14 May 2025

What to ask a cloud provider before you sign up

Most organisations sign up for cloud services without asking the questions that matter. Here are the ones worth considering, and what the answers tell you.

Catenary Ltd

Signing up for a new cloud service is frictionless by design. A few clicks, a credit card, and you're in. The paperwork, however, is not. Terms of service, privacy policies and data processing agreements are long, dense, and written to be agreed to rather than read.

That's fine for your personal email account. It's not fine when the service will hold your customers' personal data, your staff records, or sensitive information about the people you serve.

Before you commit your organisation's data to a cloud provider, there are questions worth asking. Some of them will be answered in documentation if you look for it. Others you'll need to ask directly. All of them tell you something useful about the provider and whether they're the right choice for your needs.

Where is our data stored, and who controls the infrastructure?

As we've written before, the physical location of data is only part of the picture. You also want to know who operates the infrastructure, where that operator (and any parent company) is incorporated, and therefore which governments can compel it to hand over your data.

A European data centre run by a US company gives you less protection than you might think, because US law (notably the CLOUD Act) can require a US-incorporated provider to produce data in its control regardless of where that data is physically stored. A European data centre run by a company incorporated in Europe, with no US parent, is significantly more protective.

Will you sign a Data Processing Agreement?

Under UK GDPR, if a provider processes personal data on your behalf, you're legally required to have a written Data Processing Agreement (DPA) with them. A provider that's unwilling to sign one, or that only offers terms that don't meet the legal requirements, is a provider you shouldn't use for personal data.

Most established providers have a standard DPA available. Check it against the terms Article 28(3) UK GDPR requires a processor contract to contain: processing only on your documented instructions, confidentiality obligations on staff, appropriate security measures, conditions on engaging sub-processors, assistance with data subject requests and breach handling, deletion or return of the data at the end of the contract, and the information and audit rights you need to verify compliance.

If the DPA is a take-it-or-leave-it document with no room for negotiation, that's normal for small organisations. Read it anyway and check whether the terms are acceptable.

Who has access to our data?

This question gets at something the data centre location question doesn't. Even if data is stored in an appropriate location, it may be accessible to people outside that jurisdiction.

Ask specifically: can your support staff access our data? Under what circumstances? From which locations? What controls are in place?

For some services, support access is necessary for the product to work. For others, it's avoidable. A provider who can give you clear, specific answers to these questions, and who defaults to zero access unless explicitly granted, is more trustworthy than one who gives vague reassurances.

What is your sub-processor list?

Cloud providers use other cloud providers. Your data processing agreement should require the provider to maintain a list of sub-processors and to notify you of any changes.

Ask for this list, and look at it. If your EU-hosted CRM is routing data through a US analytics platform or a US-based customer support tool, the "EU data" claim is more complicated than it might appear.

What is your breach notification commitment?

You have 72 hours from becoming aware of a notifiable breach to report it to the ICO, and the law also requires your processors to tell you about a breach without undue delay. If your cloud provider is breached and takes a week to tell you, your investigation starts a week late and you have little time left to assess the impact before reporting.

Ask: within what timeframe do you commit to notifying us of a breach affecting our data? The answer should be 24 hours or less, which leaves you enough time to assess the situation and report if necessary. Get that commitment written into the DPA rather than relying on a verbal assurance.

Another important question to ask: what is your incident response process? Have you had incidents before, and what happened? A provider who can answer these questions specifically and honestly is one who takes security seriously.

What happens to our data if we cancel?

Vendor lock-in is a real risk, and it's worth understanding before you sign up rather than after you've built dependencies.

Ask: what format can we export our data in? How long after cancellation can we retrieve our data? Do you delete it entirely after cancellation, and if so, when?

A provider who makes data export difficult or who holds your data hostage during a dispute has different interests from yours. The ability to leave, and to take your data with you, is a genuine indicator of a provider who's confident in the value they offer.

What certifications do you hold?

For security, relevant certifications include ISO 27001 (information security management) and SOC 2 (common for US providers or those serving US clients). In the UK, Cyber Essentials or Cyber Essentials Plus is a minimum baseline. For healthcare data, look at compliance with the NHS Data Security and Protection Toolkit (DSPT) if relevant.

Certifications aren't sufficient on their own. A certificate is a snapshot at a point in time, and it only covers what was in scope: ask to see the scope statement for an ISO 27001 certificate, and ask for a SOC 2 Type II report rather than a Type I, since only the former covers controls operating over a period. Their absence, though, especially for a provider handling sensitive data, is a warning sign.

Why these questions matter

Most cloud providers have never been asked most of these questions by a small business prospect. Asking them does several things: it tells you information you need, it signals to the provider that you're a sophisticated buyer, and it helps you to evaluate the answers comparatively across providers.

A provider who answers clearly, specifically, and without defensiveness is showing you something about how they operate. A provider who deflects, provides boilerplate, or struggles to answer basic questions about data access is also showing you something.

If you'd like help evaluating your current providers against these questions, or developing a supplier assessment process, get in touch.