A growing number of cloud and other technology agreements include grants to the vendor of broad and generally undefined rights to take \u201caggregated data\u201d derived from the engagement and use it for unspecified purposes. \u00a0Businesses should be aware of these clauses and revise them to accomplish two things: \u00a0ensure the data really is \u201caggregated\u201d and reduce risk. \u00a0\tAggregated Data. \u00a0The first step is to ensure \u201caggregated data\u201d is clearly defined as data that (i) is not identifiable to any person or entity (including the customer), (ii) does not contain any of the customer\u2019s confidential information or intellectual property, and (iii) is combined with similar data of the vendor\u2019s other customers. \u00a0In some instances, for example protected health information under HIPAA, there are specific requirements mandated by law for de-identifying data in this context. \u00a0If that type of data is at risk, the vendor must warrant it will ensure the data is properly de-identified in conformance with all applicable legal requirements.\tReducing Risk. \u00a0Even if the data is properly aggregated, there is still a possibility that some form of liability could arise from the vendor\u2019s use of the data (e.g., the vendor violates applicable law in using the data, fails to properly de-identify it, etc.) and a claim results against the customer. \u00a0This is why it is generally a good idea to require the vendor to indemnify and hold the customer harmless from any and all liability that arises from the vendor\u2019s use of the data, including failure to properly aggregate it. \u00a0As a further protection, customers should include language in the agreement that the customer is providing the data on an as-is basis, without warranties of any kind. \u00a0That is, customers should assume no liability or obligation whatsoever in providing the data to the vendor. \u00a0Put another way, the customer is doing the vendor a favor in providing the data. \u00a0The vendor should, therefor, assume all risks associated with its use of the data.