From Cloud to Compliance: Legal Essentials for Building and Operating AI-Ready Data Centers

Build, Lease or License a Data Center?

Companies have three options when creating an AI-ready data center: (1) building from scratch, (2) leasing space in an existing facility, or (3) licensing servers or cloud space from a third party. Whether building, leasing or licensing, the needs of the users will dictate the data center requirements and services offered. User needs are outlined in a customer agreement, sometimes called a “platform services agreement” or a “master services agreement.”

1. Building. Building an AI-ready data center is similar to constructing other facilities such as warehouses, factories or refineries. The construction is often managed by a contractor under an engineering, procurement and construction (“EPC”) contract. Key considerations under these EPC agreements are avoiding delays and managing unforeseen risks. Risks can typically be allocated to the contractor, but remedies for the contractor’s breach often are not sufficient to address the impact of the breach. For example, if an EPC contractor is eight months late completing construction, the downstream effects on agreements that rely on completion (such as obligations to provide services or to lease data center space to third parties) could be catastrophic. Therefore, risk assessments, project and resource management, and oversight are every bit, if not more, important than the EPC contract terms. Lastly, the power demands of AI computing and its associated environmental and regulatory requirements are important considerations in site planning and construction, which may require extensive permitting from federal, state, and local authorities.
2. Leasing. A partial lease of an AI-ready data center is typically governed by a co-location lease, in which a number of tenants place servers on the premises of the data center and operate the servers independently of other third-party tenants. Under a co-location lease, tenants may share power (including back-up generators and redundancy), heating, cooling, bandwidth, communications, monitoring, and physical security. Services provided under a lease can vary widely and range from power and environmental controls to full third-party management of the environment, servers, and IT staffing under a managed services agreement.
3. Licensing. In the fully outsourced model, all data center services may be licensed through a cloud computing model. Users subscribe either to a pay-as-you-go model or pay a monthly fee for access to data storage and processing. Licensing data center infrastructure uses a structure akin to licensing cloud-based software and is also known as “infrastructure-as-a-service”.

Don’t lose sight of the expectations for growth and the ability to expand, both physically and in computational capacity. Future expansion of a facility may be limited by geography, real estate availability, power, environmental factors, and regulatory hurdles. Hyperscalers overcome geographical and real estate limitations by combining multiple data centers into a large cloud, with infrastructure immediately expandable by allocating virtual computing space in the cloud. Independent of the selected data center model, expansion options, such as rights of first offer or refusal for more power or space, should be negotiated at the outset, not when they are needed.

Another consideration often overlooked when executing services agreements is the importance of understanding customer needs when planning services downstream that are dependent on the operation of the data center. With foresight, requirements set forth in a customer agreement can be covered through back-to-back parallel contractual obligations on service providers. This sometimes results in a catch-22 in which it may be necessary to negotiate customer terms before executing agreements with service providers and having service commitments in place. Without planning ahead, the data center operator could end up stuck between “high” customer expectations and “too-low” service provider commitments. In that scenario, the data center may be stuck, for example, covering the differences in liability caps and indemnity obligations, or simply unable to meet customer expectations.

For all practical purposes, it is impossible to avoid relying on third-party service providers when building and operating a data center. Some common service providers are discussed below.

Power, Network and Telecom Connectivity

AI-intensive computing demands a lot of power, and negotiating rates with power companies, provided doing so is legally permitted in the jurisdiction, is becoming commonplace. If purchasing power from multiple sources, software and hardware pricing and switching technology can be procured to streamline energy sourcing. Some data center projects aim to go completely off-the-grid, with a dedicated on-site power plant.

Even when constructing an AI-ready data center with a dedicated power source, Internet and other telecommunications connectivity are typically provided by third parties. Data center operators typically sign connectivity agreements with one or more Internet and telecom service providers. These agreements cover, among other things, bandwidth provisioning, performance standards, and redundancy plans. Some data center operators, including hyperscalers, offer peering arrangements, which enable direct private network connections between network operators within a data center or a cluster of nearby data centers. Peering avoids the need to compete for bandwidth on the public Internet, reducing transit fees, improving performance, enhancing reliability and improving communication speeds. Understanding customers’ present and future needs, including their business risks, is paramount when negotiating power, connectivity and peering agreements.

Servers and Software

When placing physical servers and software in a data center, the procurement, implementation and maintenance of the servers and software often involves several third-party relationships and agreements. Software may be licensed from software providers under an on-premise or cloud-accessible model. Servers may be purchased directly from the manufacturer, through distributors, or leased from intermediaries. Implementation, maintenance, and support services for the servers and software may be performed through agreements with the providers or by hiring an independent consultant. Outside of the largest data center providers, consultants are often critical to operations because there is significant integration required between the server infrastructure, software, and network and data connections.

When negotiating procurement, implementation, and maintenance agreements, it is important to avoid creating gaps in service obligations between the various providers and to avoid inconsistent terms. The typical structure of an equipment or software purchase agreement is an order form with a description of the products, a few key purchase terms, and the most critical terms often inconveniently concealed within a nested web of hyperlinks. Unless negotiated, general terms and conditions, product-specific terms and conditions, service level and support obligations, and software licenses, each provided under different hyperlinks, may be one-sided and subject to unilateral changes at a moment’s notice by the seller. Implementation, maintenance, and support services are usually set forth under a master services agreement with the service provider, accompanied by one or more statements of work attached that set out the service descriptions. The technical specifications, implementation deadlines, and maintenance schedules are often addressed in schedules. While these schedules are contractual terms and therefore require legal review, the business team will also need to review to ensure any technical and operational needs are met. This process often takes several months to complete.

The standard agreement under which support is provided to users is the Service Level Agreement (“SLA”). The SLA is typically part of the master services agreement (often via hyperlinks) and outlines the performance and reliability standards of the equipment and connectivity that customers receive. SLAs usually specify uptime guarantees for servers, mandatory staff response times in case of emergencies and outages, and penalties for a provider’s non-compliance with the SLA. While enough failures may lead to a material breach of a master services agreement, the principal remedy offered for a failure to meet a service level obligation is typically a service level credit on the next invoice. Service level credits act as liquidated damages, and provide small incremental discounts in exchange for resolving disputes over substandard performance. For example, a service level credit may be issued if the server uptime falls below the specific uptime requirement outlined in the SLA for a number of hours in a month. Without a clear credit structure, negotiating disputes with a key operational partner while services from the partner are needed can be a major business disruption. In a death by a thousand cuts, many instances of credited substandard performance will eventually lead to dissatisfied customers. It is critical to provide enough specificity in the list of service level obligations when negotiating the SLA to quickly categorize issues as they arise for response and remediation. It is also helpful to include a mechanism to regularly update issue and response criteria. Equally important is providing customers with a mechanism to easily track substandard performance, such as through monitoring software or vendor-generated reports. These tools can be mandated under the master service agreement and give customers a sense of trust in your infrastructure.

A word of caution for negotiating agreements with software providers: large enterprise software providers typically include audit provisions in software license and service agreements. While the audit provisions may appear at the back of the agreement, audit terms should be carefully reviewed and negotiated. Large software providers often conduct license audits of data centers, especially those that allow for scaling up of services on short notice. Frequent audits can be disruptive to the business and additional license fees resulting from the audits can be substantial.

Data center operators should also carefully consider pricing contracts, data access controls, and customer termination and extension rights.

AI Chips and Software

At this time, AI-ready data centers generally require thousands of sophisticated “AI chips.” As reported by the New York Times, Nvidia currently has more than 80% of the market share for these specialized processors. AI chips execute large scale-matrix operations and perform parallel processing faster than standard CPUs. These AI chips can perform tasks with less power consumption per operation than standard CPUs, and newer generations of AI chips are even more power-efficient. However, the demand for faster processing of large data sets often outweighs the benefits of power efficiency, as faster chips inevitably consume more power because they are used to perform ever more operations in the same time frame.

Recent AI software developments may potentially alleviate some demand for AI chips and place more focus on improvements in AI software efficiency, notably with respect to training and use of AI models. In the United States, OpenAI, Meta, Google, and Microsoft are well-known for their AI software and models that use large numbers of AI chips. DeepSeek, a Chinese AI startup, recently released its DeepSeek-R1 AI model, which it touts as being 20 to 50 times cheaper to use than OpenAI’s o1 model, depending on the specific task. Data center operators will need to keep close attention to developments in both AI hardware and software. Time will tell whether AI software improvements can quell the current demand for AI chips.

At present, AI chips remain a critical part of data center infrastructure. In the last few years, lead times on ordering high-end AI chips have ranged from a few months to the better part of a year. When new AI chips are released, lead times can be long. If you are looking to obtain AI chips for a data center located outside of the United States, restrictions may apply. For example, recent export control restrictions can be a significant obstacle to obtaining the latest and next-generation AI chips, depending on the country where the data center will be located. Interim export control restrictions limit the number of AI processors that can be exported from the United States to certain countries, and in some cases these restrictions prohibit sales entirely. To keep up with market demand, data centers will need to plan ahead for the continuous upgrade of AI chips.

Development Agreements and IP

Software development may be necessary to integrate and maintain equipment and to meet customer needs for connectivity, such as through application programming interfaces (“APIs”) and mobile and browser-based connections. Developers can design and implement custom hardware, such as dedicated processors, network switches, and environmental support systems. When contracting for these development services, it is important either to obtain ownership of the developed software or to receive a perpetual, irrevocable license to the developed software and access to any source code. Without these rights, projects may have to start from square one with a new developer in the event of a dispute.

Other Equipment and Services

While servers and AI chips are essential to an AI-ready data center, support systems such as power and HVAC systems are also critical to maintain optimal operating conditions and to prevent overheating equipment, ensuring reliable connectivity within the data center and to external networks. Software management tools are also helpful to monitor and manage servers. These environmental support services may be provided under a managed services agreement, staffed internally or contracted out to third parties. As with any managed service agreement, it is important to review these carefully and ensure that terms are fair and adequately cover a customer’s needs.

Compliance

Data centers will need to comply with a quickly evolving legal landscape and it is incumbent on the data center operator to stay informed. For example, U.S. data center operators must comply with state and federal data privacy and cybersecurity laws. Additionally, when housing data from persons and businesses outside the United States, the data center will also need to comply with the data laws of other jurisdictions. These regulations govern how personal data must be handled, stored, and protected by data center operators. Additionally, some countries have geolocation restrictions, which limit cross-border data transfers. Unless the collected data and proposed transfer of data meets certain exceptions, the data must remain in that country.

When providing cloud data services, customers often expect the customer agreement to include a data processing agreement and/or information security addendum outlining the types of access data center operators may have to customer data, if any; how it will be stored; and the responsibilities of each party to protect that data. Larger customers often insist on using their own protective forms, so it is important to understand obligations before setting up the infrastructure.

Several states have also implemented environmental restrictions related to data centers. For example, Virginia has proposed regulations focused on minimizing the environmental impact of data centers by requiring stricter energy efficiency and reporting standards. Similarly, California has implemented regulations mandating energy efficiency and renewable energy power sources for data centers. These regulations also encourage adoption of advanced cooling technologies to reduce water and energy consumption.

Building and operating a data center is often a complex and intricate process that requires careful planning and execution. Challenges can arise during development and management. At Vinson & Elkins, our Technology Transactions team has a wealth of experience in dealing with all types of data center agreements and navigating legal issues under these agreements when services fail to meet expectations. Our team is ready to assist you in navigating the complexities of developing and managing your data center.