Cloud Services Agreement (Philippines)
CLOUD SERVICES AGREEMENT
Civil Code of the Philippines (RA 386) — Data Privacy Act (RA 10173)
This Cloud Services Agreement ("Agreement") is entered into as of [Agreement Date] by and between:
PROVIDER: [Provider Name], with address at [Provider Address], TIN: [Provider TIN] ("Provider"); AND
CUSTOMER: [Customer Name], with address at [Customer Address], TIN: [Customer TIN] ("Customer").
1. CLOUD SERVICES AND SERVICE LEVELS
1.1 The Provider agrees to provide the following [Service Type] cloud services to the Customer: [Service Description].
1.2 Data Center Location: [Data Location].
1.3 Service Level Agreement (SLA): [Uptime SLA]. Scheduled maintenance windows (with 48-hour advance notice) and force majeure events under Article 1174 of the Civil Code are excluded from SLA uptime calculations. SLA credits are the Customer's sole and exclusive remedy for SLA breaches and do not constitute a waiver of termination rights for persistent SLA failure.
2. DATA PRIVACY AND SECURITY
2.1 The Provider acts as a personal information processor (PIP) under the Data Privacy Act of 2012 (RA 10173) when processing personal data on behalf of the Customer (personal information controller or PIC). The Provider shall process personal data only pursuant to the Customer's documented instructions.
2.2 Security Standards: [Security Standards].
2.3 Data Breach Notification: [Data Breach Notice]. The Provider shall cooperate fully with the Customer in meeting the Customer's NPC breach notification obligations under NPC Circular No. 16-03.
2.4 Customer Data Ownership: Customer data remains Customer's property at all times. The Provider shall not use, access, analyze, or share Customer data except as strictly necessary to provide the contracted Services.
2.5 Post-Termination Data: Upon termination of this Agreement, the Provider shall make all Customer data available for export in a standard machine-readable format for [Data Export Period] days, after which the Provider shall securely delete all Customer data and certify such deletion in writing to the Customer.
3. FEES AND BIR COMPLIANCE
3.1 The Customer shall pay the Provider a monthly subscription fee of [Monthly Fee]. Payment terms: [Payment Terms].
3.2 VAT: The monthly fee is exclusive of 12% VAT under Section 108 of the NIRC (RA 8424). The Provider shall issue BIR-registered official receipts showing the VAT-exclusive fee and 12% VAT separately.
3.3 Withholding Tax: The Customer shall withhold creditable withholding tax at 2% from monthly subscription payments under BIR Revenue Regulations No. 2-98 and issue BIR Form 2307 to the Provider quarterly.
4. TERM AND TERMINATION
4.1 This Agreement shall commence on [Start Date] and continue for an initial term of [Initial Term] year(s), automatically renewing for successive one-year terms unless either party provides 60 days' written notice of non-renewal.
4.2 Either party may terminate this Agreement for cause (material breach of this Agreement, persistent SLA failure below 99.0% for three consecutive months, data breach attributable to Provider, loss of ISO/IEC 27001 certification, or insolvency) upon 30 days' written notice if the breach is not cured within that period.
5. GOVERNING LAW
5.1 This Agreement is governed by the Civil Code of the Philippines (RA 386) and the Data Privacy Act (RA 10173). Any dispute shall be resolved by the proper courts of the Philippines.
IN WITNESS WHEREOF, the parties have executed this Cloud Services Agreement on [Agreement Date].
[Provider Name]
Provider (Authorized Signatory)
Signature: ________________
[Customer Name]
Customer (Authorized Signatory)
Signature: ________________
What Is a Cloud Services Agreement (Philippines)?
A Cloud Services Agreement in the Philippines records the terms under which a self-employed provider carries out work for a client, including scope, payment and confidentiality.
Cloud computing has become a core infrastructure component for Philippine enterprises, government agencies, banks, and technology companies. Major cloud providers operating in the Philippines include Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, and Oracle Cloud, as well as local providers such as Globe Telecom's G-XCHANGE cloud services, PLDT Enterprise Cloud, and Converge ICT. Philippine organizations use cloud services for enterprise resource planning (ERP), customer relationship management (CRM), data analytics, business continuity, and government digital transformation initiatives under the Government Cloud (G-Cloud) program of the Department of Information and Communications Technology (DICT).
Philippine cloud services agreements must comply with a multi-layered regulatory framework. The most significant statute is the Data Privacy Act of 2012 (Republic Act 10173) and its Implementing Rules and Regulations (IRR) administered by the National Privacy Commission (NPC). When a cloud provider processes personal data on behalf of a Philippine customer, the cloud provider acts as a personal information processor (PIP) under Section 3(l) of RA 10173, while the customer is the personal information controller (PIC). This creates statutory obligations: the cloud provider must implement appropriate security measures under Section 20 of RA 10173, notify the customer of data breaches within 72 hours under NPC Circular No. 16-03, and process personal data only pursuant to a Data Processing Agreement (DPA) that meets NPC requirements.
The Cybercrime Prevention Act of 2012 (Republic Act 10175) and the DICT's National Cybersecurity Plan impose obligations on providers of critical information infrastructure (CII). The NPC also issued NPC Advisory No. 2020-01 on outsourcing arrangements, which requires Philippine PICs to conduct due diligence on cloud providers, execute written data processing agreements, and conduct periodic compliance audits.
For tax compliance, cloud services provided to Philippine customers are subject to 12% Value Added Tax (VAT) under Section 108 of the NIRC (RA 8424), whether provided by domestic or foreign cloud providers. BIR Revenue Memorandum Circular No. 5-2021 clarified the VAT obligations of foreign digital service providers (including cloud services), requiring registration with the BIR and collection and remittance of VAT. Philippine customers paying foreign cloud providers that are not VAT-registered in the Philippines are required to withhold VAT at 12% under the reverse charge mechanism.
Security standards referenced in Philippine cloud services agreements include ISO/IEC 27001 (Information Security Management), ISO/IEC 27017 (Cloud Security), ISO/IEC 27018 (Protection of PII in Public Cloud), and the Payment Card Industry Data Security Standard (PCI DSS) for payment data. The Bangko Sentral ng Pilipinas (BSP) Circular No. 982 (Technology Risk Management) imposes specific cloud security requirements on BSP-supervised financial institutions using cloud services.
The Electronic Commerce Act of 2000 (Republic Act 8792) and the Electronic Documents Act (Republic Act 8792 Section 7) provide the legal basis for electronic contracts and digital signatures used in cloud services transactions in the Philippines. Cloud service level agreements (SLAs) executed electronically are legally binding under RA 8792. The Department of Trade and Industry (DTI) and the Department of Information and Communications Technology (DICT) jointly administer the Philippine e-Commerce Roadmap, which promotes cloud adoption by Philippine SMEs registered under the Barangay Micro Business Enterprises Act (Republic Act 9178).
When Do You Need a Cloud Services Agreement (Philippines)?
A cloud services agreement is needed in the Philippines whenever a business, government agency, or institution subscribes to cloud computing services beyond a simple consumer-tier free account. Specific situations requiring a formal cloud services agreement include:
Enterprise SaaS Subscriptions: A Philippine corporation subscribing to enterprise-tier SaaS platforms such as Microsoft 365, Salesforce CRM, SAP SuccessFactors, or similar applications needs a cloud services agreement (or enterprise subscription agreement) governing uptime SLAs, data processing, security incident notification, and BIR-compliant invoicing.
BSP-Regulated Financial Institutions: Banks, quasi-banks, e-money issuers, and other BSP-supervised financial institutions using cloud services must comply with BSP Circular No. 982 (Technology Risk Management Guidelines), which requires a written outsourcing agreement with the cloud provider covering minimum contractual provisions prescribed by the BSP — including audit rights, business continuity, data sovereignty, and incident reporting. A standard terms-of-service click-through agreement is insufficient for BSP compliance.
NPC Data Processing Agreements: Under NPC Advisory No. 2020-01, Philippine organizations that are personal information controllers (PICs) and outsource data processing to cloud providers must execute a written Data Processing Agreement with the cloud provider as the personal information processor. The cloud services agreement should incorporate or attach the DPA.
Government Cloud Procurement: Philippine national government agencies and LGUs using cloud services under the Government Cloud (G-Cloud) program must comply with procurement rules under Republic Act 9184 (Government Procurement Reform Act) and DICT circulars on G-Cloud adoption. The procurement process typically requires a formal cloud services agreement.
Custom Cloud Development Projects: When a Philippine company engages a cloud provider to build a custom cloud-hosted application (e.g., a custom enterprise portal on AWS or Azure), the cloud services agreement combined with a statement of work defines the development scope, milestones, acceptance criteria, and IP ownership of the developed software.
What to Include in Your Cloud Services Agreement (Philippines)
A legally complete Philippines cloud services agreement requires careful drafting to address the technical complexity of cloud services, Philippine data privacy law, cybersecurity requirements, and tax compliance.
Parties and Service Description: Identify the cloud provider and customer with full legal names, addresses, TINs (for BIR compliance), and SEC or DTI registration numbers. Define clearly whether the services are SaaS, IaaS, PaaS, or a hybrid. Attach a detailed Service Description or Schedule of Services as an exhibit, listing all services subscribed, user/seat/resource limits, and included support tier.
Service Level Agreement (SLA): Define the uptime commitment (e.g., 99.9% monthly uptime, measured by the formula: (total minutes in month – downtime minutes) / total minutes). Specify what constitutes 'downtime' (service unavailability vs. degraded performance). Define remedies for SLA breach — typically service credits as a percentage of monthly fees, capped at a maximum (e.g., not to exceed one month's subscription fee). Exclude from SLA measurement: scheduled maintenance windows (with advance notice requirements), force majeure events, and customer-caused outages.
Data Privacy and Processing: Include a Data Processing Agreement (DPA) compliant with the Data Privacy Act (RA 10173) and NPC Advisory No. 2020-01. Key DPA provisions: the cloud provider processes personal data only on customer's documented instructions; the cloud provider implements appropriate organizational, physical, and technical security measures; the cloud provider notifies customer of data breaches within 72 hours of discovery (NPC Circular No. 16-03); the cloud provider permits customer audits or third-party audits of its security controls; and the cloud provider deletes or returns all customer personal data upon contract termination.
Data Location and Sovereignty: Specify the geographic location of data centers where customer data is stored (e.g., Singapore, Japan, or Philippines). Philippine government data may be subject to data residency requirements under DICT circulars. Financial institutions subject to BSP Circular No. 982 should confirm data location aligns with BSP requirements on critical data stored offshore.
Security Standards and Certifications: Require the cloud provider to maintain specified security certifications — ISO/IEC 27001, ISO/IEC 27017/27018, SOC 2 Type II, PCI DSS (if applicable for payment data), and compliance with the Cybercrime Prevention Act (RA 10175) security requirements. The agreement should require the cloud provider to notify the customer promptly of any security incidents affecting customer data.
Pricing, Subscription Fees, and BIR Compliance: Specify the subscription fee structure (monthly, annual, usage-based), billing cycle, and auto-renewal provisions. Include BIR compliance provisions: the cloud provider must issue BIR-registered official receipts for all service payments; the monthly fee is exclusive (or inclusive) of 12% VAT under Section 108 of the NIRC; if the customer is required to withhold creditable withholding tax, specify the applicable rate and the obligation to issue BIR Form 2307. For foreign cloud providers not VAT-registered in the Philippines, include provisions on the customer's reverse-charge VAT obligation.
Intellectual Property and Customer Data: The cloud provider may not use, access, or process customer data except as necessary to provide the contracted services. Customer data remains customer's property at all times. The cloud provider's platform software, tools, and infrastructure remain the cloud provider's IP. The customer is granted a non-exclusive, non-transferable subscription license to use the cloud services during the subscription term.
Business Continuity and Disaster Recovery: Specify the cloud provider's recovery time objective (RTO) and recovery point objective (RPO) commitments. For BSP-regulated entities, align these with BSP Circular No. 982 requirements. Require the cloud provider to maintain a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) and to test these plans at specified intervals.
Term, Termination, and Data Portability: Specify the initial subscription term (typically 1 year, with auto-renewal), notice period for non-renewal or termination (e.g., 60-day written notice). On termination, the cloud provider must provide data export in a standard format (e.g., CSV, JSON, SQL dump) for a defined period (e.g., 30 days post-termination) before deleting customer data. Termination for cause (material breach, insolvency, security certification lapse) should allow immediate termination with pro-rated fee refund for prepaid periods.
Governing Law: The agreement is governed by the Civil Code of the Philippines (RA 386), the Data Privacy Act (RA 10173), and applicable DICT, NPC, and BSP regulations. For cross-border cloud services, include a choice of law clause selecting Philippine law and consenting to jurisdiction of Philippine courts.
Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and the Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. The forms-legal.com Cloud Services Agreement (Philippines) template covers the mandatory elements under the Revised Corporation Code (RA 11232, 2019).
Philippine organizations procuring cloud services under Republic Act 9184 (Government Procurement Reform Act) must comply with DICT Circular No 010 on Government Cloud adoption. The Department of Information and Communications Technology (DICT) administers the Philippine Government Cloud (G-Cloud) program under Executive Order No 2 (2016) on Freedom of Information, requiring agency data to be stored in government-approved cloud environments. Penalties for non-compliant cloud procurement by government agencies are enforced by the Commission on Audit (COA) and the Office of the Ombudsman under Republic Act 6713 (Code of Conduct and Ethical Standards for Public Officials).
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cloud Services Agreement (Philippines) (Philippines) [Legal document template]. Forms Legal. https://forms-legal.com/philippines/business/contracts/ph-cloud-services-agreement
Frequently Asked Questions
Yes. Whenever a cloud provider stores, processes, or has access to personal data belonging to Philippine individuals on behalf of a Philippine customer, both parties have obligations under the Data Privacy Act of 2012 (Republic Act 10173). The customer is the personal information controller (PIC) responsible for ensuring lawful basis for data processing and compliance with the rights of data subjects under Sections 16 through 18 of Republic Act 10173. The cloud provider is the personal information processor (PIP) and must process personal data only pursuant to the customer's documented instructions, implement appropriate security measures under Section 20 of RA 10173, and notify the customer of data breaches within 72 hours under NPC Circular No 16-03. NPC Advisory No 2020-01 on outsourcing and subcontracting explicitly requires written Data Processing Agreements (DPAs) between PICs and PIPs. A cloud services agreement without a proper DPA clause means the customer PIC is non-compliant with NPC requirements, exposing the organization to NPC enforcement action and administrative penalties of up to PHP 5,000,000 per violation under RA 10173, as well as criminal liability under Sections 25 through 32 of RA 10173 for officers responsible for the violation.
Cloud services provided to Philippine customers are subject to 12% Value Added Tax (VAT) under Section 108 of the National Internal Revenue Code (NIRC, Republic Act 8424), whether the cloud provider is a domestic company or a foreign entity. BIR Revenue Memorandum Circular No 5-2021 clarified that foreign digital service providers — including cloud computing platforms such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, and Alibaba Cloud — must register with the Bureau of Internal Revenue (BIR) as VAT taxpayers if their annual gross sales to Philippine customers exceed the VAT threshold (currently PHP 3,000,000 under Section 109 of the NIRC). For foreign cloud providers that are not VAT-registered with the BIR, the Philippine customer is required to withhold 12% VAT under the reverse-charge mechanism and remit it to the BIR. Monthly subscription fees, usage-based fees, and support fees are all subject to 12% VAT. The cloud provider must issue BIR-registered official receipts for all service payments. Additionally, Philippine customers paying foreign cloud providers are required to withhold creditable withholding tax (CWT) at 25% under BIR Revenue Regulations No 2-98 if the provider is a non-resident foreign corporation, remitting the withheld tax to the BIR through BIR Form 0619-F and issuing BIR Form 2306 to the foreign provider.
A Cloud Services Agreement (Philippines) does not legally require a lawyer in the Philippines, and individuals and businesses may draft and execute the document independently. The Revised Corporation Code (RA 11232, 2019) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Philippine lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of the Philippines has jurisdiction over disputes arising from this type of document, and the Securities and Exchange Commission (SEC Philippines) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A Philippines cloud services agreement should require the cloud provider to maintain internationally recognized security certifications aligned with Philippine regulatory requirements. Under NPC Advisory No 2020-01, Philippine personal information controllers (PICs) must conduct due diligence on cloud providers' security controls and include specific security requirements in the Data Processing Agreement. Required security standards typically include ISO/IEC 27001 (Information Security Management System), ISO/IEC 27017 (Cloud-Specific Security Controls), and ISO/IEC 27018 (Protection of Personally Identifiable Information in Public Cloud). For cloud services used by Bangko Sentral ng Pilipinas (BSP)-supervised financial institutions — banks, quasi-banks, e-money issuers — BSP Circular No 982 (Technology Risk Management Guidelines) requires minimum security standards covering access controls, encryption, vulnerability management, and incident response. For cloud services processing payment card data, PCI DSS (Payment Card Industry Data Security Standard) compliance is mandatory. The Cybercrime Prevention Act of 2012 (Republic Act 10175) and the Department of Information and Communications Technology (DICT) National Cybersecurity Plan impose additional security obligations on providers of critical information infrastructure.
Philippine banks, quasi-banks, and other Bangko Sentral ng Pilipinas (BSP)-supervised financial institutions using cloud services must comply with BSP Circular No 982 (Technology Risk Management Guidelines) and the Manual of Regulations for Banks (MORB). BSP Circular No 982 requires BSP-supervised entities to conduct a thorough risk assessment before outsourcing critical functions to cloud providers, including evaluating the provider's financial viability, security certifications, data sovereignty practices, and business continuity capabilities. The cloud services agreement for a BSP-regulated entity must include: (1) audit rights allowing the BSP to inspect the cloud provider's operations; (2) data sovereignty provisions specifying where customer data is stored and confirming compliance with Philippine data residency requirements for sensitive financial data; (3) business continuity and disaster recovery commitments with specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) aligned with the institution's business continuity plan; (4) incident reporting requirements obligating the provider to notify the bank within defined timeframes consistent with BSP cybersecurity reporting obligations under BSP Circular No 1082; and (5) exit provisions allowing the bank to retrieve all data in portable format within a defined period.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.