5 Reasons Why Cloud Contracts Should Scare You

Marketing Hype ≠ Cloud Contract. Accepting the terms and conditions on a cloud provider’s website can be dangerous, and often the user doesn't have the option of negotiation. And face it, nobody reads those click-through agreements anyway (except lawyers). So, what do they say and why should they scare you? Here are my top 5 typical terms:

  • We Don’t Do Security.

“Confidential or sensitive data should not be transmitted over the Internet or stored on computers connected to the Internet,” warns a cloud contract. Perhaps this is sage advice, but how many computers aren't connected to the Internet? And where is your financial, health, tax, personal and proprietary data? In a closet behind your old shoes?

Cloud services contracts also directly state that the provider is not responsible for any type of security breach or disclosure of data. The contract may acknowledge that the customer’s data is confidential, yet still disclaim liability for disclosure. Good bye trade secrets.

Even when the company provides security services, boasting on their home page that they will “Make your business secure and HIPAA and PCI compliant,” they don’t do security. Here is another typical clause:

Company is not responsible and has no liability for any data that you post to the Service or send over the Service.

THE ALL CAPS DISCLAIMERS AND LIMITATIONS OF LIABILITY GO ON FOR PAGES. In meticulous detail, the agreements clarify that the provider is not liable for any unauthorized access to their servers, errors, inaccuracies of content, and much, much more. I've even seen companies who advertise their HIPAA compliance capabilities that have contract terms requiring the user to warrant that they will NOT put personal health information on their service.  Feeling warm and fuzzy yet? Let’s continue.

  • What Do You Get?

You may spend a lot of time researching the way the cloud service works and how it will meet your needs. But don’t look for any of that description in the contract. Much of the time, the description of the “Services” reads something like this:

“CloudCo.net provides the CloudCo.net service (the “Service”) through the CloudCo.net website.”

That’s it. The “Service” could be cat photos or finance services. But that shouldn't worry you because the contract also states that they can change the “Service” and how they deliver it at any time, so what does it matter what the “Service” means today? You might draw a certain amount of comfort from the concept that the market will keep a provider from doing anything too stupid, but the provider’s plans and yours may not converge.

  • The SLA Scam

“Our commitment is to maintain availability of the network 99.99% of the time.” Sounds good, eh? I challenge you to keep reading the rest of the paragraph after being dazzled by that 99.99% (or 100%!) in the first line. Then, do the math. If you aren't owed a credit until the service has been out for a full hour each month, the promised uptime percentage is really in the neighborhood of 99.8%, not 99.99% or 100%. Then, check the measurement scope. Is the SLA specific to your service or only applicable to the network or data center as a whole or to outages experienced by multiple customers? And remember this is just an up/down measurement. Quality doesn't count.

Ten to twelve years ago, data centers competed with each other to deliver 99.999% (called “five nines”) reliability. No more. It was impossible – even with all the exclusions to calculations that providers always give themselves. The exclusions are numerous and unlimited, including things like “maintenance activities” and “equipment and service failures on systems we don’t own.” So, the provider can shut down the system for maintenance at any time for any length of time (maybe because it’s about to fail?) and still meet the SLA.

Second news flash: many SaaS vendors don’t own the infrastructure they use. They use third-party data centers and hosting providers. Even data centers can lease equipment and use other third-party providers. So that exclusion for “equipment and systems we don’t own” eliminates a huge chunk of the delivery services.

The reality is that SLAs are not always offered, although they are the only warranty-like term ever tendered. And your remedy for failure is a tiny credit off your bill, but only if you request it in writing during a specific (short) time period.

  • So if you don’t like it, just move on, right?

A common myth is that cloud services are über flexible. If you don’t like them, cancel and move on. The truth is that many require a lot of time and money to implement, may tie you into proprietary data structures and formats that are not easily transferable when you’re ready to leave, AND HAVE EARLY CANCELLATION PENALTIES.

Most people are surprised when I tell them that unless the contract contains a right to terminate for failure to deliver the service, you cannot. Your legal recourse in that situation is to sue the provider for breach of contract, not stop payment. Even if the vendor fails on its SLAs every single month, they haven’t breached the contract and that doesn't give you a right to terminate or hold them responsible for the pain that’s caused you. Say thank you for that credit of 1% off your bill and keep paying.

On the flip side, most cloud contracts also say the provider can terminate the whole service at any time at their option. The assumption is that they would give notice and terminate everyone else too. But that’s rarely stated and really isn't helpful anyway. If you’re terminated, you’re terminated. That could leave you in a serious bind. The contract may also state that they will delete all information related to your account 30 days after termination. But when your access has been terminated it may be impossible to get back (without a fight). Or, you may only get back partial data or data in an unusable format.

Oh, and they can change the terms of the agreement unilaterally at any time too, so even if the contract has friendly data return terms or notice periods before termination, those can disappear.

  • Lost Data, Backup, Disasters and Such

Many customers move their data to the cloud because they think they can stop managing anything related to that data and process. Yet, cloud contracts always disclaim liability for lost data, state it’s the customer’s obligation to back up anything stored on their site, and say that they don’t have to perform if they experience a disaster such as a power failure, fire, flood, etc.

The lack of backup can take a bite from the savings a customer is hoping to get from moving to the cloud. But, it’s just common sense to have a backup solution that is unconnected to the cloud provider. What if the provider goes bankrupt and closes its doors, or the data center loses its lease or the building is foreclosed? What if they lose your data?  It happened to 40% of the companies in a recent Symantec survey. And what’s worse is that two thirds of those companies’ data recovery options failed. Would you ever pass an audit of a disaster recovery plan that says your failover is on the server to the left of the one with the production system? Don’t expect too much of a cloud provider.

What if the provider has a disaster (or a roof leak?) and the servers are toast? Data centers boast about their redundant power supplies, divergent internet connectivity, robust physical security systems and facilities which are built to withstand wild weather, fires and floods. Yet their contracts still include a “force majeure” clause which gives them a pass for all the things they brag they’ve protected themselves against. True that no one can be expected to continue performing when there is a real catastrophe, but why do cloud providers expect a pass for power failures or cable cuts?  Those may be the result of a natural disaster or act of war, but the mundane construction errors shouldn't shut them down.

The lessons are: you need to be prepared for the cloud provider to simply disappear and to lose your data. It happens.

The cloud is a wonderful tool, but it’s still in the Wild West. I hope I've convinced you to at least read (if not consult a lawyer about) your terms of service before putting anything in the cloud that:

  • You need to access frequently

  • You don’t want the world to see

  • Is subject to privacy laws

  • Is mission critical to your business

  • You’d hate to lose.

By Cindy Wolf



Cindy Wolf is a Colorado lawyer with more than 25 years experience representing large and small domestic and multinational companies. Her expertise is in helping companies enter the cloud safely, either as providers or users. She also practices in the areas of corporate law and commercial contracting, with an emphasis on international issues. She can be reached at: cindy@cindywolf.com.

(*This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.)

