Unless you have managed to go fully off-grid, you will likely have seen if not been affected in some form by the Amazon Web Service (AWS) outage on Monday. AWS is a cloud computing service providing highly flexible, commercially attractive and readily scalable cloud computing capacity across cloud storage and database management. From social media platforms, online banking applications, to B2B SaaS providers, a diverse array of service providers have become reliant on AWS as a cloud provider.
So, what happens when one of the world’s largest cloud computing providers goes down? Until a week ago, the common answer to that question would have been “It’ll never happen.” And, what should organisations who use these cloud computing providers be considering when drafting and agreeing terms with their own customers?
Thinking through the dependencies on cloud providers such as AWS is a key part of managing risk and liability issues in lots of projects. Legally, AWS is often characterised as a subcontractor, providing hosted environments and cloud services which underpin lots of software and service deployments. In practice, however, AWS provides its services by reference to standard terms made available to everyone. If AWS suffers an outage, platforms or services hosted by the affected instances might well not operate properly, possibly triggering defaults against service levels or other legal remedies for suppliers who depend on AWS to host services. That isn’t necessarily treated as an unfortunate ‘force majeure’ event for which no one is liable if the arrangement is set up such that AWS is a subcontracted provider. In that case, a provider who relies on AWS may still be liable if it has taken on obligations or commitments which it then relies on AWS services to be able to fulfil. Most customers will expect their suppliers to take full responsibility for subcontractors as if they were supplying the services themselves, reflecting the standard legal position. This makes sense and seems fair – the chain of responsibility flows through the contracts to the end user with there being methods and avenues of recourse for the parties that can be pursued where your service goes down or is not provided as agreed. However, what if your subcontractor does not and seemingly cannot take responsibility for any outages or service availability?
Lots of people who deal with AWS do not pore into the details of AWS’ standard terms and conditions which are published in fully on Amazon’s website. These are available here https://aws.amazon.com/agreement/. Note that AWS provides its services on an “as is” basis and gives no warranties as to the availability or quality of service and accepting no liability should any of these events occur:
“THE SERVICES AND AWS CONTENT ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY LAW, OR TO THE EXTENT ANY STATUTORY RIGHTS APPLY THAT CANNOT BE EXCLUDED, LIMITED OR WAIVED, WE AND OUR AFFILIATES AND LICENSORS (A) MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICES OR AWS CONTENT OR THE THIRD-PARTY CONTENT, AND (B) DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED OR EXPRESS WARRANTIES (I) OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, (II) ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE, (III) THAT THE SERVICES OR AWS CONTENT OR THIRD-PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, AND (IV) THAT ANY CONTENT WILL BE SECURE OR NOT OTHERWISE LOST OR ALTERED”.
It also operates on a ‘devolved responsibility’ model whereby it is the user’s responsibility to ensure services are configured and designed appropriately from the various options made available by AWS.
The result of this is that it may be difficult to bring any legal claim for redress from AWS as a result of a serious outage. AWS’ rationale for these provisions will be that its services are priced and delivered on the basis this allocation of responsibility applies, and for many years lots of businesses have relied on the competitive pricing, reliability and technical excellence of their services rather than having robust and clearly defined legal remedies for non-performance.
The events of recent days may cause some businesses to consider their operating resilience. AWS is the latest tech giant to suffer a significant outage and may not be the last. If your organisation depends on cloud providers like AWS, now is the time to review your terms of service. Ensure they clearly outline the chain of responsibility, or include the right disclaimers, so you are not left exposed when outages occur. A well-drafted contract can make all the difference in managing risk and maintaining trust with your clients. Get in contact with us today to make sure your contracts are cloud-ready and legally robust.
