A Legal Analysis of Service
Level Agreements in a Grid and
Cloud Computing Environment
Going beyond Business Practices
Davide M. Parrilli, ICRI
Dagstuhl, 24 March 2009
http://www.law.kuleuven.be/icri
Agenda
•SLA: Introduction;
•SLA and Grid/Cloud computing;
•The business practice;
•SLA negotiation;
•Validity and enforceability of the SLA;
•Liabilities.
SLA: introduction
SLA: a contract between a user and a
provider of a service specifying the
conditions under which a service may be
used. It describes the provider’s
commitments and specifies the penalties
if those commitments are not met.
An SLA is a legally enforceable
contract (exceptions do exist in
academia).
SLAs and Grid/Cloud computing (I)
Legal assessment of the impact of
Grid/Cloud computing on SLAs
Question:
Is Grid able to influence the content of the
SLA(s)?
Topic relevant for all technologies that
adopt dispersed resources and increase
the quality of the offered services (Cloud!).
SLAs and Grid/Cloud computing (II)
Method of the research:
•Survey between the BEs of
BEinGRID. The BEs responded to
the above question: 20 % said ‘yes’,
the others have to think about that;
•Analysis of business practices.
SLAs and Grid/Cloud computing (III)
Scenarios
Grid/technology
provider
Service
provider
End user
SLA 1: Grid provider/Service provider
SLA 2: Service provider/End user
Often in the business practice the SLA must be read in
combination with other contracts (e.g. customer
agreement): we focus on the contractual
relationship between the parties regulating…
SLAs and Grid/Cloud computing (IV)
…
The content of the SLA (technology provider-service
provider, service provider-end user), i.e.:
•QoS: availability, system performance;
•Fees;
•Assistance and support service;
•Security;
•Liabilities and remedies (service credits);
•The use of the Grid and of the Grid/Cloud-based
services made by the customer: no gambling, child
pornography, discriminations, phishing, viruses, trojan
horses, etc. – liabilities to be negotiated on a case-bycase basis or imposed by the provider.
SLAs and Grid/Cloud computing (V)
In particular:
management on top of the
allocated resources: availability
(compute resources, storage
etc), network performance
(latency, throughput), etc.
SLAs and Grid/Cloud computing (VI)
Question of a typical customer:
Why should the SLA in a Grid/Cloud
environment be the same as in non
Grid/Cloud scenarios?
Better expected services = more
favorable SLA for the customer!
SLAs and Grid/Cloud computing (VII)
For instance (real needs!):
•Most clients of Xignite (financial Web
service provider that delivers market data
from the Cloud) are fine with 99.5 to 99.9
% availability. Some want as high as
99.99 %;
•Gary Slater (LiveOps): clients want their
system to work all the time.
SLAs and Grid/Cloud computing (VIII)
Gerry Libertelli (CEO Ready Techs):
“technically, there should be zero
downtime associated with a Cloud [and
Grid] instance, since almost everything in a
Cloud is redundant by nature and easily
reinstantiated in the case of a failure.”
MOSSO: “since we operate clusters of servers,
maintenance that causes downtime should be
rare.”
SLAs and Grid/Cloud computing (IX)
Thus….
Answer of the rational and informed
customer:
If I pay (more?) for a service that is
expected to be better than that I was used
to, I want to see this in the SLA I sign
(influence of technology on legal
agreements).
The business practice (I)
Example of ‘traditional’ standard
clause (long long time ago…?):
“The system will not be available
for 2 hours daily for scheduled
backups and system
maintenance”.
The business practice (II)
Amazon:
•S3 Simple Storage Service (storage in 1
bucket): service availability 99.9 %;
•EC2 Elastic Compute Cloud: 99.95 %
availability.
Grid/Cloud influence SLAs: better
services = different SLAs
The business practice (III)
Joyent:
“Cloud computing brought to you with
the power of the Joyent Accelerator”.
Accelerator hosting SLA (Grid
container hosting account services):
100 % availability for all users.
The business practice (IV)
Google:
SLA for Google Apps Premium Edition: 99
% availability.
Thus…
Performance may be the next focus in
Grid/Cloud computing SLAs (Stephane
Dubois, CEO Xignite).
SLA negotiation (I)
Phases:
1. SLA contract definition (template,
proposal);
2. Negotiation and signing of the
contract;
3. Monitoring;
4. Enforcement.
SLA negotiation (II)
E-negotiation: focus on agreeing on
the conditions of the SLA (QoS, price,
etc).
Human intervention combined with
computer-generated process.
E.g.: g-Forge SLA-negotiation: a plug-in is
used to decide whether an offer shall be
refused or accepted.
SLA negotiation (III)
E.g.: Web Services Agreement
Specification (WS-Agreement): the
protocol is based on a simple round “offer,
accept” message exchange.
As far as the parties can manage the
negotiations and the agreement
reflects their will, no legal contractual
barriers.
SLA negotiation (IV)
Entirely computer-controlled/generated
negotiations with no human intervention
(realistic scenario?):
doubts as regards the validity and
enforceability of the contract. Does the SLA
really represents the will of the parties? Is it
a real agreement?
Tip: prior agreement stating that the
parties will be bound by the computergenerated SLA.
SLA negotiation (V)
Legal/technical issues in enegotiations:
security and reliability of the
system and network: it is necessary
to be sure that all messages have
been received and the contract is
really in force.
Validity and enforceability of the SLA (I)
When is the SLA legally valid and
binding?
The principle (common law and civil
law countries) is that a contract is
deemed to come into existence when
acceptance of an offer has been
communicated to the offeror by the
offeree/when the offeror knows that
the offeree accepted.
Validity and enforceability of the SLA (II)
Need to check whether the contract shall be
made in written form!
Does an e-contract respect this requisite?
In the EU, all Member States should allow the
conclusion of e-contracts with electronic
signature (Directive 1999/93/EC).
Alternatives:
•E-mail with electronic signature;
•Paper-based contracts with ‘real’ signature.
NB: contracts with public authorities, check the standards set in the
specific country (e-signature, e-document).
Validity and enforceability of the SLA (III)
B2B SLAs
Which law will govern the contract
and will be applicable for the
(contractual) obligations arising
from the SLA?
Rome Convention 1980:
•A contract shall be governed by the
law chosen by the parties – Art. 3(1);
…
Validity and enforceability of the SLA (IV)
…
• In absence of choice, the contract shall
be governed by the law with which it is
most closely connected – Art. 4(1) – that
is…;
• …the country of the principal place of
business of fixed establishment of the
party (business) who is to effect the
performance which is characteristic of
the contract – Art. 4(2).
Validity and enforceability of the SLA (V)
The provision of the service is the
performance characteristic of the
contract.
The law of the country of the
technology provider or of the service
provider will be applicable (Rome
Convention 1980 is universal).
Validity and enforceability of the SLA (VI)
For instance:
1.US (California) Grid/Cloud provider – Spanish service
provider: American (Californian) law will be applicable;
2.Spanish service provider (SaaS) – Brazilian customer:
Spanish law will be applicable.
Law applicable to what?
(a) interpretation;
(b) performance;
(c) within the limits of the powers conferred on the court by its
procedural law, the consequences of breach, including the
assessment of damages in so far as it is governed by rules of
law;
(d) the various ways of extinguishing obligations, and
prescription and limitation of actions;
(e) the consequences of nullity of the contract.
Validity and enforceability of the SLA (VII)
B2C SLAs (with a consumer) – Article 5(2):
“a choice of law made by the parties shall not
have the result of depriving the consumer of the
protection afforded to him by the mandatory
rules of the law of the country in which he has
his habitual residence:
- if in that country the conclusion of the contract
was preceded by a specific invitation addressed
to him or by advertising, and he had taken in
that country all the steps necessary on his part
for the conclusion of the contract […]”
Validity and enforceability of the SLA (VIII)
Article 5(3):
if there is no choice the contract shall “be
governed by the law of the country in
which the consumer has his habitual
residence if it is entered into in the
circumstances described” in the previous
slide.
Validity and enforceability of the SLA (IX)
Problem: is it possible to say that
invitation/advertisement was carried on in
the customer’s state if the
invitation/advertisement was made in a web
site?
Back in 1980 it was said that if a “German
replies to an advertisement in American
publications, even if [the goods or services] are
sold in Germany, the rule does not apply unless
the advertisement appeared in special editions
of the publication intended for European
countries”.
Different possible solutions – case by case
basis – great uncertainty
Validity and enforceability of the SLA (X)
Formal Validity of the SLA – Article 9(2)
Rome Convention:
“A contract concluded between persons
who are in different countries is formally
valid if it satisfies the formal requirements
of the law which governs it under this
Convention or of the law of one of those
countries.”
Validity and enforceability of the SLA (XI)
Tip: the contractual regulation
should be as complete as possible.
Parties should state, in the SLA or in
a framework contract, which law will
be applicable and how potential
future conflicts will be solved
(competent court, ADR).
Liabilities (I)
Technology providers tend to limit their
liabilities as much as possible.
E.g.: “we and our licensors do not warrant that
the service offerings will function as described,
will be uninterrupted or error free, or free of
harmful components, or that the data you store
within the service offerings will be secure or not
otherwise lost or damaged… We…shall not be
responsible for any service interruptions,
including, without limitation, power outrage,
system failures or other interruptions.” (Amazon
Web Services Customer Agreement).
Liabilities (II)
Service (SaaS) providers do the same!
E.g.: “we are not liable to you…for any direct,
indirect, incidental, special or consequential
damages or losses arising out of access to or
use of the Service or inability to access or use
the Service or out of any breach of any warranty
including, without limitation, damages or losses
resulting from acts of god or events of similar
case or the consequences of viruses received
by you via the Service, even if we are advised
of the possibility of such damages or losses.”
(Business Professional).
Liabilities (III)
The risk, at the end, is shifted to the
final customer…
Technology provider
Service Provider
End user
Liabilities (IV)
Impact of Grid/Cloud failures in a SaaS scenario:
who is liable for what?
•The technology provider does not take liabilities;
•The SaaS provider does not take liabilities;
•The end use…the loser takes it all!
Legislative intervention to allocate risks and liabilities in
a fairer way?
In B2C, the application of the Rome Convention can
mitigate the risks for the customer.
Liabilities (V)
“The best strategy for dealing with the
risks of Cloud vendors is to mitigate
them before you move your
applications and data into the Cloud.
Do what you can to protect your
business before you sign a contract
with a Cloud or SaaS provider.” (Anne
Grubb).
Liabilities (VI)
In practice…
Distinction between (i) SLAs
negotiated between equals and (ii)
standard contracts imposed by big
players.
In the latter case, the customer (B2B)
takes the risk.
Liabilities (VII)
Rules of jurisdiction:
What if the customer is a consumer (B2C)?
Regulation 44/2001: in case of ‘active’ website of the supplier,
the special rules aimed to protect the consumer (who is a
consumer?) apply (Art. 15-16).
Consumer (domiciled in the EU) – Business (extra-EU)
Belgian consumer v. US company = judge ex Belgian rules
US company v. Belgian consumer = Belgian judge
Consumer (domiciled in the EU) – Business (EU)
Belgian consumer v. German company = German or Belgian
judge
German company v. Belgian consumer = Belgian judge
Liabilities (VIII)
In the field of B2C transactions,
substantial
(which
law?)
and
procedural rules (which judge?) limit
the unbalanced position between
Grid/Cloud provider and the customer.
However, these rules are often of
difficult
application:
need
for
clarifications.
Liabilities (IX)
Liability of the technology
provider/service provider towards third
parties:
E-commerce Directive (2000/31/EC).
Limitations of liability:
•Grid provider: hosting (Art. 14) – duty of
care;
•Service provider: mere conduit (Art. 12),
caching (Art. 13), depending on the case.
Thanks for you attention!
Davide M. Parrilli
ICRI-K.U. Leuven-IBBT
davide.parrilli@law.kuleuven.be