TermScout Announces Top 2019 Cloud Service Provider Contract Ratings

Today, TermScout released its first semi-annual Cloud Services Provider Contract Ratings. These ratings represent the overall findings of TermScout’s analysis into the customer-friendliness of customer agreements in the cloud services industry.

TermScout started this project by interviewing and surveying more than 100 cloud customers to understand what issues matter most to them when purchasing and using cloud services.  TermScout then analyzed the standard customer agreements of Amazon Web Services, Google Cloud Platform, IBM Cloud, Microsoft Azure, and Oracle Cloud, using its proprietary reviewing and scoring methodologies, TermScores.  After analyzing these companies’ contracts, policies, exhibits, and appendices, which often exceed 100 pages of nested terms and complicated legalese, TermScout rated each company on the primary contract provisions that matter most to the typical cloud customer.  These ratings were then weighted according to the importance of each as determined by TermScout’s market research and legal team to arrive at an overall score for each company.  The results are displayed in Table 1 below.1

“We hope these results will help cloud customers make more informed decisions about what they’re signing up to,” said Otto Hanson, Chief Executive Officer at TermScout.  “These contracts determine what happens when something goes wrong with a cloud provider, such as a data breach.  Customers have many options when it comes to cloud providers – now for the first time ever they can factor contract fairness into their decision about which provider to choose.”

In a recent survey of 450 consumers, 95% said they believe a company’s contracts are a reflection of its values and attitudes towards customers, and 44% would be very likely to stop using a company’s services after learning that its contracts are less fair than its competitors.

Interestingly, TermScout noted an inverse relationship between favorability of contracts and market share (i.e. the higher the market share, the less-favorable the contracts).  See Table 2.  This suggests that companies trying to compete for market share may be doing so in part by offering better terms to their customers.2  This discovery, combined with TermScout’s market research, validates a central thesis of TermScout: that customers care what’s in the contracts they sign and companies offering fair contracts can gain a competitive advantage.

 

The TermScout analysis revealed that in addition to having the best terms overall, Oracle had the best terms in the Warranties and Data Security categories and tied for second in Risk Allocation – all fields with heavy weights in TermScout’s rating algorithm.  This consistency in providing customer-friendly terms throughout its agreements resulted in an overall score of 58/100, which was 9 points higher than the second-place finisher (IBM, at 49/100).  “While Oracle has the best contracts among the top five providers, its terms are still far from perfect,” said Hanson.  “For example, most customers would be disappointed to learn that Oracle does not exclude its indemnification obligations (or anything else) from the limitations on its liability.”

On the other end of the spectrum, Amazon Web Services (“AWS”), the leader in the industry by market share, had significantly worse terms than any of the competitors reviewed.  AWS’s terms were especially unfavorable to customers in the Risk Allocation (by signing AWS’s agreements, you agree that AWS will never be liable to you for anything, no matter what), Warranty (AWS does not offer any warranties whatsoever), and Data Security (AWS does not publish a breach notification policy and makes only vague contractual commitments to protect its customers’ data) categories.

Additional Information

You can purchase the complete Industry Report or full individual Company Reports here.  Each TermScout report includes simple explanations of complicated contract terms, detailed analysis of potential legal issues, and citations to the original agreements.  Additional comparative analysis and negotiating tips provide the reader with the ammunition needed to demand better terms when negotiating with cloud services providers.  The full Industry Report also includes complete category rankings for each of the companies.

About TermScout

TermScout’s mission is to help people and businesses understand the contracts they sign.  We started TermScout at the Global Legal Hackathon in 2018 (called LexLucid then).  After winning in Denver, regionals, and then finals, we knew we were onto something, so we pulled a team and some resources together and started building.  We’re based in Denver, Colorado, with a team of experienced and passionate attorneys, entrepreneurs, and engineers.

1 The TermScores mentioned here are based on the versions of the cloud company contracts that were current as of the date of this press release.  To see if any scores have changed, email .

2 Market share numbers found at https://www.canalys.com/newsroom/cloud-market-share-q4-2018-and-full-year-2018 on September 3, 2019.  TermScout did not independently verify this information.  Market share data for Oracle was not listed in the Canalys article but is estimated to be close to IBM.

 

Authors

Otto Hanson

Founder & CEO, TermScout  

Ben Golopol

Contract Analyst, TermScout

What Happens When Your Cloud Provider Causes a Data Breach?

On Monday, July 29, Capital One Financial Corporation (Capital One) announced one of the largest data breaches yet to hit a major bank. The hacker accused of perpetrating the breach, Paige Thompson, once worked as a software engineer at Amazon Web Services (AWS), the cloud services company that hosted Capital One’s breached database.1 We don’t yet know whether Thompson’s ability to hack Capital One had anything to do with her former involvement with AWS, but the possibility raises an interesting question: What happens when your cloud provider causes a data breach?

The answer to this question depends in large part on what’s in your contracts with the cloud provider. While large companies like Capital One often have custom negotiated contracts, millions of businesses simply accept their cloud provider’s click-through agreement as offered. So what do those contracts say about what happens when the cloud provider causes a breach because a rogue employee of the cloud provider gains unauthorized access to a customer account? We looked at the click-through agreements for the top two cloud providers in the US and analyzed how this issue might be resolved under each. The results are astonishing.

| Provider | Did the provider violate the contract?* | If so, can the customer recover damages? | What it means |
| --- | --- | --- | --- |
| AWS | Maybe.2 AWS does not promise a lot in its contracts, so there’s not a lot for it to violate. | Probably not.3 In fact, AWS’s indemnification provision could be construed to require its customers to indemnify AWS against claims brought against AWS by victims of the breach.4 | Most customers would be pretty out of luck trying to recover damages from AWS, and may even have to defend AWS against lawsuits brought by victims of the breach. |
| Microsoft Azure | Probably.5 Microsoft contractually promises that its personnel will not breach its customer’s data. | Probably, but only for direct damages up to the amount the customer paid for the services in the 12 months preceding the breach.6 | Customers could probably recover the last 12 months of fees paid to Microsoft and would not have to defend Microsoft against lawsuits brought by victims of the breach. |

*See citations for more detailed analyses.

Sadly, data breaches can be extremely costly to businesses, so being able to recoup the amount of fees paid for the last 12 months of cloud services is not likely to make a business whole. Nonetheless, the possibility of recouping 12 months of fees from Microsoft is clearly better than the possibility of having to defend AWS against damages its employee caused.

About Citizn Company: Citizn Company is a legal technology company in Denver, Colorado that is building tools to help individuals and businesses understand the contracts they sign. Founded by attorneys experienced in reviewing and negotiating contracts, Citizn Company cuts through the legalese that is pervasive in the contracts governing virtually everything we use. By providing concise, plain-language reports on complicated agreements, Citizn Company enables you to understand exactly what your rights and obligations are so you can maximize the value of your contracts. On August 14, 2019, Citizn Company will publish reports analyzing the contracts of the top five cloud service providers, including AWS and Microsoft Azure. We educate our customers on the meanings and differences of certain contract provisions, but we do not provide legal advice. To learn more go to www.termscout.io

IMPORTANT DISCLAIMER

WE ARE NOT COMMENTING ON OR VERIFYING ANY OF THE ALLEGED FACTS REPORTED BY THE MEDIA INCLUDING WHETHER THE CAPITAL ONE BREACH WAS ACTUALLY CAUSED BY THOMPSON, WHETHER THE HACK WAS ACTUALLY ENABLED OR FACILITATED BY HER EMPLOYMENT RELATIONSHIP WITH AWS, WHETHER AWS IS ACTUALLY LIABLE OR IN ANY WAY RESPONSIBLE FOR THE HACK, WHETHER CAPITAL ONE SIGNED AWS’S STANDARD AGREEMENTS OR SOME OTHER AGREEMENTS, OR ANY OTHER ALLEGED FACTS RELATING TO THE CAPITAL ONE DATA BREACH. OUR RESEARCH AND THESE CONCLUSIONS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. THIS POST IS FOR INFORMATION PURPOSES ONLY AND SHALL IN NO WAY BE CONSTRUED AS LEGAL ADVICE.

For additional information, email or call 520-850-9814.

1 See for example, CNN’s coverage.

2 Possible breach of contract claims would include breach of AWS’s contractual commitments (a) not to “access or use” customer’s data except as needed to provide the services (Section 3.2 of AWS Customer Agreement), and (b) to “implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure” (Section 3.1 of AWS Customer Agreement).

3 If a customer did have a valid breach of contract claim, it would have to overcome AWS’s disclaimer of all possible liability whatsoever (first sentence of Section 11 of AWS Customer Agreement).

4 The standard AWS indemnification provision requires AWS customers to indemnify AWS against any claims arising from the customer’s “use of the [AWS services]” (Section 9.1 of AWS Customer Agreement).

5 Possible breach of contract claims could include breach of Microsoft’s commitments to (a) ensure “that its personnel engaged in the processing of [customer data] and [personal data] (i) will process such data only on instructions from customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends” (Processor Confidentiality Commitment, Data Protection Terms, Online Services Terms (available by downloading the English version at this link)), and (b) “implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data” (Security Practices and Policies, Data Protection Terms, Online Services Terms).

6 We did not find any provisions that would require a customer to indemnify Microsoft in such a circumstance. Furthermore, Microsoft allows claims for direct damages up to the amounts paid by the customer for the Microsoft services in the 12 months before the cause of action occurred (Section 6.a of the Microsoft Online Subscription Agreement).