Cloud services have become ubiquitous for small and large companies alike, with the benefits of low capital expenditure, incremental service agreements and reduced storage requirements all making it the obvious option for everything from accountancy services to email.

We all remember the days when IT upgrades required significant financial investment up front. Psychologically this forced end users to think long and hard about the contracts they were signing. On the flip side, the simplicity of the cloud often means that customers look a little less closely at the Ts & Cs. They are, however, still putting mission critical applications in the hands of a third party and as such contracts should be treated with no less caution than any other agreement negotiated within the business. Here are five things for customers to consider before signing on the dotted line:

how protected is my data?

Security is paramount and any cloud provider worth their salt should be bending over backwards to reassure you that your data is safe. Make sure that your provider can produce a comprehensive disaster recovery plan. What happens if their system goes down? What is their remedy procedure? Do they have suitable mirror sites in various locations to ensure that data remains accessible if the primary site fails? Is there sufficient distance between sites?

Similarly ask questions about the firewalls and anti-virus solutions that your supplier has in place – how often are these tested and benchmarked against newer solutions available in the market? How often are their systems penetration tested?

does the supplier comply with uk data protection legislation?

If you are a data controller in respect of personal data, and you store such personal data in the cloud, you need to ensure you are compliant with the Data Protection Act 1998. You also need to ensure that the country where your data is hosted offers an adequate level of protection which satisfies the Eighth Data Protection Principle under that Act. There are ways and means of achieving such compliance, but it is unlikely that your cloud provider (at least in a commodity deal) will give you assurances over the security surrounding that data. Which means you may be in breach of your obligations under the Act.

how many other customers’ data does the supplier have on the same servers?

You have every right to ask this question. It’s important not only from a credibility perspective but also because you can need to be absolutely sure that their other customers cannot access your data. Data segregation techniques are far more sophisticated than they were in the early days of cloud; nevertheless, consider whether having a ring-fenced server would grant you more comfort.

what payment terms am i signing up to?

More players in the market mean that prices are being squeezed in the cloud space, and there are deals to be done. Consider how you want a payment schedule to be structured. Will you be locked in or does the supplier offer a Pay As You Go option? Discounts are sometimes available for bulk buying across various applications.

how do i get out?

What happens when the current deal comes to an end or if you want to change providers? This is a key question to ask right from the outset. It is imperative that the contract states that you receive all of your data back, and in a native format. Vendor lock-in has been a big issue for customers trying to extract themselves from cloud contracts. Working with an outside provider or with a cloud provider that offers an open source or vendor independent programming language for example, could make it easier for you to negotiate an exit – and would actually help to instil trust in the relationship from the beginning.