Cloud Services Agreements and their Impact upon the Outsourcing Market

January 7, 2022

In times gone by, IT infrastructure services were a staple of the outsourcing services market. Customers would find it cost effective to outsource the support and maintenance of their mainframes, servers and desktop IT infrastructure to specialist outsource service providers (initially dominated by the likes of IBM, HP/EDS and DXC, and thereafter also India based players such as HCL Technologies, Infosys, Wipro and TCS). Such contracts have however become increasingly less common, as companies look to take advantage of public cloud service providers and reduce their own IT infrastructure footprint. It seems ever more likely that the scope of cloud offerings will continue to expand and eat into other more traditional forms of outsourcing, particularly in the BPO world. If that is the case, we can expect to see more of the kinds of contract terms offered by the “hyperscale” cloud vendors for their IaaS and PaaS services being also proposed as the basis for such BPO “as a service” arrangements…but what will this mean in practice?

As those who have negotiated contracts for public cloud IT infrastructure services will know, the leading suppliers in that space (in particular the “hyperscale” suppliers such as Microsoft, AWS and Google) will expect to be able to contract off their own documentation. This can be an immediate shock to the system for larger customers who will be used to negotiating outsourcing contracts from the starting point of their own precedents.

More shocks will come when the customer looks to analyse the kinds of provisions contained in such standard form contracts. Given the values of outsourcing contracts and the tendency for them to be awarded via competitive procurement processes, medium to larger sized customer organisations at least will be used to enjoying a fair amount of bargaining leverage in their negotiation of outsourcing contracts, and having the balance of the contract clauses slanted in their favour. They will not see this replicated in the kinds of standard form cloud services terms offered up in the market today for IaaS and PaaS services (and which we can anticipate would be used as the basis for any extension by such cloud services players into the wider outsourcing services arena). Hence the norm may be to see – amongst other things – a number of “challenging” contract provisions, including the likes of:

  • Rights for the service provider to make adjustments to the Services (or to discontinue elements of them) with the Customer’s consent, and without the Customer having the right to exit the contract
  • Limited warranty commitments
  • Restricted Service Level offerings, with such service credits as may be on offer being framed as a sole and exclusive remedy
  • No or only very limited audit rights
  • Extensive rights for the service provider to suspend the provision of some or all of the services
  • Mutual termination rights, or perhaps even termination rights which are more extensive for the service provider than they are for the Customer
  • Extensive limitation and exclusion of liability provisions (often one way in favour of the service provider)

Many of these positions have their genesis in the nature of public cloud services that are offered on a commodity style “one to many” basis. Others perhaps result from the fact that many cloud services providers have not had to subject their contract terms to too much scrutiny, as deal values have not been high enough and the services being offered (or the functions that they would support) are not too business critical. However, this has certainly changed as more and more use has been made of public cloud infrastructure services, and would change still more as critical BPO services get recast on “as a service” models.

So, to what extent may the traditional outsourcing contract models and the newer cloud services ones reach some kind of accommodation…?

Looking first at the right of the service provider to make changes to its service offerings, this seems unlikely to be surrendered by cloud service providers. Their service model will likely continue to be based on having a common platform/solution which is then used to provide the relevant services to multiple clients. This is at the heart of the cost efficiencies which the customers ultimately benefit from, and the service providers will point out – with some considerable justification – that they would be unlikely to make commercially unreasonable or unnecessary changes to their services , for fear that it would make them less competitive in the wider marketplace. However, there is more scope for individual nuances and requirements in the BPO world as opposed to the ITO one, such that customers may be more significantly impacted by such changes. As a consequence they may push harder for at least some guard rails to constrain the application of such contract rights, including:

  • A confirmation that any changes are genuinely being applied across the wider customer base of the service provider, rather than being directed against the customer on a more discriminatory basis
  • A provision to provide for a reasonable adjustment to any minimum revenue commitments or similar commercial arrangements, if the changes have a negative impact upon the customer’s ability to consume the relevant cloud services
  • A right for the Customer to exit the cloud arrangement in the event that the changes have a negative impact upon its business or its costs of receiving the cloud services in question

The Customer may then turn its attention to the Service Levels which are on offer. In the IaaS/PaaS world, these can look good, but our own experience with clients suggest that when applied in practice, they only rarely result in any form of service credit reductions. In particular, the focus tends to be on out and out unavailability of a particular part of the cloud infrastructure, rather than the more likely “brown out” periods of service degradation.

I suspect that BPO related Service Levels in the new cloud world will be extended beyond pure service availability, and will relate to the same kind of metrics as are seen in BPO deals today, such as degrees of accuracy and speed of completion. However, I also anticipate that the service providers will continue to push for standardised approaches ( “commoditised” SLA offerings which are not then open for negotiation on an individual basis), and may also remain wedded to having them as a sole and exclusive remedy (albeit that we have seen some flexibility in this regard in the IaaS and PaaS market).

Another contentious area in the outsourcing market – particularly in relation to BPO deals – is the extent to which service providers will commit to ensure compliance with applicable laws (and especially those which extend beyond the laws and regulations which apply specifically to them as outsource service providers). The approaches of different service providers can vary significantly and depend on whether the laws and regulations in question are:

  • Specific to the service provider;
  • Specific to the Customer (and/or its business sector);
  • Specific to the type of outsourced services being provided; or
  • Generic in nature (that is applicable to all kinds of companies, regardless of what they are involved in doing)

Cloud service providers have historically taken the view that they can only commit to comply with the laws relevant to them as service providers, given the fact that their customers will frequently operate across various different jurisdictions and will come from multiple different business sectors. However, they may find this position subject to a greater degree of challenge as they extend their offerings into the BPO space; for example, if there is a cloud based HRO service, customers will expect that it will then be compliance with the relevant employment laws which are inherent to such activities.

Another area where cloud service providers may find an increased degree of push back as they take on more of the traditional outsource services market is related to suspension and termination rights. As things stand, and at least in relation to mid to larger sized outsourcing arrangements, these kinds of provisions would usually be slanted more heavily in favour of the Customer, for example the service provider would have no rights to suspend its provision of services short of an actual termination and its only termination right will often be linked to a material degree of non payment of undisputed fees (on the basis that any other breach by the Customer can instead be addressed by providing relief for the service provider vis a vis any impact upon the provision of the outsourced services, and potentially financial compensation).

By contrast, cloud services contracts have generally been far more supplier friendly. The service provider will often have broadly crafted suspension rights (including for any breaches of the contract or acceptable use policies, whether or not material in nature) and also broad termination rights, which will at the least be reciprocal/mutual in terms of scope vis a vis the Customer, but in some cases may actually be wider in the service provider’s favour.

Given the increased business criticality of many of the outsourced services which may come to be provided “as a service”, I anticipate that the balance of these provisions will shift somewhat. We have already seen cloud service providers agree to exit/termination assistance related provisions more familiar to outsource service market (to provide for the continuation of the services for a potentially lengthy time post the point where the contract would otherwise have been terminated or to allow for transition of the services to another platform or supplier), and I expect there to be a gradual process of restricting the scope of termination and suspension rights available to the service providers whilst also extending the termination triggers available to the Customer. For example, more concepts of materiality and/or the requirement for there to be some kind of risk or impact upon other third parties by reason of the one-to-many service delivery model may be incorporated), and triggers linked to service quality/SLA performance as opposed to just arguments as to “material” breach may be included).

Another area where I anticipate a significant degree of development in terms of market positions is in relation to liability clauses (which are always a subject to considerable attention during any outsource contract negotiation!).

Again, the “traditional” outsource and cloud services worlds come at this from opposite ends of the spectrum; contract provisions in outsourcing agreements will tend to be more favourable for the Customer, with more sizeable liability caps (often 150% or more of average annual charges) and longer lists of unlimited liabilities, whereas the liability provisions in commodity style IaaS and PaaS contracts have been far more restrictive, with limits often being tied to the amounts of charges relevant to the defective elements of the services, rather than the charges under the overall contract.

One particular challenge for the service providers here is that, if the problem giving rise to a claim is related to the core platform or solution, then the fact that it is offered in common to multiple clients will mean that it is more likely that it will simultaneously impact upon many or even all of them. If the service provider has then moved to accept more onerous liability provisions with some or even most of such clients during the course of its contract negotiations with them, the impact of such problems will then be magnified. However, against this is the fact that issues may relate to individual service locations from which the cloud service provider operates (e.g. just one data centre) or may relate to configurations or services which have been specifically provided to a particular Customer. In such cases, the Customer will argue that there is no reason why its limits of liability should not represent a fairer balance of risk vs reward by reference to the total amounts to be paid to the service provider under the contract in question, bearing in mind also the likelihood that some form of insurance cover as would be available to the service provider to protect against the impact of such claims.

It is not surprising, therefore, that we have already seen a considerable degree of negotiation (and prospects for amendment) in relation to such contracts even in relation to IaaS and PaaS services, and any further extension of the cloud services model to other forms of outsourced services (and in particular more business critical services and/or contracts for greater values) will certainly exacerbate that trend.

In terms of contract provisions which have seen movement in the context of cloud services agreements, it is also worth mentioning audit rights. For outsourcing agreements, audit rights are usually quite extensive, enabling the Customer to undertaken on-site verifications of the services being provided and compliance with the terms of the relevant contract provisions. By contrast, such rights are noticeable by their absence in standard cloud services contracts, a position justified by the one-to-many service delivery model and the practical difficulties of providing audit access to systems or facilities which are used to simultaneously support multiple clients.

However, the lack of audit rights has caught the eye of regulators in the financial services space in particular. At the same time they are increasingly viewing the provision of cloud services as a form of outsourcing in any event so as to bring the provision of such services within the scope of their usually quite extensive contracting requirements. These positions have progressively hardened in recent years, as witnessed by the audit requirements mandated by the FCA for the provision of cloud services in their FG 16/5 guidance, and the requirements similarly mandated by the EBA in relation to cloud services which could be seen to fall with the scope of their guidelines on outsourcing. With the financial services sector being such an important source of work, cloud services providers have been obliged to respond accordingly and accept that they will need to provide at least such audit rights as the regulators have mandated. Once this has been done, however, Pandora’s Box will have been opened as it then becomes clear to organisations in other sectors that such audit rights can be granted, albeit that the service provider does not want to do so. Whilst many cloud service providers we see seek to maintain the line that they will only grant such rights where mandated by law or regulation to do so, there is already latitude to move on larger deals, and this is again something which can be expected to continue as more more functions are outsourced onto cloud platforms.

Accordingly, the convergence of cloud solutions and the outsourcing services market looks set to provide lawyers with plenty of food for thought in the coming months, with a lot of scope for negotiation as revised market standards and expectations develop, and while service providers compete for business in relation to new and potentially lucrative types of cloud enabled outsourced services. I suspect that there will not be a “one size fits all” approach at the end of the day and that we may end up with a greater degree of variation in terms of contract clauses than was perhaps the case with a typical IT infrastructure outsourcing agreement 10+ years ago, which overall should be a good thing.

This article was first published in the Outsourcing Focus issue, December 2021, which you can download here.

profile picture of Kit Burden

Kit Burden, Partner, (Technology & Strategic Sourcing) Global Co-Head of Technology Sector, DLA Piper