The Complete Guide to Drafting Cloud Services Agreements

A detailed guide on creating a Cloud Services Agreement using foundation, primary, secondary and schedule building blocks.
Cloud Services Agreement Building Blocks

Introduction

Cloud Services Agreement

To understand cloud services, it is useful to first look at the difference between a software license agreement and a cloud services agreement.

By way of a practical example, let’s compare Microsoft Office 2019 and Microsoft Office 365.

Software License: Microsoft Office 2019

When you purchase Microsoft Office 2019, you’re buying a software license. This entitles you to install and use the software on your computer. Here’s how it works:

  • Purchase and installation: You buy the software once, either online or from a physical store, and you receive a product key. You then download the software or install it from a physical disc, and use the product key to activate the software on your computer.

  • Use: Once installed, you can use the software offline. Your files are typically stored on your own computer, although you can choose to store them in the cloud.

  • Ownership: The software license is perpetual. This means that as long as you’re using it on the same machine, you can use the software forever.

  • Updates: You receive updates and security patches for a certain period, but to get new features after that, you’d need to buy a new license for the next version of the software.

Cloud Services Subscription: Microsoft Office 365

Office 365, now known as Microsoft 365, is a cloud-based subscription service. Here’s how it differs from a traditional software license:

  1. Purchase and installation: Instead of a one-time purchase, you pay a monthly or yearly subscription fee. You can download the apps to your device, but they will require regular online check-ins for continued access.

  2. Use: You can use the software whether you’re online or offline. However, being online provides extra benefits like real-time collaboration and access to your files from any device through the cloud.

  3. Ownership: The subscription model means you’re essentially “renting” the software. If you stop paying the subscription fee, you lose access to the software.

  4. Updates: As long as your subscription is active, you get regular updates including security patches and new features at no extra cost.

In summary, the key difference between a software license and a cloud services subscription lies in the method of access, payment structure, and how updates are managed. A software license often involves a one-time payment for perpetual use, whereas a cloud services subscription requires regular payments for continued access and automatically includes updates.

Different types of Cloud Services

There are various types of Cloud Services, and the range continues to expand. Here are some examples of Cloud Services types you may find:

  1. Infrastructure as a Service (IaaS): This is the most basic category of cloud computing services. With IaaS, you rent IT infrastructure – servers, virtual machines (VMs), storage, networks, and operating systems – from a cloud provider on a pay-as-you-go basis.

    Example: Amazon Web Services (AWS) Elastic Compute Cloud (EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware upfront, so you can develop and deploy applications faster.

  2. Platform as a Service (PaaS): PaaS is a cloud computing model where a third-party provider delivers hardware and software tools to users over the internet. These tools are typically needed for application development. A PaaS provider hosts the hardware and software on its own infrastructure, freeing developers from having to install in-house hardware and software to develop or run a new application.

    Example: Google App Engine is a PaaS that allows developers to build, deploy, and scale applications without worrying about the underlying infrastructure. This allows developers to focus on writing code and application logic, rather than managing servers, databases, load balancers, and so forth.

  3. Software as a Service (SaaS): With SaaS, service providers deliver software applications over the internet on a subscription basis. These applications are often accessed through a web browser, with data and settings stored in the cloud.

    Example: Salesforce is a SaaS provider that offers a wide array of software solutions for businesses, including customer relationship management (CRM) software, analytics, and marketing automation tools. Users access these services online, typically paying a subscription fee.

  4. Function as a Service (FaaS): FaaS is a category of cloud computing services that provides a platform allowing developers to execute code in response to events without the complex infrastructure typically associated with building and launching microservice applications.

    Example: AWS Lambda allows developers to run their code without provisioning or managing servers. They simply write the code, and AWS Lambda takes care of everything required to run and scale the execution to meet actual demand.

  5. Business Process as a Service (BPaaS): BPaaS is a type of cloud service where an entire business process is outsourced to a cloud provider. These processes could be horizontal (standard across multiple types of businesses, like email handling, HR, and finance) or vertical (specific to a particular industry, like insurance claim management). The provider manages the process, related software, and underlying infrastructure, and updates the process as needed. The customer accesses the process via a web-based interface or an API.

    Example: SAP offers cloud-based Human Capital Management solutions that manage all HR processes, from payroll to employee experience. This would be considered BPaaS as it’s providing a complete business process (HR management) as a service.

  6. Containers as a Service (CaaS): CaaS is a cloud service that allows developers to manage and orchestrate containers using container-based virtualization. Containers package an application along with its required libraries, frameworks, and configuration files together, making it easy to deploy across various environments. CaaS providers offer a framework that allows users to utilize the benefits of container orchestration without the complexity of setting up and managing the underlying infrastructure.

    Example: Google Kubernetes Engine (GKE) is a managed environment for deploying, managing, and scaling your applications using Google infrastructure. The service offers the power of Kubernetes (a container orchestration tool), without the need to install and operate a Kubernetes cluster.

  7. Backend as a Service (BaaS): BaaS, also known as mBaaS (mobile Backend as a Service), is a cloud service model that serves as the middleware that provides developers with ways to connect their applications to backend cloud storage and processing while also providing features like user management, push notifications, and integration with social networking services.

    Example: Firebase, a Google service, provides a suite of backend services like a real-time database, user authentication, and hosting for web and mobile applications. Developers can use Firebase to speed up the development process by eliminating the need to manage servers and write server-side code.

Foundation

Parties

A Cloud Services Agreement is typically a contract between two main parties:

  1. Cloud Service Provider (CSP): This is the company or entity that provides cloud-based services, which can include infrastructure, software, data storage, platforms, and more. Examples of CSPs include well-known companies like Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and IBM Cloud, among others. CSPs are responsible for maintaining the infrastructure and ensuring that the services agreed upon are delivered as per the terms of the agreement.

  2. Customer (also referred to as the Client or Subscriber): This is the individual, company, or entity that is using the services provided by the CSP. The customer can be a business of any size, a government organization, or an individual depending on the nature of the services being provided. 

The exact titles of the parties involved can vary from one Cloud Services Agreement to another. Regardless of the specific terminology used, the most crucial point is that each party’s rights, responsibilities, and obligations are clearly defined within the agreement.

Background / recitals

Introductory sections offer valuable insight into the background and goals of the Cloud Services Agreement. Although they are not legally obligatory and do not carry immediate legal consequences, they can significantly aid in interpreting the agreement’s functional provisions in case of a dispute.

Cloud Services Agreements typically detail crucial introductory elements relevant to any agreement concerning cloud-based services. Given the unique characteristics and terms of the agreement, the parties may decide to incorporate more extensive details or choose to omit some of the basic introductory elements.

Cloud Services

The Cloud Services block will generally address:

  • Access rights to the Cloud Services: This part outlines who can access the cloud services, and to what extent. It essentially sets the boundaries for the use of the Cloud Services. This includes determining whether access is restricted to certain users, limited to a certain number of transactions, or only provided for a certain number of concurrent users. This could also include stipulations about geolocation restrictions, user roles, or machine/IP address limitations. Let’s consider a practical example. A company might subscribe to Salesforce, a popular customer relationship management (CRM) platform. The access rights part in their Cloud Services Agreement with Salesforce would detail the scope of access to be provided, which could include:

    1. Certain number of transactions: This could mean that the company can execute a fixed number of transactions or operations within a certain time period. For instance, the agreement might limit the company to 1,000 data retrieval operations per hour.

    2. Certain number of concurrent users: The agreement might restrict access to a specified number of users at the same time. For instance, if the company purchased a license for 50 concurrent users, only 50 users from the company would be able to log in and use Salesforce at the same time.

    3. User-based restrictions: The agreement may also specify which individuals or roles within the company are allowed to access the cloud service. For instance, it might state that only sales department employees can use the Salesforce account.

    4. Geolocation restrictions: The access rights could also be limited based on geographic location. For instance, the agreement could stipulate that only users within the United States can access the Salesforce platform.

Thus, the Access Rights clause in a Cloud Services Agreement provides a clear definition of who can use the cloud service, how much they can use it, and under what conditions. It is an essential part of the agreement as it prevents misuse of the service, ensures fair usage, and helps maintain the performance and integrity of the service for all users.

  • Affiliates’ rights to use the Cloud Services: Affiliates are related companies, such as subsidiaries. A Cloud Services Agreement might specify whether or not affiliates of the subscribing company can also use the cloud services. For instance, a multinational corporation using Office 365 might have this right extended to its subsidiaries in different countries.

  • Permitted Use for the Cloud Services: This part outlines what the cloud services can be used for. For example, let’s say the Permitted Use is only for internal business purposes. This means the customer can only use the cloud services for its own internal operations. For example, a company might subscribe to Microsoft Azure’s cloud computing services. The agreement may specify that these services should only be used for the company’s internal business operations like data analysis, hosting company websites, and so on. It would prevent the company from using the services to create a separate commercial product that leverages Microsoft Azure.

  • Login credentials: This part covers the management and protection of user login details. For example, Zoom might stipulate in their agreement that users are responsible for keeping their login credentials confidential, and the customer organization is responsible for any activity that occurs under their users’ accounts.

  • Changes to the Cloud Services: This part explains how and when the cloud provider can make changes to their services. For instance, Google Workspace (formerly G Suite) might include a provision stating that they can introduce new features, modify existing features, or remove features, and will notify customers in advance of significant changes.

Usage

Next, the usage restrictions are addressed. Common usage restrictions include:

  • Disassemble, reverse engineer, modify, or create derivative works of the Cloud Services: This restriction means that users aren’t allowed to take apart the software to understand its inner workings (reverse engineering), alter the software (modification), or create new software based on the original (creating derivative works). For example, a user of Adobe Creative Cloud can’t reverse engineer Photoshop to build a competing photo editing application.
  • Use the Cloud Services in violation of applicable laws: This prohibits users from using the cloud service to engage in illegal activities. For example, a Dropbox user can’t store and distribute pirated movies, as this violates copyright laws.
  • Circumvent or disable any security features or other aspects of the Cloud Services: This means users can’t tamper with the security measures in place, like attempting to bypass encryption or disabling firewalls. An AWS user, for instance, shouldn’t try to crack the encryption algorithm used to secure data in the cloud.
  • Attempt to gain unauthorized access to the source code of the Cloud Services: This means that users can’t try to access the underlying code that powers the cloud service. A user of Google’s G Suite, for instance, can’t try to obtain the source code for Google Docs.
  • Use the Cloud Services to transmit unlawful material, or to store or transmit material in violation of third-party privacy rights: This prohibits the use of the cloud service for sharing illegal content, or content that invades someone’s privacy. For example, an iCloud user can’t store and share someone else’s private photos without their consent.
  • Use the Cloud Services to store or transmit any material that may infringe the software or other rights of third parties: This means users can’t use the cloud service to host or share content that violates someone’s copyright or other rights. A Spotify user, for instance, can’t upload and share songs they don’t have rights to.
  • Knowingly or negligently use the Cloud Services in a way that abuses or disrupts servers, user accounts, or other services: This prohibits behavior that could harm the cloud provider’s infrastructure or negatively impact other users. For instance, a Salesforce user shouldn’t try to overload the servers by making an excessive number of requests in a short period of time.

Suspension rights

As a Cloud Services provider, you want to be able to suspend a Customer’s access to the Cloud Services in certain circumstances, and these suspension rights will have to be reserved in the Agreement. Here are some examples of circumstances which may trigger suspension rights:

  • Threat to Intellectual Property: When a cloud service is provided, the underlying code, algorithms, and designs are the intellectual property of the service provider. If a user attempts to deconstruct, reverse engineer, or misuse this IP in any way, it could compromise the provider’s competitive edge and infringe on their legal rights. An example could be a user of a cloud-based AI service trying to reverse-engineer the algorithms to create their own competing AI platform. In this case, the provider has the right to suspend access to protect its intellectual property.
  • Security risks: If a user’s actions risk the security of the cloud service, this could endanger the provider’s infrastructure and potentially compromise other users’ data. For instance, if a user of a cloud storage service is attempting to breach the provider’s security measures or is uploading malware-infected files, the provider would have the right to suspend their service to mitigate the security threat.
  • Illegal activities: Cloud services should not be used to facilitate illegal activities. This could range from using cloud storage to share copyrighted material, to using cloud computing resources to run an illegal online gambling operation. If the provider becomes aware of such misuse, they have the right to suspend the service to comply with the law and protect their business reputation.
  • Bankruptcy: If a user is unable to pay for the service due to bankruptcy or financial insolvency, the provider faces a high risk of non-payment. This would present a significant business risk to the provider. In such a scenario, it’s within the provider’s rights to suspend the service. For example, if a company using a cloud-based CRM service is unable to continue paying the subscription due to bankruptcy, the CRM provider could suspend their service.
  • Legal compliance: If legal or regulatory changes make providing the service illegal, the provider has the right to suspend the service. For instance, if new data privacy regulations in a certain region prohibit the type of data processing carried out by a cloud-based analytics service, the provider would have to suspend service for users in that region.
  • Vendor issues: Cloud service providers often rely on other vendors for certain components of their service. If a critical vendor stops providing a necessary service or product, this can disrupt the provider’s ability to offer their service. For instance, a cloud-based video conferencing service might rely on a third-party server vendor. If the server vendor goes out of business or discontinues their service, the conferencing service may have to suspend its service until it can find a new server vendor.

Third-party products

Incorporating third-party products into a cloud service can provide substantial benefits to a cloud service provider. These benefits include an enhanced service offering, where the provider can leverage existing, proven solutions to add new features and functionalities without needing to build them in-house.

This approach not only accelerates the time to market but also brings cost efficiency by reducing development and maintenance expenses. It allows the provider to focus more on their core competencies and strategic areas, ensuring they deliver the best possible primary service. However, while these advantages are significant, the provider must carefully manage any associated risks, such as security vulnerabilities, data privacy issues, and reliance on another vendor’s service continuity. Here are some points to be considered and addressed in the Cloud Services Agreement:

  • Terms and conditions: Third-party products integrated into the cloud service usually operate under their own terms and conditions. For instance, a cloud service might use Google Maps API to offer location-based features. The usage of Google Maps API is subject to Google’s own terms, separate from the cloud service’s terms. Therefore, it’s essential that the user agrees to these separate terms. If the user doesn’t agree, they should avoid using the specific feature or service that involves the third-party product.

  • Liability and indemnification: The user is generally responsible for any risk arising from the use of third-party products. For instance, if a third-party data analytics tool integrated into the cloud service inaccurately predicts customer behavior leading to financial loss for the user, the cloud service provider cannot be held responsible. The user must indemnify the provider against any such claims, which means they agree to protect the provider from any losses.

  • Data security and privacy: Once the user’s data is transferred to a third-party platform, the provider is typically not responsible for its security or privacy. For instance, if the cloud service integrates with a third-party CRM and the CRM gets hacked, the provider would generally not be responsible for the data breach. It’s the user’s responsibility to ensure that the third-party platform has adequate security measures.

  • Compliance with laws and regulations: The user is responsible for ensuring that their use of third-party products complies with all applicable laws and regulations. For instance, if a user integrates a cloud service with a third-party email marketing tool, it’s the user’s responsibility to ensure that the marketing campaigns comply with spam laws and data protection regulations.

  • Termination of integration: The provider generally wants to retain the right to terminate any integration if it deems the third-party platform to be insecure or in violation of any laws. For instance, if a third-party payment gateway integrated into the cloud service is found to be non-compliant with payment card industry standards, the provider can terminate the integration to protect its users and comply with regulations.

These provisions are critical to clarify responsibilities, protect the provider, and ensure legal compliance when third-party products are part of the cloud service. They help manage risks, promote transparency, and protect all parties involved.

Primary Blocks

Limitation of liability

A Cloud Service Provider generally requires that a limitation of liability block be included in the Cloud Services Agreement. The reasons for inclusion differ depending on the specific Cloud Service being provided. Here are some reasons that a Cloud Service Provider would want to include a limitation of liability block in the Cloud Services Agreement:

  • Protection from excessive financial liability: Providing cloud services can involve many potential risks and unforeseen issues. A limitation of liability block helps protect providers from excessive financial liability, which could be disastrous if a major issue like a data breach or service outage arises.

  • Allocation of risk: By including a limitation of liability block, providers can allocate risk between themselves and the customer more fairly. This can help ensure that the provider is not solely responsible for all issues that may arise during the provision of cloud services.

  • Predictability: Knowing the maximum extent of their liability allows providers to plan and manage their finances more effectively. This predictability can help them make better decisions about their business and allocate resources accordingly.

  • Focus on core competencies: By limiting their liability, providers can focus on their core competencies and work more efficiently, knowing that they have a safety net in place to protect them from excessive claims.


Typical liabilities a cloud service provider would want to protect against include the following:

  1. Data breaches: One of the biggest risks in providing cloud services is the potential for data breaches. For example, a hacker might gain unauthorized access to the cloud servers and steal sensitive customer data. A limitation of liability block can cap the financial responsibility of the cloud service provider in the event of such a breach, ensuring they won’t be bankrupted by damages or lawsuits that could potentially arise from the incident.

  2. Service outages: Cloud services depend on the continuous availability of servers and networks. However, unforeseen circumstances like natural disasters, technical glitches, or cyber-attacks can lead to service outages. For instance, a severe storm could knock out power to a data center, causing an outage. A limitation of liability clause can specify that the provider is not liable for indirect or consequential damages resulting from such outages, thus protecting them from excessive financial claims.

  3. Data loss: While cloud providers implement extensive data backup and redundancy measures, unforeseen issues like a software bug or hardware failure could still lead to data loss. In such a case, a limitation of liability clause could limit the provider’s financial liability to the amount paid by the customer over a certain period, thus providing a cap to potential compensation claims.

  4. Third-Party integrations: Many cloud services rely on third-party products or services. If one of these third parties experiences an issue, it can affect the cloud service, potentially leading to financial claims from customers. A limitation of liability block can stipulate that the provider is not responsible for issues arising from third-party integrations, thus providing a layer of legal protection.

  5. Compliance and legal issues: Cloud providers often handle sensitive data, making them subject to numerous laws and regulations. Unexpected changes in these laws, or discovery of non-compliance, can lead to significant legal and financial implications. Limitation of liability blocks can exclude certain types of damages (like consequential damages) or cap the total liability to a predetermined amount, helping to mitigate these risks.

 

Indemnities

The indemnity blocks help manage risk, protect against potential liabilities, and set a framework for handling unforeseen issues during the use of cloud services. Here’s an exploration of why both parties would want to include indemnity blocks in a Cloud Services Agreement:

  1. Intellectual property infringement: Indemnities for third-party intellectual property infringement claims are vital in protecting the customer from potential legal complications if the cloud service provided infringes on a third party’s intellectual property. For instance, if a cloud service provider inadvertently uses patented technology in their cloud services, the indemnity block shields the customer from financial liability ensuing from a third-party infringement lawsuit.

  2. Data breach: In the cloud ecosystem, data breaches and unauthorized data access are significant concerns. Including indemnities that address the fallout from a data breach or unauthorized access caused by the provider’s negligence can protect the customer from financial losses and damage to their reputation. Suppose a provider’s negligence leads to a security vulnerability in the cloud service, resulting in a data breach at the customer’s end. In that case, the indemnity block would obligate the provider to shoulder the costs associated with the breach, such as legal fees, regulatory fines, and notifications to affected parties.

Termination

Including provisions which provide a clear framework for dealing with the termination of the business relationship is important for several reasons:

  1. Clarity and predictability: Termination provisions outline the circumstances under which the agreement may be terminated and the procedures to be followed. This clarity helps both parties understand their rights, obligations, and expectations, minimizing the risk of misunderstandings and disputes.

  2. Protecting interests: Termination provisions safeguard the interests of both parties in the case of breaches, poor performance, or changes in business requirements. For example, a customer may want to terminate an agreement if the cloud service provider fails to meet the agreed service levels or data security standards. Conversely, the provider may want to end the contract if the customer does not make timely payments or violates usage policies.

  3. Flexibility: Termination for convenience provisions allow for flexibility in the business relationship, providing options for both parties to exit the agreement if circumstances change or if the relationship is no longer beneficial. For instance, a customer may need to terminate the contract due to a shift in their cloud strategy, while a provider might want to end the agreement due to changes in its product offerings or resource allocations.

  4. Risk management: Termination provisions help manage risks associated with providing and using cloud services, which can be unpredictable and subject to various technical or regulatory challenges. By establishing clear termination criteria, both parties can mitigate potential damages and losses in case of service failures or unforeseen issues.

  5. Smooth transitions: Termination provisions often include requirements for transition assistance, such as the transfer of customer data or cooperation in transitioning to a new provider. These provisions ensure a smooth disengagement from the agreement, minimizing disruptions to ongoing operations and enabling a seamless transition to new services or providers.

  6. Legal compliance: Termination provisions can address changes in the legal or regulatory environment, allowing parties to terminate the agreement if compliance becomes impossible or overly burdensome. For example, if new data protection regulations make it challenging for a provider to continue offering services, a termination provision can provide an exit strategy for both parties.

In summary, termination provisions in Cloud Services Agreements play a vital role in managing risks, protecting interests, and providing a clear framework for navigating potential challenges or changes in the business relationship. These provisions are particularly essential in the dynamic and complex landscape of cloud computing.

Warranties

Incorporating warranty provisions in a Cloud Services Agreement is vital for various reasons, as it helps establish a solid foundation for the business relationship, protect both parties’ interests, and ensure the successful delivery of the cloud services. Here are some key reasons why warranty provisions are important in a Cloud Services Agreement:

  1. Quality assurance: Warranty provisions in a Cloud Services Agreement guarantee that the cloud services provided will meet specific quality standards, be available and accessible as per the agreed service level agreements, and function as outlined in the services description.

  2. Clear performance expectations: Warranty provisions set clear expectations for the performance of the cloud services, ensuring that both parties understand the minimum requirements for a successful service provision. This can help prevent misunderstandings or disputes about the service’s availability, functionality, or performance.

  3. Defined remedies: Warranty provisions outline the available remedies in case the cloud services fail to meet the agreed-upon specifications or performance criteria. This can include service credits, rectification of service defects, or in certain cases, termination rights. Having these remedies clearly defined helps streamline the resolution process and avoids prolonged disputes or legal battles.

  4. Risk allocation: Including warranty provisions in a Cloud Services Agreement helps allocate risks between the service provider and the customer. The provider is responsible for delivering a functional service that meets the specified requirements, while the customer must ensure they comply with the usage policies. This risk allocation establishes a fair and transparent business relationship.

  5. Legal protection: Warranty provisions offer legal protection for both parties in case of disagreements or breaches. In the event of a dispute, the warranty terms serve as a reference point for determining each party’s responsibilities and the appropriate course of action to resolve the issue.


Warranties often included in Cloud Services Agreements:

  • Non-infringement: The provider should warrant that the use of its cloud services does not infringe on any third-party intellectual property rights. This protects the customer from potential legal issues related to IP infringement.

  • Compliance with Laws: The provider should warrant that its services comply with all applicable laws and regulations. For cloud services, these might include data protection laws such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States, both requiring special compliance actions regarding the handling of personal data.

  • Conformity to Industry Best Practices: The provider should warrant that its services adhere to recognized industry best practices for security, data protection, and service delivery. This assures the customer that the provider is maintaining high standards in the provision of their services.

In summary, warranty provisions in Cloud Services Agreements are essential for assuring quality, setting clear performance expectations, defining remedies, allocating risks, providing legal protection, and enhancing the provider’s reputation. Including well-crafted warranty provisions in Cloud Services Agreements helps create a solid foundation for successful service delivery and a healthy business relationship between the parties involved.

Intellectual property


Including intellectual property (IP) provisions in a Cloud Services Agreement is crucial for several reasons. These provisions help to clarify ownership, protect the interests of both parties, ensure proper use and control of the IP, and provide a basis for resolving disputes.

  1. Ownership and control: IP provisions clarify the ownership and control of the intellectual property rights of the parties in the Cloud Services Agreement. In a typical cloud service arrangement, the cloud service provider retains ownership of all IP rights in the service, including any improvements or modifications. The customer, on the other hand, usually retains ownership of any data or content they upload to the cloud service.

  2. Protection of interests: Clearly defined IP provisions help protect the interests of both parties. The service provider’s interests are protected by retaining ownership of their IP and having the ability to use, license, or modify their IP for other customers or purposes. The customer’s interests are protected by ensuring that they have the necessary rights to use the cloud service for their business operations without infringing on the provider’s IP rights.

  3. Proper use and commercialization: IP provisions in a Cloud Services Agreement allow for the proper use of the cloud service. The customer can use the service according to the terms of the agreement, while the service provider retains the ability to provide the service to other customers or use it for their own operations.

  4. Dispute resolution: IP provisions can also help to resolve disputes related to the ownership and use of the intellectual property. A well-drafted agreement can provide a clear understanding of the rights and obligations of each party, reducing the likelihood of disputes. In the event of a disagreement, the provisions can serve as a basis for resolving the issue, potentially avoiding costly legal battles.

Confidentiality


Confidentiality provisions protect sensitive information, maintain competitive advantage, safeguard intellectual property rights, and promote trust and collaboration between the parties involved. Here are some reasons why confidentiality provisions are important in a Cloud Services Agreement:

  • Protection of sensitive information: Cloud Services often involve the exchange of valuable and sensitive information, such as customer data, business strategies, and technical specifications. Confidentiality provisions ensure that both parties are legally obligated to protect this sensitive information from unauthorized disclosure or use, thereby reducing the risk of potential harm or misuse. For instance, the service provider may be privy to sensitive business data of the customer while providing the service. A breach of this data could have significant ramifications for the customer’s business.
  • Maintaining competitive advantage: A company’s competitive advantage often relies on the confidentiality of its proprietary technologies, processes, and strategies. By incorporating confidentiality provisions in a Cloud Services Agreement, parties can ensure that their trade secrets and unique innovations are protected, helping to maintain their competitive edge in the market. For example, a customer using cloud-based AI analytics might have proprietary algorithms that provide a competitive advantage, and a breach could benefit competitors.
  • Trust and collaboration: Confidentiality provisions help promote trust and collaboration between the parties involved in the cloud service. By agreeing to protect each other’s sensitive information, both parties can confidently share data and resources, fostering a collaborative environment that is conducive to innovation and success.
  • Legal recourse in case of breach: In the event of a breach of confidentiality provisions, the affected party can seek legal recourse, including damages and injunctive relief, to address the harm caused by the unauthorized disclosure or use of confidential information. This provides a safety net for both parties and reinforces the importance of adhering to confidentiality obligations.

 

Dispute resolution


Incorporating a dispute resolution block in a Cloud Services Agreement is essential for several reasons. It provides a clear framework for resolving disputes that may arise during the course of the service, ensuring that both parties understand their rights and obligations in the event of a disagreement. Here are some key reasons why including a dispute resolution block is crucial in a Cloud Services Agreement:

  • Clarity and predictability: A well-drafted dispute resolution block sets out the process to be followed if a disagreement arises between the parties, such as a breach of security, data privacy issues, or disagreements over service levels. This clarity helps the parties understand the steps to be taken in the event of a dispute, reducing confusion and facilitating a more efficient resolution. For instance, the block may require the parties to first negotiate in good faith or to use a neutral third-party mediator before proceeding to litigation.
  • Cost and time savings: Alternative dispute resolution (ADR) methods, such as mediation and arbitration, are often faster and less expensive than traditional litigation. By specifying an ADR method in the dispute resolution block, parties can save time and resources by avoiding lengthy court battles and focusing on resolving the dispute through a more streamlined process. This can be particularly beneficial in the context of cloud services, where technical issues may be better understood and resolved by a technology-savvy arbitrator.
  • Confidentiality: ADR methods like mediation and arbitration typically provide for greater confidentiality than court litigation. Including a dispute resolution block that specifies the use of an ADR method can help protect sensitive information, such as customer data or proprietary algorithms, from public disclosure during the dispute resolution process.
  • Control over the process: A dispute resolution block allows parties to tailor the dispute resolution process to their specific needs, such as choosing the governing law, location of dispute resolution, and the qualifications of the mediator or arbitrator. This flexibility enables the parties to select a process that is best suited to the nature of the Cloud Services Agreement and their specific requirements.
  • Preservation of business relationships: ADR methods are generally less adversarial than litigation, focusing on collaborative problem-solving and achieving a mutually satisfactory resolution. By including a dispute resolution block that encourages negotiation, mediation, or arbitration, parties can work to resolve disputes amicably and preserve their business relationships, which is especially important in long-term cloud service contracts where the parties anticipate an ongoing business relationship.
  • Enforceability: A well-drafted dispute resolution block can help ensure that any decision or settlement reached through the dispute resolution process is enforceable in court. This provides both parties with greater certainty and confidence in the outcome of the dispute resolution process.

Force majeure


Incorporating a force majeure block in a Cloud Services Agreement is crucial due to the numerous uncertainties that can arise in the volatile digital world. These provisions manage the parties’ rights and obligations in the event of unforeseen circumstances beyond their control, such as natural disasters, power outages, or cyberattacks, which could impact the ability to deliver cloud services. From a cloud service provider’s perspective, here are several reasons why including force majeure provisions is crucial, especially concerning outages of a data center beyond their control:

  • Allocation of risk: Force majeure provisions allocate the risks associated with unforeseen events between the parties. For a cloud service provider, these provisions can be critical when unexpected events, such as a blackout or a natural disaster, affect the data center, and consequently, the cloud service delivery. This ensures that the provider is not unfairly penalized for circumstances beyond their control, fostering a fair contractual relationship.
  • Legal protection: In the event of a force majeure occurrence, such as an extended power outage at a third-party data center, these provisions offer legal protection to the cloud service provider, shielding them from liability for non-performance or delayed performance of their contractual obligations.
  • Clear expectations: Force majeure provisions establish clear expectations for how such events will be managed. For instance, if an outage occurs due to a third-party data center’s failure, the provider’s responsibility might be limited to working with the data center operator to restore the service as quickly as possible, without bearing the complete liability for the outage.
  • Business continuity: Force majeure provisions often include obligations for the affected party to mitigate the impact of the event. This could involve the cloud service provider implementing a disaster recovery plan, deploying redundant systems, or switching to an alternative data center, aiming to ensure business continuity for their clients and minimize the negative consequences of the disruption.
  • Termination rights: In cases where a force majeure event continues for an extended period or renders service provision impossible or commercially unfeasible, these provisions may allow for termination of the agreement. This offers both parties an exit strategy, enabling them to reevaluate their options and pursue alternative arrangements if necessary.

Overall, from a cloud service provider’s perspective, including force majeure provisions in a Cloud Services Agreement is essential for managing risks and uncertainties inherent in the digital realm. These provisions help protect the provider from liability, clarify expectations, ensure business continuity, and offer flexibility and termination rights in the face of unforeseen events. By incorporating well-drafted force majeure provisions, the cloud service provider can foster a more resilient and successful contractual relationship.

Secondary Blocks

Business continuity


Including a business continuity block in a cloud services agreement may assist in safeguarding operational stability in the face of unexpected disruptions or disasters. In the world of cloud services, unexpected events, such as power outages, natural disasters, or cyber-attacks, can significantly hinder or even halt the provision of cloud services.

Having a business continuity block ensures that the cloud service provider has established procedures to maintain and promptly restore service functionality amidst such disruptions. Furthermore, it helps to delineate clear responsibilities and expectations while promoting trust between contracting parties.

Exit plan


An exit plan block in a Cloud Services Agreement is crucial as it lays the groundwork for a transition should the relationship between the client and the cloud service provider conclude.

Take, for example, a scenario where a finance company (the customer) contracts a cloud service provider to host and manage their customer data and software applications. Over time, if the finance company decides to either take their cloud services in-house or switch to another cloud provider, a termination and transition block in the initial agreement helps mitigate potential disruption to services or loss of critical data during the changeover period. It outlines steps for transferring data, user credentials, configurations, and any related intellectual property to the finance company, as well as details about training the new team or maintaining service levels during the transition.

Without such a block, the finance company might face significant operational challenges, including potential service outages, loss of vital customer data, or even legal issues related to intellectual property rights. Thus, including a termination and transition clause provides both parties with a clear roadmap and mitigates risks during the termination process.

Software escrow


A source code escrow block in a Cloud Services Agreement is vital, especially when the cloud services being provided are proprietary and integral to the customer’s operations.

Consider a scenario where a financial institution relies on a particular cloud service for managing its customer data and transactions. The cloud service is provided by a small cloud services company. The service, as offered to the financial institution, comes as a hosted service that the institution does not have the technical capability to manage or maintain—it’s dependent on the cloud services company for updates, data protection, and system adaptations.

Now, let’s say the cloud services company suddenly goes bankrupt. Without a source code escrow block, the financial institution would be in a critical situation. It would have no way to maintain the cloud service. If the service stops working or becomes incompatible with new systems, the financial institution might be unable to access critical customer data or transaction history. This could disrupt its operations and even jeopardize its compliance with regulatory requirements.

However, if the Cloud Services Agreement between the financial institution and the cloud services company includes a source code escrow block, the source code related to the system would have been deposited with a neutral third party (the escrow agent). If the cloud services company goes bankrupt (which is one of the triggering events usually specified in the agreement), the escrow agent would release the source code to the financial institution. The financial institution could then use another provider to get things up and running again, ensuring continued customer data and service access.

Thus, a source code escrow block in a Cloud Services Agreement provides a crucial layer of protection for the customer, ensuring continuity of operations even if the cloud service provider is unable to continue supporting the service. It provides a level of assurance and risk mitigation in the dynamic and uncertain realm of cloud services.

Non-solicitation of key personnel


A non-solicitation of key employee block incorporated into cloud services agreements aims to deter one party from trying to hire or recruit the other party’s essential personnel during the contract period or for a predetermined time following its conclusion. These provisions aim to safeguard the interests of both parties involved in the provision of the cloud services and ensure the continued stability of their respective businesses.

Sub-contracting


This block outlines the terms and conditions under which a party can engage third-party contractors or subcontractors to perform specific tasks or parts of the project. It may include requirements for notifying and obtaining approval from the other party and may define the primary contractor’s liability for the work of the subcontractor.

Insurance


This block requires the parties to maintain adequate insurance coverage to protect against potential risks and liabilities arising from the project. It may specify the types and minimum amounts of insurance, such as professional liability, general liability, or cyber liability insurance.

Compliance with laws and regulations


This block requires the parties to adhere to all applicable laws, regulations, and industry standards related to the cloud services. This may include data protection laws, intellectual property laws, and employment laws. It ensures that the cloud services are compliant with the relevant legal requirements.

Boilerplate


Boilerplate blocks, while often considered standard, play a vital role in shaping the overall legal framework of a contract. As such, it is imperative to give these provisions careful consideration and ensure they align with the parties’ intentions and objectives. Neglecting the importance of boilerplate blocks can lead to unforeseen consequences and potential litigation.

Schedules

Order form

Cloud service providers in the industry often use order forms to enter into Cloud Services Subscription Agreements with customers. An order form is a detailed, customer-specific document that outlines the specific terms of the cloud services to be provided under the agreement. The order form is typically incorporated into and forms part of the Cloud Services Agreement by reference.

Here are the typical parts of a cloud services order form:

  1. Cloud Services to be provided: This part of the order form identifies the specific cloud services that the cloud service provider will deliver to the customer. This may include, for example, Software-as-a-Service (SaaS) applications, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or other specific cloud-based solutions.

  2. Number of users: This section specifies the maximum number of users that the customer is allowed to have access to the cloud service. It may also detail different types of users, such as administrators or general users.

  3. Permitted use: This part outlines the allowed uses of the cloud services. For instance, it may state that the services may be used solely for the customer’s internal business purposes.

  4. Important dates: This includes the start date and the end date of the subscription term, as well as any other key dates, such as deadlines for renewals or cancellations.

  5. Financial aspects: This covers the currency in which payments should be made, the total cost of the service, and any applicable setup and configuration fees. It might also detail the monthly or annual subscription fees, as well as any provisions for annual escalations in price and any caps placed on such escalations.

  6. Third-party expenses: This section outlines any additional costs that the customer may incur from third parties as a result of using the cloud services.

  7. Limitations: This section may outline any restrictions on the use of the cloud services, such as geographical restrictions (territory), industry-specific usage restrictions, the number of allowed concurrent users, or the maximum number of transactions.

  8. Training: This part of the order form specifies any training that the cloud service provider will provide to help the customer’s users utilize the cloud services effectively.

  9. Support: This section outlines the technical support services that the cloud service provider will offer, such as a help desk, troubleshooting, and maintenance services.

Data protection schedule


A data protection schedule should be integrated into a Cloud Services Agreement whenever the cloud service provider (the data processor) will have access to, or will be processing, personal data on behalf of their client (the data controller).

For instance, this might occur when the cloud service provider needs to work with customer data to provide or improve the cloud services, or if the cloud services will be transmitting, storing or analyzing personal data during their operation.

Incorporating a data protection schedule is important as it outlines the specific obligations and responsibilities of both parties in relation to data protection, ensuring that personal data is managed securely and in accordance with applicable data protection laws.

This is crucial to uphold the privacy rights of individuals, mitigate the risk of data breaches, and maintain trust between the data controller and processor. It also helps both parties avoid legal penalties for non-compliance with data protection regulations.

Take, for instance, a cloud-based Customer Relationship Management (CRM) service. The provider might need to access personal data to troubleshoot issues, optimize the system, or to perform other tasks. The data protection schedule in the agreement would dictate how this data can be accessed, used, stored, and protected, as well as the procedures for reporting any data breaches. This, in turn, ensures compliance with privacy laws like GDPR or CCPA, mitigates privacy risks, and maintains customer trust in both the client and the cloud service provider.

Error correction service levels


Service Level Agreements (SLAs) pertaining to error correction are essential in Cloud Services Agreements as they establish a clear process and timeline for addressing and rectifying any disruptions or malfunctions in the cloud services.

The nature of cloud services is such that even with rigorous monitoring and quality assurance, issues can still occur once the services are operational. These issues can disrupt the client’s business, potentially resulting in financial losses and damage to their reputation.

For instance, imagine a cloud-based inventory management system that experiences a service outage, disrupting a retailer’s ability to track and manage their inventory. This could lead to significant operational challenges and potential lost sales for the retailer.

By establishing SLAs around error correction, both parties agree on the expected response times and corrective actions, thereby minimizing the impact of any cloud service issues on the client’s operations. These SLAs provide assurance to the client about the service provider’s commitment to maintaining the reliability and performance of their cloud services, which can foster trust and confidence in the business relationship.

For example, the Cloud Services Agreement might specify that the provider must begin addressing critical issues within one hour of being notified and resolve them within four hours. This gives the client a clear understanding of what to expect if problems arise and ensures the provider is committed to quickly addressing and resolving issues.

System response service levels


System Response Service Levels set forth the expected performance metrics for how quickly a cloud service provider’s system responds to requests from a customer’s applications or systems. These service levels can be crucial for a customer’s business that relies on rapid processing of requests facilitated by cloud services.

Imagine a business such as an e-commerce platform that relies heavily on a cloud-based system for processing customer transactions. When a customer places an order, the system must quickly respond to numerous requests – checking inventory, processing payment, confirming shipping details, etc. If the cloud service’s response time slows down significantly, it could cause delays in order processing. This could, in turn, frustrate customers, potentially causing lost sales and damaging the business’s reputation.

Similarly, consider a financial institution using a cloud service for real-time fraud detection. If the cloud service’s response time is slow, it could delay the fraud detection process, putting the financial institution and its customers at risk.

By establishing System Response Service Levels, both the client and the cloud service provider agree on the expected response times for processing requests. The Cloud Services Agreement might specify that the average response time for processing requests should not exceed a certain limit, such as 200 milliseconds. In case the service provider fails to meet these standards, the agreement may also outline potential remedies, like service credits.

In conclusion, System Response Service Levels are crucial for businesses relying on quick processing of requests through cloud services. They set the standards for service performance, ensure a smooth user experience, and mitigate the risk of operational disruptions that could negatively impact the customer’s business.

Uptime service levels


Uptime service levels refer to the percentage of time that the cloud services are guaranteed to be available and operational for use by the customer. This is often represented as a percentage, for example, 99.9% uptime, which translates to a maximum of approximately 9 hours of downtime per year.

These service levels are critical, especially when the cloud services are integral to the customer’s business operations. For instance, let’s consider an online retail business that relies on a cloud-based e-commerce platform for its sales. An interruption in the cloud services would mean that the online store goes offline, directly impacting the business’s revenue and reputation. If the cloud services provider has committed to a high uptime service level, it means they are contractually obligated to ensure the platform remains available for use almost all the time.

In a practical sense, high uptime service levels can require the cloud services provider to invest in redundant systems, failover mechanisms, and robust infrastructure to prevent and mitigate any service interruptions. Furthermore, these service levels often come with remedies such as service credits if the provider fails to meet the agreed uptime, providing a level of financial compensation to the customer for any disruption.

In summary, uptime service levels in a cloud services agreement are crucial for businesses that heavily depend on cloud services for their operations. They provide assurance of service availability, enable smoother operations, and can directly impact a business’s bottom line and customer satisfaction.

User support service levels


User Support Service Levels detail the agreed-upon quality and speed of support that a cloud service provider will offer to users of their service. These service levels become particularly crucial when the cloud services provided are technical in nature.

Consider, for example, a company that uses a complex cloud-based data analytics platform. The users – data analysts – may occasionally need guidance on how to use advanced features. If the cloud service provider’s user support is slow or unresponsive, the analysts’ work could be significantly disrupted, which could delay critical business insights and decisions.

To avoid this, the Cloud Services Agreement might specify User Support Service Levels that detail the speed and nature of support. For instance, it might state that the cloud service provider must acknowledge support tickets within one hour of submission. The agreement might also specify that support must be available 24/7, given the global nature and round-the-clock operations of many businesses today.

The agreement may additionally detail the medium of support – such as email, phone, or live chat – and might mandate the availability of resources like a helpdesk, tutorials, and user manuals.

In essence, User Support Service Levels are crucial in technical cloud services environments. They ensure timely resolution of user issues, minimize disruptions, and maximize productivity, while providing users the assurance that they can rely on a responsive and capable support team when needed. This fosters trust between the customer and the service provider, promoting a successful, long-term relationship.
