Skip to main content

Terms and conditions for negotiating contracts for public cloud services

When negotiations are needed, these are terms and conditions that government organisations often consider — including the minimum areas they must consider.

Minimum areas to cover in negotiations

The Government Chief Digital Officer (GCDO) provides an example of a clause with the minimum areas that government organisations need to cover when negotiating contracts for public cloud services.

Example minimum clause in contracts for public cloud services

Situations for negotiating contracts are rare

Check to see if other options are available first.

When to negotiate direct contracts for public cloud services

Names for each group signing the contract

Providers of public cloud services can be known as ‘suppliers’ or ‘vendors’, too.

Government organisations are also called ‘affiliates’ or ‘customers’ in contracts.

Names for contracts

For contracts, you might also see names like ‘affiliate agreements’ or ‘customer agreements’.

Information sharing

Some questions in the risk discovery tool for public cloud services need to be answered by the provider. Contract clauses should allow service providers’ answers to the questions to be shared within the New Zealand public sector.

Risk discovery tool for public cloud services

Be clear about payments for losses and disruptions

Negotiate these terms and conditions to be specific about who is responsible for paying for losses and disruptions.

Customer indemnifying provider

In contracts, providers of public cloud services often require customers to defend, hold harmless or indemnify the supplier or another entity, or both.

Advice for government organisations

Generally, under the Public Finance Act 1989 (PFA), government organisations cannot give indemnities and they should aim to exclude them from contracts.

If there needs to be a customer indemnity in the contract, before entering into it, you’ll need to get the contract approved to match the PFA.

Public Finance Act 1989 — New Zealand Legislation

Provider indemnifying customer

Providers of public cloud services do not always indemnify their customers for defaults, acts or omissions of the provider that cause a loss to the customer.

Advice for government organisations

The provider should indemnify the government organisation for losses caused by significant events for which the provider is responsible.

Control of claims

If the provider does agree to indemnify the customer, the contract will often state that the provider has sole control of legal aspects — such as:

  • defence
  • settlement
  • counsel.

Advice for government organisations

However, government organisations may need to be able to approve any defence, settlement or counsel proposed by the provider. This need comes from the Cabinet Directions for the Conduct of Crown Legal Business 2016.

Cabinet Directions for the Conduct of Crown Legal Business 2016: CO (16) 2 — Department of the Prime Minister and Cabinet

Customer liability

Contracts with providers of public cloud services often do not limit the liability of customers to the provider. ‘Limited’ may mean, for example, that either:

  • a maximum liability cap applies
  • indirect and consequential losses are not claimable, or
  • both apply.

Advice for government organisations

Government organisations will want their liability to be limited to help them quantify their exposure and so that risks under the contract are appropriately allocated.

It might, however, still be acceptable to a government organisation if some events give rise to unlimited liability — such as a:

  • violation of the provider’s intellectual property rights
  • breach of the government organisation’s confidentiality obligations.

Provider liability

Providers often exclude their own liability to the customer to the maximum extent allowed by law.

Advice for government organisations

Providers should accept liability for their acts or omissions to an extent that reasonably protects government organisations against losses caused by the provider.

The provider’s liability can be limited, but there may be exceptions where unlimited liability should apply too — such as:

  • wilful misconduct
  • violation of third party or customer intellectual property rights
  • unauthorised use or disclosure of customer data
  • breaches of the supplier’s confidentiality obligations.

Note that it is not always appropriate for the government organisation and provider’s liability to be equivalent or reciprocal. Areas that may be quite different from each other and call for different liabilities are different:

  • risks
  • likelihoods of breaching the contract
  • potential losses.

Guarantee options for your organisation

Negotiate these terms and conditions to make sure you have options instead of accepting contracts as set by providers.


Some contracts leave out provider warranties or only state the service is provided ‘as is’. Other contracts may limit their:

  • scope
  • duration
  • remedies.

Advice for government organisations

Government organisations might want the provider to guarantee that it can perform the contract properly at all times. Warranties may cover that the provider:

  • supplies services that comply with technical and functional specifications — including security information
  • has the necessary intellectual property rights to provide the services
  • will supply the services with due skill and care
  • gives accurate information.

Service levels

Public cloud services may be subject to service levels. Often, these are standard across all of the provider’s customers. This makes it hard to negotiate contracts specific to your organisation.

Advice for government organisations

Without the option to negotiate, it’s important for government organisations to assess the provider’s service levels to see if they will meet their needs.

Exclusive remedies

Providers may try to limit the remedies that customers can use for breaches and other failures by the provider. For example, the contract may state that service credits are the only remedy in the case of a breach of service levels.

Advice for government organisations

It’s usually best to make sure government organisations have access to a range of remedies, such as:

  • damages
  • service credits
  • re-performance or re-supply
  • termination.

This is best practice because it allows for flexibility if providers breach or default on services in the contract.

An exception may be when a provider changes the service offered, in which case it’s common for termination to be the government organisation’s only remedy.

Dispute resolution

Some contracts do not include provisions for dispute resolution. When present, some contracts might require going through multiple escalating processes to deal with any issues between the provider and customer. This can include arbitration.

Advice for government organisations

It’s usually the best option for government organisations to use mediation when disputes cannot be resolved through standard:

  • relationship management
  • governance arrangements.

Nothing in the contract should prevent either the customer or provider from seeking urgent relief in a court of law. In the contract, government organisations should insist that New Zealand law and jurisdiction apply.

Make sure contracts allow for information to be secure

Negotiate these terms and conditions to be sure a provider’s service allows the information of NZ government and New Zealanders to be secure.

Governing law and jurisdiction

Contracts with providers may be governed by overseas laws. Customers are not usually familiar with overseas laws and the laws might:

  • make it expensive and time-consuming for customers to enforce their rights or the provider’s obligations
  • increase jurisdictional risks — that is, data sovereignty.

Advice for government organisations

It’s best practice for government organisations to insist that New Zealand law and jurisdiction apply to the contract. This is regardless of where the provider is based or from where the:

  • service is provided
  • data is stored.

Information security

Contracts do not always mention how security-related risks and incidents will be managed. Contracts sometimes do not state in any detail how customers will be notified:

  • when the risks happen
  • about the impacts of risks happening.

Advice for government organisations

It’s best practice for the contract to require the provider to:

  • let customers know when security incidents happen and their impacts
  • quickly, in a reasonable timeframe, fix issues at its own cost.

Data and privacy

Contracts do not always deal with how the provider will:

  • manage customer data — for example, personal information or data about the business operations of government organisations
  • work with the customer if any issues occur that affect customer data.

Advice for government organisations

The contract should describe how the provider deals with issues that affect customer data. This includes specifying that the provider:

  • gives written notice to customers before giving any of their data to a regulatory or other government organisation in any jurisdiction
  • complies with all applicable privacy laws when personal information is being used with the service
  • either returns or deletes customer data after the contract terminates or expires.

Confidentiality and Official Information

Contracts often include provisions for the provider’s confidentiality.

Advice for government organisations

For clauses covering the use and disclosure of confidential information, government organisations need to make sure the:

Intellectual property

Contracts sometimes include clauses for intellectual property (IP) that are either:

  • worded broadly, with few details
  • explicitly worded in the provider’s favour.

For IP which government organisations would otherwise expect to keep, such clauses can mean that government organisations could end up not:

  • owning it
  • having rights to use it.

Advice for government organisations

Government organisations should make sure IP clauses are not over-reaching and allow them to:

  • own all their property — including client and operational data
  • keep appropriate use rights — including after the contract ends.

Entire agreement, applicable documents and precedence

Contracts often come with additional documents, such as:

  • policies
  • product terms
  • specifications
  • service level or support agreements.

The contract often states that these documents may be added to or changed over time.

Advice for government organisations

When the contract is made up of many documents, government organisations need to be clear which one applies if there’s a conflict or inconsistency between any of the documents. Setting this up is often called a ‘precedence clause’ and needs to:

  • identify all the applicable documents up front
  • set which documents have power over each other — an order of precedence
  • state that the applicable documents cannot be changed without government organisations agreeing to it — see ‘Amendment’ in the next section
  • declare that no documents outside of the contract can change the agreed document set or the order of precedence — for example, order forms or invoices cannot change the contract.


Some contracts allow the provider, without first getting the customer’s agreement, to change:

  • the terms of the contract
  • any document in the agreed contract set.

Advice for government organisations

It’s best practice to make sure providers cannot change the previously agreed services without government organisations’ written approval.

Providers might disagree with this limitation because, for example, it might be too much administrative effort to get all customers’ written approvals before making changes to services. For all its users, providers might insist on being able to change, for example:

  • services
  • policies
  • standards.

If providers insist on having the ability to make changes to the previously agreed terms without getting approval, government organisations will usually be able to terminate the contract.

It’s best to state this in a clause stating that if a service changes, the government organisation can end the contract.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated