Data ownership is a concern of most SAAS cloud customers and is made even more complicated if multiple entities are involved. If a customer transfers their data to a SAAS provider who then outsources its infrastructure to another storage or process provider, who is responsible if the customer’s information is unavailable, lost or corrupted? As with most legal concerns we can reduce our initial anxiety by looking closely at the positions stated in the relevant terms in our agreements and contract documents so let’s take a look at a typical scenario.
First, some background: Ownership rights are generally covered by copyright, confidentiality and contract law. Essentially two types of data exist in the cloud. Data that is created by customers and then uploaded into the cloud by their SAAS or IAAS vendor, and data that is created in the cloud itself. We can assume that data created by the customer should belong to the customer, thanks to copyright law. However data created in the cloud, either by the customer or the provider is a different story. This is where a careful reading of specific terms and contract documents will make clear who owns the data.
A Common Scenario:
A customer contracts with a SAAS provider for online services. The SAAS provider is a software vendor and uses a leading commercial cloud vendor (AWS, Azure, Google, etc) as their IAAS to deliver their service. The contract between the SAAS vendor and its IAAS vendor will list the SAAS provider as their customer. Currently all major cloud vendors explicitly give ownership to all content uploaded to, stored in or created in the cloud to the customer. If the SAAS provider also explicitly gives the same ownership protection to their customer then the copyright and contract concerns are covered. And further, If the contract between the customer and the SAAS specifies agreed upon availability and uptime hours percentages (as well as penalties and when those penalties are enacted) along with security protocols and breach reporting, then confidentiality is also covered. With these situations defined and specified the bulk of the responsibility for data integrity, backup, security and confidentiality in the cloud reside with the SAAS. As with other business decisions customers choose their cloud solutions to create efficiencies and to control costs. SAAS and IAAS solutions provide predictable solutions with manageable costs and can be achieved in many forms. Other scenarios exist for cloud solutions where the customer deals directly with the IAAS vendor or where the customer’s solution is a hybrid of on-premise, SAAS and IAAS. In these cases the contract language between each entity may vary according to the defined “customer” but the resulting ownership of their data by the final customer is the same.
With our customers, 3-GIS clearly explains each software and infrastructure relationship to maintain trust and transparency. Together we carefully review contract terms and documentation to achieve a clear answer to our cloud data question “Is it yours?”, and that answer is an emphatic yes.
