A recent Microsoft-sponsored survey about cloud computing revealed that almost 60 percent of small businesses would make or break a cloud purchasing decision based on the provider's privacy policy. The survey, which was conducted among 769 SMB decision makers, showed that SMBs are expressing interest in data protection and are using it as a way to evaluate potential cloud providers.
With Microsoft and other major cloud providers pushing into the cloud big time, offerings like Office 365 and associated services have demanded the creation of resources like the Microsoft Office Trust Center that clearly explain cloud privacy, security and compliance. How, though, can SMBs protect their privacy and that of their business partners? A cloud contract is the safest bet.
A cloud contract is simply a proof of compliance with various privacy standards. Such a document would include the cloud provider’s own service level agreements (SLAs). Running a background check on the cloud provider to see if it is listed in the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR) would also be a prudent move. STAR is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings to help users assess the security of cloud providers. These free resources allow you, as an SMB, to make informed business decisions without spending a dime hiring a cloud consultant. A questionnaire with over 140 questions has been provided to help SMBs ask a cloud provider the right questions, again at no cost.
Since most SMBs don’t have their own legal department, a good practice is to read all cloud provider contracts end-to-end and audit them to ensure they are complete. Reading the fine print of each contract is crucial since this is where terms and conditions of termination and penalty clauses are buried. One thing you always want is the flexibility to leave a contract. If the cloud provider does not have a contract, present your own. If they have one but you are not comfortable with the conditions, modify it. For example, what are their penalties for non-payment? Some vendors will try to charge you for the ‘expectancy’ of the contract, say for the entire 5 years in a 5-year contract if you want to get out after two years. Always ensure that your intellectual property rights, which include custom-built applications or data, remain yours and that the vendor cannot use or share them.
An often overlooked issue is the procedure for disagreements and arbitration. While most contracts contain these, as a small business, you want to look at the venue or location for disputes and arbitration. Ensure that the listed venue is in your own home state. Travelling across states for court cases can be a costly undertaking which you may not be in a position to afford when things go bad. If the vendor fails to bring this up, it is your responsibility to do so.
Service Level Agreements (SLAs) should also be specifically addressed by the vendor. If they are not, insist that they be added, or present your own. They can be written into an addendum that is attached and integrated into the contract. SLAs should state when cloud performance should be reviewed, quarterly or bi-annually, with the opportunity to amend based upon changing business conditions and mutual agreement.
Remember that cloud vendors are out to protect themselves. They will usually clearly explain the terms of entry into a service, such as the price, time period and parties to the contract, while neglecting exit strategies such as termination clauses and conditions. Always ensure that you engage your cloud vendor in a thorough discussion of the level of service and support you expect for your small business. When both parties understand the terms of a cloud contract, it becomes a pivotal point of reference and an information source for the ongoing relationship, including when problems arise with project coordination and execution.