Cloud Services Agreement
Template — South Africa

This section clearly defines the cloud services being provided, including the service model (SaaS, PaaS, or IaaS), specific functionality, service tiers, environments (production, staging, development), geographic regions where data is hosted, and any exclusions or limitations on the services. It establishes the baseline against which service performance will be measured and ensures both parties have a shared understanding of what is — and is not — included in the engagement.

Defines measurable uptime guarantees (typically ranging from 99.5% to 99.99% monthly availability), response time commitments for support requests categorised by severity, planned maintenance windows with advance notification requirements, and the methodology for measuring availability — including what constitutes "downtime" and the exclusions that apply (such as scheduled maintenance, force majeure, and customer-caused issues). This section is the cornerstone of cloud service accountability.

Establishes the financial remedies available to the customer when SLA targets are not met. This includes the service credit calculation formula (typically a percentage of the monthly fee based on the severity of the SLA breach), the claim procedure the customer must follow, maximum credit caps per billing period, and whether service credits are the customer's sole and exclusive remedy or whether additional remedies are available for chronic underperformance. Service credits provide meaningful accountability without requiring litigation.

Defines the roles of responsible party and operator under POPIA Section 21, the specific personal information to be processed, the purposes and scope of processing, the security measures the operator must implement under Section 19, breach notification timelines (the template specifies notification within 72 hours of discovery), sub-processor management and approval mechanisms, cross-border transfer safeguards under Section 72, and the customer's audit rights over the provider's data handling practices.

Specifies the technical and organisational security measures the provider must implement — including encryption standards (at rest and in transit), access controls and identity management, vulnerability management and patching schedules, penetration testing frequency, incident response procedures aligned with the Cybercrimes Act 19 of 2020, and the customer's right to conduct security audits or require third-party audit reports such as SOC 2 Type II or ISO 27001 certifications.

Covers backup frequency and retention periods, recovery time objectives (RTO) and recovery point objectives (RPO) for different service components, failover procedures to secondary infrastructure, geographic redundancy requirements, regular disaster recovery testing schedules, and the provider's obligation to maintain and share a documented business continuity plan. This section ensures the customer's data and services can be recovered within acceptable timeframes following a catastrophic event.

Confirms unequivocally that the customer retains full ownership of all data uploaded to or generated through the cloud service, defines the provider's intellectual property rights in the underlying platform, technology, and infrastructure, addresses the treatment of derivative data, aggregated analytics, and metadata, and establishes the customer's rights to export their data in standard, machine-readable formats at any time during the term of the agreement.

Sets out the subscription fees or usage-based pricing structure, billing cycles (monthly or annual), payment terms (typically 30 days from invoice), accepted payment methods, late payment consequences including interest and suspension rights, price escalation mechanisms (with CPA-required reasonable notice for consumers), and the treatment of taxes including VAT at 15% under the Value-Added Tax Act 89 of 1991.

Defines the initial term, automatic renewal provisions with advance notice of renewal, termination for convenience with the required notice period, termination for cause (material breach, insolvency, change of control), the critical data extraction period after termination (typically 30-90 days during which the customer can export their data), post-termination data deletion obligations, and transition assistance the provider must offer to facilitate migration to a replacement service.

Establishes liability caps (typically the total fees paid or payable in the 12 months preceding the claim), exclusions for indirect, consequential, and lost profit damages, carve-outs for matters that should not be subject to the cap (including wilful misconduct, data breaches caused by gross negligence, IP infringement indemnities, and confidentiality breaches), and the interaction with the CPA's provisions that limit the ability to exclude certain consumer protections under Section 51.

Mutual confidentiality obligations protecting each party's proprietary information, trade secrets, and commercial affairs. Defines what constitutes confidential information, the permitted uses and disclosures, the standard of care required, the return or destruction of confidential information on termination, and the survival of confidentiality obligations beyond the term of the agreement — typically for a period of 3-5 years after termination.

Specifies that the agreement is governed by the laws of the Republic of South Africa and establishes the dispute resolution process. The template provides for a structured escalation from informal negotiation between the parties' representatives, to formal mediation under the rules of the Arbitration Foundation of Southern Africa (AFSA), to binding arbitration as the final mechanism — with specific provisions for urgent interim relief through the High Court where necessary to protect data or prevent irreparable harm.