
What You Need to Know on Privacy Practices for Your Business Cloud Applications

by Christophe Primault
Published on 8 November 2011

When you are choosing an application for your business, it is important to get transparent and easy-to-understand information about the privacy practices of the provider and to know how your corporate data will be handled. Small businesses should have privacy concerns when moving to the cloud, and it is our role, as well as our partners', to remove these concerns. Client privacy, confidentiality and security are central to us.

The cloud is a convenient world for a small business. You can test a new app for free before choosing. You only pay as you go. It is easy to change provider and there is an app for almost any business need. But any small business owner should also consider the cloud's privacy implications.

Should you be afraid of cloud privacy and security?

Privacy concerns from cloud application users are centered around the collection, storage, ownership, rights and management of their data in the cloud.

Transparency and accountability issues are also generating fears around cloud adoption, but are they justified?

Of course, all cloud application vendors will guarantee the safety and privacy of your data and won't claim any ownership of the content you are sharing with them. But privacy and security obligations are fuzzy, and it is often difficult to understand what rules govern online privacy. Cloud computing makes it even worse because, in most cases, you don't even know where your data will be hosted and therefore can't determine which laws apply.

Most SaaS vendors don't have their own dedicated data centres, and when they do, they are often co-located. It is even more complex when you consider that a SaaS vendor is typically using a development platform (PaaS) hosted in a different location than the infrastructure (IaaS) provider. You can end up having your data hosted in three layers in three countries. You will have absolutely no visibility into where your precious business information is.

Let's face it, when your data is in the cloud it is difficult to figure out where it is and who's responsible for its security and privacy. Add to this that most countries don't have specific cloud data privacy laws and you will start thinking: uncertainty and risk.

But does it matter? Yes and no. It depends on how sensitive your information is, how paranoid you are and whether you have a strong cloud culture. As an example, at we have all our information in the cloud. Some of it is even hosted by one of our main competitors. Does it keep us awake at night? Not really. We don't consider our data hyper-sensitive. We are not highly regulated. We operate on a global basis and, more importantly, we are "born in the cloud", so it is not a cultural shock for us. We do, however, take a serious look at these issues before choosing a new supplier.

Select your providers carefully

The benefits of using cloud applications in terms of cost and productivity are too obvious to be missed, but you need to select your providers carefully.

As a start, we check if the solution has been certified by a trusted body for good privacy practices. Knowing that an application is certified should give you some peace of mind that your provider does care about your privacy, and that proper policies are in place to protect you.

As an example, at we have recently announced a partnership with TRUSTe, a leading online privacy provider that has designed a solution, TRUSTed Cloud, to meet specific privacy needs for cloud-based applications. We felt it was important to give the users of our Business Applications Marketplace a quick way to evaluate an application's data privacy practices, so they could determine whether it is appropriate for their particular usage. When a vendor is certified and therefore offers good privacy guarantees, we will show the TRUSTe trustmark next to the application description, such as in this NetSuite example.

Up to now, about 200 cloud vendors have adopted a Cloud Data Privacy Certification and we are committed at to encourage more vendors to prove that they have adopted best practices to protect the security and privacy of their users' data.

Perform these 10 checks

Before choosing a cloud vendor, this is what you should be doing:

  1. check if they have a clear and accurate disclosure of their privacy practices and policies
  2. check if they comply with a third party certification based on privacy, transparency and accountability
  3. understand what are the guarantees offered in terms of data collection, sharing and usage
  4. ask who owns data and where it will be located
  5. ask what rights the provider keeps over your data
  6. try to know whose laws govern your contract with the provider
  7. make sure that you are not locked-in
  8. understand how easy it will be to move your data to another provider
  9. ask if they will keep your data when you terminate the service
  10. read reviews and check with your network about their experience with this vendor

Certifications such as TRUSTe Cloud are good trust indicators, but you should always challenge your provider about privacy, transparency and accountability issues before subscribing to a cloud service for your business.

