Terms and conditions for negotiating contracts for public cloud services
When negotiations are needed, these are terms and conditions that government organisations often consider — including the minimum areas they must consider.
Minimum areas to cover in negotiations
The Government Chief Digital Officer (GCDO) provides an example of a clause with the minimum areas that government organisations need to cover when negotiating contracts for public cloud services.
Providers of public cloud services can be known as ‘suppliers’ or ‘vendors’, too.
Government organisations are also called ‘affiliates’ or ‘customers’ in contracts.
Names for contracts
For contracts, you might also see names like ‘affiliate agreements’ or ‘customer agreements’.
Information sharing
Some questions in the risk discovery tool for public cloud services need to be answered by the provider. Contract clauses should allow service providers’ answers to the questions to be shared within the New Zealand public sector.
Be clear about payments for losses and disruptions
Negotiate these terms and conditions to be specific about who is responsible for paying for losses and disruptions.
Customer indemnifying provider
In contracts, providers of public cloud services often require customers to defend, hold harmless or indemnify the supplier or another entity, or both.
Advice for government organisations
Generally, under the Public Finance Act 1989 (PFA), government organisations cannot give indemnities and they should aim to exclude them from contracts.
If a customer indemnity needs to be in the contract, you’ll need to get the contract approved in line with the PFA before entering into it.
Providers of public cloud services do not always indemnify their customers for defaults, acts or omissions of the provider that cause a loss to the customer.
Advice for government organisations
The provider should indemnify the government organisation for losses caused by significant events for which the provider is responsible.
Control of claims
If the provider does agree to indemnify the customer, the contract will often state that the provider has sole control of legal aspects — such as:
defence
settlement
counsel.
Advice for government organisations
However, government organisations may need to be able to approve any defence, settlement or counsel proposed by the provider. This need comes from the Cabinet Directions for the Conduct of Crown Legal Business 2016.
Contracts with providers of public cloud services often do not limit the liability of customers to the provider. ‘Limited’ may mean, for example, that either:
a maximum liability cap applies
indirect and consequential losses are not claimable, or
both apply.
Advice for government organisations
Government organisations will want their liability to be limited to help them quantify their exposure and so that risks under the contract are appropriately allocated.
It might, however, still be acceptable to a government organisation if some events give rise to unlimited liability — such as a:
violation of the provider’s intellectual property rights
breach of the government organisation’s confidentiality obligations.
Provider liability
Providers often exclude their own liability to the customer to the maximum extent allowed by law.
Advice for government organisations
Providers should accept liability for their acts or omissions to an extent that reasonably protects government organisations against losses caused by the provider.
The provider’s liability can be limited, but there may be exceptions where unlimited liability should apply too — such as:
wilful misconduct
violation of third party or customer intellectual property rights
unauthorised use or disclosure of customer data
breaches of the supplier’s confidentiality obligations.
Note that it is not always appropriate for the government organisation’s and the provider’s liability to be equivalent or reciprocal. The two parties may be quite different from each other, and so call for different liabilities, in their:
risks
likelihoods of breaching the contract
potential losses.
Guarantee options for your organisation
Negotiate these terms and conditions to make sure you have options instead of accepting contracts as set by providers.
Warranties
Some contracts leave out provider warranties or only state the service is provided ‘as is’. Other contracts may limit the following aspects of the warranties:
scope
duration
remedies.
Advice for government organisations
Government organisations might want the provider to guarantee that it can perform the contract properly at all times. Warranties may cover that the provider:
supplies services that comply with technical and functional specifications — including security information
has the necessary intellectual property rights to provide the services
will supply the services with due skill and care
gives accurate information.
Service levels
Public cloud services may be subject to service levels. Often, these are standard across all of the provider’s customers. This makes it hard to negotiate contracts specific to your organisation.
Advice for government organisations
Without the option to negotiate, it’s important for government organisations to assess the provider’s service levels to see if they will meet their needs.
Exclusive remedies
Providers may try to limit the remedies that customers can use for breaches and other failures by the provider. For example, the contract may state that service credits are the only remedy in the case of a breach of service levels.
Advice for government organisations
It’s usually best to make sure government organisations have access to a range of remedies, such as:
damages
service credits
re-performance or re-supply
termination.
This is best practice because it allows for flexibility if providers breach or default on services in the contract.
An exception may be when a provider changes the service offered, in which case it’s common for termination to be the government organisation’s only remedy.
Dispute resolution
Some contracts do not include provisions for dispute resolution. When present, some contracts might require going through multiple escalating processes to deal with any issues between the provider and customer. This can include arbitration.
Advice for government organisations
It’s usually the best option for government organisations to use mediation when disputes cannot be resolved through standard:
relationship management
governance arrangements.
Nothing in the contract should prevent either the customer or provider from seeking urgent relief in a court of law. In the contract, government organisations should insist that New Zealand law and jurisdiction apply.
Make sure contracts allow for information to be secure
Negotiate these terms and conditions to be sure a provider’s service allows the information of NZ government and New Zealanders to be secure.
Governing law and jurisdiction
Contracts with providers may be governed by overseas laws. Customers are not usually familiar with overseas laws and the laws might:
make it expensive and time-consuming for customers to enforce their rights or the provider’s obligations
increase jurisdictional risks — that is, data sovereignty.
Advice for government organisations
It’s best practice for government organisations to insist that New Zealand law and jurisdiction apply to the contract. This is regardless of where the provider is based or where the:
service is provided
data is stored.
Information security
Contracts do not always mention how security-related risks and incidents will be managed. Contracts sometimes do not state in any detail how customers will be notified:
when the risks happen
about the impacts of risks happening.
Advice for government organisations
It’s best practice for the contract to require the provider to:
let customers know when security incidents happen and their impacts
fix issues quickly, in a reasonable timeframe, at its own cost.
Data and privacy
Contracts do not always deal with how the provider will:
manage customer data — for example, personal information or data about the business operations of government organisations
work with the customer if any issues occur that affect customer data.
Advice for government organisations
The contract should describe how the provider deals with issues that affect customer data. This includes specifying that the provider:
gives written notice to customers before giving any of their data to a regulatory or other government organisation in any jurisdiction
complies with all applicable privacy laws when personal information is being used with the service
either returns or deletes customer data after the contract terminates or expires.
Confidentiality and Official Information
Contracts often include provisions for the provider’s confidentiality.
Advice for government organisations
For clauses covering the use and disclosure of confidential information, government organisations need to make sure the:
clauses are mutually expressed — that is, they do not apply only in favour of the provider
provider acknowledges that the government organisation may be subject to either the:
Contracts sometimes include clauses for intellectual property (IP) that are either:
worded broadly, with few details
explicitly worded in the provider’s favour.
For IP which government organisations would otherwise expect to keep, such clauses can mean that government organisations could end up not:
owning it
having rights to use it.
Advice for government organisations
Government organisations should make sure IP clauses are not over-reaching and allow them to:
own all their property — including client and operational data
keep appropriate use rights — including after the contract ends.
Entire agreement, applicable documents and precedence
Contracts often come with additional documents, such as:
policies
product terms
specifications
service level or support agreements.
The contract often states that these documents may be added to or changed over time.
Advice for government organisations
When the contract is made up of many documents, government organisations need to be clear which one applies if there’s a conflict or inconsistency between any of the documents. Setting this up is often called a ‘precedence clause’ and needs to:
identify all the applicable documents up front
set which documents have power over each other — an order of precedence
state that the applicable documents cannot be changed without government organisations agreeing to it — see ‘Amendment’ in the next section
declare that no documents outside of the contract can change the agreed document set or the order of precedence — for example, order forms or invoices cannot change the contract.
Amendment
Some contracts allow the provider, without first getting the customer’s agreement, to change:
the terms of the contract
any document in the agreed contract set.
Advice for government organisations
It’s best practice to make sure providers cannot change the previously agreed services without government organisations’ written approval.
Providers might disagree with this limitation because, for example, it might be too much administrative effort to get all customers’ written approvals before making changes to services. Providers might insist on being able to make changes that apply to all their users, for example to:
services
policies
standards.
If providers insist on having the ability to make changes to the previously agreed terms without getting approval, government organisations will usually be able to terminate the contract.
It’s best to set this out in a clause stating that if a service changes, the government organisation can end the contract.