Notes on the Main Issues of Cloud Computing Contracts
(prepared by the secretariat of the United Nations Commission on International Trade Law, 2019)
UNCITRAL considered the topic of contractual aspects of cloud computing at its forty-seventh to fiftieth sessions, in 2014 to 2017, respectively, on the basis of proposals by Canada (A/CN.9/823 and A/CN.9/856), progress reports of Working Group IV (Electronic Commerce) and oral reports by the Secretariat.
At those sessions, UNCITRAL requested the Secretariat and the Working Group to conduct preparatory work on the topic.
The Working Group considered the topic in detail at its fifty-fifth session (New York, 24–28 April 2017) on the basis of a note by the Secretariat (A/CN.9/WG.IV/WP.142) and at its fifty-sixth session (New York, 16–20 April 2018) on the basis of a draft checklist on contractual aspects of cloud computing prepared with the input of experts, including during an expert group meeting convened by the Secretariat in Vienna on 20 and 21 November 2017 (A/CN.9/WG.IV/WP.148).
Following its decision at its fifty-first session to review the draft notes on the main issues of cloud computing contracts prepared by the Secretariat before their publication, UNCITRAL, at its fifty-second session in 2019, approved the publication of the notes, as amended at that session, as Secretariat notes in the six official languages of the United Nations, in the form of an online reference tool and a paper and electronic booklet.
This publication reproduces the Notes on the Main Issues of Cloud Computing Contracts as approved by UNCITRAL for publication in 2019.
Part One. Main pre-contractual aspects
Verification of mandatory law and other requirements
Data localization
Choice of a contracting party
Pre-contractual risk assessment
Verification of information about a specific cloud computing service and a selected contracting party
IP infringement risks
Risks to data security, integrity, confidentiality and privacy
Penetration tests, audits and site visits
Lock-in risks
Business continuity risks
Exit strategies
Other pre-contractual issues
Disclosure of information
Migration to the cloud
Part Two. Drafting a contract
General considerations
Freedom of contract
Contract formation
Contract form
Definitions and terminology
Usual contract content
Identification of contracting parties
Defining the scope and the object of the contract
Service level agreement
Performance measurement
Acceptable use policy
Security policy
Data integrity
Confidentiality clause
Data protection/privacy policy or data processing agreement
Obligations arising from data breaches and other security incidents
Data localization requirements
Rights to customer data and other content
Provider rights to customer data for the provision of services
Provider use of customer data for other purposes
Provider use of customer name, logo and trademark
Provider actions as regards customer data upon State orders or for regulatory compliance
Rights to cloud service-derived data
IP rights protection clause
Interoperability and portability
Data retrieval for legal purposes
Data deletion
Audits and monitoring
Monitoring activities
Audit and security tests
Payment terms
Licensing fees
Additional costs
Other payment terms
Changes in services
Changes in price
Degradation or discontinuation of services
Notification of changes
Suspension of services
Subcontractors, sub-providers and outsourcing
Identification of the subcontracting chain
Changes in the subcontracting chain
Alignment of contract terms with linked contracts
Liability of subcontractors, sub-providers and other third parties
Statutory limitations to contractual freedom
Other considerations for drafting liability clauses
Providers’ standard terms
Possible variations of standard terms
Liability insurance
Remedies for breach of the contract
Types of remedies
Suspension or termination of services
Service credits
Formalities to be followed in case of the breach of the contract
Term and termination of the contract
Effective start date of the contract
Duration of the contract
Earlier termination
Termination for convenience
Termination for breach
Termination due to unacceptable modifications of the contract
Termination in case of insolvency
Termination in case of change of control
Inactive account clause
End-of-service commitments
Time frame for export
Customer access to the content subject to export
Export assistance by the provider
Data deletion
Post-contract retention of data
Post-contract confidentiality clause
Post-contract audits
Leftover account balance
Dispute resolution
Methods of dispute settlement
Arbitral proceedings
Online dispute resolution
Judicial proceedings
Retention of data
Limitation period for complaints
Choice of law and choice of forum clauses
Considerations involved in choosing the applicable law and forum
Mandatory law and forum
Provider or customer home law and forum
Multiple options
No choice of law or forum
Miscellaneous clauses
Amendment of the contract
The present Notes address the main issues of cloud computing contracts between business entities where one party (the provider) provides to the other party (the customer) one or more cloud computing services for end use.
Contracts for resale or other forms of further distribution of cloud computing services are excluded from the scope of the Notes.
Also excluded from the scope of the Notes are contracts with cloud computing service partners and other third parties that may be involved in the provision of cloud computing services to the customer (e.g., contracts with subcontractors and Internet service providers).
Cloud computing contracts may be qualified under the applicable law as a service, rental, outsourcing, licensing, mixed or other type of contract.
Statutory requirements as regards their form and content may vary accordingly.
In some jurisdictions, the parties themselves may qualify their contract as a contract of a particular type if legislation is silent or vague on that issue; a court would take such qualification into account in interpreting the terms of the contract unless doing so would contradict the law, court practice, the actual intention of the parties, the factual situation or business customs or practices.
These Notes address issues that may arise from cloud computing contracts regardless of the type of cloud computing service (e.g., infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS)), its deployment model (e.g., public, community, private or hybrid) and the payment terms (with or without remuneration).
The primary focus of the Notes is on contracts for the provision of public SaaS-type cloud computing services for remuneration.
The ability to negotiate cloud computing contract clauses depends on many factors, in particular on whether the contract involves standardized commoditized multi-subscriber cloud solutions or an individual tailor-made solution, on whether a choice of competing offers exists, and on the bargaining positions of the potential parties.
Where a choice exists, the ability to negotiate the terms of a contract, in particular clauses on unilateral suspension, termination or modification of the contract by the provider, as well as liability clauses, may be an important factor in choosing the provider.
Although prepared primarily for parties negotiating a cloud computing contract, the Notes may also be useful for customers reviewing standard terms offered by providers to determine whether those terms sufficiently address the customer’s needs.
The Notes should not be regarded as an exhaustive source of information on drafting cloud computing contracts or as a substitute for obtaining legal and technical advice and the services of professional advisers.
The Notes suggest issues for consideration by potential parties before and during contract drafting, including shared responsibility for security measures, without intending to convey that all of those issues must always be considered.
The various solutions discussed in the Notes will not govern the relationship between the parties unless they expressly agree upon such solutions, or unless the solutions result from provisions of the applicable law.
The headings and subheadings used in the Notes and their sequence are not to be regarded as mandatory or as suggesting any preferred structure or style for a cloud computing contract.
The form, content, style and structure of cloud computing contracts may vary significantly, reflecting various legal traditions, drafting styles, legal requirements and the parties’ needs and preferences.
Lastly, the Notes are not intended to express the position of the United Nations Commission on International Trade Law (UNCITRAL) or its secretariat on the desirability of concluding cloud computing contracts.
The Notes consist of two parts and a glossary: part one addresses the main pre-contractual aspects that potential parties may wish to consider before entering into a cloud computing contract; part two addresses the main contractual issues that negotiating parties may face while drafting a cloud computing contract; and the glossary describes some technical terms used in the Notes, to facilitate understanding.
Part One. Main pre-contractual aspects
Verification of mandatory law and other requirements
The legal framework applicable to the customer, the provider or both may impose conditions for entering into a cloud computing contract.
Such conditions may also stem from contractual commitments, including intellectual property (IP) licences.
The parties should in particular be aware of laws and regulations related to personal data, consumer protection, cybersecurity, export control, customs, tax, trade secrets, IP-specific and sector-specific regulation that may be applicable to them and to their future contract.
Non-compliance with mandatory requirements may have significant negative consequences, including the invalidity or unenforceability of a contract or part thereof, administrative fines and criminal liability.
Conditions for entering into a cloud computing contract may vary by sector and jurisdiction.
They may include requirements to take special measures for the protection of data subjects’ rights, to deploy a particular model (e.g., a private cloud as opposed to a public cloud), to encrypt data placed in the cloud and to register with State authorities a transaction or software used in the processing of personal data.
They may also include data localization requirements, as well as requirements regarding the provider.
Data localization
Data localization requirements may arise in particular from the law applicable to personal data, accounting data and public sector data, as well as from export control laws and regulations that may restrict the transfer of certain information or software to or from particular countries or regions.
Compliance with the data localization requirements set forth in the applicable law would be of paramount importance for the parties.
The contract would not be able to override those requirements.
Data localization requirements may also arise from contractual commitments (e.g., IP licences that require the licensed content to be stored on the user’s own secured servers).
Data localization may also be preferred for purely practical reasons, for example to reduce latency, which may be especially important for real-time operations such as stock exchange trading. (On contractual data localization safeguards, see part two, paras. 74–75 and 78.)
Choice of a contracting party
The choice of a contracting party may be restricted, in addition to market conditions, by statutory requirements.
There may be a statutory prohibition on entering into a cloud computing contract with foreign persons, persons from certain jurisdictions or persons not accredited or certified by the competent State authorities.
There may be a requirement for a foreign person to form a joint venture with a national entity or to acquire local licences and permissions, including export control permissions, for the provision of cloud computing services in a particular jurisdiction.
Data localization requirements (see paras. 10–11 above) as well as statutory obligations on either party to disclose or provide access to the data and other content to foreign State authorities may also influence the choice of a contracting party.
Pre-contractual risk assessment
The applicable mandatory law may require a risk assessment as a precondition to entering into a cloud computing contract.
Even in the absence of statutory requirements, the parties may decide to undertake a risk assessment that might help them to identify risk mitigation strategies, including the negotiation of appropriate contractual clauses.
Not all risks arising from cloud computing contracts would be cloud-specific.
Some risks would be handled outside a cloud computing contract (e.g., risks arising from online connectivity interruptions) and not all risks could be mitigated at an acceptable cost (e.g., reputational damage).
In addition, risk assessment would not be a one-off event before concluding a contract.
Risk assessment could be ongoing throughout the duration of the contract, and risk assessment outcomes may necessitate amendment or termination of the contract.
Verification of information about a specific cloud computing service and a selected contracting party
The following information may be relevant to the parties when they consider employing a specific cloud computing service and selecting a contracting party:
IP licences required for using a specific cloud computing service;
The privacy, confidentiality and security policies in place, in particular as regards the prevention of unauthorized access, use, alteration or destruction of the data during processing, transit or transfer using the cloud computing infrastructure;
Measures in place to ensure ongoing access to metadata, audit trails and other logs demonstrating security measures;
The existing disaster recovery plan and notification obligations in the case of a security breach or system malfunction;
Policies in place as regards migration-to-the-cloud and end-of-service assistance, as well as interoperability and portability;
The existing measures for the vetting and training of employees, subcontractors and other third parties involved in the provision of the cloud computing services;
Statistics on security incidents and information about past performance of disaster recovery procedures;
Certification by an independent third party of compliance with technical standards;
Information indicating the regularity and extent of audits by an independent body;
Financial viability;
Insurance policies;
Possible conflicts of interest;
The extent of subcontracting and layered cloud computing services;
The extent of isolation of data and other content in the cloud computing infrastructure;
The expected reciprocal roles and shared responsibilities of the parties for security measures.
IP infringement risks
16. IP infringement risks may arise if, for example, the provider is not the owner or developer of the resources that it provides to its customers but rather uses them under an IP licence arrangement with a third party.
IP infringement risks may also arise if the customer is required, for the implementation of the contract, to grant to the provider a licence to use the content that the customer intends to place in the cloud.
In some jurisdictions, storage of content in the cloud, even for backup purposes, may be qualified as a reproduction and require prior authorization from the IP rights owner.
It is in the interests of both parties to ensure, before the conclusion of the contract, that the use of the cloud computing services would not constitute an infringement of IP rights or a cause for the revocation of the IP licences granted to either of them.
The costs of IP infringement may be very high.
The right to sublicense may need to be arranged, or a direct licence arrangement may need to be concluded with the relevant third-party licensor under which the right to manage the licences will be granted.
The use of open source software or other content may necessitate obtaining advance consent from third parties and disclosing the source code together with any modifications made to the open source software or other content.
Risks to data security, integrity, confidentiality and privacy
Migration of all or part of the data to the cloud leads to the customer’s loss of exclusive control over that data and of the ability to deploy the necessary measures to guarantee data integrity and confidentiality or to verify whether data processing and retention are being handled adequately.
The extent of the loss of control will depend on the type of cloud computing service.
Inherent features of cloud computing services such as broad network access, multi-tenancy and resource pooling may require from the parties more precautions to prevent the interception of communications and other cyberattacks that may lead to the loss or compromise of credentials for access to the cloud computing services, data loss and other security breaches.
Adequate isolation of resources, data segregation and robust security procedures are especially important in a shared environment such as cloud computing.
Security measures will be the shared responsibility of the parties in the cloud computing environment regardless of the type of cloud computing service employed.
A pre-contractual risk assessment provides a good opportunity for the parties to eliminate any ambiguity in defining their roles and responsibilities related to data security, integrity, confidentiality and privacy.
Contractual clauses will play an important role in reflecting the agreement of the parties on the mutual allocation of risks and liabilities related to those and other aspects of the provision of cloud computing services (see part two, paras. 125–137).
Those clauses will not be able to override mandatory provisions of law.
Penetration tests, audits and site visits
Steps may be taken at the pre-contractual stage to verify the adequacy of the isolation of resources, data segregation, identification procedures and other security measures.
They should aim at identifying possible additional precautions that may need to be taken by the parties to prevent data security breaches and other malfunctions in the provision of the cloud computing services to the customer.
Laws and regulations may require audits, penetration tests and physical inspection of the data centres involved in the provision of the cloud computing services, in particular to ascertain that their location complies with statutory data localization requirements (see paras. 10–11 above).
The parties would need to agree on the conditions for undertaking those activities, including their timing, the allocation of costs and indemnification for any damage caused by those activities.
Lock-in risks
Avoiding or reducing lock-in risks, which often arise from a lack of interoperability and portability, may be one of the most important considerations for the parties.
Higher lock-in risks may arise from long-term contracts and from automatically renewable short- and medium-term contracts.
Risks of application and data lock-in are especially high in SaaS and PaaS.
Data may exist in formats specific to one cloud system that will not be usable in other systems.
In addition, a proprietary application or system used to organize data may require an adjustment of licensing terms to allow operation in a different network.
Programs that interact with application programming interfaces (APIs) may need to be rewritten to take into account the new system’s APIs.
High switching costs may also arise from the need to retrain end users.
In PaaS, there could also be runtime lock-in, since runtimes (i.e., software designed to support the execution of computer programs written in a specific programming language) are often heavily customized (e.g., in aspects such as allocating or freeing memory, debugging, etc.).
In IaaS, lock-in varies depending on the specific infrastructure services consumed.
As in PaaS, some infrastructure services may lead to application lock-in if the service depends on specific policy features (e.g., access controls).
Some infrastructure services may also lead to data lock-in as more data are moved to the cloud for storage.
At the pre-contractual stage, tests could be run to verify whether data and other content can be exported to another system and made usable there.
Synchronization between cloud and in-house platforms and replication of data elsewhere may be needed.
Transacting with more than one party and opting for a combination of various types of cloud computing services and deployment models (i.e., multi-sourcing), although possibly with cost and other implications, may be an important part of a strategy for mitigating lock-in risks.
Contractual clauses may also assist with mitigating lock-in risks (see part two, in particular paras. 84–86 and 144).
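The export test suggested above, as an added example that is not part of the Notes or of any provider's tooling: a Python script that takes a constructed provider-specific export, converts it to a neutral interchange format (CSV), reloads it the way a second system would, and reports both records that fail to round-trip and fields the neutral format cannot carry (the data lock-in the text warns about). The export layout, the field mapping and the two sample records are assumptions made for illustration.

```python
"""
Pre-contractual portability check (added example, not from the UNCITRAL Notes).

Exports content from a hypothetical "provider A" format, converts it to a neutral
schema, writes and reads it back as CSV, and reports what would be lost or altered.
All formats and sample data below are constructed for illustration.
"""
import csv
import hashlib
import io
import json

# Constructed: a hypothetical provider-specific export envelope with nested metadata
# and provider-specific field names.
PROVIDER_A_EXPORT = {
    "export_version": "a-3.1",
    "objects": [
        {"objId": "inv-1001",
         "payload": {"customer": "ACME", "amount": "120.50", "currency": "EUR"},
         "sysMeta": {"created": "2019-05-01T10:00:00Z", "labels": ["billing"]}},
        {"objId": "inv-1002",
         "payload": {"customer": "Globex", "amount": "75.00", "currency": "USD"},
         "sysMeta": {"created": "2019-05-02T11:30:00Z", "labels": ["billing", "priority"]}},
    ],
}

# Mapping from provider A's (dotted) field names to a neutral schema (assumption).
# Any exported field absent from this map cannot be carried over and is reported.
NEUTRAL_SCHEMA = {
    "objId": "id",
    "payload.customer": "customer",
    "payload.amount": "amount",
    "payload.currency": "currency",
    "sysMeta.created": "created",
}


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys; lists are serialized as JSON strings."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif isinstance(value, list):
            out[name] = json.dumps(value, sort_keys=True)
        else:
            out[name] = str(value)
    return out


def to_neutral(export):
    """Convert provider A objects to neutral rows; return (rows, sorted lost field names)."""
    rows, lost = [], set()
    for obj in export["objects"]:
        flat = flatten(obj)
        rows.append({dst: flat[src] for src, dst in NEUTRAL_SCHEMA.items() if src in flat})
        lost.update(name for name in flat if name not in NEUTRAL_SCHEMA)
    return rows, sorted(lost)


def record_digest(row):
    """Content hash of one row, independent of key order."""
    return hashlib.sha256(json.dumps(row, sort_keys=True).encode()).hexdigest()


def write_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(NEUTRAL_SCHEMA.values()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def portability_report(export):
    """Round-trip the export through the neutral format and report any loss."""
    rows, lost = to_neutral(export)
    before = {row["id"]: record_digest(row) for row in rows}
    reloaded = read_csv(write_csv(rows))
    after = {row["id"]: record_digest(row) for row in reloaded}
    return {
        "records": len(rows),
        "round_trip_ok": before == after,
        "mismatched_ids": sorted(i for i in before if before[i] != after.get(i)),
        "fields_lost_in_neutral_format": lost,
    }


if __name__ == "__main__":
    print(json.dumps(portability_report(PROVIDER_A_EXPORT), indent=2))
```

On the constructed input every record survives the round trip, but the report flags `sysMeta.labels` as a field the neutral schema does not carry; in a real pre-contractual test that list of lost fields is what the customer would take back to the provider, or to the licence terms, before committing.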
Business continuity risks
The parties may be concerned about business continuity risks not only in anticipation of the scheduled termination of the contract but also of its possible unilateral suspension or earlier termination, including where either party may no longer be in business.
The law may require putting in place in advance an appropriate strategy to ensure business continuity, in particular in order to avoid the negative impact of the termination or suspension of the cloud computing services on end users.
Contractual clauses may also assist with mitigating business continuity risks (see part two, paras. 109–111, 114–115, 153, 173 and 182).
Exit strategies
For successful exit strategies, the parties may need to clarify from the outset:
(a) the content that will be subject to exit (e.g., only the data that the customer entered in the cloud or also cloud service-derived data);
(b) any amendments that would be required to IP licences to enable the use of that content in another system;
(c) control of the decryption keys and access to them;
(d) the time period required to complete the exit.
End-of-service contractual clauses usually reflect the agreement of the parties on those issues (see part two, paras. 157–167).
Other pre-contractual issues
Disclosure of information
The applicable law may require the parties to a contract to provide to each other information that would allow them to make an informed choice about the conclusion of the contract.
The absence, or the lack of clear communication to the other party, of information necessary to make the object of the obligation determined or determinable prior to contract conclusion may make a contract or part thereof null and void or entitle the aggrieved party to claim damages.
In some jurisdictions, pre-contractual information may be considered an integral part of the contract.
In such cases, the parties would need to ensure that such information is appropriately recorded and that any mismatch between that information and the contract itself is avoided.
The parties would also need to deal with concerns over the impact of pre-contractually disclosed information on flexibility and innovation at the contract implementation stage.
Some information disclosed at the pre-contractual stage may be considered confidential, in particular as regards security, identification and authentication measures, subcontractors and the location and type of data centres (which in turn may reveal the type of data stored there and the access thereto by local or foreign State authorities).
The parties may agree that certain information disclosed at the pre-contractual stage should be treated as confidential.
Written confidentiality undertakings or non-disclosure agreements may also be required from third parties involved in pre-contractual due diligence (e.g., auditors).
Migration to the cloud
Before migration to the cloud, the customer would usually be expected to classify the data to be migrated, to secure it according to its level of sensitivity and criticality and to inform the provider about the level of protection required for each type of data.
The customer may also be expected to supply to the provider other information necessary for the provision of the services (e.g., the customer’s data retention and disposition schedule, user identity and access management mechanisms and, if necessary, procedures for access to the encryption keys).
33. In addition to the transfer of data and other content to the provider’s cloud, migration to the cloud may involve installation, configuration, encryption, tests and the training of the customer’s staff and other end users.
Those aspects may be part of the customer’s contract with the provider or be the subject of a separate agreement between the customer and the provider or third parties, such as cloud computing service partners.
Extra costs may arise.
The parties involved in the migration would normally agree on their roles and responsibilities during migration, the terms of their engagement, the format in which the data or other content is to be migrated to the cloud, the timing of migration, an acceptance procedure to ascertain that the migration was performed as agreed and other details of the migration plan.
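The classification step described above, as an added example that is not part of the Notes: a Python script that records the customer's pre-migration classification (sensitivity, localization constraint, key custody and retention period for each class of data) and checks it against the attributes a provider has disclosed, so that the protection level each class needs can be stated to the provider and any gap is visible before the contract is signed. It goes slightly beyond the single classification step in the text by also applying the localization, encryption and deployment-model conditions mentioned under verification of mandatory law. The data classes, regions, offering attributes and the minimum-protection table are assumptions made for illustration.

```python
"""
Pre-migration classification check (added example, not from the UNCITRAL Notes).

Encodes a customer's data classification and checks it against a hypothetical
provider offering, so that gaps in protection, localization or retention are found
before contract conclusion rather than after migration.
All classes, regions and offering attributes below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataClass:
    name: str
    sensitivity: str            # "public" | "internal" | "confidential" | "restricted"
    allowed_regions: frozenset  # localization requirement; empty means no restriction
    customer_held_keys: bool    # must decryption keys remain under customer control?
    retention_days: int         # entry from the customer's retention and disposition schedule


@dataclass(frozen=True)
class Offering:
    deployment: str             # "public" | "community" | "private" | "hybrid"
    regions: frozenset          # regions in which the provider would store and process data
    encryption_at_rest: bool
    customer_managed_keys: bool # provider supports keys held by the customer
    max_retention_days: int     # longest retention period the provider commits to


# Minimum protection expected per sensitivity level (assumption, not from the Notes).
PROTECTION = {
    "public": frozenset(),
    "internal": frozenset({"encryption_at_rest"}),
    "confidential": frozenset({"encryption_at_rest", "customer_managed_keys"}),
    "restricted": frozenset({"encryption_at_rest", "customer_managed_keys", "private"}),
}

# Constructed manifest: one entry per class of data the customer intends to migrate.
MANIFEST = [
    DataClass("marketing-assets", "public", frozenset(), False, 365),
    DataClass("support-tickets", "internal", frozenset({"eu-west", "eu-central"}), False, 730),
    DataClass("customer-pii", "restricted", frozenset({"eu-central"}), True, 1825),
]

# Constructed offering: attributes a provider might disclose at the pre-contractual stage.
OFFERING = Offering("public", frozenset({"eu-west", "us-east"}), True, False, 1095)


def check_class(dc: DataClass, offer: Offering) -> list:
    """Return the requirements of one data class that the offering does not meet."""
    gaps = []
    # Localization: every region the provider may use must be on the allowed list.
    if dc.allowed_regions and not offer.regions <= dc.allowed_regions:
        outside = sorted(offer.regions - dc.allowed_regions)
        gaps.append(f"localization: provider may use regions {outside}")
    need = PROTECTION[dc.sensitivity]
    if "encryption_at_rest" in need and not offer.encryption_at_rest:
        gaps.append("encryption at rest not offered")
    if (dc.customer_held_keys or "customer_managed_keys" in need) and not offer.customer_managed_keys:
        gaps.append("customer-held decryption keys not supported")
    if "private" in need and offer.deployment != "private":
        gaps.append(f"deployment model is {offer.deployment}; private required")
    if dc.retention_days > offer.max_retention_days:
        gaps.append(f"retention {dc.retention_days}d exceeds provider maximum "
                    f"{offer.max_retention_days}d")
    return gaps


def check_manifest(manifest, offer):
    """Map each data class name to its list of unmet requirements."""
    return {dc.name: check_class(dc, offer) for dc in manifest}


def ready_to_migrate(manifest, offer):
    """Names of the classes that this offering can take without further contractual terms."""
    return [name for name, gaps in check_manifest(manifest, offer).items() if not gaps]


if __name__ == "__main__":
    for name, gaps in check_manifest(MANIFEST, OFFERING).items():
        print(name, "->", "OK" if not gaps else "; ".join(gaps))
```

On the constructed input only the public class is ready to migrate; the support tickets fail on localization alone, and the personal data class fails on localization, key custody, deployment model and retention, which is exactly the list the customer would need to settle with the provider (or by choosing another offering) before migration.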
Part two. Drafting a contract

A. General considerations

Freedom of contract

34. The widely recognized principle of freedom of contract in business transactions allows parties to enter into a contract and to determine its content. Restrictions on freedom of contract may stem from legislation on non-negotiable terms applicable to particular types of contract or from rules that sanction abuse of rights and harm to public order, morality and so forth. The consequences of non-compliance with those restrictions may range from unenforceability of the contract or part of it to civil, administrative or criminal liability.

Contract formation
35. The concepts of offer and acceptance have traditionally been used to determine whether and when the parties have reached an agreement as regards their respective legal rights and obligations that will bind them for the duration of the contract. The applicable law may require certain conditions to be fulfilled for a proposal to conclude a contract to constitute a final binding offer (e.g., the proposal must be sufficiently definite as regards the covered cloud computing services and payment terms).

36. The contract is concluded when the acceptance of the offer becomes effective. There could be different acceptance mechanisms (e.g., for the customer, clicking a check box on a web page, registering online for a cloud computing service, starting to use the services or paying a service fee; for the provider, starting or continuing to provide the services; and for both parties, signing a contract online or on paper). Material changes to the offer (e.g., as regards liability, the quality and quantity of the cloud computing services to be delivered or payment terms) may constitute a counteroffer that requires acceptance by the other party for a contract to be concluded.

37. Standardized commoditized multi-subscriber cloud solutions are as a rule offered through interactive applications (e.g., "click-wrap" agreements). There may be no or very little room for negotiating and adjusting the standard offer. Clicking "I accept", "OK" or "I agree" is the only step expected to be taken to conclude the contract. Where negotiation of a contract is involved, contract formation may consist of a series of steps, including a preliminary exchange of information, negotiations, delivery and acceptance of an offer and preparation of the contract.

Contract form
38. Cloud computing contracts are typically concluded online. They may be called differently (a cloud computing service agreement, a master service agreement or terms of service (TOS)) and may comprise one or more documents, such as an acceptable use policy (AUP), a service level agreement (SLA), a data processing agreement or data protection policy, a security policy and a licence agreement.

39. The legal rules applicable to cloud computing contracts may require that the contract be in writing, especially where personal data processing is involved, and that all documents incorporated by reference be attached to the master contract. Even when written form is not required, for ease of reference, clarity, completeness, enforceability and effectiveness of the contract, the parties may decide to conclude the contract in writing with all ancillary agreements incorporated into it.

40. The signing of a contract on paper may be required under the applicable law for specific purposes, such as tax purposes, although that type of requirement is becoming rare in an increasingly paperless environment.
Definitions and terminology

41. Due to the nature of cloud computing services, cloud computing contracts by necessity contain many technical terms. A glossary of terms may be included in the contract, as may definitions of the main terms used throughout the contract, to avoid ambiguity in their interpretation. The parties may wish to consider using internationally established terminology for the purpose of ensuring consistency and legal clarity.

Usual contract content
42. A contract normally: (a) identifies the contracting parties; (b) defines the scope and object of the contract; (c) specifies the rights and obligations of the parties, including payment terms; (d) establishes the duration of the contract and the conditions for its termination and renewal; (e) identifies remedies for breach and exemptions from liability; and (f) specifies the effects of termination of the contract. It also usually contains clauses on dispute resolution, choice of law and choice of forum. The content, style and structure of contracts may vary significantly, reflecting various legal traditions, drafting styles, legal requirements and the parties' needs and preferences.
B. Identification of contracting parties

43. The correct identification of the contracting parties may have a direct impact on the formation and enforceability of the contract. The applicable law would specify the information needed to ascertain the legal personality of a business entity and its capacity to enter into a contract. The law may require additional information for specific purposes, for example, an identification number for tax purposes or a power of attorney to ascertain the power of a natural person to sign and commit on behalf of a legal entity.
C. Defining the scope and the object of the contract

44. The objects of cloud computing contracts vary substantially in type and complexity, given the range of cloud computing services. Within the duration of a single contract, the object may change: some cloud computing services may be cancelled and other services may be added. The object of the contract may comprise the provision of core, ancillary and optional services.

45. The description of the object of the contract usually includes a description of the type of cloud computing services (SaaS, PaaS, IaaS or a combination thereof), their deployment model (public, community, private or hybrid), their technical, quality and performance characteristics and any applicable technical standards. Several documents comprising the contract may be relevant for determining the object of the contract (see para. 38 above).

Service level agreement
46. The service level agreement (SLA) contains the performance parameters against which the delivery of the cloud computing services, the extent of the contractual obligations and possible contractual breaches by the provider will be measured. Information technology specialists are normally involved in the formulation of the performance parameters.

47. Quantitative performance parameters usually relate to capacity (a specified capacity of data storage or a specified amount of memory available to the running program), downtime or outages, latency, persistence of data storage, uptime, support services (e.g., during the customer's operating hours or 24/7), and incident and disaster management and recovery plans. The latter may include the maximum incident resolution time, the maximum first response time, recovery point objectives and recovery time objectives.

48. Qualitative performance parameters may relate to data deletion, data localization requirements, portability, security and data protection/privacy. Some aspects of the service may be measured against both qualitative and quantitative performance parameters. For example, elasticity and scalability may be defined with reference to both the maximum resources available within a specified minimum period and the quality and security of the measures that may need to be adapted to the varying degrees of sensitivity of the stored customer data. Encryption may be expressed as a defined bit value at rest, in transit and in use; a bit length alone does not identify the algorithm or mode of operation, so such a parameter is usually tied to a named standard. In addition to or instead of such a quantitative parameter, encryption may be measured against a qualitative parameter (e.g., the provider is to ensure that customer data are encrypted whenever they are transported over a public communication network and whenever they are at rest in data centres used by the provider).

49. Different commitments (i.e., obligations of result or of best efforts) could be agreed upon, depending in particular on the terms of payment and on whether standardized commoditized multi-subscriber solutions are provided. The type of commitment would have implications, including for the burden of proof in case of dispute.

Performance measurement
50. The parties may include in the contract a measurement methodology and procedures, specifying in particular the reference period for the measurement of services (daily, weekly, monthly, etc.), service delivery reporting mechanisms (i.e., the frequency and form of such reporting), the roles and responsibilities of the parties and the metrics to be used (e.g., metrics at the point of provision or at the point of consumption of the services). The parties may agree on independent measurement of performance and on how the related costs are to be allocated.

51. The customer is normally interested in measuring services during peak hours, i.e., when they are most needed. The customer is usually able to measure (or verify the measurements provided by the provider or third parties) only those metrics that are based on performance at the point of consumption, but not those based on system performance at the point of provision of the services. Point-of-consumption measurements also reflect the network path between the customer and the provider, which is one reason for fixing the measurement point in the contract. The customer may be able to evaluate performance at the point of provision on the basis of reports provided by the provider or third parties. The provider may agree to provide the customer with performance reports on demand, periodically (daily, weekly, monthly, etc.) or following a particular incident. Alternatively, the provider may agree to grant the customer the right to review the provider's records related to the service-level measurements. Some providers enable customers to monitor data on service performance in real time.

52. The contract may oblige either or both parties to maintain records about the provision and consumption of the services for a certain time. Such information may be useful in negotiating any amendments to the contract and in case of dispute.
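As an added illustration of the measurement methodology discussed above (this is example code written for this page, not part of the UNCITRAL notes), the following Python evaluates one monthly reference period of the customer's own point-of-consumption probe results, plus one incident record, against quantitative parameters of the kind listed in the SLA paragraphs: availability overall and during peak hours, a per-probe latency ceiling, maximum first response and resolution times, and recovery point and recovery time objectives. The class names, the peak-hour window, the thresholds and the sample data are all constructed assumptions.

```python
"""SLA measurement at the point of consumption over one reference period.

Added example (not from the UNCITRAL notes). Class names, thresholds,
the peak window and the sample period are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sla:
    uptime_pct: float             # minimum availability over the reference period
    max_latency_ms: float         # ceiling for any single probe
    max_first_response: timedelta
    max_resolution: timedelta
    rpo: timedelta                # recovery point objective: tolerable data-loss window
    rto: timedelta                # recovery time objective: tolerable interruption


@dataclass(frozen=True)
class Probe:
    at: datetime
    ok: bool
    latency_ms: float


@dataclass(frozen=True)
class Incident:
    outage_start: datetime
    reported: datetime
    first_response: datetime
    service_restored: datetime
    resolved: datetime            # ticket closed; may be later than restoration
    last_good_backup: datetime    # recovery point the service was restored to


def availability_pct(probes, peak=None):
    """Percentage of successful probes, optionally restricted to a peak window
    given as (start_hour, end_hour) with the end exclusive."""
    if peak is not None:
        lo, hi = peak
        probes = [p for p in probes if lo <= p.at.hour < hi]
    if not probes:
        raise ValueError("no probes in the measurement window")
    return 100.0 * sum(p.ok for p in probes) / len(probes)


def incident_breaches(sla, inc):
    """Names of the incident-handling parameters this incident breached."""
    breaches = []
    if inc.first_response - inc.reported > sla.max_first_response:
        breaches.append("first_response")
    if inc.resolved - inc.reported > sla.max_resolution:
        breaches.append("resolution")
    if inc.outage_start - inc.last_good_backup > sla.rpo:
        breaches.append("rpo")
    if inc.service_restored - inc.outage_start > sla.rto:
        breaches.append("rto")
    return breaches


def evaluate_period(sla, probes, incidents, peak=(9, 18)):
    """Service report for one reference period, computed from what the
    customer can observe itself at the point of consumption."""
    report = {
        "availability_pct": round(availability_pct(probes), 3),
        "peak_availability_pct": round(availability_pct(probes, peak), 3),
        "latency_breaches": sum(p.latency_ms > sla.max_latency_ms for p in probes),
        "incident_breaches": [incident_breaches(sla, inc) for inc in incidents],
    }
    report["compliant"] = (
        report["availability_pct"] >= sla.uptime_pct
        and report["latency_breaches"] == 0
        and not any(report["incident_breaches"])
    )
    return report


SAMPLE_SLA = Sla(
    uptime_pct=99.9,
    max_latency_ms=500.0,
    max_first_response=timedelta(minutes=30),
    max_resolution=timedelta(hours=4),
    rpo=timedelta(hours=1),
    rto=timedelta(hours=2),
)


def build_sample_period():
    """Constructed June 2019 data: hourly probes, one three-hour outage on
    the 10th and one latency spike on the 3rd; everything else healthy."""
    start = datetime(2019, 6, 1)
    probes = []
    for hour in range(30 * 24):
        at = start + timedelta(hours=hour)
        down = at.day == 10 and 14 <= at.hour <= 16
        latency = 900.0 if (at.day == 3 and at.hour == 12) else 120.0
        probes.append(Probe(at, not down, latency))
    incidents = [Incident(
        outage_start=datetime(2019, 6, 10, 14, 0),
        reported=datetime(2019, 6, 10, 14, 5),
        first_response=datetime(2019, 6, 10, 14, 40),
        service_restored=datetime(2019, 6, 10, 16, 50),
        resolved=datetime(2019, 6, 10, 17, 0),
        last_good_backup=datetime(2019, 6, 10, 12, 0),
    )]
    return probes, incidents


if __name__ == "__main__":
    probes, incidents = build_sample_period()
    print(evaluate_period(SAMPLE_SLA, probes, incidents))
```

With the constructed data the month as a whole reaches about 99.58 per cent availability but only about 98.89 per cent during the 09:00 to 18:00 peak window, which is why the reference period and the window both need to be fixed in the contract rather than left to whichever party is reporting. The incident breaches the first-response, RPO and RTO parameters while still meeting the four-hour resolution limit, showing that a single incident is measured against several independent commitments.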
Acceptable use policy

53. An acceptable use policy (AUP) sets out the conditions for use by the customer and its end users of the cloud computing services covered by the contract. It aims at protecting the provider from liability arising out of the conduct of its customers and the customers' end users. Any potential customer is expected to accept such a policy, which will form part of the contract with the provider.

54. The vast majority of standard AUPs prohibit a consistent set of activities that providers consider to be improper or illegal uses of cloud computing services. An AUP may restrict not only the type of content that may be placed on the cloud but also the customer's right to give access to data and other content placed on the cloud to third parties (e.g., nationals of certain countries or persons included in sanctions lists). The parties may agree to remove some prohibitions to accommodate specific business needs of the customer, to the extent that such removal would be permissible under law. It is usual for the provider's standard terms to require that the customer's end users also comply with the AUP and to oblige the customer to use its best efforts or commercially reasonable efforts to ensure such compliance. Some providers may require customers to affirmatively prevent any unauthorized or inappropriate use by third parties of the cloud computing services offered under the contract. The parties may agree on more limited obligations, for example, that the customer will communicate the AUP to known end users, will not authorize or knowingly allow such uses and will notify the provider of all unauthorized or inappropriate uses of which it becomes aware.

55. In a few jurisdictions, the law could impose duties on the provider as regards the content hosted on its cloud computing infrastructure, e.g., the duty to report illegal material to public authorities. Those duties may be non-transferable to the customer or to end users by the AUP or otherwise. They might have privacy and other ramifications and would be among the factors considered in choosing a suitable provider (see part one, para. 12).

Security policy
56. Security of the system, including customer data security, involves shared responsibilities of the parties. The contract would need to specify the reciprocal roles and responsibilities of the parties as regards security measures, reflecting obligations that may be imposed by mandatory law on either or both parties.

57. Usually, the provider will follow its own security policies. In some cases, although not in standardized commoditized multi-subscriber solutions, it might be possible to reach an agreement that the provider will follow the customer's security policies. The contract may specify security measures (e.g., requirements for the sanitization or deletion of data on damaged media, the storage of separate packages of data in different locations, or the storage of the customer's data on specified hardware that is dedicated to the customer). Excessive disclosure of security information in the contract may, however, be risky.

58. Some security measures do not presuppose the other party's input but rely exclusively on the relevant party's routine activities, such as inspections by the provider of the hardware on which the data are stored and on which the services run, and effective measures to ensure controlled access to it. In other cases, allowing a party to perform its duties or to evaluate and monitor the quality of the security measures delivered may presuppose the input of the other party. The customer, for example, would be expected to keep the lists of users' credentials and their access rights up to date and to inform the provider of changes in time to ensure proper identity and access management. The customer would also be expected to inform the provider about the level of security to be assigned to each category of data.

59. Some threats to security may be outside the contractual framework between the customer and the provider and may require the terms of the cloud computing contract to be aligned with other contracts of the provider and the customer (e.g., with Internet service providers).

Data integrity
60. Providers' standard contracts may contain a general disclaimer that the ultimate responsibility for preserving the integrity of the customer's data lies with the customer.

61. Some providers may be willing to undertake data integrity commitments (for example, regular backups), possibly for an additional payment. Regardless of the contractual arrangements with the provider, the customer may wish to consider whether it is necessary to secure access to at least one usable copy of its data outside the provider's and its subcontractors' control, reach or influence and independently of their participation; a copy is only usable if restoration from it is tested periodically.

Confidentiality clause
62. The provider's willingness to commit to ensuring the confidentiality of customer data depends on the nature of the services provided to the customer under the contract, in particular on whether the provider will be required to have unencrypted access to the data in order to provide those services. Some providers may not be in a position to offer a confidentiality or non-disclosure clause and may expressly waive any duty of confidentiality regarding customer data. Other providers may be willing to assume liability for the confidentiality of data disclosed by the customer during contract negotiations, but not for data processed during service provision. Some standard confidentiality clauses offered by providers may not be sufficient to ensure compliance with applicable law.

63. In the absence of contractual commitments and statutory obligations on the provider to maintain confidentiality, the customer may have full responsibility for keeping its data confidential (e.g., through encryption with keys that the provider does not hold). Where it is not possible to negotiate a general confidentiality clause applicable to all customer data placed in the cloud, the parties may agree on confidentiality commitments as regards certain sensitive data (with a separate liability regime for breach of confidentiality of such data). The customer may in particular be concerned about its trade secrets, know-how and information that it is required to keep confidential under law or under commitments to third parties. The parties may agree to restrict access to such data to a limited set of personnel and to require individual confidentiality commitments from them, in particular from those in high-risk roles (e.g., system administrators, auditors and persons dealing with intrusion detection reports and incident response). In those cases, the customer would normally specify to the provider such information, the required level of protection, any applicable legal or contractual requirements and any changes affecting such information, including any changes in the applicable law.

64. In some cases, the disclosure of customer data may be necessary for the fulfilment of the contract. In other cases, the disclosure may be mandated by law, for example, under a duty to provide information to competent State authorities (see para. 82 below). Appropriate exceptions to confidentiality clauses would thus be warranted.

65. The provider may in turn impose on the customer the obligation not to disclose information about the provider's security arrangements and other details of the services provided to the customer under the contract or law.
Data protection/privacy policy or data processing agreement

66. Personal data are subject to special protection by law in many jurisdictions. The law applicable to personal data processing may be different from the law applicable to the contract and will override any non-compliant contractual clauses.

67. The contract may include a data protection or privacy clause, a data processing agreement or a similar type of agreement, although some providers may agree only to a general obligation to comply with applicable data protection laws. In some jurisdictions, such a general commitment may be insufficient: the contract would need to stipulate at a minimum the subject matter and duration, nature and purpose of the personal data processing, the type of personal data and the categories of data subjects, and the obligations and rights of the data controller and the data processor. Where it is not possible to negotiate a data protection clause in the contract, the customer may wish to review the standard terms to determine whether their provisions give the customer sufficient guarantees of lawful personal data processing and adequate remedies for damages.

68. The customer will likely be the data controller and will assume responsibility for compliance with the data protection law in respect of personal data collected and processed in the cloud. The parties may agree on contractual clauses aimed at ensuring compliance with the applicable data protection regulations, including the handling of requests related to data subjects' rights. The parties may also agree on separate remedies should those clauses be breached, including unilateral termination of the contract and compensation for damages.

69. Providers' standard contracts usually stipulate that the provider does not assume any data controller role. The provider will likely act as the data processor only when it processes the customer's data according to the instructions of the customer for the sole purpose of providing the cloud computing services. In some jurisdictions, the provider may, however, be regarded as the data controller, regardless of contractual clauses, when it further processes data for its own purposes or upon the instructions of State authorities, and could thus assume full responsibility for personal data protection in respect of that further processing (see para. 125 below).
Obligations arising from data breaches and other security incidents

70. The parties may be required under law or contract (or both) to notify each other immediately of a security incident of relevance to the contract, or of any suspicion of one, that becomes known to them. That obligation may be in addition to the general notification of a security incident that may be required under law to inform all relevant stakeholders (including data subjects, insurers and State authorities, or the public at large) in order to prevent or minimize the impact of security incidents.

71. The law may contain specific security incident notification requirements, including the timing of notification, and may identify the persons responsible for complying with them. Subject to those mandatory provisions, the parties may specify in the contract the notification period (e.g., one day after the party becomes aware of the incident or threat) and the form and content of the security incident notification. The latter usually include the circumstances and cause of the incident, the type of data affected, the steps to be taken to resolve the incident, the time at which the incident is expected to be resolved and any contingency plan to be employed while the incident is being resolved. They may also include information on failed breach attempts, attacks against specific targets (per customer user, per specific application, per specific physical machine), trends and statistics. Any notification requirements normally take into account the need not to disclose any sensitive information that could lead to the compromise of the affected party's system, operations or network.

72. The provider, the customer, or both, including by involving a third party, may be required by law or contract to take measures after a security incident (so-called "post-incident steps"), including the isolation or quarantine of affected areas, the performance of root cause analysis and the production of an incident analysis report. The incident analysis report may be produced by the affected party, by the affected party jointly with the other party or by an independent third party.

73. Post-incident steps may vary depending on the categories of data stored in the cloud and other factors. A serious security incident resulting in, for example, a loss of data may lead to the termination of the contract.

Data localization requirements
74. Providers' standard terms may expressly reserve the right of the provider to store customer data in any country in which the provider or its subcontractors operate. Such a practice will most likely be followed even in the absence of an explicit contractual right, since it is implicit in the provision of cloud computing services that they are provided, as a general rule, from more than one location (e.g., backup and antivirus protection may be remote, and support may be provided in a global "follow-the-sun" model). That practice may not comply with data localization requirements applicable to either or both parties (see part one, paras. 10–11).

75. Safeguards ensuring compliance with data localization requirements may be included in the contract, such as a prohibition on moving data and other content outside the specified location or a requirement of prior approval by the other party of such moves. For example, an SLA qualitative performance parameter may be included to ensure that the customer data (including any copy, metadata and backup thereof) will be stored exclusively in data centres physically located in the jurisdictions indicated in the contract and owned and operated by entities established in those jurisdictions. Alternatively, the parameter may specify, for example, that the data should never be moved outside a specific country or region but may be duplicated in a particular third country or elsewhere, but never in a specific country.
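As an added illustration of how such a localization parameter can be checked in practice (example code written for this page, not from the UNCITRAL notes), the following Python encodes the two forms of the parameter described above, a set of permitted jurisdictions with an operator-establishment condition, a set of third countries where only duplicates are tolerated, and a set of countries where no copy may ever exist, and runs an inventory of every copy of the customer's data (primary, replicas, backups and metadata) against it. It also classifies a proposed move as allowed, subject to prior approval, or forbidden, mirroring the contractual safeguards mentioned above. The rule, the inventory and the country codes are constructed assumptions; "ZZ" is a user-assigned ISO 3166 code used here as a stand-in for a prohibited country.

```python
"""Data localization check over a constructed copy inventory.

Added example (not from the UNCITRAL notes). The rule, the inventory and
the country codes are illustrative assumptions; "ZZ" is a user-assigned
ISO 3166 code standing in for a prohibited country.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalizationRule:
    allowed: frozenset           # jurisdictions where any copy may be stored
    duplication_only: frozenset  # third countries where copies (not the primary) may exist
    never: frozenset             # countries where no copy may ever be stored


@dataclass(frozen=True)
class DataCopy:
    kind: str              # "primary", "replica", "backup" or "metadata"
    country: str           # ISO 3166 alpha-2 code of the data centre location
    operator_country: str  # where the entity operating the data centre is established


def violations(rule, inventory):
    """Return one message per copy that breaches the localization parameter."""
    problems = []
    for c in inventory:
        if c.country in rule.never:
            problems.append(f"{c.kind} stored in prohibited country {c.country}")
        elif c.kind == "primary" and c.country not in rule.allowed:
            problems.append(f"primary copy outside allowed jurisdictions ({c.country})")
        elif c.country not in rule.allowed | rule.duplication_only:
            problems.append(f"{c.kind} stored outside permitted jurisdictions ({c.country})")
        # Physical location alone is not enough: the operator must be established there too.
        if c.country in rule.allowed and c.operator_country not in rule.allowed:
            problems.append(
                f"{c.kind} in {c.country} operated by an entity established in {c.operator_country}"
            )
    return problems


def transfer_decision(rule, copy, destination):
    """Classify a proposed move of one copy as 'allowed', 'approval_required'
    (the prior-approval safeguard) or 'forbidden'."""
    if destination in rule.never:
        return "forbidden"
    if destination in rule.allowed:
        return "allowed"
    if destination in rule.duplication_only and copy.kind != "primary":
        return "approval_required"
    return "forbidden"


# Constructed rule and inventory for demonstration only.
RULE = LocalizationRule(
    allowed=frozenset({"DE", "FR"}),
    duplication_only=frozenset({"CH"}),
    never=frozenset({"ZZ"}),
)
INVENTORY = [
    DataCopy("primary", "DE", "DE"),
    DataCopy("replica", "FR", "IE"),   # right country, operator established elsewhere
    DataCopy("backup", "CH", "CH"),    # tolerated duplication in a named third country
    DataCopy("metadata", "ZZ", "ZZ"),  # prohibited country
    DataCopy("backup", "US", "US"),    # outside every permitted set
]

if __name__ == "__main__":
    for problem in violations(RULE, INVENTORY):
        print("VIOLATION:", problem)
    print(transfer_decision(RULE, INVENTORY[0], "CH"))  # primary may not be duplicated
    print(transfer_decision(RULE, INVENTORY[2], "CH"))  # backup may, with prior approval
```

The inventory deliberately includes metadata and backups, because the parameter as drafted above covers "any copy, metadata and backup", and it records the operator's country of establishment separately from the data centre's location, since the parameter requires both. A check of this kind is only as good as the inventory fed to it, which is one reason the customer may want the right to review the provider's records (see para. 51 above).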
Rights to customer data and other content

Provider rights to customer data for the provision of services

76. Providers usually reserve the right to access customer data on a "need-to-know" basis. That arrangement would allow access to customer data by the provider's employees, subcontractors and other third parties (e.g., auditors) where necessary for the provision of the cloud computing services (including for maintenance, support and security purposes) and for monitoring compliance with the applicable AUP, IP licences, SLA and other contractual documents. The parties may agree on the circumstances in which the provider's access to customer data would be allowed and on the measures that would ensure the confidentiality and integrity of customer data.

77. Certain rights to access customer data can be considered to be implicitly granted by the customer to the provider by requiring a certain service or feature: without those rights, the provider would not be able to perform the services. For example, if the provider is required to regularly back up customer data, the fulfilment of that task necessitates the right to copy the data. Likewise, if subcontractors are to handle customer data, the provider must be able to transfer the data to them.

78. The contract may explicitly indicate which rights concerning the data required for the performance of the contract the customer grants to the provider, whether and to what extent the provider is entitled to transfer those rights to third parties (e.g., its subcontractors) and the geographical and temporal extent of the granted or implied rights. The geographical limitations could be particularly important when data cannot leave a certain country or region under law (see part one, paras. 10–11). Contracts typically state whether the customer is able to revoke granted or implied rights and, if so, under what conditions. Since the ability to provide the services at the required level of quality may depend on the rights granted by the customer, the direct impact of the revocation of certain rights could be the amendment or termination of the contract.
Provider use of customer data for other purposes(a)
Most jurisdictions do not grant the provider automatic rights to use the customer data for the provider’s own purposes.(b)是否会与其他组织、公司或个人共享这些信息,如果是,这样做的理由,以及这样做是否将取得客户同意;
The provider may request use of customer data for purposes other than those linked to the provision of the cloud computing services under the contract (e.g., for advertising, generating statistics, analytical or predictions reports, engaging in other data mining practice).
The questions to consider in that context may include:(c)如果提供商与第三方共享这一信息,如何确保遵守保密和安全政策。
which information about the customer and its end users will be collected and the reasons for and purposes of its collection and use by the provider;
(b) whether that information will be shared with other organizations, companies or individuals and if so, the reasons for doing so and whether this will be done with or without the customer’s consent;81.
and如果合同准予提供商为其自身目的使用客户数据的权利,合同还可列出此种使用的理由,载明对客户数据去身份化和匿名化的义务,以确保遵守任何适用的数据保护条例和其他条例,并规定对复制内容和对外公开的限制。 通常,在合同存续期间或之后准许提供商为自身目的使用客户数据,但仅限于匿名化开放数据或采用汇总和去身份化形式。
(c) how compliance with confidentiality and security policies will be ensured if the provider shares that information with third parties.提供商使用客户名称、标志和商标
Where the provider’s use of customer data will affect personal data, the parties would normally be expected to carefully assess their regulatory compliance obligations under applicable data protection laws.
80. Where the contract gives the provider rights to use the customer data for the provider’s own purposes, the contract may also list permissible grounds for such use, include obligations regarding de-identification and anonymization of customer data to ensure compliance with any applicable data protection and other regulations and impose limits on reproduction of content and communication to the public. It is common to permit the provider to use customer data for its own purposes only as anonymized open data or in aggregated and de-identified form during the term of the contract or beyond.
Provider use of customer name, logo and trademark
The providers’ standard terms may grant the provider the right to use customer names, logos and trademarks for the purposes of the provider’s publicity.
The parties may agree on the deletion or modification of such provisions, including limiting the permissible use to the customer’s name and requiring prior approval of the customer for the use of its name, logo and trademark.
Provider actions as regards customer data upon State orders or for regulatory compliance
The providers’ standard terms may reserve the right for the provider, at its discretion, to disclose, or provide access to, customer data to State authorities (e.g., by including such wording as “when doing so will be in the best interests of the provider”).
They also usually provide for the right of the provider to remove or block customer data immediately after the provider gains knowledge or becomes aware of illegal content or when it has to enforce the right of data subjects to be forgotten, in order to avoid liability under law (the “notice and take down” procedure (see para. 128 below)).
The parties may agree to narrow down the circumstances in which the provider can perform those actions, for example when the provider faces an order from a court or other State authority to provide access to, or to delete or change, data.
The parties may agree, at a minimum, that the customer will be notified without delay of State orders or the provider’s own decisions as regards customer data with a description of the data concerned, unless such notification would violate law.
Where the advance notification and involvement of the customer is not possible, the contract may require the provider to serve an immediate ex-post notification to the customer of the same information.
The parties may also agree on provisions as regards keeping logs of all orders, requests and other activities as regards customer data and providing the customer with access to those logs.
Rights to cloud service-derived data
The parties may agree on customer rights to cloud service-derived data and how such rights can be exercised during the contractual relationship and upon termination of the contract.
IP rights protection clause
Some types of cloud computing contracts may result in the creation of objects of IP rights, either jointly by the provider and the customer (e.g., service improvements arising from the customer’s suggestions) or by the customer alone (new applications, software and other original work).
The contract may contain an express IP clause that will determine which party to the contract owns IP rights to various objects deployed or developed in the cloud and the use that the parties can make of such rights.
Where no option to negotiate exists, the customer may wish to review any IP clauses to determine whether the provider offers sufficient guarantees and allows the customer appropriate tools to protect and enjoy its IP rights and avoid lock-in risks (see part one, paras. 23–26).
Interoperability and portability
There may be no statutory requirements to ensure interoperability and portability.
The onus might be completely on the customer to create compatible export routines, unless the contract provides otherwise, for example, by including contractual commitments as regards interoperability and portability and assistance with the export of data upon termination of the contract (see para. 161 below).
The contract may require the use of common, widely used standardized or interoperable export formats for data and other content or provide choice among available formats.
Contractual clauses may also be included to address rights to joint products and applications or software, without which the use of the data and other content in another system may be impossible (see para. 85 above).
Data retrieval for legal purposes
Customers may need to be able to search and find data placed in the cloud in its original form in order to meet legal requirements (for example, in investigations).
The electronic records may need to meet auditing and evidentiary standards.
Some providers may be in a position to offer customers assistance with the retrieval of data in the format required by law.
The contract may define the form and terms of such assistance.
Data deletion
Data deletion considerations may be applicable during the term of the contract, but particularly upon its termination (see para. 162 below). For example, certain data may need to be deleted according to the customer’s retention plan. Sensitive data may need to be destroyed at a specified time in its lifecycle (e.g., the destruction of hard disks at the end of the life of equipment on which such data was stored).
Data may also need to be deleted in order to comply with law enforcement deletion requests or after confirmed IP infringement cases (see para. 82 above).
The providers’ standard terms may contain only statements to delete customer data from time to time.
The parties may agree on the deletion of data, its backups and metadata immediately, effectively, irrevocably and permanently, in compliance with the data retention and disposition schedules or other form of authorization or request communicated by the customer to the provider.
The contract may address the time period and other conditions for data deletion, including obligations as regards a confirmation of the data deletion upon its completion and access to audit trails of the deletion activities.
Particular standards or techniques for deletion may be specified, depending on the nature and sensitivity of the data.
The provider may be required to delete data from different locations and media, including from subcontractors’ and other third parties’ systems, with different levels of deletion, such as data sanitization ensuring confidentiality of the data until their complete deletion or hardware destruction.
More secure deletion involving destruction rather than redeployment of equipment may be more expensive and may not always be possible (if, for example, data of other persons is stored on the same hardware).
Those aspects may trigger the inclusion of contractual requirements to use an isolated infrastructure for storing the customer’s particularly sensitive data.
E. Audits and monitoring
Monitoring activities
The parties may need to monitor activities of each other to ensure regulatory and contractual compliance (e.g., compliance of the customer and its end users with AUP and IP licences and compliance of the provider with SLA and data protection policy).
Some monitoring activities, such as those related to personal data processing, may be mandated by law.
The contract may identify periodic or recurrent monitoring activities, together with the party responsible for their performance and the obligations of the other party to facilitate monitoring.
The contract may also anticipate any exceptional monitoring activities and provide options for handling them.
The contract may also provide for reporting requirements to the other party as well as any confidentiality undertakings in conjunction with such monitoring activities.
Excessive monitoring may affect performance and increase costs of services.
The contract may provide for the requirement to suspend monitoring in certain circumstances, e.g., where monitoring is materially detrimental to the service performance.
That concern may be present particularly in case of services requiring near real-time performance.
Audit and security tests
Audit and security tests, in particular to check the effectiveness of security measures, are common.
Some audits and security tests may be mandated by law.
The contract may include clauses that address the audit rights of both parties, the scope of audits, recurrence, formalities and costs.
It may also oblige the parties to share with each other the results of the audits or security tests that they commission.
The contractual rights or statutory obligations for audit and security tests may be complemented in the contract with corresponding obligations of the other party to facilitate the exercise of such rights or fulfilment of those obligations (e.g., to grant access to the relevant data centres).
Parties may agree that audits or security tests may be performed only by professional organizations or that the provider or the customer may choose to have the audit or security test performed by a professional organization.
The contract may specify qualifications to be met by the third party and conditions for their engagement, including allocation of costs.
Special arrangements may be agreed upon by the parties for audits or security tests subsequent to an incident and depending on the severity and type of the incident (for example, the party responsible for the incident may be obliged to partially or fully reimburse costs).
F. Payment terms
96. Price is an essential contractual term, and failure to include the price or a mechanism for determining the price in the contract may render the contract unenforceable.
The on-demand self-service characteristic of cloud computing services is usually reflected in the pay-as-you-go billing system. It is common for the contract to specify the price per unit for the agreed volume of supply of the cloud computing services (e.g., for a specified number of users, number of uses or time used).
Price scales or other price adjustments, including volume discounts, may be designed as incentives or penalties for either of the parties.
Free trials are common. It is also common not to charge for some services. Although there could be many variations for price calculation, a clear and transparent price clause, understood by both parties, may avoid conflict and litigation.
Licensing fees
The parties may wish to clarify in the contract whether the payment for the cloud computing services encompasses licensing fees for any licences the provider may grant to the customer as part of the services.
SaaS, in particular, often involves the use by the customer of software licensed by the provider.
The licensing fees may be calculated on a per-seat or per-instance basis and fees may vary depending on the category of users (e.g., professional users, as opposed to non-professional users, may fall in one of the most expensive categories).
Different payment structures may have different implications.
For example, a customer’s licence costs may increase exponentially if software is charged on a per-instance basis each time a new machine is connected, even though the customer is using the same number of machine instances for the same duration.
100. The contract may identify the total number of potential users of software covered by the licence arrangement, the number of users in each category (e.g., employees, independent contractors and suppliers) and the rights to be granted to each category of users.
The contract may also identify access and use rights that will be included in the scope of the licence and cases of access and use by the customer and its end users that may lead to an expanded scope of the licence and consequently to increased licensing fees.
Additional costs
The price may cover also one-off costs (e.g., configuration and migration to the cloud (see part one, paras. 32–33)).
There could also be additional services offered by the provider against separate payment (e.g., support after business hours charged per time or provided for a fixed price).
Cloud computing services may fall within the category of taxable services or goods in some jurisdictions.
The parties may wish to address in the contract the impact of taxes on payment terms.
Other payment terms
Payment terms may cover invoicing modalities (e.g., e-invoicing) and the form and content of the invoice, which may be important for tax compliance.
Tax authorities of some jurisdictions may not accept electronic invoices (although this is becoming rare in an increasingly paperless environment) or may require a special format, including that any tax applicable to the cloud computing services may need to be stated separately.
The parties may wish to include, among other payment terms, payment due date, currency, the applicable exchange rate, manner of payment, sanctions in case of late payment and procedures for resolving disputes over payment claims.
G. Changes in services
105. Cloud computing services are by nature flexible and fluctuating. The elasticity, scalability and on-demand self-service characteristics of cloud computing services are usually enabled through many contractual options that the customer may use to adjust the consumption of services according to its needs. This prevents the need for renegotiation of the contract each time the customer requires a change in the consumption of services.
The provider in turn may reserve the right to adjust its service portfolio at its discretion.
Different contractual treatment may be appropriate depending on whether changes concern the core services or ancillary services and support aspects.
Different contractual treatment may also apply to changes that might negatively affect services as opposed to changes that lead to service improvements (e.g., a switch from a standard offering to an enhanced cloud computing offering with higher security levels or shorter response times).
The consequences of some unilateral changes of the terms and conditions of the contract by the provider may be severe for the customer, in particular translating into high costs of migration to another system.
Changes in price
The provider may reserve the right to unilaterally modify the price or price scales.
The parties may agree to specify in the contract the pricing methodology (e.g., how frequently the provider can increase prices and by how much). The prices may be capped to a specific consumer price index, to a set percentage or to the provider’s price list at a given moment.
The contract may provide for advance notice of a price increase and the consequences of non-acceptance of the price increase by the customer.
Upgrades
Although upgrades may be in the customer’s interests, they may also cause disruptions in the availability of cloud computing services since they could translate into relatively high downtime during normal working hours even if the service is to be provided on a 24/7 basis.
The parties may agree on advance notification to the customer of pending upgrades and the implications thereof and that upgrades, as a rule, will take place during periods of little or no demand for the customer.
The contract may also provide for procedures for reporting and solving possible problems.
Upgrades may have other negative impacts, for example, requiring changes to customer applications or information technology systems or the retraining of customer users.
The contract may provide for the allocation of the costs arising from upgrades.
The parties may also agree that the older version of the provided service should be retained in parallel with the new version for an agreed period of time in cases where significant changes are to be made to the previous version, in order to ensure the customer’s business continuity. The contract may also address assistance that may be offered by the provider with changes to customer applications or information technology systems and with retraining of the customer’s end users, when required.
Degradation or discontinuation of services
Technological developments, competitive pressure or other causes may lead to the degradation of some cloud computing services or their discontinuation with or without their replacement by other services.
The provider may reserve in the contract the right to adjust the service portfolio offering (e.g., by terminating a portion of the services).
Discontinuation of even some cloud computing services by the provider may, however, expose the customer to liability to its end users.
The contract may provide for an advance notification of those changes to the customer, the customer’s right to terminate the contract in the case of unacceptable changes and an adequate retention period to ensure the timely reversibility of any affected customer data or other content.
Some contracts prohibit modifications that could negatively affect the nature, scope or quality of provided services, or limit permissible changes to “commercially reasonable modifications”.
Notification of changes
The providers’ standard terms may contain an obligation on the provider to notify the customer about changes in the terms of services.
If not, customers may be required to check regularly whether there have been any changes in the contract.
Documents forming the contract may be numerous (see para. 38 above). Some may incorporate by reference terms and policies contained in other documents, which may in turn incorporate by reference additional terms and policies, all of which may be subject to unilateral modification by the provider. Those different documents may not necessarily be hosted in one place on the provider’s website.
Changes introduced by the provider to the contract may therefore not be easy to notice.
Since the continued use of services by the customer is deemed to be acceptance of the modified terms, the parties may agree that the customer will be notified of changes in the terms of services sufficiently in advance of their effective date.
The parties may also agree that the customer will have access to audit trails concerning the evolution of services and that all agreed terms and the definition of the services by reference to a particular version or release will be preserved.
H. Suspension of services
The providers’ standard terms may contain the right of the provider to suspend services, at its discretion, at any time.
“Unforeseeable events” is a common justification for unilateral suspension of services by the provider.
Such events are usually defined as broadly encompassing any impediments beyond the provider’s control, including failures of subcontractors, sub-providers and other third parties involved in the provision of the cloud computing services to the customer, such as Internet network providers.
The parties may agree that suspension of services may occur only in limited cases identified in the contract (e.g., in case of fundamental breach of the contract by the customer, for example, non-payment).
The right of suspension due to unforeseeable events may be conditioned on properly implementing a business continuity and disaster recovery plan.
The contract may require that such a plan contains protections against common threats to the provision of the cloud computing services and be submitted for comment and approval by the other party.
Those protections may include a geographically separate disaster recovery site with seamless transition and the use of an uninterruptible power supply and backup generators.
Subcontractors, sub-providers and outsourcing
Identification of the subcontracting chain
116. Subcontracting, layered cloud computing services and outsourcing are common in the cloud computing environment. The providers’ standard terms may explicitly reserve the provider’s right to use third parties for the provision of the cloud computing services to the customer, or that right may be implicit because of the nature of services to be provided. The provider may be interested in retaining as much flexibility as possible in that respect.
The law may require the parties to identify in the contract any third parties involved in the provision of the cloud computing services.
Such identification may also be beneficial to the customer for verification purposes, in particular of compliance of third parties with security, confidentiality, data protection and other requirements arising from the contract or law and of the absence of conflicts of interest on the part of third parties.
That information may also be used for mitigation of risks of non-performance of the contract by the provider due to failures of third parties.
For example, the customer may opt to contract directly with third parties instrumental to the performance of the cloud computing contract, in particular on such sensitive issues as confidentiality and personal data processing. The customer may also try to negotiate with key third parties obligations to step in if the provider fails to perform under the contract, including in case of the provider’s insolvency.
The provider may be in a position to identify those third parties playing key roles but not all third parties.
The pool of third parties involved in the provision of cloud computing services may change during the contract (see paras. 120–121 below).
Changes in the subcontracting chain
120. Unilateral changes in the subcontracting chain are common.
The contract may specify whether changes in the subcontracting chain are permitted and if so, under which conditions (e.g., the customer may reserve the right to vet and veto any new third party involved in the provision of the cloud computing services to the customer before the change is implemented). Alternatively, the contract may include the list of third parties pre-approved by the customer, from which the provider can choose when the need arises. Another option is to subject the change to subsequent approval by the customer, in the absence of which services would need to continue with the previous or other pre-approved third party or with another third party to be agreed by the parties. Otherwise, the contract may be terminated.
Mandatory applicable law may stipulate circumstances in which changes in a provider’s subcontracting chain may require termination of the contract.
Alignment of contract terms with linked contracts
The law or the contract may require the parties to align the terms of the contract with existing or future linked contracts to ensure confidentiality and compliance with data localization and data protection requirements.
The contract may oblige parties to supply each other with copies of linked contracts for verification purposes.
Liability of subcontractors, sub-providers and other third parties
Although third parties instrumental to the performance of the cloud computing contract may be listed in the contract, they would not be parties to the contract between the provider and the customer.
They would be liable for obligations under their contracts with the provider.
The creation of third-party beneficiary rights for the benefit of the customer in linked contracts, or making the customer a party to linked contracts, would allow the customer’s direct recourse against the third party in case of that third party’s non-performance under a linked contract.
Under applicable law or contract, the provider may be held liable to the customer for any issue within the responsibility of any third party whom the provider involved in the performance of the contract.
In particular, the joint liability of the provider and its subcontractors may be established by law for any issues arising from personal data processing, depending on the extent of subcontractors’ involvement in processing.
Statutory limitations to contractual freedom
125. While most legal systems generally recognize the right of contracting parties to allocate risks and liabilities and to limit or exclude liability through contractual provisions, this right is usually subject to various limitations and conditions. For example, an important factor in risk and liability allocation in personal data processing is the role that each party assumes as regards personal data placed in the cloud. The data protection law of certain jurisdictions imposes more liability on the data controller than on data processors of personal data. Notwithstanding contractual provisions, the factual handling of such data will generally determine the legal regime to which the party would be subject under applicable law. Data subjects who have suffered loss resulting from unlawful processing of personal data or any act incompatible with domestic data protection regulations may be entitled to compensation directly from the data controller.
In addition, in many jurisdictions a total exclusion of liability for a person’s own fault is not admissible or is subject to limitations.
It might not be possible to exclude altogether liability related to personal injury (including sickness and death) and for gross negligence, intentional harm, defects, breach of core obligations essential for the contract or non-compliance with applicable regulatory requirements.
Some types of limitation clauses, such as waiver of liability by the provider for security incidents in cases where the customer has no control or ability to effect security, may be found to be “abusive” and therefore invalid.
The terms of contracts of adhesion, which are typically not negotiated but pre-established by one of the parties, may be subject to particular scrutiny.
In addition, unlimited liability may flow from certain types of defects under law (e.g., defective hardware or software).
The ability of public institutions to assume certain liabilities may be restricted by law, or public institutions would need to seek prior approval of a competent State body for doing so.
They may also be prohibited from accepting exclusion or limitation of a provider’s liability altogether or for acts or omissions defined in law.
The applicable law may, on the other hand, provide for exemption from liability if certain criteria are fulfilled by a party that would otherwise face a risk of liability.
For example, under the “notice and take down” procedure (see para. 82 above) in some jurisdictions, the provider will be released from liability for hosting the illegal content on its cloud infrastructure if it removed such content once it became aware of it.
In some jurisdictions, to be enforceable, the clauses containing disclaimers and limitations of liability agreed upon by the parties must be included in the contract.
The applicable law might impose form or other requirements for the validity and enforceability of those clauses.
Other considerations for drafting liability clauses
130. The amount, if any, charged for the cloud computing services and the risks involved in the provision of the services would all be considered in negotiating the allocation of risks and liabilities. Although parties generally tend to exclude or limit liability as regards factors that they cannot control or can control only to a limited extent (e.g., behaviour of end users, actions or omissions of subcontractors), the level of control would not always be a decisive consideration.
A party may be prepared to assume risks and liability for elements that it does not control in order to distinguish itself in the marketplace.
It is nevertheless likely that the party’s risks and liabilities would increase progressively in proportion to the components under its control.
For example, in SaaS involving the use of standard office software, it is likely that the provider would be responsible for virtually all resources provided to the customer, and liability of the provider could arise in each case of non-provision or malfunctioning of those resources.例如,在涉及使用标准办公软件的软件即服务(SaaS)模式下,提供商很可能对提供给客户的几乎所有资源负责,每次发生这些资源不到位或出现故障的情况,提供商可能都要承担赔偿责任。
Nevertheless, even in those cases, the customer could still be responsible for some components of the services, such as encryption or backups of data under its control.尽管如此,即使在这些情况下,客户可能仍然要对服务的某些部分负责,例如,对其控制下的数据加密或备份。 如果不能确保适当备份,一旦数据丢失可能导致丧失对提供商的追索权。 另一方面,在基础设施即服务(IaaS)和平台即服务(PaaS)模式下,提供商仅对所提供的基础设施和平台(如硬件资源、操作系统或中间设备)负责,而客户将对所有属于客户的部分承担责任,例如,使用所提供的基础设施或平台及其中所含数据运行的应用程序。 提供商的标准条款
The failure to ensure adequate backups might lead to the loss of the right of recourse against the provider in case of the loss of data. On the other hand, in IaaS and PaaS, the provider could be responsible only for the infrastructure or platforms provided (such as hardware resources, operating system or middleware), while the customer would assume responsibility for all components belonging to it, such as applications run using the provided infrastructure or platforms and data contained therein. Providers’ standard terms133.
Providers’ standard terms may exclude any liability under the contract and take the position that liability clauses are non-negotiable.
Alternatively, the provider may be willing to accept liability, including unlimited liability, for breaches controllable by the provider (e.g., a breach of IP licenses granted to the provider by the customer) but not for breaches that may occur for reasons beyond the provider’s control (e.g., unforeseeable events or leaks of confidential data).
Providers’ standard terms generally exclude liability for indirect or consequential loss (e.g., loss of business opportunities following the unavailability of the cloud computing service).
Where liability is accepted generally or for certain specified cases, providers’ standard terms often limit the amount of losses that will be covered (per incident, per series of incidents or per period of time).
In addition, providers often fix an overall cap on liability under the contract, which may be linked to the revenue expected to be received under the contract, to the turnover of the provider or to its insurance coverage.
Providers’ standard terms usually impose liability on the customer for non-compliance with the AUP.
Possible variations of standard terms
Some events (e.g., personal data protection violations and IP rights infringement) could expose either party to potentially high liability to third parties or give rise to regulatory fines.
It is common to agree on a more stringent liability regime (unlimited liability or higher compensation) when those events occur due to the fault or negligence of the other party.
Liability of the parties for actions of third parties that they cannot control (e.g., of the customer for actions of end users, or of the provider for actions of the customer or its end users) may be limited or excluded by contract or law.
Liability insurance
The contract may contain insurance obligations for both or either party, in particular as regards quality requirements for the insurance company and the minimum amount of insurance coverage sought.
It may also require the parties to notify each other of changes to the insurance coverage or to provide each other with copies of current insurance policies.
K. Remedies for breach of the contract
Types of remedies
The parties are free to select remedies within the limits of the applicable law.
Remedies may include in-kind remedies aimed at providing the aggrieved party with the same or an equivalent benefit to that expected from contract performance (e.g., replacement of defective hardware), monetary remedies (e.g., service credits) and termination of the contract.
The contract could differentiate between types of breaches and specify corresponding remedies.
Suspension or termination of services
Suspension or termination of the provision of the cloud computing services is a usual remedy of the provider for the customer’s breach of the contract or violation of the AUP by the customer’s end users.
The contract may include safeguards against broad suspension or termination rights.
For example, the right of the provider to suspend or terminate the provision of the cloud computing services to the customer may be limited to cases of fundamental breach of the contract by the customer, significant threats to the security or integrity of the provider’s system and cases stated in the applicable law.
The provider’s right to suspend or terminate may also be restricted to only those services that are affected by the breach, where such a possibility exists.
Service credits
An often-used mechanism to compensate the customer for non-performance by the provider is the system of service credits.
Those credits take the form of a reduced fee for the services to be provided under the contract in the following measured period.
A sliding scale may apply (i.e., the percentage of reduction may depend on the extent to which the provider’s performance under the contract falls short of the performance parameters identified in the SLA or other parts of the contract).
An overall cap for service credits may also apply.
Providers may limit the circumstances in which service credits are given to those, for example, where failures arise from matters under the provider’s control or where credits are claimed within a certain period of time.
Some providers may also be willing to offer a refund of fees already paid or an enhanced service package in the following measured period (e.g., free information technology consultancy).
If a range of options exists, providers’ standard terms may stipulate that any remedy for provider non-performance will be at the choice of the provider.
Fixing service credits as the sole and exclusive remedy for the provider’s non-performance of its contractual commitments may limit the customer’s rights to other remedies, including suing for damages or terminating the contract.
In addition, service credits in the form of a fee reduction or an enhanced service package in the following measured period may be useless if the contract is terminated.
Excessive service credits may be unenforceable if they are considered an unreasonable approximation of harm at the outset of the contract.
Other measures, such as penalties (where admissible) or liquidated damages, may provide more appropriate incentives for ensuring contractual compliance.
Formalities to be followed in case of breach of the contract
The contract may set forth procedures to be followed in cases of breach.
For example, the contract could require a party to notify the other party when any terms of the contract are deemed to be violated and to provide a chance to remedy such asserted violation.
Time limits for claiming remedies may also be set.
L. Term and termination of the contract
Effective start date of the contract
The effective start date of the contract may be different from the signature date, the date of acceptance of the offer or the date of acceptance of configuration and other actions required for the customer to migrate to the cloud.
The date when the cloud computing services are made available to the customer by the provider, even if they are not actually used by the customer, may be considered the effective start date of the contract.
The date of the first payment by the customer for the cloud computing services, even if they are not yet made available to the customer by the provider, may also be considered the effective start date of the contract.
For those reasons and to avoid uncertainties, the parties may indicate the effective start date in the contract.
Duration of the contract
The duration of the contract could be short, medium or long.
It is common in standardized commoditized multi-subscriber cloud solutions to provide for a fixed initial duration (short or medium), with automatic renewals unless terminated by either party.
The provider may agree to serve the customer with advance notification of the upcoming expiration of the term of the contract.
Various considerations, including the risks of lock-in and of missing better deals, may impact a decision on renewal.
Earlier termination
Contracts usually address reasons for termination other than upon expiration of the fixed term, such as termination for convenience, for breach or for other reasons.
The contract may provide modalities for earlier termination, including requirements for sufficiently advance notice, reversibility and other end-of-service commitments (see paras. 157–167 below).
Termination for convenience
Providers’ standard terms, especially for the provision of standardized commoditized multi-subscriber cloud solutions, usually reserve the right of the provider to terminate the contract at any time without customer default.
The parties may agree to limit the circumstances under which such a right could be exercised and oblige the provider to serve the customer with sufficiently advance notice of termination.
The customer’s right to terminate the contract for convenience (i.e., without the default of the provider) is especially common in public contracts.
The provider may demand payment of early termination fees in such cases.
Payment of early termination fees by public entities may, however, be restricted by law.
In contracts of indefinite duration, providers may be more inclined to accept termination by the customer for mere convenience without compensation, but that might also lead to a higher contract price.
Termination for breach
Fundamental breach usually justifies termination of the contract.
To avoid ambiguities, the parties may define in the contract the events that constitute a fundamental breach of the contract.
Fundamental breach of the contract by the provider may include data loss or misuse, personal data protection violations, recurrent security incidents (e.g., more than a certain number of times per measured period), confidentiality leaks and non-availability of services at certain time points or for a certain period of time.
Non-payment by the customer and violation of the AUP by the customer or its end users are among the most common reasons for termination of the contract by the provider.
The party’s right to terminate the contract may be conditional on serving a prior notice, holding good faith consultations and providing a possibility to remedy the situation.
The party may be obliged under the contract to restore contract performance within a certain number of days after remedial action has been taken.
The contract may address the provider’s end-of-service commitments that would survive the customer’s fundamental breach of the contract, including the reversibility of customer data and other content (see paras. 157–167 below).
Termination due to unacceptable modifications of the contract
Certain modifications to the contract by one party may not be acceptable to the other party and may justify termination of the contract.
Those modifications might include modifications to data localization requirements or subcontracting terms.
The contract may provide for the customer’s right to terminate the entire contract if modifications to the contract due to the restructuring of the provider’s service portfolio lead to the termination or replacement of some services (see paras. 105–124 above and para. 155 below).
Termination in case of insolvency
Risks of insolvency may be identified during the risk assessment (see part one, para. 15 (j)) and during the contract, for example, if periodic reporting about the financial condition of the parties is required under the contract.
Clauses allowing termination of the contract in the event of insolvency of either party are common.
Mandatory provisions of insolvency law may override those clauses.
An insolvent customer may need to continue using the cloud computing services while resolving its financial difficulty.
The parties may restrict the right to invoke insolvency as the sole ground for termination of the contract in the absence of, for example, the customer’s default in payment under the contract.
The parties may specify in the contract, or the law may provide for, mechanisms for the retrieval of customer data in case of the provider’s insolvency (e.g., an automatic release of the source code or key escrow allowing access to the customer data and other content).
Otherwise, the customer may face difficulties and delays in retrieving its data and other content from the insolvent provider’s cloud infrastructure.
Where a mass exit and withdrawal of content occurs due to a crisis of confidence in the provider’s financial position, the insolvent provider or an insolvency representative may limit the amount of content (data and application code) that can be withdrawn in a given time period or decide that end-of-service commitments should proceed on a “first come, first served” basis.
Termination in case of change of control
The change of control may, for example, involve a change in the ownership or in the capacity to determine, directly or indirectly, the operating and financial policies of the provider, which may lead to changes in the provider’s service portfolio.
The change of control may also involve the assignment or novation of the contract, with rights and obligations, or only rights, under the contract transferred to a third party.
As a result, an original party to the contract may change, or certain aspects of the contract, for example payments, may need to be performed to a third party.
The applicable law may require termination of the contract if, as a result of the change of control, mandatory requirements of law (e.g., data localization requirements or a prohibition on dealing with certain entities under an international sanctions regime or because of national security concerns) cannot be fulfilled.
Public contracts may, in particular, be affected by statutory restrictions on the change of control.
In addition, the parties may agree on termination of the contract in case of a change of control, in particular if, as a result of such change, the provider or the contract is taken over by the customer’s competitor or if the takeover leads to the discontinuation of, or significant changes in, the service portfolio.
Requiring advance notice of an upcoming change of control and its expected impact on the contract is common.
Inactive account clause
Customer inactivity for a certain time period specified in the contract may be a ground for unilateral termination of the contract by the provider.
The inactive account clause is unusual in business-to-business cloud computing contracts provided for remuneration.
End-of-service commitments
End-of-service commitments may raise not only contractual but also regulatory issues.
The parties may be concerned about achieving a balance between the customer’s interest in continuous access to its data and other content, including during the transition period, and the provider’s interest in ending any obligation towards the former customer as soon as possible.
End-of-service commitments may be the same regardless of the cause of termination of the contract or may differ depending on whether termination is for breach of contract or for other reasons.
The following paragraphs discuss issues that the parties may wish to address in the contract.
Time frame for export
The parties may specify in the contract a time frame for export, which may need to be sufficiently long to ensure a smooth export by the customer of its data and other content to another system.
Customer access to the content subject to export
The contract would specify the data and other content subject to export and the ways of gaining customer access thereto, including any decryption keys that may be held by the provider or third parties (see part one, para. 28).
To facilitate the export of the customer’s data with minimal involvement of the provider, the parties may agree on an escrow arrangement (i.e., the involvement of a third party authorized to automatically release to the customer the source code, decryption keys or other elements allowing access to the customer data and other content upon the occurrence of certain events, such as termination of the contract (see also para. 153 above)).
The contract may also specify export options, including their formats and processes, to the extent possible, recognizing that they may change over time.
Export assistance by the provider
The provider may not always agree to be actively involved in assisting the customer with exporting its data to another system, but it may be expected under law to ensure that such export is possible and simple.
Where the parties agreed on the provider’s involvement in the export of customer data to another system, the contract may specify details, such as the extent, procedure and time period for export assistance.
The provider may require separate payment for the provision of export assistance.
In such case, the parties may fix the amount of the payment in the contract or agree to refer to the provider’s price list at a given time.
Alternatively, the parties may agree that such assistance is included in the contract price or that no extra payment will be charged if the contract termination follows the provider’s breach of contract.
Data deletion
The contract may need to specify rules for data deletion from the provider’s cloud infrastructure upon export or upon expiration of the period specified in the contract for export.
The data deletion may be done automatically by the provider, for example, upon the occurrence of certain events, upon expiration of time periods agreed upon by the parties or as required by law.
Alternatively, data may be deleted only upon a specific request and instructions from the customer.
The parties may agree that the customer will be notified about the upcoming data deletion and will be served with an attestation, report or statement of data deletion, including data deletion from third parties’ systems.
Post-contract retention of data
The provider might be required to retain customer data by law, in particular a data protection law, which may also address the time period during which the data must be retained.
Specific issues and requirements may arise from the need to retain and store digital signature certificates, especially in the cross-border context.
The parties may agree on the retention of customer data by the provider after the termination of the contract.
Some providers may offer a post-contract retention period at additional cost.
The parties may include special requirements as regards data that are not or cannot be returned to the customer and whose deletion would not be possible.
For example, the contract may specify that all personal information must be de-identified and that the data are to be retained in an encrypted form or in a usable and interoperable format to allow their retrieval when required.
The parties may also agree on their respective responsibilities for post-contractual retention of the data in the specified format.
Post-contract confidentiality clause
The parties may agree on a post-contract confidentiality clause.
Confidentiality obligations may survive the contract for a specified number of years after the contract is terminated (e.g., five or seven years), or may continue indefinitely, depending on the nature of the customer data and other content that was placed in the provider’s cloud infrastructure.
Post-contract audits
Post-contract audits may be agreed by the parties or imposed by law.
The parties may agree on terms for carrying out such audits, including the time frame and allocation of costs.
Leftover account balance
The parties may agree on conditions for the return to the customer of leftover amounts on its account or for the offset of those amounts against any additional payments that the customer would need to make to the provider, including for end-of-service activities or to compensate damage.
N. Dispute resolution
Methods of dispute settlement
The parties may agree on the method to settle their contractual disputes.
Dispute settlement methods include negotiation, mediation, online dispute resolution (ODR), arbitration and judicial proceedings.
Different types of dispute may justify different dispute resolution procedures.
Disputes over financial and technical issues, for example, may be referred to a binding decision by a third-party expert (individual or body), while some other types of disputes may be more effectively dealt with through direct negotiations between the parties.
In the case of smaller claims, ODR-assisted negotiations or mediation may offer fast and cost-effective methods for the parties to reach a consensual agreement online.
For higher-level claims, cloud sector-specific ODR may offer a competent specialized forum and be helpful for judicial processes.
The law of some jurisdictions may prescribe certain alternative dispute resolution mechanisms that the parties would need to exhaust before being able to refer a dispute to a court.
Arbitral proceedings
Disputes that are not amicably settled may be referred to arbitral proceedings if the parties opted for it.
Not all issues may, however, be referred to arbitration; some may be reserved by law for adjudication by a court.
The parties may therefore wish to verify the arbitrability of their disputes before opting for arbitration.
An arbitration clause in a contract would usually refer to a set of arbitration rules to govern the arbitral proceedings.
A contract can include a standard dispute resolution clause referring to the use of internationally recognized rules for the conduct of dispute resolution proceedings (e.g., the UNCITRAL Arbitration Rules).
In the absence of such specification, the arbitral proceedings will normally be governed by the procedural law of the State where the proceedings take place or, if an arbitration institution is chosen by the parties, by the rules of that institution.
Online dispute resolution
The parties may opt for an ODR mechanism for some or all categories of disputes arising from their contract, subject to limitations imposed by law.
The contract may specify the scope of issues subject to ODR and the ODR platform and rules to be used in the proceedings.
In some cases, ODR could be embedded in the cloud service package offered by the provider, with an opt-out possibility.
The ODR process usually consists of: (a) negotiation conducted between the parties via the ODR platform; (b) facilitated settlement, where a neutral is appointed and communicates with the parties to try to achieve a settlement; and (c) a final stage, in which the ODR administrator or a neutral informs the parties of the nature of the final stage and of its form.
The result of ODR may be non-binding on the parties unless the contract or the applicable law states otherwise.
Judicial proceedings
If judicial proceedings are to take place, due to the nature of cloud computing services, several States might claim jurisdiction.
Where possible, the parties may agree on a jurisdiction clause under which they are obligated to submit disputes to a specific court (see paras. 175–181 below).
Retention of data
During the dispute resolution phase, continued access by the customer to its data, including metadata and other cloud service-derived data, may be vital, apart from for business continuity, for the customer’s participation in dispute resolution proceedings (e.g., to substantiate a claim or counterclaim).
The contract may specifically provide that, in case of disputes between the parties, the customer’s data will be retained by the provider and the customer will have access to its data for a reasonable period of time, regardless of the nature of the dispute.
The parties may also agree on an escrow arrangement (see para. 160 above).
Limitation period for complaints
The parties may specify in the contract the limitation period within which claims may be brought.
Limitation periods stipulated in the law may be applicable and will override non-compliant terms of the contract.
O. Choice of law and choice of forum clauses
Freedom of contract (see para. 34 above) usually allows the parties to choose the law that will be applicable to their contract and the jurisdiction or forum where disputes will be considered.
Mandatory law (e.g., data protection law) may, however, override the choice of law and choice of forum clauses made by the contracting parties, depending on the subject of the dispute.
In addition, regardless of the choice of law and choice of forum, more than one mandatory law (e.g., data protection law, insolvency law), including from different jurisdictions, may be applicable to the contract.
Considerations involved in choosing the applicable law and forum
The choice of law and choice of forum clauses are interconnected.
Whether the selected and agreed-upon law will ultimately apply depends on the forum in which the choice-of-law clause is presented to a court or another adjudicating body, e.g., an arbitral tribunal.
It is the law of that forum that will determine whether the clause is valid and whether the forum will respect the choice of applicable law made by the parties.
Because of the importance of the forum law for the fate of the choice of law clause, a contract with such a clause usually also includes a choice of forum clause.
In choosing the forum, the parties usually consider the impact of the chosen or otherwise applicable law and the extent to which a judicial decision made in that forum would be recognized and enforceable in the countries where enforcement would likely be sought.
Preserving flexibility in enforcement options may be an important consideration, especially in cloud computing settings, where many factors that parties usually take into account in formulating choice of law and choice of forum clauses may be uncertain, including the location of the assets involved in the provision of the services and the location of the provider and the customer.
Mandatory law and forum
The law and the forum of a particular jurisdiction may be mandatory on various grounds, for example: (a) the accessibility of the cloud computing services in the territory of a particular State may be sufficient for the application of the data protection law of that State; (b) the nationality or residence of the affected data subject or of the contracting parties, in particular the data controller, may trigger the application of the law of that data subject or party; and (c) the law of the place in which the activity originated (the location of the equipment) or to which the activity is directed for the purpose of extracting benefits may trigger the application of the law of that place.
The use of a given country top-level domain associated with a particular place, a local language on the website, pricing in local currency and local contact points are among the factors that might be taken into account in making such a determination.
Provider or customer home law and forum
Contracts for standardized commoditized multi-subscriber cloud solutions often specify that they are governed by the law of the provider’s principal place of business or place of establishment.
They typically grant the courts of that country exclusive jurisdiction over any disputes arising out of the contract.
The customer may prefer the law and jurisdiction of its own country.
Public institutions would face significant restrictions on their ability to consent to the law and jurisdiction of foreign countries.
Providers that operate in multiple jurisdictions may be flexible as regards accepting the choice of the law and forum of the country where the customer is located.
Multiple options
The parties may also specify various choice-of-law and choice-of-forum options for different aspects of the contract.
They may also opt for the defendant’s jurisdiction to eliminate the home-forum advantage for a plaintiff and thus encourage informal resolution of disputes.
No choice of law or forum
The parties may prefer to have no choice-of-law or choice-of-forum clause in their contract, leaving the question open for later discussion if and when needed.
That might be considered the only viable solution in some cases.
ODR may also be part of the solution for the questions of jurisdiction and applicable law (see paras. 170–171).
Notification clauses usually address the form, language, recipient and means of notification, as well as when the notification becomes effective (upon dispatch, delivery or acknowledgment of receipt).
In the absence of any mandatory legislative provisions, parties may agree upon formalities for notification, which could be uniform or vary depending on importance, urgency and other considerations.
More stringent requirements may be made applicable, for example, in case of suspension or unilateral termination of the contract, as compared to routine notifications.
The parties may agree on the deadlines, keeping in mind reversibility and business continuity needs.
The contract may contain references to any notifications and deadlines imposed by law.
The parties may opt for written notification to be served at the physical or electronic address of the contact persons specified in the contract.
The contract may specify the legal consequences of a failure to notify and of a failure to respond to a notification that requires such a response.
Miscellaneous clauses
Parties often group under miscellaneous clauses provisions that do not fall under other parts of the contract.
Some of them may contain standard text appearing in all types of commercial contracts (so-called “boilerplate provisions”).
Examples include a severability clause allowing the removal of invalid provisions from the contract, or a language clause identifying a certain language version of the contract as prevailing in case of conflicts in the interpretation of the various language versions.
Placing contractual clauses among miscellaneous provisions does not diminish their legal significance.
Some of them may be tailored by the parties to the specifics of cloud computing services.
Amendment of the contract
Amendments to the contract could be triggered by either party.
The contract would address the procedure for introducing amendments and making them effective.
The contract may also need to address the consequences of rejection of amendments by either party.
In the light of the nature of cloud computing services, it might be difficult to differentiate changes that would constitute an amendment of the contract from those that would not.
For example, the customer’s use of any options made available from the outset in the contract would not necessarily constitute an amendment of the initial contract, nor would changes in services resulting from routine maintenance and other activities of the provider covered by the contract (see paras. 105–106 above).
The addition of features not covered by the originally agreed terms and thus justifying changes in price may, on the other hand, constitute an amendment of the contract.
Any updates leading to material changes to previously agreed terms and policies may also constitute an amendment of the contract.
The extent of permissible modifications to public contracts may be limited by public procurement rules, which usually restrict the freedom of the parties to renegotiate terms of a contract that were subject to public tendering proceedings.
In the light of frequent modifications of the originally agreed terms, each party may wish to independently store the complete set of the originally agreed terms and their modifications.
Glossary
Acceptable use policy (AUP): Part of the cloud computing contract between the provider and the customer that defines the limits of use by the customer and its end users of the cloud computing services covered by the contract.
Audit: The process of examining compliance with contractual and statutory requirements or technical standards.
It may cover technical aspects, such as the quality and security of hardware and software; compliance with any applicable industry standards; and the existence of adequate measures, including isolation, to prevent unauthorized access to and use of the system and to assure data integrity.
The audit may be internal or external, or be done by an independent third party appointed by the provider, the customer or both.
The service level agreement (SLA) may contain specific performance parameters related to audit, e.g., that the services provided under the contract are certified at least annually by an independent auditor against a security standard identified in the contract.
Cloud computing services: Online services characterized by:
(a) Broad network access, meaning that services can be accessed over the network from any place where the network is available (e.g., through the Internet), using a wide variety of devices, such as mobile phones, tablets and laptops;
(b) Metered delivery, allowing usage of the resources to be monitored and charged by reference to the level of usage (on a pay-as-you-go basis);
(c) Multi-tenancy, meaning that physical and virtual resources are allocated to multiple users whose data are isolated and inaccessible to one another;
(d) On-demand self-service, meaning that services are used by the customer as needed, automatically or with minimal interaction with the provider;
(e) Elasticity and scalability, meaning the capability for rapidly scaling up or down the consumption of services according to the customer’s needs, including large-scale trends in resource usage (e.g., seasonal effects);
(f) Resource pooling, meaning that physical or virtual resources can be aggregated by the provider in order to serve one or more customers without their control over or knowledge of the processes involved;
(g) A wide range of services, from the provision and use of simple connectivity and basic computing services (such as storage, email and office applications) to the provision and use of the whole range of physical information technology infrastructure (such as servers and data centres) and virtual resources needed for the customer to build its own information technology platforms, or to deploy, manage and run customer-created or customer-acquired applications or software.
Infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) are types of cloud computing services.
Cloud computing service partners (e.g., cloud auditors, cloud service brokers and system integrators): Persons engaged in support of, or auxiliary to, the activities of the provider, the customer or both.
Cloud auditors conduct an audit of the provision and use of cloud computing services.
Cloud service brokers or system integrators assist parties with a wide range of issues, e.g., finding the right cloud solution, negotiating acceptable terms and migrating the customer to the cloud.
Cloud service-derived data: Data under the control of the provider that are derived as a result of the use by the customer of the cloud computing services of that provider.
They include metadata and any other log data generated by the provider containing records of who used the services, at what times, and which functions and which types of data were involved.
They can also include information about authorized users, their identifiers and any configuration, customization and modification.
Data controller: A person that determines the purposes and means of the processing of personal data.
Data deletion: A sequence of operations designed to irreversibly erase data, including their backups and metadata, and other content from the cloud computing infrastructure (physical and virtual).
In some cases, data deletion may require the destruction of the physical infrastructure (e.g., the servers) on which the data were stored.
The service level agreement (SLA) may contain a specific performance parameter related to data deletion, e.g., that the provider ensures that the customer’s data are effectively, irrevocably and permanently deleted whenever requested by the customer, within a certain time period identified in the contract and in compliance with the standard or method identified in the contract.
Data localization requirements: Requirements relating to the location of data and other content, of data centres or of the provider.
They may prohibit certain data (including metadata and backups) from residing in or transiting into or out of a certain area or jurisdiction, or require that prior approval be obtained from a competent State body for that.
They are often found in data protection laws and regulations, which may in particular prohibit personal data from residing in or transiting into jurisdictions that do not adhere to certain standards of personal data protection.
Data processor: A person that processes the data on behalf of the data controller.
Data subject: A natural person who can be identified, directly or indirectly, by data, including by reference to such identifiers as a name, an identification number or location, and to any factors specific to the physical, genetic, mental, economic, cultural or social identity of the person.
In a number of jurisdictions, data subjects enjoy, under data protection or data privacy regulations, certain rights with respect to the data that can identify them.
Those regulations may trigger the inclusion in the service level agreement (SLA) of data protection-specific performance parameters, such as that the services provided under the contract are certified at least annually by an independent auditor against the data protection/privacy standard identified in the contract.
(See also data subjects’ rights and personal data.)
Data subjects’ rights: Rights associated with data subjects’ personal data.
Data subjects under law may enjoy the right to be informed about all significant facts related to their personal data, including data location, use by third parties and data leaks or other data breaches.
They may also have the right to access their personal data at any time, the right to erasure of their personal data (pursuant to the right to be forgotten), the right to restrict processing of their personal data and the right to portability of their personal data.
Deployment models: The various ways in which cloud computing services are organized, based on the control and sharing of physical or virtual resources:
(a) Public cloud, where cloud computing services are potentially available to any interested customer and resources are controlled by the provider;
(b) Community cloud, where cloud computing services exclusively support a specific group of related customers with shared requirements, and resources are controlled by at least one member of that group;
(c) Private cloud, where cloud computing services are used exclusively by a single customer and resources are controlled by that customer;
(d) Hybrid cloud, where at least two different cloud deployment models are used.
Downtime or outages: The time when the cloud computing services are not available to the customer.
That time is excluded from the calculation of uptime or availability.
Time for maintenance and upgrades is usually included in downtime.
It may be defined in the service level agreement (SLA) as a number of permissible outages of a specified duration for a given period, e.g., not more than one outage of one hour per day and not between 8:00 and 17:00.
First response time: The time between when the customer reports an incident and the provider’s initial response to it.
Follow-the-sun: A model in which the workload is distributed among different geographical locations to balance resources and demand more efficiently.
The purpose of the model may be to provide round-the-clock services and to minimize the average distance between servers and end users in an effort to reduce latency and maximize the speed with which data can be transmitted from one device to another (data transfer rate (DTR) or throughput).
Infrastructure as a service (IaaS): Types of cloud computing services with which the customer can obtain and use processing, storage or networking resources.
The customer does not manage or control the underlying physical or virtual resources, but does have control over the operating systems, storage and deployed applications that use those resources.
The customer may also have a limited ability to control certain networking components (e.g., host firewalls).
Insolvency representative: A person or body authorized in insolvency proceedings to administer the reorganization or the liquidation of the assets of the insolvent debtor that are subject to the insolvency proceedings.
Interoperability: The ability of two or more systems or applications to exchange information and to mutually use the information that has been exchanged.
Intellectual property (IP) licences: Agreements between an IP rights owner (the licensor) and a person authorized to use those IP rights (the licensee).
They usually impose restrictions and obligations on the extent and manner in which the licensee or third parties may use the licensed property.
For example, software and visual content (designs, layouts and images) may be licensed for a specific use, not allowing copying, modification or enhancement, and be restricted to a certain medium.
The licences may be limited to a particular market (e.g., national or (sub)regional), to a number of users or to a number of devices, or may be time-bound.
Sub-licensing may not be permitted.
The licensor may require reference to be made to the IP rights owner each time the IP rights are used.
Latency: The delay between a user’s request and the provider’s response to it.
It affects how usable the cloud computing services actually are.
In the service level agreement (SLA), latency is usually expressed in milliseconds.
Layered cloud computing services: Where the provider is not the owner of all or any of the computing resources that it uses for the provision of the cloud computing services to its customers, but is itself the customer of all or some cloud computing services.
For example, the provider of platform as a service (PaaS) or software as a service (SaaS) types of service may use storage and server infrastructure (data centres, data servers) owned or provided by another entity.
As a result, one or more sub-providers may be involved in providing the cloud computing services to the customer.
The customer may not know which layers are involved in the provision of services at a given time, which makes the identification and management of risks difficult.
Layered cloud computing services are common in SaaS in particular.
Lock-in: Where the customer is dependent on a single provider because the costs of switching to another provider are substantial.
Costs in this context are to be understood in the broadest sense, as encompassing not only monetary expenses but also effort, time and relational aspects.
Metadata: Basic information about data (such as the author, when the data were created, when they were modified and the file size).
Metadata make finding and using the data easier and may be required to ensure the authenticity of the record.
They can be generated by the customer or the provider.
Performance parameters: Quantitative parameters (numerical targets or metrics, or a performance range) or qualitative parameters (service quality assurances).
They may refer to conformity with applicable standards, including the date of expiry of any conformity certification (e.g., that the provider has implemented a key management policy in compliance with the international standard identified in the contract).
To be meaningful, the parameters should allow the customer to measure performance that is important to the customer in an easy and auditable way.
They could differ depending on the risks involved and business needs (e.g., the criticality of certain data, services or applications and the corresponding priority for recovery).
For example, a non-mission-critical system that is designed to use the cloud for archival purposes will not need the same uptime or other service level agreement (SLA) terms as mission-critical or real-time operations.
Persistency of data storage: The probability that data stored in the cloud will not be lost during the contract period.
It can be expressed in the contract as a measurable target against which the customer will measure the steps taken by the provider to ensure persistency of data storage (e.g., intact data/(intact data + lost data) during an identified period of time, such as a calendar month).
The type of data (e.g., files, databases, code, applications) and the unit of measurement (the number of files, bit length) would need to be defined in that formula.
Personal data: Sensitive and non-sensitive data that can be used to identify the natural person to whom such data relate.
The definition of personal data in some jurisdictions may encompass any data or information directly or indirectly linked or relating to an identified or identifiable individual (see data subject).
Personal data processing: The collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.
Platform as a service (PaaS): Types of cloud computing services with which the customer can deploy, manage and run in the cloud customer-created or customer-acquired applications, using one or more existing programming languages and execution environments supported by the provider.
Portability: The ability to easily transfer data, applications and other content from one system to another (i.e., at low cost, with minimal disruption and without being required to re-enter data, re-engineer processes or re-program applications).
This might be achieved if it is possible to retrieve the data in a format that is accepted by the other system, or with a simple and straightforward transformation using commonly available tools.
The service level agreement (SLA) may contain performance parameters related to portability, e.g., that the customer data are retrievable by the customer via a single download link or documented application programming interfaces (APIs), or that the data format is structured and documented sufficiently to allow the customer to re-use the data or to restructure them into a different data format if desired.
Recovery point objectives (RPOs): The maximum time period prior to an unplanned interruption of services during which changes to data may be lost as a consequence of recovery.
If the RPO is specified in the contract as two hours before the interruption of services, that would mean that all data would be accessible after recovery in the form in which those data existed two hours before the interruption occurred.
Recovery time objectives (RTOs): The time period within which all cloud computing services and data must be recovered following an unplanned interruption.
Reversibility: The process for the customer to retrieve its data, applications and other related content from the cloud, and for the provider to delete the customer data and other related content after an agreed period.
Sector-specific regulations: Financial, health, public sector or other specific sector or profession regulations (e.g., attorney-client privilege, medical professional secrecy) and rules for handling classified information (broadly understood as information to which access is restricted by law or regulation to particular classes of persons).
Security incident: An event that indicates that the system or data have been compromised or that the measures put in place to protect them have failed.
A security incident disrupts normal operations.
Examples of security incidents include attempts from unauthorized sources to access systems or data, unplanned disruption of a service or denial of a service, unauthorized processing or storage of data and unauthorized changes to system infrastructure.
Service level agreement (SLA): Part of the cloud computing contract between the provider and the customer that identifies the cloud computing services covered by the contract and the level of service expected or to be achieved under the contract (see performance parameters).
Software as a service (SaaS): Types of cloud computing services with which the customer can use the provider’s applications in the cloud.
Standardized commoditized multi-subscriber cloud solutions: Cloud computing services provided to an unlimited number of customers as a mass product or commodity on the non-negotiable standard terms of the provider.
Broad disclaimers and waivers of the provider’s liability are common in this type of solution.
The customer may be in a position to compare different providers and their contracts and to select, among those available on the market, the most suitable for its needs, but not to negotiate the contract.
Uptime: The time when the cloud computing services are accessible and usable.
It may be expressed as an amount or percentage, as a detailed formula, or as the specific dates or days and times when availability of the service of a particular application is critical.
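As an added example (not part of the UNCITRAL notes), the following Python evaluates a constructed week of outage records against the metrics defined in the glossary entries on downtime, uptime, recovery point objectives and persistency of data storage; the outage rule it encodes is the glossary's own illustration ("not more than one outage of one hour per day and not between 8:00 and 17:00"). All function names, sample outages and figures are constructed for the example.

```python
"""SLA metric checks for the glossary definitions of downtime, uptime, RPO and
persistency of data storage.  Added example, not part of the UNCITRAL notes;
all outage records and figures below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Outage:
    """One interruption of the service, as it would appear in an incident log."""
    start: datetime
    end: datetime
    planned: bool = False  # maintenance/upgrade windows: the glossary counts them as downtime too

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def total_downtime(outages: Iterable[Outage], period_start: datetime,
                   period_end: datetime) -> timedelta:
    """Downtime inside the measurement period; outages straddling a boundary are clipped."""
    down = timedelta()
    for o in outages:
        s, e = max(o.start, period_start), min(o.end, period_end)
        if e > s:
            down += e - s
    return down


def uptime_percentage(outages: Iterable[Outage], period_start: datetime,
                      period_end: datetime) -> float:
    """Uptime (availability) as a percentage of the period not spent in downtime."""
    period = period_end - period_start
    return 100.0 * (1 - total_downtime(outages, period_start, period_end) / period)


def outage_rule_violations(outages: Iterable[Outage], max_per_day: int = 1,
                           max_duration: timedelta = timedelta(hours=1),
                           protected: Tuple[time, time] = (time(8, 0), time(17, 0))
                           ) -> List[Tuple[date, str]]:
    """Check the glossary's example rule: not more than one outage of one hour per day
    and none between 8:00 and 17:00.  Returns (day, reason) pairs; empty means compliant."""
    outages = list(outages)
    violations: List[Tuple[date, str]] = []
    per_day = Counter(o.start.date() for o in outages)
    for day, n in sorted(per_day.items()):
        if n > max_per_day:
            violations.append((day, f"{n} outages, limit is {max_per_day}"))
    for o in outages:
        if o.duration > max_duration:
            violations.append((o.start.date(), f"outage of {o.duration} exceeds {max_duration}"))
        # Test every calendar day the outage touches for overlap with the protected window.
        day = o.start.date()
        while day <= o.end.date():
            w_start, w_end = datetime.combine(day, protected[0]), datetime.combine(day, protected[1])
            if o.start < w_end and o.end > w_start:
                violations.append((day, f"outage overlaps protected window {protected[0]}-{protected[1]}"))
                break
            day += timedelta(days=1)
    return violations


def rpo_met(last_recoverable_copy: datetime, interruption: datetime, rpo: timedelta) -> bool:
    """RPO: the newest recoverable copy may be at most `rpo` old at the moment of interruption."""
    return interruption - last_recoverable_copy <= rpo


def storage_persistency(intact: int, lost: int) -> float:
    """Glossary formula: intact / (intact + lost) over the agreed period and unit (files, bits, ...)."""
    if intact + lost == 0:
        raise ValueError("nothing was measured")
    return intact / (intact + lost)


# Constructed sample: one measurement week and five logged outages.
PERIOD_START = datetime(2019, 12, 1)
PERIOD_END = datetime(2019, 12, 8)
SAMPLE_OUTAGES = [
    Outage(datetime(2019, 12, 2, 2, 0), datetime(2019, 12, 2, 2, 30)),      # compliant
    Outage(datetime(2019, 12, 3, 9, 15), datetime(2019, 12, 3, 9, 45)),     # inside 8:00-17:00
    Outage(datetime(2019, 12, 5, 22, 0), datetime(2019, 12, 5, 23, 30)),    # 90 min > 1 h
    Outage(datetime(2019, 12, 5, 23, 45), datetime(2019, 12, 6, 0, 10)),    # second outage on 5 Dec
    Outage(datetime(2019, 12, 7, 1, 0), datetime(2019, 12, 7, 2, 0), planned=True),  # maintenance
]

if __name__ == "__main__":
    print(f"downtime: {total_downtime(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)}")
    print(f"uptime:   {uptime_percentage(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END):.3f} %")
    for day, reason in outage_rule_violations(SAMPLE_OUTAGES):
        print(f"{day}: {reason}")
    print("RPO 2 h met:", rpo_met(datetime(2019, 12, 5, 21), datetime(2019, 12, 5, 22), timedelta(hours=2)))
    print(f"persistency: {storage_persistency(999_990, 10):.5f}")
```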
Written or in writing: Information accessible so as to be usable for subsequent reference.
It encompasses information on paper and in an electronic communication.
“Accessible” means that information in the form of computer data should be readable and interpretable, and that the software that might be necessary to render such information readable should be retained.
“Usable” covers both human use and computer processing.