Davide M. Parrilli, ICRI Dagstuhl, 24 March 2009 A Legal Analysis of Service Level Agreements in a Grid and Cloud Computing Environment Going beyond Business.

Davide M. Parrilli, ICRI

Dagstuhl, 24 March 2009

A Legal Analysis of Service Level Agreements in a Grid and Cloud Computing Environment

Going beyond Business Practices

http://www.law.kuleuven.be/icri

Agenda

• SLA: Introduction;

• SLA and Grid/Cloud computing;

• The business practice;

• SLA negotiation;

• Validity and enforceability of the SLA;

• Liabilities.

SLA: a contract between a user and a provider of a service specifying the

conditions under which a service may be used. It describes the provider’s

commitments and specifies the penalties if those commitments are not met.

An SLA is a legally enforceable contract (exceptions do exist in

academia).

SLA: introduction

Legal assessment of the impact of Grid/Cloud computing on SLAs

Question:

Is Grid able to influence the content of the SLA(s)?

Topic relevant for all technologies that adopt dispersed resources and increase

the quality of the offered services (Cloud!).

SLAs and Grid/Cloud computing (I)

Method of the research:•Survey between the BEs of

BEinGRID. The BEs responded to the above question: 20 % said ‘yes’, the others have to think about that;

•Analysis of business practices.

SLAs and Grid/Cloud computing (II)

Scenarios

Grid/technology

provider

Service provider

End user

SLA 1: Grid provider/Service provider

SLA 2: Service provider/End user

Often in the business practice the SLA must be read in combination with other contracts (e.g. customer

agreement): we focus on the contractual relationship between the parties regulating…

SLAs and Grid/Cloud computing (III)

…The content of the SLA (technology provider-service

provider, service provider-end user), i.e.:•QoS: availability, system performance;

•Fees;•Assistance and support service;

•Security;•Liabilities and remedies (service credits);

•The use of the Grid and of the Grid/Cloud-based services made by the customer: no gambling, child

pornography, discriminations, phishing, viruses, trojan horses, etc. – liabilities to be negotiated on a case-by-liabilities to be negotiated on a case-by-

case basis or imposed by the providercase basis or imposed by the provider.

SLAs and Grid/Cloud computing (IV)

In particular:

management on top of the allocated resources: availability

(compute resources, storage etc), network performance (latency, throughput), etc.

SLAs and Grid/Cloud computing (V)

Question of a typical customer:

Why should the SLA in a Grid/Cloud environment be the same as in non

Grid/Cloud scenarios?

Better expected services = more favorable SLA for the customer!

SLAs and Grid/Cloud computing (VI)

For instance (real needs!):•Most clients of Xignite (financial Web

service provider that delivers market data from the Cloud) are fine with 99.5 to 99.9 % availability. Some want as high as 99.99 %;•Gary Slater (LiveOps): clients want their

system to work all the time.

SLAs and Grid/Cloud computing (VII)

Gerry Libertelli (CEO Ready Techs): “technically, there should be zero

downtime associated with a Cloud [and Grid] instance, since almost everything in a

Cloud is redundant by nature and easily reinstantiated in the case of a failure.”

MOSSO: “since we operate clusters of servers, maintenance that causes downtime should be

rare.”

SLAs and Grid/Cloud computing (VIII)

Thus….Answer of the rational and informed

customer: If I pay (more?) for a service that is

expected to be better than that I was used to, I want to see this in the SLA I sign (influence of technology on legal

agreements).

SLAs and Grid/Cloud computing (IX)

The business practice (I)

Example of ‘traditional’ standard clause (long long time ago…?):

“The system will not be available for 2 hours daily for scheduled

backups and system maintenance”.

Amazon:•S3 Simple Storage Service (storage in 1

bucket): service availability 99.9 %;•EC2 Elastic Compute Cloud: 99.95 %

availability.

Grid/Cloud influence SLAs: better services = different SLAs

The business practice (II)

Joyent:

“Cloud computing brought to you with the power of the Joyent Accelerator”.

Accelerator hosting SLA (Grid container hosting account services):

100 % availability for all users.

The business practice (III)

Google:

SLA for Google Apps Premium Edition: 99 % availability.

Thus…

Performance may be the next focus in Grid/Cloud computing SLAs (Stephane

Dubois, CEO Xignite).

The business practice (IV)

SLA negotiation (I)

Phases:

1. SLA contract definition (template, proposal);

2. Negotiation and signing of the contract;

3. Monitoring;

4. Enforcement.

E-negotiation: focus on agreeing on the conditions of the SLA (QoS, price,

etc).

Human intervention combined with computer-generated process.

E.g.: g-Forge SLA-negotiation: a plug-in is used to decide whether an offer shall be

refused or accepted.

SLA negotiation (II)

E.g.: Web Services Agreement Specification (WS-Agreement): the

protocol is based on a simple round “offer, accept” message exchange.

As far as the parties can managemanage the negotiations and the agreement

reflects their willwill, no legal contractual barriers.

SLA negotiation (III)

Entirely computer-controlled/generated negotiations with no human intervention

(realistic scenario?):

doubts as regards the validity and enforceability of the contract. Does the SLA really represents the will of the parties? Is it

a real agreement?

Tip: prior agreement stating that the parties will be bound by the computer-

generated SLA.

SLA negotiation (IV)

Legal/technical issues in e-negotiations:

security and reliability of the system and network: it is necessary to be sure that all messages have been received and the contract is

really in force.

SLA negotiation (V)

When is the SLA legally valid and binding?

The principle (common law and civil law countries) is that a contract is

deemed to come into existence when acceptance of an offer has been

communicated to the offeror by the offeree/when the offeror knows that

the offeree accepted.

Validity and enforceability of the SLA (I)

Need to check whether the contract shall be made in written form!

Does an e-contract respect this requisite?In the EU, all Member States should allow the

conclusion of e-contracts with electronic signature (Directive 1999/93/EC).

Alternatives:•E-mail with electronic signature;

•Paper-based contracts with ‘real’ signature.

NB: contracts with public authorities, check the standards set in the specific country (e-signature, e-document).

Validity and enforceability of the SLA (II)

B2B SLAs

Which law will govern the contract and will be applicable for the (contractual)

obligations arising from the SLA?

Rome Convention 1980:•A contract shall be governed by the law

chosen by the parties – Art. 3(1);

…

Validity and enforceability of the SLA (III)

…• In absence of choice, the contract shall

be governed by the law with which it is most closely connected – Art. 4(1) – that

is…;• …the country of the principal place of

business of fixed establishment of the party (business) who is to effect the

performance which is characteristic of the contract – Art. 4(2).

Validity and enforceability of the SLA (IV)

The provision of the service is the performance characteristic of the

contract.

The law of the country of the technology provider or of the service

provider will be applicable (Rome Convention 1980 is universal).

Validity and enforceability of the SLA (V)

For instance:1.US (California) Grid/Cloud provider – Spanish service provider: American (Californian) law will be applicable;

2.Spanish service provider (SaaS) – Brazilian customer: Spanish law will be applicable.

Law applicable to what? (a) interpretation; (b) performance; 

(c) within the limits of the powers conferred on the court by its procedural law, the consequences of breach, including the

assessment of damages in so far as it is governed by rules of law; 

(d) the various ways of extinguishing obligations, and prescription and limitation of actions; 

(e) the consequences of nullity of the contract.

Validity and enforceability of the SLA (VI)

B2C SLAs (with a consumer) – Article 5(2):

“a choice of law made by the parties shall not have the result of depriving the consumer of the protection afforded to him by the mandatory rules of the law of the country in which he has his habitual residence:

- if in that country the conclusion of the contract was preceded by a specific invitation addressed to him or by advertising, and he had taken in that country all the steps necessary on his part for the conclusion of the contract […]”

Validity and enforceability of the SLA (VII)

Article 5(3):

if there is no choice the contract shall “be governed by the law of the country in which the consumer has his habitual residence if it is entered into in the circumstances described” in the previous slide.

Validity and enforceability of the SLA (VIII)

Problem: is it possible to say that invitation/advertisement was carried on in

the customer’s state if the invitation/advertisement was made in a web

site? Back in 1980 it was said that if a “German replies to an advertisement in American publications, even if [the goods or services] are sold in Germany, the rule does not apply unless the advertisement appeared in special editions of the publication intended for European countries”.Different possible solutions – case by case

basis – great uncertainty

Validity and enforceability of the SLA (IX)

Validity and enforceability of the SLA (X)

Formal Validity of the SLA – Article 9(2) Rome Convention:

“A contract concluded between persons who are in different countries is formally valid if it satisfies the formal requirements of the law which governs it under this Convention or of the law of one of those countries.”

Tip: the contractual regulationcontractual regulation should be as complete as possibleas complete as possible. Parties should state, in the SLA or in a framework contract, which law will

be applicable and how potential future conflicts will be solved

(competent court, ADR).

Validity and enforceability of the SLA (XI)

Technology providers tend to limit their liabilities as much as possible.

E.g.: “we and our licensors do not warrant that the service offerings will function as described,

will be uninterrupted or error free, or free of harmful components, or that the data you store within the service offerings will be secure or not otherwise lost or damaged… We…shall not be

responsible for any service interruptions, including, without limitation, power outrage,

system failures or other interruptions.” (Amazon Web Services Customer Agreement).

Liabilities (I)

Service (SaaS) providers do the same!E.g.: “we are not liable to you…for any direct, indirect, incidental, special or consequential

damages or losses arising out of access to or use of the Service or inability to access or use

the Service or out of any breach of any warranty including, without limitation, damages or losses resulting from acts of god or events of similar case or the consequences of viruses received by you via the Service, even if we are advised of the possibility of such damages or losses.”

(Business Professional).

Liabilities (II)

The risk, at the end, is shifted to the final customer…

Technology provider Service Provider End user

Liabilities (III)

Impact of Grid/Cloud failures in a SaaS scenario: who is liable for what?

•The technology provider does not take liabilities;•The SaaS provider does not take liabilities;

•The end use…the loser takes it all!

Legislative intervention to allocate risks and liabilities in a fairer way?

In B2C, the application of the Rome Convention can In B2C, the application of the Rome Convention can mitigate the risks for the customer.mitigate the risks for the customer.

Liabilities (IV)

“The best strategy for dealing with the risks of Cloud vendors is to mitigate

them before you move your applications and data into the Cloud.

Do what you can to protect your business before you sign a contract

with a Cloud or SaaS provider.” (Anne Grubb).

Liabilities (V)

In practice…

Distinction between (i) SLAs negotiated between equals and (ii) standard contracts imposed by big

players.

In the latter case, the customer (B2B) takes the risk.

Liabilities (VI)

Rules of jurisdiction:

What if the customer is a consumer (B2C)?

Regulation 44/2001: in case of ‘active’ website of the supplier, the special rules aimed to protect the consumer (who is a

consumer?) apply (Art. 15-16).

Consumer (domiciled in the EU) – Business (extra-EU)

Belgian consumer v. US company = judge ex Belgian rules

US company v. Belgian consumer = Belgian judge

Consumer (domiciled in the EU) – Business (EU)

Belgian consumer v. German company = German or Belgian judge

German company v. Belgian consumer = Belgian judge

Liabilities (VII)

In the field of B2C transactions, substantial (which law?) and procedural rules (which judge?) limit the unbalanced position between Grid/Cloud provider and the customer.

However, these rules are often of difficult application: need for clarifications.

Liabilities (VIII)

Liability of the technology provider/service provider towards third

parties: E-commerce Directive (2000/31/EC).

Limitations of liability:•Grid providerGrid provider: hosting (Art. 14) – duty of

care;•Service providerService provider: mere conduit (Art. 12), caching (Art. 13), depending on the case.

Liabilities (IX)

Thanks for you attention!

Davide M. Parrilli

ICRI-K.U. Leuven-IBBT

[email protected]