Technology Agreements

via Cloud Computing

Dan Anixt

Assistant General Counsel

Verizon/Terremark

May 7, 2013

Introduction:

What is the Cloud?

Three Basic Models of Service

Software as a Service

Platform as a Service

Infrastructure as a Service

Software as a Service

Allows users to access and utilize software installed by the cloud provider

Process is transparent to the user

An example is Google Aps

Platform as a Service

Providers deliver a platform to users with an operating system,

programming language environment, and server

Allows users to develop software without incurring underlying software and

hardware costs

Infrastructure as a Service

Providers deliver virtual and/or physical infrastructure to customers

Allows customers to deploy software applications and data into the

cloud

Allows scaling of services to accommodate customer needs

Provides the option of a public or private cloud depending on needs

and security requirements

The focus today will be on transactions involving Infrastructure as a

Service

Benefits of the Cloud

Reduced infrastructure costs reducing or eliminating the need to

maintain software and systems

Reduced capital expense by shifting it to operational costs

Reduced labor costs

The Verizon Terremark Model

ACCELERATING

INNOVATION

A market leader in infrastructure,

cloud and security services

3,000+ employees with facilities in 19

countries

Full portfolio of high value capabilities

ACCELERATING INNOVATION

10

Terremark Services Portfolio

Globally Delivered from World-Class Facilities

Challenges of Negotiating Cloud Agreements

Software Licenses

SLAs

Network Security

State and Federal Regulations

EU Regulations

Discovery

Software Licenses

The cloud offers major costs savings by outsourcing application and

data storage plans

The assumption that many make is that their existing enterprise

software application licenses can be ported to the cloud

This assumption can be costly

Issues that can arise when the terms of existing licenses are not

properly understood include:

Costly audits

License revocation

Potential breach of contract litigation for breaching the terms of the license

Software Licenses (continued)

Steps that can be taken to mitigate the risk of software licenses:

Know the licenses you have - how flexible are the terms when it comes to

porting software onto the cloud?

Understand the license rights that the cloud service provider has secured.

What does the provider’s license cover? More important, what does it not

cover?

Negotiating the Software License

If a new license proves necessary, the following strategies can

minimize/mitigate the cost:

See what credit can be applied from existing enterprise licenses with the

vendor

Look at alternative pricing models such as pricing that varies with usage

which nicely dovetails this with the flexible capacity of the cloud

Leverage the relationship with the cloud provider – often the provider can

secure better pricing terms with the software vendor due to its relationship

with the software vendor

SLAs

Like any outsourcing service level agreements (SLAs) are critical in

the cloud

At a minimum SLAs should provide for:

system uptime

redundancy of systems

data protection and backup

Note that the level of SLAs provided will depend on whether data and

applications are in a private or public cloud.

Private clouds which are dedicated to the customer are more secure

and tend to have stronger SLAs, but cost more than the public cloud

SLAs (continued)

In determining whether the public or private cloud is preferable, the

customer should look at how critical the data and applications are

Key data and applications should be in the private cloud

Less critical data and applications such as archives should be in the

public cloud

Intellectual Property (“IP”) Protection

In negotiating with a cloud provider, it is critical to negotiate IP

ownership rights particularly when using the cloud to develop

applications

Knowing what IP protections and rights to demand depends largely

on what the customer intends to use the cloud for once applications

and data are operating on it

When using the cloud carefully vet IP indemnity protections as cloud

providers will often disclaim liability for third party IP, such as third

party software

If the cloud provider does not provide third party software

indemnities (or only passes through limited indemnities), it may be

necessary to directly negotiate them with the software provider

Network Security Assurance

When selecting a cloud provider, due diligence of the level of security

of the provider is key

For example, Verizon/Terremark offers a full suite of network security

services in conjunction with its cloud offering

Carefully vet the physical and logical security of the cloud vendor

Questions to ask:

What security software is in place?

What network security standards are used?

What security audit rights are permitted?

What is the physical security like at the data centers?

State and Federal Laws and Regulations

When porting data onto the cloud, several state and federal

regulations come into play

Federal laws/regulations include:

Gramm-Leach-Bliley (“GLB”) which governs storage of private financial

data

The Health Insurance Portability and Accountability Act (“HIPAA”) which

covers storage and protections of medical records

Federal Trade Commission regulations on identity theft

Massachusetts data privacy regulations governing encryption of personal

information

EU Regulations

EU Directive 95/46/EC governs collection, processing, and transfers

of personal data and can present significant issues for multinational

companies using the cloud

Recent enhancements proposed in 2012 include even more stringent

penalties and rules for data protection

Handling Data – Legal and Regulatory Risks

Key questions to ask:

What data is going on the cloud? (e.g. financial, healthcare records, other

individual personal data)

Where is the data coming from and where is it going? (EU data protection

rules are critical here.)

What is the plan for securing and complying with data security and privacy

rules

When negotiating with the cloud provider, inquire about its baseline data

privacy and security policies to make sure they are sufficient

Once in the cloud, take steps to monitor and inventory what is going in the

cloud and make sure protections are in place to make the storage and

handling of data legally compliant

Discovery

As with all information in the possession of a company, data in the cloud is subject to e-discovery

It is key to know where data is stored and what data is stored in the cloud

The ability to fully retrieve and search data in the cloud is key

Many cloud providers, such as Verizon Terremark, provide e-discovery software services for the cloud

Carefully thought out procedures for litigation holds, document retrieval, and processing should mitigate the risk of discovery sanctions

Furthermore, once litigation commences, it may be advisable to maintain such discoverable data on a private cloud to enhance security

Questions