Many cloud providers also include a list of exclusions to uptime guarantees, including emergency situations, outages of 15 minutes or less, and availability during certain times of day. "Buyer should expect small, but well-defined exclusion windows that don't count against downtime so the provider can perform routine maintenance," says Slaby.
Beware of overly broad exclusions. For example, telecom outages are typically excluded with no distinction between services purchased by the customer itself (a legitimate exclusion) and those of the provider who should provide redundant telecom architecture to prevent a single point of failure, says Dr. Jonathan Shaw, principal with outsourcing consultancy Pace Harmon. "You may see exclusions for 'emergency maintenance' with no constraints on when the provider can call a maintenance emergency, effectively giving them a 'get out of jail free' card for any outage," Shaw says.
3. What about "Acts of God"? Most cloud contracts also exclude force majeure events--those outside the reasonable control of the vendor such as natural disasters, war, and labor strikes. "An event of force majeure can allow a vendor to get out of commitments, including SLAs," says Schnaders' Taylor, "Customers should negotiate a narrow definition of force majeure."
4. How stable is your cloud environment? Shaw of Pace Harmon advises clients perform technical due diligence on any cloud solution to estimate the risk of major outages. Look at how the cloud is structured. Is there a data center on an earthquake fault line or in a country prone to political instability?
5. What's your disaster recovery plan? "Buyers should really be digging into this," says Slaby of HfS Research. Request site visits and audits to estimate the vendor's achievable recover time and recovery point and use that to calculate the impact on your business of a potential failure. "This analysis may simply preclude a cloud solution [if] it is not possible to recover the cloud application sufficiently quickly to avoid a business-jeopardizing event," says Shaw.
6. How often do you test that plan? "Having a disaster recovery and business continuity plan in place does not ensure that downtime will be minimized in the event of a disaster," says Fisher of K&L Gates. "Unfortunately, some providers don't regularly test their plan so they can't be sure it will be effective in the event of a disaster." Smart shoppers will include a contractual requirement for semi-annual disaster recovery testing, compelling the provider to disclose the results to the customer and correct any deficiencies uncovered.