Cloud computing contracts
Types of contract
What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?
B2C and B2B cloud computing contracts are frequently concluded in Turkey and can be in different types depending on the provider, offerings, and customer. B2C cloud computing contracts are usually non-negotiable and include boilerplate clauses where consumers accept such contracts via click wrap. B2B cloud computing contracts are negotiable depending on the bargaining power and the types of cloud computing services offered. It is also custom that cloud computing contracts contain links to certain documents (eg, general terms and conditions, service level agreements (SLAs), user policy) that can be amended by the provider unilaterally. Cloud provider supply chains are also common in Turkey where the developers customise the cloud computing services to the customers’ needs. Since the Personal Data Protection Law No. 6698 (PDPL) entered into force, cloud computing contracts contain data protection clauses accordingly.
Typical terms for governing law
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?
In B2B public cloud computing contracts, the law of the provider’s principal place of business or place of establishment is usually chosen. In most cases, any disputes arising from the cloud computing contracts are resolved by the local courts at the place that is selected as governing law. Arbitral clauses are sometimes incorporated to B2B public cloud computing contracts especially if such contracts are signed via secure electronic signatures or in handwriting. Selection of foreign governing law and referral of disputes to arbitration or foreign courts are subjects that need to be evaluated on a case-by-case basis, as there are restrictions of freedom to contract arising from the mandatory rules of Turkish law. Plus, the majority of B2B public cloud computing contracts are categorised as general terms and conditions that are regulated in the Turkish Code of Obligations and governing law and dispute resolution provisions may be subject to review of the Turkish courts thereunder.
In most cases, cross-border issues arise within the scope of data privacy. B2B public cloud contracts may include clauses authorising the provider to process data in a country other than the customer’s place of business. Clauses incorporated into the B2B public cloud contracts allow the cross-border transfer of personal data to the extent permissible by the applicable law. That said, the PDPL allows the cross-border transfer of personal data under certain circumstances. Similar to the GDPR, the PDPL permits cross-border data transfers to countries with adequate protection in principle. However, the Board has not published its list of countries with adequate protection as of writing. The PDPL sets out two additional methods to be followed for cross-border transfers; both require the Board’s authorisation, which are namely commitment letters (or undertaking letters) and binding corporate rules applications. Some B2B public cloud computing contracts also allow providers to use standard contractual clauses for cross-border transfers, which are not regulated in the PDPL. Instead, the PDPL only authorises cross-border data transfer provided that (1) data subjects explicitly consent to the cross-border transfer or (2) the Board approves the commitment letter application.
Typical terms of service
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?
It is common that cloud computing contracts include clauses on price and payment. Subscription-based fees are typically included either as flexible (pay-as-you-go) or annual fixed term. The service providers usually invoice the fees on a monthly basis. Usually, service providers reserve their right to change their prices unless indicated otherwise. Overdue payments typically result in the suspension of services.
Acceptable use policy
Most contracts refer to service providers’ acceptable use policies, which can be revised from time to time. Acceptable use policies (AUPs) usually contain restrictions to the use of services such as generating unsolicited bulk commercial emails, any unlawful, invasive, defamatory or fraudulent purposes, intentionally distributing viruses, etc, reselling services to third parties. Such policies tend to retain broad and catch-all phrases. In the case of violations to AUPs, service providers usually first notify the consumer and request rectification. If the breach is not corrected, the service provider may suspend or terminate the services.
Typically service providers reserve their rights to change the policies or services. In the case of substantial changes to terms or services, service providers usually inform the customers of such changes before entering into force.
Typical terms covering data protection
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?
In B2B public cloud computing systems, it is common that service providers retain provisions allowing them the utmost flexibility in data protection within the borders of applicable law. Local service providers are more inclined to include provisions that would restrict the service providers’ actions in data transfers, security levels, etc.
Typically cloud computing contracts include clauses on data security stipulating that the service provider would not access or use customer data unless it is required by the law or it is necessary for providing services. It is standard for service providers to indicate that they take all technical and organisational measures to protect personal data. Customers usually have a right to audit by appointing a third-party auditor to inspect the security of data, however, it is advised that customers indicate standards of security in the contract (eg, ISO 27001, ISO 27018).
Data integrity and preservation
Cloud computing contracts usually state that customers’ data remain complete and valid. To achieve data integrity, cloud providers offer security walls, anti-virus protections, back-up and recovery services, penetration tests, etc. In terms of data preservation, contracts may include measures to be taken by the service provider in the case of accidental loss, unauthorised erasure of data. Such measures include, inter alia, back-up systems, uninterruptible power supplies in data centres and testing of emergency systems.
Location of servers and data or cross-border transfers
Standard terms of cloud computing contracts usually do not contain provisions on the location of servers but rather indicate that customer data can be stored and processed in any country that the service providers maintain facilities. Depending on the sector and the bargaining power, customers usually request to insert clauses restricting the cross-border transfers or determining location of servers. Due to the restrictions to cross-border transfer of personal data and sector-specific rules regarding data localisation, service providers offer specific cloud computing services to accommodate such needs.
Data disclosure and confidentiality (general)
In most cases, the confidentiality provisions are mutual. Confidentiality provisions generally include a definition of confidential information, level of protection and exemptions. These clauses apply to all confidential information exchanged before and during the contract term. Data disclosure is usually allowed only to agents or employees on a need-to-know basis or if required by law (court order, decision of governmental authorities).
Typical terms covering liability
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?
Generally, both parties warrant that they have the legal capacity to conclude the cloud computing contract, and they would act in compliance with all applicable laws and rules on the provision and use of services. In some contracts, service providers also warrant services to be in line with the contractual documents, and they would use reasonable care expected from other (global or local) service providers. In clickwrap cloud computing contracts, it is common that customers are liable for integrity and preservation of their data; thus, contracts do not contain warranty clauses in this regard. Most contracts contain a boilerplate disclaimer provision stating that no other warranties are provided to the customers except as expressly provided therein.
Limitation of liability
Limitation of liability clauses vary depending on the offering and customer. Most commonly, service providers exclude any indirect liability, including inter alia loss of profit, punitive damages, penalties, loss of reputation. Usually, liabilities are capped with the annual subscription fees. Exclusion and cap on liability are mutual in some contracts. Occasionally, service providers expressly exclude all liability if cloud services are offered for free. Commonly, cloud contracts do not limit liabilities if the obligations are breached: indemnifications, confidentiality obligations, data protection and security obligations due to unauthorised use or disclosure of data, damages arising from gross negligence or wilful conduct or payment obligations.
Generally, the scope of indemnifications varies widely. Indemnification clauses set forth that service providers will defend the customers (and in some cases its affiliates) in any proceeding arising from an allegation that the offerings infringe a third party’s IP rights or disclosure of trade secrets, and customers shall defend service providers in any proceeding arising from customer data or a breach of acceptable use policy. Indemnification obligations are sometimes exempted under certain circumstances, such as infringements arising from indemnified party’s breach. Indemnification can also be subjected to written notification of allegations to the other party or allowing the party to appoint its representative who also has an obligation to defend itself.
Service-level agreements and system availability
Some cloud computing contracts entail clauses or refer to a separate service level agreement (SLA) on system availability. Service providers sometimes guarantee a minimum percentage of system availability calculated based on total use time and downtime each month. In some cases, service providers provide credits to customers if the determined rate is not reached. Occasionally, credits can be deducted from the subscription fees. Typically, service providers request customers to notify if such rates are not achieved, whereas customers wish the service providers to monitor and notify. In rare cases and upon the customers’ request, the contract may be terminated by the customer if the system availability rate is not reached within a defined period. Moreover, SLAs usually determine the incident response times, backup and restoration measures.
Typical terms covering IP rights
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?
Commonly, cloud computing contracts expressly state that customers own IP rights of their data and service providers own IP rights of their services. Service providers usually reserve their right to access or use customer data to the extent necessary for providing its cloud computing or professional services while taking measures to protect customer data. Indemnification clauses typically refer to the infringement of third-party IP rights. Such clauses usually state that service providers indemnify, defend and hold customers harmless if an allegation arises from IP infringements.
Typical terms covering termination
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?
Cloud computing contracts can be terminated immediately by either party if the other party materially breaches the contract and fails to cure the breach within the defined period or if one party becomes insolvent or ceases its operations. In rare cases, customers do not have the right to terminate the contract for convenience. Upon the effective date of termination, customers do not have access to the services, and all unpaid due fees are to be paid to service providers. Rarely, service providers are obliged to refund fees depending on the terms of the contract. Usually, service providers define a period (eg, 180 days) for customers to migrate their data before denying access to the services.
Employment law considerations
Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.
Cloud computing contracts typically contain no agency clauses stating that the contract does not establish any agency, partnership or joint venture between the parties. On the other hand, retaining cloud computing services can be defined as outsourcing as per the Labour Law and the Regulation on Subcontractors. These regulations differentiate outsourcing a part of main operations or auxiliary works that will be determined according to the customers’ field of activity. If retaining cloud computing services is to be deemed outsourcing, mandatory rules arising from the applicable law (eg, mandatory provisions to be inserted to the outsourcing contract) should be abided by. To the best of our knowledge, this issue has not been subjected to judicial review yet.