Cloud Contract Review Questions

It’s cloud contract review time. You should know the right cloud contract review questions to ask, right?

Well, first, take a good look at the provider’s cloud service-level agreement (SLA). What is an SLA? An SLA defines what the customer will receive. It’s a contract between you, the customer, and a service provider (either internal or external), that defines the level of service expected, including security and compliance. Your signature on it affirms that you understand the terms and conditions of the service that you’ll receive from that provider.

If you think that SLAs and cloud contracts often contain vague language and some potential loopholes, you’d be right! Because transparency is not the forte of many cloud providers, here are seven key cloud contract review questions to ask:

How secure is the cloud provider?

Every provider will tell you that their cloud is secure. “How secure?” is the most important question. How does the cloud provider ensure security on an ongoing basis? Do they encrypt data in motion and at rest? Can they offer DDoS protection? Before you sign, these are things that you need to know. Also, ask the provider about their incident management process. Suggest that they walk you through a case study of an incident and how they responded to that incident.

Where will my data live?

Enterprise information is a strategic asset, and yet many cloud service providers treat it like a replaceable good – a commodity. It’s not. Ask your provider to explain clearly where your data will be stored. In the United States? Out of the country? Many cloud service providers won’t be able to tell you where your data is, because they just don’t know. With commodity cloud providers, you never know where your data is because it may be in Taiwan (Google Apps data center location) or Tokyo (Amazon Web Services data center location) or Sao Paulo state (Azure data center location) or somewhere else entirely. Why ask about data location? Government regulations. For example, as part of their due diligence, financial institutions outsourcing IT are required by the Federal Financial Institutions Examination Council (FFIEC) to know where their information is physically being stored. And, if you cannot tell HIPAA/HITECH auditors where specific data are housed physically, you are non-compliant with HIPAA. To prevent leaks of classified information, federal regulations require that contractors working for federal agencies be able to identify the physical location of their data, including the data center in which it is housed and/or the device on which it resides.

Does the cloud service provider have the necessary compliance certifications?

Does an independent auditor audit the provider for compliance with regulations and standards such as HIPAA, FERPA, FISMA, PCI, CJIS and others? Check for those that you may require now or in the future. How does the provider guarantee its compliance? If your company has any customers that are subject to HIPAA/HITECH regulations, remember that you may need to ask your cloud service provider to sign a HIPAA/HITECH Business Associate Agreement (BAA) and understand fully its obligations under that BAA.

Does this cloud contract define what we’re paying for?

Understand what you’re paying for. Depending on the way in which you’re using the cloud, some providers may charge you on a pay-as-you-go basis and some may charge you for a pre-defined level of use. Regardless, you should understand what you’re paying for. Also, if you need to get your workload into the cloud, has the provider defined adequately the migration service fees?

What’s the penalty for SLA non-compliance?

If you, as the customer, experience downtime that exceeds the limits set forth in the SLA, what is the penalty and how will you be compensated? Many cloud service providers compensate through repayment credit for time lost. Is that enough for your needs?

How difficult will it be to get my data out of the cloud?

Moving in is a lot easier than moving out. If, for whatever reason, you may need to part ways with the cloud service provider, how costly and difficult will it be to extract your data and move it elsewhere? Understand your obligations if you do this before the contract expires.

What performance guarantees are being offered?

Many cloud service providers avoid guaranteeing any metrics such as response times and other performance benchmarks. Know which ones are important to you and find out what the guarantees are, if any.


Laurie Head is VP of Marketing Communications for AIS Network.