How to Structure Cloud Computing Industrial IoT-as-a-Service (IIoT-aaS) Contracts?
How to Structure Cloud Computing Industrial IoT-as-a-Service (IIoT-aaS) Contracts?
May 11, 2021
Internet of Things (IoT) Services include a range of “end-to-end services in which businesses contract with external providers to design, build, install and operate IoT solutions, including advisory consulting for IoT planning.”[1] Industrial IoT service providers build and deploy IoT solution applications for service providers supporting key vertical markets for IoT adoption such as manufacturing, healthcare, transportation and retail, etc.[2]
More specifically, prior to providing their customers with customized Industrial Internet-of-Things-as-a-Service Solutions (“IIoT-aaS Solutions”) on a subscription basis via their Software-as-a-Service (SaaS) and Data-as-a-Service (DaaS) cloud computing platform, IIoT-aaS Companies should sign a robust and comprehensive contract with such customers in order to be fully protected and covered against all possible risks.[3] The backbone of such a contract should basically be articulated around the following four (4) main elements:
1. DEFINITIONS
The two most central terms which must be defined carefully in any Cloud Computing IIoT-aaS Contract (“Agreement”) are:
“Customer’s Data” which means any and all data, information and content which are (i) uploaded, stored and processed by Customer onto the IIoT-aaS Company's Data-as-a-Service (DaaS) cloud computing platform; or (ii) created, realised or developed by the Customer while using the IIoT-aaS Solutions, including, without limitations, personal data, information, customer asset information, maintenance history logs, inventory, sensor data, software, data-base, documents, pictures, images, photographs, text, and files; and
“IIoT-aaS Solutions” which means the Industrial Internet-of-Things-as-a-Service software solutions which are provided by the IIoT-aaS Company to Customer via the IIoT-aaS Company's Software-as-a-Service (SaaS i.e. the provision of the IIoT-aaS Solutions remotely, without the need for Customer to install such IIoT-aaS Solutions) and Data-as-a-Service (DaaS i.e. the storage/processing of Customer’s Data in the cloud so as to enable Customer’s Data to be provided, on demand, to Customer and Customer's Personnel) cloud computing platform. IIoT-aaS Solutions include the electronic information systems and network of devices, machinery and sensors connected to each other and to the internet, comprising of any one or more hardware, robotics, medical devices, software-defined production processes, equipment, software, peripherals and communications networks owned, controlled, operated and/or used by the IIoT-aaS Company and provided to customers working in the industrial sectors for the purposes of collecting and analyzing data to continuously improve Customer’s processes.
2. IIOT-AAS SOLUTIONS’ TERMS OF USE
License Grant. The IIoT-aaS Company should grant Customer a non-exclusive, limited, non-transferable, non-sublicensable license to access the IIoT-aaS Company's Software-as-a-Service (SaaS) and Data-as-a-Service (DaaS) cloud computing platform (in accordance with the agreed upon Monthly Uptime), via which the IIoT-aaS Solutions will be provided by the IIoT-aaS Company to Customer for (i) Customer’s internal business purposes, and (ii) the Subscription Term/Duration.
Service Levels (Monthly Uptime & Service Credits). The IIoT-aaS Company should commit to using its commercially reasonable efforts to make the IIoT-aaS Solutions available to Customer at a minimum service level of e.g. ninety-nine percent (99%) uptime per month (“Monthly Uptime”). In the event that the IIoT-aaS Company fails to meet the Monthly Uptime during any given month, the IIoT-aaS Company typically awards Customer with a service credit (“Service Credit(s)”). Service Credits are calculated as a percentage of the monthly value of the IIoT-aaS Solutions Subscription Plan Fees paid by Customer.
Here is an example of how a ‘Service Level—Credit Sliding Scale’ can be structured => If, during any given monthly period, Monthly Uptime is:
- less than 99.90% but equal to or greater than 99% => then Customer is entitled to 10% Service Credit;
- less than 99.00% but equal to or greater than 95% => then Customer is entitled to 25% Service Credit; and
- less than 95.00% => then Customer is entitled to 100% Service Credit.
Service Credit Request Procedure. In order to receive a Service Credit, Customer should submit a written claim to the IIoT-aaS Company via email within, for instance, thirty (30) calendar days of the occurrence of an incident whereby the Customer experienced low Monthly Uptime. Customer’s failure to submit such a written claim should be deemed to be an irrevocable waiver of Customer’s right to claim and receive such Service Credit.
The Service Credit issued to Customer by the IIoT-aaS Company should (i) apply to set-off the Subscription Plan Fees payable by Customer for Customer’s selected IIoT-aaS Solutions only; (ii) be used within one (1) month from the date the Service Credit is made available to Customer by the IIoT-aaS Company; (iii) apply only to any outstanding or future invoices for Customer’s chosen Subscription Plan; (iv) be strictly non-refundable; and (v) be forfeited by Customer upon the termination or expiration of the Agreement.
Exclusion of Service Credit Issuance. The IIoT-aaS Company should not issue Customer with a Service Credit that:
(i) results from the suspension by the IIoT-aaS Company of the Agreement due to Customer’s failure to pay the Subscription Plan fees;
(ii) is caused by factors beyond the IIoT-aaS Company's control, including but not limited to a force majeure event;
(iii) results from a third party’s actions and/or omissions;
(iv) is a consequence of Customer not abiding and complying with the terms and conditions of the Agreement;
(v) results from Customer’s equipment, software or other technology and/or from third party equipment, software or other technology (other than the IIoT-aaS Company's third party equipment);
(vi) results from any scheduled maintenance of the IIoT-aaS Solutions; or
(vii) arises from Customer’s termination of the Agreement.
The Service Credit(s) issued by the IIoT-aaS Company to Customer for any failure of the IIoT-aaS Solutions should be Customer’s sole remedy.
Updates. The IIoT-aaS Company may, at its sole discretion, improve or update the IIoT-aaS Solutions to (i) fix defects, bugs, or errors in the IIoT-aaS Solutions; (ii) cure security vulnerabilities of the IIoT-aaS Solutions; and/or (iii) comply with applicable law. Should any improvement or update to the IIoT-aaS Solutions cause, directly or indirectly, a reduction in the functionalities or characteristics of the IIoT-aaS Solutions, the parties should agree on a fair and proportionate reduction of the Subscription Plan fees.
Use Restrictions. Customer should not permit or encourage any third party to, directly or indirectly (i) reverse engineer, decompile, disassemble or otherwise attempt to discover or derive the source code, object code, underlying structure, ideas, know-how or algorithms related to the IIoT-aaS Solutions; (ii) modify, translate, or create derivative works based on the IIoT-aaS Solutions; (iii) use the IIoT-aaS Solutions for timesharing or service bureau purposes; (iv) modify, remove or obstruct any proprietary notices or labels on the IIoT-aaS Solutions; or (v) use the IIoT-aaS Solutions in any manner so as to assist or take part in the development, marketing or sale of a product potentially competitive with IIoT-aaS Solutions.
3. CUSTOMER’S DATA
Ownership. Customer should own all rights, title and interest in and to all of Customer Data’s and should have sole responsibility for the legality, reliability, integrity, accuracy and quality of Customer’s Data. Any and all of Customer’s Data provided by Customer’s Personnel to the IIoT-aaS Company, are accurate, complete and reliable.
License Grant. Customer should grant the IIoT-aaS Company a limited, non-exclusive, non-transferable license to copy, store, configure, perform, display and transmit Customer’s Data solely to the extent necessary to provide the IIoT-aaS Solutions to Customer and Customer’s Personnel.
No Sensitive Data. Customer should not submit to the IIoT-aaS Company any data that is protected under a special legislation and requires a unique treatment, including for instance, without limitation, (i) categories of data enumerated in the European Union Regulation 2016/679, Article 9(1) or any similar legislation or regulation in other jurisdictions; (ii) any protected health information subject to the U.S. Health Insurance Portability and Accountability Act (“HIPAA”), as amended and supplemented, or any similar legislation in other jurisdictions, unless Customer and the IIoT-aaS Company separately enter into a HIPAA business associate agreement.
Security. The IIoT-aaS Company should use commercially reasonable measures, as required by applicable Law and/or as agreed upon by the Parties, to establish and maintain electronic and physical safeguards against unauthorized access, destruction, loss, accidental or unauthorized deletion, disclosure or alteration of Customer’s Data under the IIoT-aaS Company's control. Such measures should in no wise be less rigorous than applicable industry standards. Furthermore, the IIoT-aaS Company should ensure that the security, confidentiality and integrity of Customer’s Data transmitted through or stored on the IIoT-aaS Company's IIoT-aaS Solutions. For the avoidance of doubt, the IIoT-aaS Company should not be liable to Customer for any and all destruction, loss, accidental or unauthorized deletion, disclosure or alteration of Customer’s Data. In the event of any loss or damage to Customer’s Data, the Customer's sole and exclusive remedy should be for the IIoT-aaS Company to use reasonable commercial endeavours to restore the lost or damaged Customer’s Data from the latest back-up of such Customer’s Data as maintained by the IIoT-aaS Company.
Privacy. The IIoT-aaS Company should, while providing Customer with the IIoT-aaS Solutions, comply with its Privacy Policy relating to the privacy and security of Customer’s Data. Such Privacy Policy should govern the IIoT-aaS Company's use, storage and processing of any personal information Customer may provide to the IIoT-aaS Company when accessing and using the IIoT-aaS Solutions. Customer’s election to use the IIoT-aaS Solutions should be deemed to constitute Customer’s acceptance of the terms of the IIoT-aaS Company's Privacy Policy.
Termination. If the IIoT-aaS Company, reasonably believes in its sole discretion that Customer’s Data poses a possible serious risk to the IIoT-aaS Solutions, or Customer is participating in fraudulent or illegal activities, the IIoT-aaS Company may (i) immediately suspend or terminate Customer’s or Customer’s Personnel’s access to the IIoT-aaS Solutions; and/or (ii) remove the relevant Customer’s Data posing such serious risk.
4. CUSTOMER’S OBLIGATIONS
Responsibilities & Duties. Customer should:
(i) provide the IIoT-aaS Company with a list of Customer’s Personnel who will assist and cooperate with the IIoT-aaS Company so as to provide the necessary technical direction and approvals required by the IIoT-aaS Company in order to provide Customer with access to the IIoT-aaS Solution;
(ii) provide the IIoT-aaS Company with access to Customer’s Personnel, facilities, software and data for the sole purpose of the IIoT-aaS Company providing the IIoT-aaS Solutions. Such IIoT-aaS Company's access should include but not be limited to computer networks, infrastructure, and physical facilities/offices;
(iii) provide the IIoT-aaS Company with accurate and complete information, resources and Customer’s Data so as to assist the IIoT-aaS Company to successfully provide the IIoT-aaS Solutions under the Agreement. The IIoT-aaS Company's ability to deliver the IIoT-aaS Solutions in the manner provided under the Agreement may depend upon the accuracy and timeliness of such information, resources and Customer’s Data’
(iv) obtain all necessary documentation, information, materials, authorizations, permissions and licenses necessary in respect of any of Customer’s third party software or technology to enable the IIoT-aaS Company to provide Customer with access to the IIoT-aaS Solution;
(v) provide the IIoT-aaS Company with access to Customer’s Data in order for the IIoT-aaS Company to be able to provide the IIoT-aaS Solutions to Customer;
(vi) comply with all applicable local, state, national and international laws in connection with Customer’s use of the IIoT-aaS Solutions, including laws pertaining to the security, transfer, sharing and storage of Customer’s Data, data privacy, international communications, and the transmission of technical or personal data. The IIoT-aaS Company should have no control over the content of the information transmitted by Customer through the IIoT-aaS Solutions;
(vii) safeguard all electronic communications, including but not limited to business information, account registration, financial information, Customer’s Data, and all other data of any kind contained within emails or otherwise entered by Customer electronically while accessing and using the IIoT-aaS Solutions;
(viii) take commercially reasonable efforts to (a) promptly notify the IIoT-aaS Company of any unauthorized access to or use of the IIoT-aaS Solutions, and (b) cooperate with and assist the IIoT-aaS Company in preventing any such unauthorized access or use of the IIoT-aaS Solutions;
(ix) be solely responsible for the acts and omissions of Customer’s Personnel;
(x) maintain, at Customer’s expense, an appropriate and periodical back-up of Customer’s Data; and
(xi) be solely liable for any and all actions of Customer’s Personnel who were given access, by Customer, to the IIoT-aaS Solutions (for use thereof).
Restrictions & Limitations. When accessing and using the IIoT-aaS Solution, Customer should not:
(i) use any material or information which are made available by the IIoT-aaS Company as part of the IIoT-aaS Solutions in a manner that infringes upon any copyright, trademark, patent, trade secret, or other proprietary right of the IIoT-aaS Company and/or any third party;
(ii) upload files that contain Malicious Code, cancel bots, corrupted files, or any other similar software or programs that may damage the operation of the IIoT-aaS Company's and/or a third party’s computer or property;
(iii) download, reproduce, display, perform, and/or distribute any file posted to the IIoT-aaS Solutions by the IIoT-aaS Company that Customer knows, or reasonably should know, cannot be legally reproduced, displayed, performed, and/or distributed;
(iv) falsify or delete any copyright management information, such as author attributions, legal or other proper notices or proprietary designations or labels of the origin/source of the IIoT-aaS Solutions or other material included in the IIoT-aaS Solutions and made available by the IIoT-aaS Company to Customer;
(v) violate any applicable laws or regulations;
(vi) send or store infringing, obscene, threatening, abusive, defamatory, discriminatory or otherwise unlawful or tortious material, including material that violates privacy rights;
(vii) upload, post, reproduce, or distribute any information, software, or other material protected by copyright, privacy rights, or any other intellectual property right without first obtaining the permission of the owner of such rights; and
(viii) attempt to breach the security and/or authentication measures of the IIoT-aaS Solutions.
Dr. Ariel Humphrey & Dr. Rushmina Murtuza
[2] More on Industrial IoT at:https://www.oracle.com/za/internet-of-things/what-is-iot/
[3] Relevant Models, Templates or Examples of Cloud Computing Service Level Contracts/Clauses available at:
http://slalom-project.eu/sites/default/files/slalom/public/content-files/article/SLALOM%20Legal%20model_clauses%20only_v1.2.pdf
https://blog.ipleaders.in/essential-clauses-of-cloud-computing-agreement/