You have a couple of options.

1. Setup parent-child QOS policy at the data center. Parent QOS policy will match traffic to each remote site, you can do this by using access-list matching remote IP subnet (yes lots of configuration). You would then shape each remote site class to the bandwidth that you have at the remote site and apply service-policy for the child qos policy. Child qos policy will do the actual queuing for each site. Even if all your remote sites have different banwidth sizes, you could potentially get away with a single child policy if you believe you can allocate bandwith using percentages. As a result, traffic from data center to the remote site will be shaped to the bandwidth of your remote site, and then child qos policy will prioritize your traffic accordingly.

2. The other option is to work with your MPLS provider and have them setup egress QOS policy on the PE-CE links according to your SLA. They might or might not be willing to be flexible with this request. I bet they already have their standard qos policy configured, you just need to find out what it is, and maybe ask them to adjust queues.

Either way, you should introduce scavenger class in your qos policy (or child qos policy if you go with option 1). At the dat center, mark any traffic that doesn't deserve bandwidth under 100% utilization as DSCP CS1 or IP Prec 1, and then give only 1% of bandwidth to that class. Network backup traffic, ftp transfers, and potentially http browsing traffic could fall into scavenger class, that's up to you.

If you need clarification on any of the above, let me know.

P.S. If you don't want to configure all those access-lists in the option 1 above, consider running DMVPN (without protection) on top of your MPLS cloud. You could then do per-tunnel QOS policy for DMVPN (http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_per_tunnel_qos.html). There are several great benefits from running DMVPN on top of MPLS. The only disadvantage is 5% overhead for IMIX traffic.