5 Reasons Why Cloud Contracts Should Scare You

5 Reasons Why Cloud Contracts Should Scare You

5 Reasons Why Cloud Contracts Should Scare You

Marketing Hype ≠ Cloud Contract. Accepting the terms and conditions on a cloud provider’s website can be dangerous, and often the user doesn’t have the option of negotiation. And face it, nobody reads those click thru agreements anyway (except lawyers). So, what do they say and why should they scare you?  Here are my top 5 typical terms:

  • We Don’t Do Security.

Confidential or sensitive data should not be transmitted over the Internet or stored on computers connected to the Internet,” warns a cloud contract. Perhaps this is sage advice, but how many computers aren’t connected to the Internet? And where is your financial, health, tax, personal and proprietary data? In a closet behind your old shoes?

Cloud services contracts also directly state that the provider is not responsible for any type of security breach or disclosure of data. The contract may acknowledge that the customer’s data is confidential, yet still disclaim liability for disclosure. Good bye trade secrets.

Even when the company provides security services, boasting on their home page that they will “Make your business secure and HIPAA and PCI compliant,” they don’t do security. Here is another typical clause:

Company is not responsible and has no liability for any data that you post to the Service or send over the Service.

THE ALL CAPS DISCLAIMERS AND LIMITATIONS OF LIABILITY GO ON FOR PAGES. In meticulous detail, the agreements clarify that the provider is not liable for any unauthorized access to their servers, errors, inaccuracies of content, and much, much more. I’ve even seen companies who advertise their HIPAA compliance capabilities that have contract terms requiring the user to warrant that they will NOT put personal health information on their service.  Feeling warm and fuzzy yet? Let’s continue.

  • What Do You Get?

You may spend a lot of time researching the way the cloud service works and how it will meet your needs. But don’t look for any of that description in the contract. Much of the time, the description of the “Services” reads something like this:

“CloudCo.net provides the CloudCo.net service (the “Service”) through the CloudCo.net website.

That’s it. The “Service” could be cat photos or finance services. But that shouldn’t worry you because the contract also states that they can change the “Service” and how they deliver it at any time, so what does it matter what the “Service” means today? You might draw a certain amount of comfort from the concept that the market will keep a provider from doing anything too stupid, but the provider’s plans and yours may not converge.

  • The SLA Scam

Our commitment is to maintain availability of the network 99.99% percent of the time.” Sounds good, eh? I challenge you to keep reading the rest of the paragraph after being dazzled by that 99.99% (or 100%!) in the first line. Then, do the math. If you aren’t owed a credit until the service has been out for a full hour each month, the promised uptime percentage is really in the neighborhood of 99.8%, not 99.99% or 100%. Then, check the measurement scope. Is the SLA specific to your service or only applicable to the network or data center as a whole or to outages experienced by multiple customers? And remember this is just an up/down measurement. Quality doesn’t count.

Ten-twelve years ago data centers competed with each other to deliver 99.999% (called “five nines”) reliability. No more. It was impossible – even with all the exclusions to calculations that providers always give themselves. The exclusions are numerous and unlimited, including things like “maintenance activities” and “equipment and service failures on systems we don’t own.”  So, the provider can shut down the system for maintenance at any time for any length of time (maybe because it’s about to fail?) and still meet the SLA.

Second news flash, many SaaS vendors don’t own the infrastructure they use. They use third party data centers and hosting providers. Even data centers can lease equipment and use other third party providers. So that exclusion for “equipment and systems we don’t own” eliminates a huge chunk of the delivery services.

The reality is that SLAs are not always offered, although they are the only warranty-like term ever tendered. And your remedy for failure is a tiny credit off your bill, but only if you request it in writing during a specific (short) time period.

  • So if you don’t like it, just move on, right?

A common myth is that cloud services are über flexible. If you don’t like them, cancel and move on. The truth is that many require a lot of time and money to implement, may tie you into proprietary data structures and formats that are not easily transferable when you’re ready to leave, AND HAVE EARLY CANCELLATION PENALTIES.

Most people are surprised when I tell them that unless the contract contains a right to terminate for failure to deliver the service, you cannot. Your legal recourse in that situation is to sue the provider for breach of contract, not stop payment. Even if the vendor fails on its SLAs every single month, they haven’t breached the contract and that doesn’t give you a right to terminate or hold them responsible for the pain that’s caused you. Say thank you for that credit of 1% off your bill and keep paying.

On the flip side, most cloud contracts also say the provider can terminate the whole service at any time at their option. The assumption is that they would give notice and terminate everyone else too. But that’s rarely stated and really isn’t helpful anyway. If you’re terminated, you’re terminated. That could leave you in a serious bind. The contract may also state that they will delete all information related to your account 30 days after termination. But when your access has been terminated it may be impossible to get back (without a fight). Or, you may only get back partial data or data in an unusable format.

Oh, and they can change the terms of the agreement unilaterally at any time too, so even if the contract has friendly data return terms or notice periods before termination, those can disappear.

  • Lost Data, Backup, Disasters and Such

Many customers move their data to the cloud because they think they can stop managing anything related to that data and process. Yet, cloud contracts always disclaim liability for lost data, state it’s the customer’s obligation to back up anything stored on their site, and say that they don’t have to perform if they experience a disaster such as a power failure, fire, flood, etc.

The lack of backup can take a bite from the savings a customer is hoping to get from moving to the cloud. But, it’s just common sense to have a backup solution that is unconnected to the cloud provider. What if the provider goes bankrupt and closes its doors, or the data center loses its lease or the building is foreclosed? What if they lose your data?  It happened to 40% of the companies in a recent Symantec survey. And what’s worse is that two thirds of those companies’ data recovery options failed. Would you ever pass an audit of a disaster recovery plan that says your failover is on the server to the left of the one with the production system? Don’t expect too much of a cloud provider.

What if the provider has a disaster (or a roof leak?) and the servers are toast? Data centers boast about their redundant power supplies, divergent internet connectivity, robust physical security systems and facilities which are built to withstand wild weather, fires and floods. Yet their contracts still include a “force majeure” clause which gives them a pass for all the things they brag they’ve protected themselves against. True that no one can be expected to continue performing when there is a real catastrophe, but why do cloud providers expect a pass for power failures or cable cuts?  Those may be the result of a natural disaster or act of war, but the mundane construction errors shouldn’t shut them down.

The lessons are: you need to be prepared for the cloud provider to simply disappear and to lose your data. It happens.

The cloud is a wonderful tool, but it’s still in the Wild West. I hope I’ve convinced you to at least read (if not consult a lawyer about) your terms of service before putting any thing in the cloud that:

  • You need to access frequently

  • You don’t want the world to see

  • Is subject to privacy laws

  • Is mission critical to your business

  • You’d hate to lose.

By Cindy Wolf,



Cindy Wolf is a Colorado lawyer with more than 25 years experience representing large and small domestic and multinational companies. Her expertise is in helping companies enter the cloud safely, either as providers or users. She also practices in the areas of corporate law and commercial contracting, with an emphasis on international issues. She can be reached at: cindy@cindywolf.com.

(*This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.)

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

CloudTweaks Comics
Lavabit, Edward Snowden and the Legal Battle For Privacy

Lavabit, Edward Snowden and the Legal Battle For Privacy

The Legal Battle For Privacy In early June 2013, Edward Snowden made headlines around the world when he leaked information about the National Security Agency (NSA) collecting the phone records of tens of millions of Americans. It was a dramatic story. Snowden flew to Hong Kong and then Russia to avoid deportation to the US,…

Security: Avoiding A Hatton Garden-Style Data Center Heist

Security: Avoiding A Hatton Garden-Style Data Center Heist

Data Center Protection In April 2015, one of the world’s biggest jewelry heists occurred at the Hatton Garden Safe Deposit Company in London. Posing as workmen, the criminals entered the building through a lift shaft and cut through a 50cm-thick concrete wall with an industrial power drill. Once inside, the criminals had free and unlimited…

The Fully Aware, Hybrid-Cloud Approach

The Fully Aware, Hybrid-Cloud Approach

Hybrid-Cloud Approach For over 20 years, organizations have been attempting to secure their networks and protect their data. However, have any of their efforts really improved security? Today we hear journalists and industry experts talk about the erosion of the perimeter. Some say it’s squishy, others say it’s spongy, and yet another claims it crunchy.…

Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure Enough Out-of-the-box?

Out-of-the-box Cloud Solutions Although people may argue that data is not safe in the Cloud because using cloud infrastructure requires trusting another party to look after mission critical data, cloud services actually are more secure than legacy systems. In fact, a recent study on the state of cloud security in the enterprise market revealed that…

Moving Your Email To The Cloud? Beware Of Unintentional Data Spoliation!

Moving Your Email To The Cloud? Beware Of Unintentional Data Spoliation!

Cloud Email Migration In today’s litigious society, preserving your company’s data is a must if you (and your legal team) want to avoid hefty fines for data spoliation. But what about when you move to the cloud? Of course, you’ve probably thought of this already. You’ll have a migration strategy in place and you’ll carefully…

What You Need To Know About Choosing A Cloud Service Provider

What You Need To Know About Choosing A Cloud Service Provider

Selecting The Right Cloud Services Provider How to find the right partner for cloud adoption on an enterprise scale The cloud is capable of delivering many benefits, enabling greater collaboration, business agility, and speed to market. Cloud adoption in the enterprise has been growing fast. Worldwide spending on public cloud services will grow at a…

5% Of Companies Have Embraced The Digital Innovation Fostered By Cloud Computing

5% Of Companies Have Embraced The Digital Innovation Fostered By Cloud Computing

Embracing The Cloud We love the stories of big complacent industry leaders having their positions sledge hammered by nimble cloud-based competitors. Saleforce.com chews up Oracle’s CRM business. Airbnb has a bigger market cap than Marriott. Amazon crushes Walmart (and pretty much every other retailer). We say: “How could they have not seen this coming?” But, more…

Maintaining Network Performance And Security In Hybrid Cloud Environments

Maintaining Network Performance And Security In Hybrid Cloud Environments

Hybrid Cloud Environments After several years of steady cloud adoption in the enterprise, an interesting trend has emerged: More companies are retaining their existing, on-premise IT infrastructures while also embracing the latest cloud technologies. In fact, IDC predicts markets for such hybrid cloud environments will grow from the over $25 billion global market we saw…

Update: Timeline of the Massive DDoS DYN Attacks

Update: Timeline of the Massive DDoS DYN Attacks

DYN DDOS Timeline This morning at 7am ET a DDoS attack was launched at Dyn (the site is still down at the minute), an Internet infrastructure company whose headquarters are in New Hampshire. So far the attack has come in 2 waves, the first at 11.10 UTC and the second at around 16.00 UTC. So…

Reuters News: Powerfull DDoS Knocks Out Several Large Scale Websites

Reuters News: Powerfull DDoS Knocks Out Several Large Scale Websites

DDoS Knocks Out Several Websites Cyber attacks targeting the internet infrastructure provider Dyn disrupted service on major sites such as Twitter and Spotify on Friday, mainly affecting users on the U.S. East Coast. It was not immediately clear who was responsible. Officials told Reuters that the U.S. Department of Homeland Security and the Federal Bureau…

The DDoS That Came Through IoT: A New Era For Cyber Crime

The DDoS That Came Through IoT: A New Era For Cyber Crime

A New Era for Cyber Crime Last September, the website of a well-known security journalist was hit by a massive DDoS attack. The site’s host stated it was the largest attack of that type they had ever seen. Rather than originating at an identifiable location, the attack seemed to come from everywhere, and it seemed…

Cloud Infographic – DDoS attacks, unauthorized access and false alarms

Cloud Infographic – DDoS attacks, unauthorized access and false alarms

DDoS attacks, unauthorized access and false alarms Above DDoS attacks, unauthorized access and false alarms, malware is the most common incident that security teams reported responding to in 2014, according to a recent survey from SANS Institute and late-stage security startup AlienVault. The average cost of a data breach? $3.5 million, or $145 per sensitive…


Sponsored Partners

Security Training Through Practical Experience
The Many Hats Of Today’s IT Managers
Competing Cloud Security Demands Call For Credentialed Professionals
The Benefits of Cloud-Based Phone Systems
The Value of Hybrid Cloud
Security: The Goodwill Virus That Keeps On Giving
Cyber Security: An Ounce of Prevention
Understanding The Importance Of A Flexible Hybrid Cloud Solution
Hybrid IT Matures Just In Time To Tackle Complex Challenges
Collaboration Clouds: The Logical Next Step To Cloud Computing
Help Your Business Improve Security By Choosing The Right Cloud Provider
Internet Performance Management In Today’s Volatile Online Environment