customer will not be granted audit rights
  • A cloud provider may not make a customer’s data available in an easily portable format once the contract comes to an end
  • Many of the characteristics listed above are very different from conventional B2B ICT contracts, which usually involve at least some negotiation. A few of the characteristics are justifiable in the context of multi-tenant cloud provisioning. A cloud provider which is hosting many customers on the same platform will need to have the ability to suspend service if the service user threatens to compromise the security of the provider’s other customers. Multi-lateral modification of terms and conditions is not feasible (although customers ought to be given the option to opt out easily and without penalty if they are unhappy with the modifications).
  • All of these characteristics have led to a regulatory view that cloud contracts are inherently unfair to the consumer.

4. Are cloud contracts really an obstacle to cloud adoption?

  • In 2014, security researchers on behalf of Europol set up a Wi-Fi hotspot in London. In return for free Wi-Fi, the click-through terms asked customers to promise "to assign their first born child to us for the duration of eternity." Predictably, a number of people signed up. Research has shown that the vast majority of consumers will not read their online contract.
  • Research undertaken by Politecnico di Milano School of Management suggests that the average consumer of cloud services is less concerned with the characteristics of a cloud contract than the regulator is. A sample of 332 SME cloud buyers showed:
  • 51% had analysed the contract, and found no critical issues
  • 1% took issue with the terms and tried to negotiate
  • 1% took issue with the terms and did not enter into the contract
  • 3% took issue with the terms, but entered into the contract anyway
  • 44% did not analyse the terms

5. So what should a buyer be looking for in a cloud contract?

  • Not all buyers are the same, and clearly large enterprises and governments will be less relaxed about typical cloud contracts than your average individual or SME consumer. It is important to emphasise that not all cloud contracts are unfair, but the onus must always be on the consumer to ensure the terms of the cloud provider’s contract are fit for the consumer’s purpose.
  • Cloud often means multiple legal jurisdictions can apply to the cloud service, and therefore by default, the buyer’s data. All contracts should specify the governing law of the contract, and buyers will need to understand the legal implications of the governing law on their data, as well as checking that they would be comfortable enforcing the contract terms in the event of a dispute in the specified jurisdiction
  • Buyers, irrespective of whether they are C2B or B2B, need to understand the law that applies to the cloud service, their data, and the service they may be providing via the cloud service. This is particularly the case for data protection regulation, but other laws may well apply, depending on where the service is being delivered, and the functions being performed by the service. This aspect can be even more critical when the public sector consumes cloud services
  • Data protection regulation requires data controllers to ensure that personal data is secure and protected. Buyers must ensure that the cloud service has adequate and proportionate technical and legal measures in place. Some externally validated accreditations and certifications, such as ISO27001 and ISO27028 can be a good demonstration of a cloud provider’s security credentials
  • Processing data in the cloud means that data is being added, modified, removed or generated. A cloud provider’s terms must clearly state where data ownership lies, including any new data. Some cloud providers’ contracts give them a licence to republish some or all of the buyer’s data for the purpose of provision of the service. In this scenario, buyers will need to satisfy themselves that they remain compliant with data protection regulation, and their third party obligations
  • Many cloud providers find the granting of audit rights to a customer difficult, as potentially thousands of customers could invoke their audit rights, which not only becomes an unacceptable security risk for other customers, but also creates an unmanageable overhead for the cloud provider
  • Step in rights are similarly problematic for cloud providers. This is particularly the case where the services are delivered from a multi-tenanted platform. Step in rights simply won’t work under this scenario, whatever the reason for invoking them might be. Instead, buyers need to be confident that their data can be retrieved, or is made available, in a useable format that can easily be transitioned to a new cloud provider
  • A good contract will clearly set out the rights and responsibilities of both buyer and provider, and this applies to cloud contracts as it would to any other contract
  • Buyers will need to understand if third parties will have access to their data and, if so, the extent and nature of the supply chain will need to be understood, including the extent of a cloud provider’s liability for sub-contractor failure, and that any sub-contractors are also compliant with regulatory, legislative and security requirements
  • Cloud providers may put extensive limitations on their liability for service failures, and/or data damage and loss. Buyers will need to be confident that they will receive adequate and proportionate compensation from the cloud provider, should anything go wrong. Buyers will also need to acknowledge that the highly competitive price-points that cloud services deliver do not sit comfortably with a more conventional liability regime
  • Most cloud providers will offer some form of service level agreement. The service levels will invariably be standard and therefore non-negotiable. The buyer must ensure the service level regime is fit for purpose, and offers adequate compensation when service levels are not met
  • Cloud services are often relatively easy to adopt, but as with any IT service, buyers will need to satisfy themselves that they are easy to leave too. As with any contract, buyers will need to check the cloud provider’s terms to determine whether there are penalties for cessation of consumption or contract termination, the manner and ease in which the buyer’s data can be recovered, and the cloud provider’s data retention policy

6. G-Cloud makes buying cloud easy

  • None of this should be a reason for a buyer not to use cloud. Cloud will underpin Europe’s digital future and it is in the interest of a buyer and their organisation to understand cloud and think differently about buying cloud. G-Cloud, the UK government’s flag-ship initiative for cloud adoption in the UK public sector, has made significant advances in cloud procurement, in a way that is compliant with all applicable regulations, fosters innovation, drives competition and value, and removes the high barriers to entry to what has historically been a difficult market to break into.
  • The Digital Marketplace is an online catalogue of the services available for purchase by government organisations under the G-Cloud framework agreement. The Digital Marketplace showcases the services and their essential characteristics and prices, as well as supplier terms and conditions. All of the information in the Digital Marketplace is transparent and publicly available. This approach drives competition and value, and allows the buyer to easily compare and benchmark service characteristics and prices.
  • The advantages of buying through the Digital Marketplace are many: the process is OJEU compliant, quick and transparent, and the buyer has access to a wide range of innovative services, many of which can be deployed in hours. The Digital Marketplace’s transparent and open approach to pricing means that services can be purchased at considerably less cost than through more conventional purchasing routes.
  • The entire approach is based on standardisation and commoditisation, in a way that specifically meets the need of the UK public sector market. This makes for a highly efficient buying process:
  • Services are easy to buy. The framework agreement/catalogue approach gives the buyer access to OJEU compliant services, without the need for lengthy procurements
  • G-Cloud is transparent: all G-Cloud providers must show their service features and pricing in the Digital Marketplace, which is available to all. This drives competition and choice
  • More competition delivers greater efficiencies. Cabinet Office has estimated that G-Cloud delivers savings of between 20-50%, and transaction cost avoidance of approximately £23,000.00
  • Friction free: G-Cloud services are easy to adopt, and can be terminated for no cause. There are many services to try, and many G-Cloud providers offer free trials
  • Once a G-Cloud buyer has a clear, approved and funded requirement, they can use the Digital Marketplace to prepare longlists and shortlists. Short-listed suppliers will need to be evaluated. The engagement process will vary according to the nature and complexity of the requirements. In some simple cases short-listed suppliers and services can be evaluated via the Digital Marketplace against key functions, and by comparing the service descriptions. There are rules which the buyer must take into account, in order for the procurement to be compliant:
  • Services are fixed at the point of tender and cannot be materially changed or re-negotiated
  • Buyers cannot negotiate or accept individual price discounts. Any price reduction must be made available to all and reflected in the supplier’s pricing document
  • Once the preferred supplier has been identified, the G-Cloud call-off contract can then be completed and signed by both parties to formalise the engagement. The contract is made up of the following documents, in a hierarchy:
  • Government standard G-Cloud Framework Agreement
  • Government standard G-Cloud call-off overarching terms and conditions
  • Government standard Order form
  • Standard Supplier terms and conditions (not negotiable)
  • Any relevant supporting documents (such as service descriptions)
  • The supplier terms and conditions will form part of the G-Cloud call-off contract. Whilst the government standard terms place obligations on the supplier, a supplier’s terms will place obligations on the buyer. A supplier’s terms cannot be altered at the point of call-off. The buyer will therefore need to be satisfied that supplier terms and conditions are either acceptable in full or, where partially acceptable, that the undesirable clauses are effectively over-ridden by existing clauses in the G-Cloud call-off contract terms and conditions, which take precedence. It goes without saying that G-Cloud supplier contracts that contain unfair terms tend not to be selected.
  • By thinking out of the box, and being prepared to think differently about public procurement, G-Cloud is delivering significant benefits for both buyer and supplier. The buyer benefits from innovative, fully compliant services, and all-round efficiency driven by unprecedented transparency, and standardisation. The low barriers to entry to the G-Cloud framework mean that the majority of G-Cloud suppliers are SMEs, and to date 61% of all G-Cloud sales (just south of £1bn) have been with SMEs. G-Cloud is underpinning the UK government’s digital transformation, is contributing to the UK’s digital economic growth, and has solved many of the problems conventionally associated with buying cloud services.