
Due Diligence and Cloud Service Agreements: Legal and Security Checklist

This article provides a comprehensive legal and security checklist for organizations to perform due diligence and negotiate cloud service agreements, covering data security, performance, service limitations, data isolation, government access, trade secrets, exit planning, and related regulatory compliance.

Architects Research Society

Due Diligence and Cloud Service Agreements

Contracts with cloud service providers (CSPs) are often the most critical component of cloud risk assessment, and they should be examined carefully before entering a cloud relationship.

A Cloud Service Agreement (CSA) must clearly describe the services offered, warranties, guarantees, limitations, liabilities, and the rights and responsibilities of each party.

Proper due diligence should investigate categories such as data security, performance, service limits, data migration, government and third‑party legal access, handling of trade secrets/confidential information, and exit plans.

Data Security

When managing operational risks associated with cloud services, organizations should verify the CSP’s data‑security posture, including:

Whether the CSP is obligated to protect customer data at the same level as the customer’s internal policies.

Who (at the CSP and at any subcontractor) has access to customer data, and what background screening those people have passed.

Physical location of the CSP’s data centers and controls against unauthorized access (e.g., 24‑hour security).

Whether the CSP commits to keeping data within specific jurisdictions or avoiding certain jurisdictions.

Migration policies for moving data back in‑house or to an alternative provider.

Frequency of backup and recovery testing.

Compliance of the CSP’s security policies with applicable regulations.

Willingness to undergo on‑demand or periodic audits and certifications.

Procedures for investigating illegal or improper activity.

Disclosure obligations for new vulnerabilities affecting data confidentiality, integrity, or availability.

Backup availability and ease of reconstruction after loss or damage.

Data‑handling and access‑control policies to prevent unauthorized copying or deletion by the CSP or its employees.

Procedures for data deletion.

Handling of hardware replacement (e.g., server decommissioning).
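The jurisdiction and data-center-location items above are contract commitments; the check a security engineer would pair with them is a data-residency audit of the actual storage inventory, including replication and backup targets, against the jurisdictions the CSA allows or forbids. The following is an added example, not code from the original article or from any provider; the region-to-jurisdiction map, the sample inventory and the policy are constructed assumptions for illustration.

```python
# Data-residency check against the jurisdictions negotiated in the CSA.
# Added example, not code from the original article. The region-to-
# jurisdiction map, the inventory and the policy are constructed for
# illustration and do not describe any real provider.
from dataclasses import dataclass, field

# Assumption: provider region codes mapped to the legal jurisdiction that
# governs data stored there. Unknown regions are reported, not ignored.
REGION_JURISDICTION = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}


@dataclass
class StorageResource:
    """One storage location plus everywhere the provider copies it to."""
    name: str
    region: str                                   # primary region
    replicas: list = field(default_factory=list)  # cross-region replication targets
    backups: list = field(default_factory=list)   # regions holding backup copies


@dataclass
class ResidencyPolicy:
    """The CSA commitment: data may reside only in `allowed`, never in `denied`."""
    allowed: set
    denied: set = field(default_factory=set)


def check_resource(res, policy):
    """Return a list of findings for one resource (empty list = compliant).

    Replicas and backups are checked with the same rule as the primary copy:
    a residency clause that covers only the primary location is easy to
    violate through replication or backup configuration.
    """
    locations = ([("primary", res.region)]
                 + [("replica", r) for r in res.replicas]
                 + [("backup", b) for b in res.backups])
    findings = []
    for role, region in locations:
        jurisdiction = REGION_JURISDICTION.get(region)
        if jurisdiction is None:
            findings.append(f"{role} copy in {region}: region not mapped to a jurisdiction")
        elif jurisdiction in policy.denied:
            findings.append(f"{role} copy in {region}: jurisdiction {jurisdiction} is explicitly denied")
        elif jurisdiction not in policy.allowed:
            findings.append(f"{role} copy in {region}: jurisdiction {jurisdiction} not in allowed set")
    return findings


def audit(inventory, policy):
    """Map each non-compliant resource name to its findings."""
    report = {}
    for res in inventory:
        findings = check_resource(res, policy)
        if findings:
            report[res.name] = findings
    return report


# Constructed sample inventory (assumption, not real data).
SAMPLE_INVENTORY = [
    StorageResource("customer-records", "eu-west-1",
                    replicas=["eu-central-1"], backups=["eu-central-1"]),
    StorageResource("analytics-export", "eu-west-1", replicas=["us-east-1"]),
    StorageResource("archive", "ap-southeast-1", backups=["ap-southeast-1"]),
    StorageResource("legacy-logs", "us-west-9"),   # region code the map does not know
]

# Constructed policy: EU only, US explicitly avoided.
SAMPLE_POLICY = ResidencyPolicy(allowed={"EU"}, denied={"US"})


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, SAMPLE_POLICY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

In practice the inventory would be pulled from the provider's configuration exports or APIs on a schedule rather than written by hand. The point of checking replicas and backups with the same rule is that the case most likely to slip past a contract review is a primary copy that complies while a replication or backup target does not; an unmapped region is reported rather than silently accepted so that new regions force a policy decision.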

When a CSP retains the unilateral right to change its privacy policy or terms of use, security and privacy risks increase; refusing such unilateral changes helps preserve negotiated risk allocations.

Performance

Continuous availability of cloud services is critical for many companies; loss of access can cause severe business disruption, revenue loss, and reputational damage. Before signing a CSA, obtain satisfactory answers to questions such as:

Does the provider have multiple power sources from different origins?

Does the provider have multiple network links from different carriers to prevent service interruptions?

Has the provider paid any service‑level credits in the past six months, and if so, for what?

Have any customers experienced service outages, and what was the duration?

Can the provider maintain service (and data access) during scheduled downtime?

Can the provider seamlessly transfer customer data to a backup provider if needed?

Are there known special circumstances (financial distress, dependent subcontractors, litigation) that make outages likely?

How quickly does the provider recover lost data?

What responsibility does the provider assume for force‑majeure events (war, sanctions, embargoes, power loss)?

What is the provider’s emergency plan for natural disasters, including rapid data transfer and redeployment?

What uptime warranties or guarantees does the provider contractually commit to?

Service Limitations

CSAs often contain exclusion clauses that can be a red flag for companies considering migration to the cloud. Review and, where possible, limit or delete the following common clauses:

Unilateral right to limit, suspend, or terminate service (with or without notice).

Disclaimer of liability for service quality and availability.

Disclaimer of all warranties, including implied warranties of merchantability and fitness for a particular purpose.

Disclaimer of liability for third‑party actions.

Limitation of remedies, such as caps on total loss (e.g., refund of fees) and exclusion of indirect damages (e.g., lost profits).

Taken together, broad exclusion clauses can leave the customer with no effective remedy: a CSA that disclaims all warranties and caps damages at the fees paid gives the provider little contractual incentive to meet quality or performance commitments. In some jurisdictions, consumer‑protection or unfair‑contract‑terms law may limit how far such disclaimers are enforceable, but a business customer should negotiate the clauses rather than rely on that.

Data Isolation

Most CSPs deliver services on shared, multi‑tenant infrastructure. Ensure your company’s data is not unintentionally mixed with, or exposed to, other tenants (including competitors) by asking:

What procedures does the provider have to prevent competitors from accessing your data even when hosted on the same server?

How frequently does the provider monitor and test its isolation controls to confirm that tenant data remains separated?

Government and Third‑Party Legal Access

The CSA should specify how the CSP will respond to lawful information requests and what notice and objection rights the cloud user retains. Example questions include:

Will the provider notify the user if it receives a subpoena, search warrant, or other legal request?

Will the provider seek protective orders to limit or prevent disclosure of company data?

What procedures exist for litigation holds and data preservation, and how do they keep other tenants’ data out of scope while preserving yours?

How are e‑discovery requests handled, and how is metadata protected?

Which party bears the cost of processing data for discovery purposes?

Trade Secrets and Confidential Information

The CSA should contain provisions to maintain the confidentiality of a company’s trade secrets and proprietary information, though storing such information with a CSP still poses significant risk.

Under the Uniform Trade Secrets Act, a company must make reasonable efforts to keep its information secret. Whether storing trade secrets with a CSP satisfies that standard has not been definitively adjudicated, so even with contractual confidentiality promises, secrecy may be found to have been lost.

If the CSP’s terms allow it to view, use, or disclose information, the claim that the information remains a trade secret may be undermined.

Exit Plan

The CSA should clearly define an exit plan that outlines each party’s obligations upon service termination, such as:

How soon after termination will customer data be returned, and in what format?

Whether the provider must assist the customer in transferring data to a new provider or back to an on‑premises platform.

Whether the provider must retain backup copies of customer data after termination or destroy all data within a specified timeframe.

How customer data is handled at the end of the relationship.

What happens to customer data if the provider ceases operations.

How encrypted data is returned in usable form, and who holds the encryption keys; if only the provider holds the keys, returned data is usable only with the provider’s cooperation.

Whether the customer’s data and applications can be transferred at any time to avoid vendor lock‑in.

As cloud services consolidate among a few large vendors, negotiating CSA terms becomes more difficult, but the current competitive environment still gives organizations leverage to insist on strong data‑protection and risk‑mitigation clauses.

Because users often lack direct contracts with all involved parties, achieving contractual protection in the cloud can be complex; organizations should require that direct providers confirm due diligence on any downstream providers.

Conclusion

Adopting cloud services offers significant benefits, including cost reduction, reduced on‑site support needs, and scalability.

However, migration also introduces unique data‑security, privacy, legal, and regulatory compliance risks.

Thorough due diligence of service providers and carefully drafted service agreements that allocate rights, obligations, and liabilities are among the most critical risk‑mitigation steps before deploying to the cloud.

Disclaimer: The information provided does not constitute legal advice or opinion and is for general reference only; consult an attorney for advice tailored to your specific situation.

Written by

Architects Research Society

A daily treasure trove for architects, expanding your view and depth. We share enterprise, business, application, data, technology, and security architecture, discuss frameworks, planning, governance, standards, and implementation, and explore emerging styles such as microservices, event‑driven, micro‑frontend, big data, data warehousing, IoT, and AI architecture.
