1. AUP
2. MSA
2.1. Legal Research:
2.1.1. Data Center Agreements:
2.1.1.1. Common Provisions:
2.1.1.1.1. Price
2.1.1.1.2. Taxes
2.1.1.1.3. Power charges-->
2.1.1.1.4. Term-->
2.1.1.1.5. Meet-Me Rooms
2.1.1.2. SLAs-->
2.1.1.2.1. Overview:
2.1.1.2.2. Focus Points:
2.2. Review:
2.2.1. Client's Immediate Concern:
2.2.1.1. Avoid liability for lost/damaged customer hardware or data-->
2.2.1.1.1. Limitation of Liability
2.2.2. Key Business Issues:
2.2.2.1. Money
2.2.2.1.1. Fees
2.2.2.1.2. Timing of Payments
2.2.2.1.3. Taxes
2.2.2.1.4. Disputes
2.2.2.2. Risk
2.2.2.2.1. Indemnification
2.2.2.2.2. Insurance
2.2.2.2.3. Warranty
2.2.2.3. Control
2.2.2.3.1. Third party issues
2.2.2.4. Standards
2.2.2.5. Endgame
2.2.2.5.1. No major issues
2.2.3. Industry-Specific Issues:
2.2.3.1. Price
2.2.3.1.1. Pay based on amount of power used for your space, not the amount of space you are using
2.2.3.2. Taxes
2.2.3.2.1. Customers pay pass-through for taxes and operating costs (again, based on amount of power they are using)
2.2.3.2.2. Vendors often use carve-outs for capital costs (pass through cost to Cs, unlike other RE deals)
2.2.3.3. Power charges-->
2.2.3.3.1. C pays for power delivered to their space + charge to run cooling systems
2.2.3.3.2. "Power Usage Expenses (PUE )" Cost
2.2.3.4. Term-->
2.2.3.4.1. Wholesale-->min. 10 years
2.2.3.4.2. Colo-->as short as 3 yrs.
2.2.3.4.3. V wants to maximize term, keep C as long as possible (want to amortize)
2.2.3.5. Meet-Me Rooms
2.2.3.5.1. V wants to monetize use
2.2.3.5.2. Monthly charge for fiber connections
2.2.4. SLA
2.2.4.1. Focus Points:
2.2.4.1.1. Which services will be covered?
2.2.4.1.2. What are the performance standards for each?
2.2.4.1.3. Power availability + environmental service levels are always critical
2.2.4.1.4. Increasingly, other terms are included (e.g., security, connectivity) response time
2.2.4.1.5. "Uptime"=% of time when systems are available (typically, nothing less than 99.9% is typically considered acceptable)
2.2.4.1.6. How to count "downtime?"
2.2.4.1.7. Depends on which standard DC is built to (Tiers 1-4) (redundancy, n+1, etc.)
2.2.4.1.8. Credits (like liquidated damages)
2.2.4.1.9. Termination rights (often a 2 year horizon, but vesting might take an additional 2 years)
2.2.5. Stylistic Considerations:
2.2.5.1. Modern Contract Language
2.2.5.2. Consistency
3. TOS
3.1. Legal Research
3.1.1. Contracts Executed without Ink ("Wrap Agreements"):
3.1.1.1. Overview:
3.1.1.1.1. Nonnegotiable standard agreements
3.1.1.1.2. Prepared by V of products or services or website
3.1.1.1.3. Key issue=Enforceability
3.1.1.2. Types:
3.1.1.2.1. "Shrinkwrap"
3.1.1.2.2. "Clickwrap"
3.1.1.2.3. "Browsewrap"
3.1.1.2.4. Hybrids
3.2. Checklist:
3.2.1. Agreement:
3.2.2. Privacy:
3.2.3. Ownership:
3.2.4. Intended Audience:
3.2.5. Trademarks:
3.2.6. Site Use:
3.2.7. Compliance with Laws:
3.2.8. Indemnification:
3.2.9. Disclaimer:
3.2.10. Limitation of Liability:
3.2.11. Use of Information:
3.2.12. Copyrights and Copyright Agent:
3.2.13. Applicable Law:
3.2.14. Severability:
3.2.15. Waiver:
3.2.16. Termination:
3.2.17. Relationship of the Parties:
3.2.18. Entire Agreement:
3.2.19. Contact Information:
4. Data Privacy
4.1. P&Ps: Erasure Requests
4.1.1. GDPR Applicability:
4.1.1.1. Overview:
4.1.1.1.1. The GDPR applies to an organization's activities if those activities are within the GDPR's territorial scope and its material scope.
4.1.1.2. Territorial Scope:
4.1.1.2.1. Overview:
4.1.1.2.2. "Establishment Test"-->
4.1.1.2.3. If Established in EU-->
4.1.1.2.4. If not Established in EU-->
4.1.1.3. Material Scope:
4.1.1.3.1. NOCIX's activities are within the GDPR's territorial scope because it "monitors the behavior of" individuals in the EU (see above).
4.1.1.3.2. For the GDPR to apply, however, the activities must also be within its material scope.
4.1.1.3.3. This is a much simpler analysis.
4.1.1.3.4. Essentially, if none of the activities fall under one of the six excluded categories enumerated in Arts. 2(2)(a) and 2(2)(b), then the activities will be within the GDPR's material scope.
4.1.1.3.5. These categories mostly involve processing that deals with public security, defense, and national security.
4.1.1.3.6. Analysis-->NOCIX's activities do not fall under any of these categories; accordingly, they are within the GDPR's material scope.
4.1.1.4. Conclusion: Since they fall within the GDPR's territorial scope and material scope, NOCIX's activities are subject to the GDPR.
4.1.2. Right to Erasure/Right to be Forgotten
4.1.2.1. Historical Context:
4.1.2.1.1. The Costeja Case (2014)
4.1.2.1.2. GDPR (2018)
4.1.2.1.3. Scope of Memo:
4.1.2.2. Duty to Inform 3Ps [Art. 17.2]-->
4.1.2.2.1. Obligation triggered if the personal data is made public.
4.1.2.2.2. Assuming the PD is made public and the DS has requested erasure:
4.1.2.2.3. Guidance from ICO (under UK GDPR)-->
4.1.2.3. Exceptions [Art. 17.3]-->
4.1.2.3.1. Even if the DC is presumptively required to erase the PD under 17.1, it will not have to if any of the exceptions under 17.3.a through 17.3.e are present.
4.1.2.3.2. Look at 17.3.e as possible avenue--establishment or defense of legal claim based on "problematic customer."
4.2. Privacy Policy Review
4.2.1. What it should look like
4.2.1.1. Best Practices:
4.2.1.1.1. Conceptual Overview:
4.2.1.1.2. Say what you do; do what you say
4.2.1.1.3. Avoid bold statements
4.2.1.1.4. Draft with different audiences in mind:
4.2.1.1.5. Use plain English
4.2.1.1.6. Use "layered" policies:
4.2.1.2. Plan Language Checklist:
4.2.1.2.1. Use positive language and reduce negatives
4.2.1.2.2. Use Q&A format
4.2.1.2.3. Use active voice
4.2.1.2.4. Omit superflous words
4.2.1.2.5. Omit legal jargon
4.2.1.2.6. Omit technical jargon
4.2.1.2.7. Limit defined terms
4.2.1.2.8. Use personal pronouns
4.2.1.2.9. Avoid nominalization
4.2.1.3. Models:
4.2.1.3.1. P&G
4.2.1.3.2. Microsoft
4.2.1.3.3. USPS
4.2.2. What it does look like
4.2.3. Suggested revisions
4.2.3.1. First Layer: