Cloud Services Agreement (India)
CLOUD SERVICES AGREEMENT
Information Technology Act 2000 | Digital Personal Data Protection Act 2023 | Indian Contract Act 1872 | CGST Act 2017
This Cloud Services Agreement ("Agreement") is entered into on [Agreement Date] between:
CLOUD SERVICE PROVIDER (CSP): [Provider Name] (PAN: [Provider PAN]), GSTIN: [Provider GSTIN], registered at [Provider Address] (the "Provider"); and
CUSTOMER: [Customer Name] (PAN: [Customer PAN]), GSTIN: [Customer GSTIN], registered at [Customer Address] (the "Customer").
1. CLOUD SERVICES
1.1 The Provider shall provide the following cloud services (the "Services") to the Customer from [Service Start Date] for [Agreement Term]: [Services Description].
1.2 Cloud service model: [Service Type]. The allocation of security and compliance responsibilities between the Provider and Customer follows the Shared Responsibility Model set out in Schedule A.
1.3 The Provider shall provide the Services in accordance with CERT-In Cloud Security Guidelines 2023 and any applicable RBI/SEBI/IRDAI outsourcing guidelines relevant to the Customer's regulated business.
2. SERVICE LEVELS
2.1 The Provider guarantees monthly availability of [SLA Uptime]% for the Services, measured on a calendar month basis excluding planned maintenance windows (communicated at least 72 hours in advance via the Provider's status page).
2.2 Service credits: For each 0.1% shortfall in monthly availability below the guaranteed level, the Customer is entitled to a credit of 5% of the monthly service fee, up to a maximum of 30% of the monthly fee.
2.3 Incident response: The Provider shall classify incidents and respond in accordance with the incident management procedures in Schedule B, including RTO and RPO targets for disaster recovery scenarios.
3. DATA RESIDENCY AND SECURITY
3.1 Data residency: [Data Residency]. The Provider shall not transfer Customer Data to data centres outside the agreed jurisdiction without the Customer's prior written consent.
3.2 Security certifications: The Provider shall maintain the following security certifications throughout the term: [Security Certifications]. The Provider shall provide current certification evidence within 10 business days of a written request.
3.3 Security practices: The Provider shall implement security controls compliant with ISO 27001 and Section 43A of the IT Act 2000, including encryption at rest and in transit, access controls, vulnerability management, and penetration testing (at least annually).
3.4 Audit rights: The Customer (and any applicable regulator including RBI, SEBI, or IRDAI) shall have the right to audit the Provider's compliance with this Agreement and applicable law, with 30 days' advance written notice.
4. DATA PROTECTION — DPDP ACT 2023
4.1 The Customer is the data fiduciary and the Provider is the data processor under the Digital Personal Data Protection Act 2023 (DPDP Act). The Provider shall process personal data only on the Customer's documented instructions.
4.2 The Provider shall: (a) implement appropriate technical and organisational security measures under the DPDP Act and SPDI Rules 2011; (b) ensure that persons authorised to process personal data are bound by confidentiality; (c) notify the Customer within 72 hours of any personal data breach; (d) assist the Customer in responding to requests from data principals exercising rights under the DPDP Act; and (e) on termination, return or delete all personal data as instructed by the Customer.
4.3 RBI payment data: Where the Services process payment system data, the Provider shall ensure such data is stored exclusively within India in compliance with the RBI's Circular on Storage of Payment System Data (2018).
5. FEES AND GST
5.1 The Customer shall pay the Provider for the Services as follows: [Service Fee].
5.2 GST at 18% shall be charged in addition to all service fees under the CGST Act 2017 (SAC code 998313 or 998314). The Provider shall issue compliant GST tax invoices. The Customer may claim ITC on GST paid.
5.3 TDS: The Customer shall deduct TDS under Section 194J of the Income Tax Act 1961 on service fees as applicable, deposit it with the Income Tax Department, and issue Form 16A to the Provider.
5.4 Payment is due within 30 days of invoice date. Late payment attracts interest at 1.5% per month.
6. DATA PORTABILITY AND EXIT ASSISTANCE
6.1 During the term, the Customer shall have the right to export all Customer Data in a portable, machine-readable format at no additional charge.
6.2 Upon termination or expiry of this Agreement, the Provider shall: (a) provide a full export of all Customer Data within 30 days in a portable format (CSV, JSON, SQL dump as appropriate); (b) maintain Customer Data for a further 90-day transition period during which the Customer may retrieve it; and (c) provide reasonable transition assistance including API documentation and migration support.
6.3 Following the transition period, the Provider shall securely delete all Customer Data (including all backups and copies) and provide written certification of deletion within 15 days.
7. LIABILITY
7.1 Neither party shall be liable for indirect, special, consequential, or punitive damages. The Provider's total aggregate liability under this Agreement shall not exceed the total fees paid by the Customer in the 12 months preceding the claim.
7.2 These limitations do not apply to: (a) a party's fraud or wilful misconduct; (b) the Provider's obligations under the DPDP Act 2023 in respect of personal data breaches attributable to the Provider's negligence; or (c) the Provider's data residency obligations where RBI-mandated data localisation requirements are breached.
8. TERMINATION
8.1 Either party may terminate this Agreement without cause by giving [Notice Period] written notice.
8.2 Either party may terminate immediately upon written notice for material breach not remedied within 30 days of written notice.
8.3 If the Provider ceases to maintain required security certifications or is found to be in material breach of data residency requirements, the Customer may terminate with 15 days' written notice.
9. GOVERNING LAW AND DISPUTE RESOLUTION
9.1 This Agreement is governed by the laws of India and the laws of the State of [Governing State].
9.2 Any dispute shall be referred to and finally resolved by arbitration under the Arbitration and Conciliation Act 1996, seated at [Arbitration City]. A sole arbitrator shall be appointed by mutual agreement. The language of arbitration shall be English.
9.3 This Agreement shall be executed on non-judicial stamp paper as required under the Indian Stamp Act 1899 and the applicable state stamp act of [Governing State].
Cloud Service Provider
________________
Signature
Customer
________________
Signature
What Is a Cloud Services Agreement (India)?
A Cloud Services Agreement in India engages an independent contractor to supply services and records the scope of work, fees, timetable and ownership of any deliverables.
The IT Act 2000 is the foundational statute for digital transactions and data security in India. Section 43A of the IT Act imposes liability on body corporates for negligent handling of sensitive personal data or information, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) set minimum security standards. The DPDP Act 2023 introduces a thorough data protection framework, including obligations for data processors (typically the CSP) acting on the instructions of data fiduciaries (typically the cloud customer).
Cloud service agreements in India must address the 'shared responsibility model' — the allocation of security and compliance responsibilities between the CSP and the customer — and the data residency requirements that apply to regulated data types (payment data under RBI guidelines, financial records under SEBI rules). Data portability and exit rights are critical to prevent vendor lock-in and confirm compliance with the DPDP Act's data portability provisions.
GST at 18% applies to cloud services under the CGST Act 2017 (SAC code 998313 or 998314), and the CSP must issue compliant tax invoices. For Indian companies procuring cloud services from foreign CSPs, reverse charge GST at 18% applies and is self-assessed by the Indian customer.
The legal framework governing the Cloud Services Agreement (India) in India draws on several key statutes and regulatory bodies. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Parties executing a Cloud Services Agreement (India) in India should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Indian Contract Act, 1872 sets the foundational requirements.
When Do You Need a Cloud Services Agreement (India)?
You need a Cloud Services Agreement when you are procuring IaaS, PaaS, or SaaS cloud services for your business, or when you are providing cloud infrastructure or platform services to enterprise customers. This agreement governs the entire cloud service relationship.
You need this agreement when an enterprise is migrating business-critical systems to the cloud and needs a formal contract that clearly defines service levels, data residency, security obligations, shared responsibility, and exit rights.
You need this agreement when a cloud service provider is onboarding enterprise customers in India, particularly regulated entities such as banks, NBFCs, insurance companies, or payment service providers, where RBI, SEBI, or IRDAI outsourcing guidelines impose specific contractual requirements.
You need this agreement when the cloud service will process personal data of Indian residents, triggering DPDP Act 2023 obligations. The agreement must allocate the data fiduciary and data processor roles and specify the CSP's data processing, security, and breach notification obligations.
You also need this agreement to protect against vendor lock-in: a well-drafted cloud services agreement includes data portability rights, exit assistance obligations, and post-termination data return and deletion provisions that confirm the customer can migrate to a different provider without losing access to their data.
Parties in India should prepare a Cloud Services Agreement (India) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Cloud Services Agreement (India)
A thorough India Cloud Services Agreement should contain the following key elements.
Parties: Full legal names, addresses, PAN, and GSTIN of the cloud service provider and customer.
Service description: Precise description of the cloud services — whether IaaS, PaaS, or SaaS — the service tiers, compute/storage/bandwidth allocations, and any included support.
Service levels: Uptime guarantee, performance benchmarks, maintenance windows, incident response times, and service credit mechanism for SLA breaches.
Shared responsibility model: A clear matrix allocating security and compliance responsibilities between the CSP and customer, aligned with CERT-In Cloud Security Guidelines 2023.
Data residency: The data centres and regions where customer data will be stored and processed, and compliance with RBI payment data localisation, SEBI, and other applicable regulatory requirements.
DPDP Act compliance: Roles of CSP as data processor and customer as data fiduciary; processor obligations under the DPDP Act 2023; security safeguards; data breach notification procedure.
Security standards: Security certifications (ISO 27001, SOC 2 Type II, PCI DSS as applicable), vulnerability assessment and penetration testing rights, and incident response procedures.
Data portability and exit: Customer's right to export data during and after service, exit assistance obligations, post-termination data retention period, and secure deletion certification.
Subscription fees: Pricing model (reserved, on-demand, or consumption-based), GST at 18%, invoicing, and payment terms.
Audit rights: Customer's and regulator's right to audit the CSP's compliance with the agreement and applicable law.
Governing law and arbitration: Laws of India and arbitration under the Arbitration and Conciliation Act 1996.
Additional compliance elements for a Cloud Services Agreement (India) used in India include: Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Forms-legal.com provides this template as a starting point for India-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cloud Services Agreement (India) (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/business/contracts/cloud-services-agreement-india
"Cloud Services Agreement (India) (India)." Forms Legal, 2026, https://forms-legal.com/india/business/contracts/cloud-services-agreement-india.
@misc{formslegal-cloud-services-agreement-india,
author = {{Forms Legal}},
title = {Cloud Services Agreement (India) (India)},
year = {2026},
howpublished = {\url{https://forms-legal.com/india/business/contracts/cloud-services-agreement-india}},
note = {Free legal document template. Based on Indian Contract Act, 1872}
}
Frequently Asked Questions
India's data residency and localisation requirements for cloud services come from multiple regulators and apply differently depending on the sector and type of data involved. Payment data (RBI): The Reserve Bank of India's 2018 Circular on Storage of Payment System Data requires all payment system operators (including card networks, payment aggregators, and payment gateways) to store all end-to-end transaction data related to payment systems operated by them in India only. This means that cloud services hosting payment processing infrastructure must use India-based data centres. The RBI periodically examines compliance and has penalised non-compliant entities. Financial sector data (RBI/SEBI/IRDAI): RBI guidelines on outsourcing by banks require that data held by service providers on behalf of banks (including cloud providers) be accessible to Indian regulatory and supervisory authorities and to the bank's own auditors without restriction. SEBI and IRDAI have similar requirements for their regulated entities. For cloud deployments, this typically means data must be accessible from India, though not necessarily stored exclusively in India (except for RBI payment data). Health data: India does not yet have sector-specific health data localisation requirements comparable to some other jurisdictions, but the DPDP Act 2023 may introduce cross-border transfer restrictions once the rules are notified. DPDP Act 2023: The Act empowers the Central Government to restrict the transfer of personal data to certain countries or territories by notification.
The shared responsibility model is a framework for allocating security and compliance responsibilities between a cloud service provider (CSP) and the cloud customer. The model recognises that in cloud computing, security responsibilities are divided — the CSP is responsible for the security 'of' the cloud (the physical infrastructure, hypervisor, and foundational services), while the customer is responsible for security 'in' the cloud (the customer's data, applications, access management, and configurations). The specific allocation of responsibility differs by cloud service model:
Infrastructure as a Service (IaaS — e.g., AWS EC2, Azure VMs, Google Compute Engine): The CSP is responsible for physical security, network infrastructure, hypervisor, and storage hardware. The customer is responsible for the operating system, middleware, runtime, application, and data — and for all security configurations within their virtual environment. Platform as a Service (PaaS — e.g., Azure App Service, Google App Engine, AWS Lambda): The CSP manages the infrastructure and platform (OS, middleware, runtime). The customer is responsible for application code and data. Software as a Service (SaaS — e.g., Salesforce, Microsoft 365): The CSP manages everything except the customer's data, user access management, and specific application configurations that the customer controls.
Data portability and exit rights are critical protections for cloud customers, preventing vendor lock-in and ensuring business continuity if the customer wishes to migrate to a different provider or bring services in-house. These rights are particularly important in the Indian context given the DPDP Act 2023's provisions on data principals' rights. The DPDP Act 2023 (Section 12) grants data principals the right to data portability — the right to receive their personal data from a data fiduciary in a commonly used, machine-readable format. This right will be elaborated in the Rules to be notified under the Act. For cloud services, this means customers must be able to export their data in a portable format. Cloud service agreements in India should include the following exit and portability provisions. Data export format: The formats in which the customer's data will be made available for export (CSV, JSON, SQL dumps, etc.) and whether the export includes all metadata necessary to use the data with another provider. Export during service: The customer's right to export their data at any time during the service term, without additional charge or technical restriction. Termination data return: Upon termination or expiry of the service agreement, the vendor's obligation to: (a) provide the customer with a full export of all customer data within a defined period (typically 30 days); (b) make the data available in a portable format; and (c) retain the data for an additional transition period (typically 60–90 days) during which the customer can retrieve it.
A Cloud Services Agreement (India) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Indian Contract Act, 1872 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified India lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A Cloud Services Agreement (India) does not legally require a lawyer in India, though legal advice is recommended. Under Indian law, the Indian Contract Act 1872 governs agreements. The Companies Act 2013 and Registrar of Companies (ROC) regulate corporate documents. The Information Technology Act 2000 governs electronic contracts and data protection. The Consumer Protection Act 2019 provides consumer rights. The Income Tax Act 1961 requires tax compliance. Forms-legal.com provides this template as a starting point — always review with a qualified Indian advocate for significant transactions. Under India law, Indian Contract Act, 1872, parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). Forms-legal.com provides this template as a starting point for India-compliant documentation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
SaaS Agreement (India)
A SaaS Agreement for India, governed by the IT Act 2000 and Indian Contract Act 1872. Covers software access licence, subscription fees, SLA, data processing obligations under the DPDP Act 2023, IP ownership, acceptable use, and termination. Suitable for cloud software vendors and enterprise customers.
Service Agreement (India)
A comprehensive service agreement under the Indian Contract Act 1872, GST Act 2017, and Arbitration & Conciliation Act 1996. Covers scope of services, GST-inclusive fees, SLA, confidentiality, IP ownership, liability cap, force majeure, and MSME-friendly payment terms.
Non-Disclosure Agreement (India)
A legally enforceable non-disclosure agreement for India, governed by the Indian Contract Act 1872 (Sections 27 and 73), IT Act 2000, and SPDI Rules 2011. Available in mutual and unilateral forms. Includes confidential information definition, exclusions, return/destruction clause, injunctive relief, and arbitration under the Arbitration and Conciliation Act 1996.
Escrow Agreement (India)
An Escrow Agreement for India, governed by the Indian Contract Act 1872. Appoints a neutral escrow agent to hold funds, documents, or assets pending satisfaction of agreed conditions. Suitable for M&A transactions, real estate, software source code escrow, and commercial transactions.