It is pretty well established that users can expect public cloud service vendors to provide some form of service credits in the event of system downtime. “Downtime” may be classified as time that critical infrastructure, network, and/or server hosts are unavailable. In the event the vendor fails to meet certain uptime guarantees, users may be entitled to receive a percentage of their monthly service fee as a credit against future months’ service fees. The amount of the credit, and the exceptions for when the credits apply, vary widely.
Lately, however, I’ve seen a few vendors try to expand the application of service credits to service issues beyond downtime, to include the vendor’s breach of confidential data, the vendor’s failure to maintain its network, failure of the vendor to give users notice of scheduled maintenance, and other problems that are wholly independent of system downtime. And unless users read the terms of the cloud service agreement carefully, they may be unwittingly agreeing to accept monthly service credits as their exclusive remedy for these types of breaches by the vendor.
As an example, say the vendor fails to apply a security patch and that misstep results in the unauthorized disclosure of the user’s company’s sensitive and confidential data. The damage to the user’s business may be truly significant and costly, but if the vendor has incorporated service credits as the user’s exclusive remedy for such a breach, the user’s only recourse is to get a discount on their next monthly bill.
Whether or not these clauses are negotiable can certainly depend upon the nature of the cloud service, the parties’ relative negotiating strength, and how much the user is paying for the service. As part of any vetting process with a new cloud services vendor, it is advisable to include on the user’s checklist how the service level agreement is applied.