Cloud computing is now part of how most technology-driven businesses operate.
Whether you are using SaaS tools, building on a cloud platform, storing customer data, or running infrastructure through a third-party provider, the cloud often sits quietly behind your product, your operations, your customer experience and your compliance obligations.
But cloud does not remove risk; it moves it.
And that is where the contract, the data protection position and the practical setup really matter.
Cloud is not one thing
One of the first mistakes businesses make is treating all cloud arrangements in the same way. They are not the same. A SaaS product, where you access software through the internet, gives you a very different level of control from an infrastructure arrangement where you manage your own operating systems, applications and security configuration.
Broadly, cloud services usually fall into three categories:
Software as a Service
This is where the supplier hosts the application and you access it online. The supplier controls most of the underlying infrastructure. The customer usually has limited visibility and limited ability to change how the service is run.
Platform as a Service
This gives businesses a platform to build or deploy their own applications without managing the underlying hardware. It is often used by development teams that need flexibility without managing every layer themselves.
Infrastructure as a Service
This gives access to core computing resources such as servers, storage and processing power. The customer has more control, but also more responsibility for configuration, access controls and security decisions.
Why does this matter?
Because control and responsibility do not always sit in the same place.
A supplier may host the system, but your business may still be responsible for how data is used, how access is managed and whether the arrangement is suitable for your customers, regulators and commercial commitments.
Data protection is often the main risk
For many businesses, the biggest cloud risk is not downtime; it is data.
Most business-to-business cloud arrangements will involve the customer acting as controller and the cloud supplier acting as processor under UK GDPR.
That means the customer decides why and how personal data is used, while the supplier processes that data on the customer’s instructions.
The practical issue is this: even when the supplier is doing the processing, the customer still carries a significant part of the regulatory responsibility.
That means businesses need to know:
The contract should include the required processor terms under UK GDPR, but that alone is not enough.
The legal wording needs to match the operational reality.
If the supplier says data is only processed in the UK, but their support team, hosting provider or sub-processors sit elsewhere, that needs to be understood and dealt with properly.
“Take it or leave it” terms are not always the end of the conversation
Large cloud providers often work from standard terms.
For low-cost, off-the-shelf services, there may be very little room to negotiate. That does not mean businesses should ignore the terms.
It means they need to understand the risk before accepting them.
For higher-value contracts, business-critical systems or more bespoke cloud arrangements, there is usually more scope to ask for changes or clarification.
The areas worth looking at carefully include:
Service levels
Service levels should explain what level of availability the supplier is committing to and what happens if that level is not met.
Many cloud contracts offer service credits for downtime. These can be useful, but they rarely compensate the customer for the real impact of a serious outage.
If a system is business-critical, customers should look closely at whether there are termination rights for repeated failures or sustained poor performance.
Liability caps
Supplier liability is often capped by reference to fees paid, commonly 12 months’ fees.
That may be acceptable for a low-risk tool.
It may be nowhere near enough for a platform handling sensitive customer data, payments, confidential information or regulated workflows.
Businesses should check whether the cap works in practice, especially for data breaches, confidentiality breaches, security failures, indemnities and third-party claims.
The question is not just “what is the cap?”
It is “what could actually go wrong, and would this contract leave us exposed?”
Unilateral changes
Cloud providers often reserve the right to update services, features, terms, policies or technical requirements.
Some change is normal. Cloud services evolve constantly.
But customers need protection if a change materially reduces functionality, weakens security, affects compliance or disrupts their own customer commitments.
For business-critical services, notice periods and termination rights can be important.
Security is not just an IT issue
Security clauses in cloud contracts are often treated as technical detail. They are not. They are commercial protection.
Cloud security should cover more than firewalls and passwords. It should address encryption, access controls, incident response, personnel controls, physical security, vulnerability management, back-ups, disaster recovery and audit evidence.
Many suppliers will resist customer audit rights, particularly in multi-customer environments. That is not unusual.
But if direct audit is not available, businesses should ask what independent assurance is provided instead.
For example, suppliers may provide third-party certifications, audit reports or security documentation. These do not remove risk, but they can help customers assess whether the supplier’s controls are appropriate.
Your data, your content and your exit plan
Cloud contracts should be clear about ownership and use of customer data.
The customer should retain ownership of its data and content. The supplier should only be allowed to use it for defined purposes, such as providing and supporting the service.
This becomes even more important where suppliers are using analytics, AI features, product improvement data or aggregated insights.
Businesses should also think about exit from day one.
A bad exit clause can turn a supplier issue into an operational crisis.
Cloud risk is not just legal risk
The best cloud reviews do not look only at the contract. They look at how the cloud service fits into the business.
For example:
This is where legal, operational and technical thinking need to connect.
A contract may look acceptable in isolation, but still be unsuitable for how the business actually uses the service.
Final thought
Cloud computing can give technology businesses speed, flexibility and scale.
But the legal and operational basics still matter.
Before signing cloud terms, businesses should understand what they are buying, what they control, what the supplier is responsible for and what happens when something goes wrong.
The aim is not to slow the business down.
It is to make sure the foundations can support the way the business wants to grow.
If you would like support reviewing your cloud contracts, data protection position or supplier risk before you sign, please contact us at info@ethiqs.legal.