
How to Evaluate a Cloud Vendor

Questions to ask before trusting a cloud vendor with your business data.

Written by senior engineers with decades of experience managing IT and cybersecurity for Northern BC businesses.

Moving to the cloud means outsourcing data storage and processing to another organization. This is a necessary step for most businesses, but it requires careful evaluation. A vendor that makes big promises but deflects when asked specific questions is a red flag. The cloud doesn't eliminate security risk; it shifts responsibility for managing that risk to the vendor. Before signing a contract, ask the hard questions and expect clear answers. A reputable vendor welcomes scrutiny and provides documentation to back up their claims.

Where Is Your Data Stored?

This question matters more than many organizations realize. Ask which countries and specific data centres will host your data. Some vendors store everything in one location for cost efficiency, which creates concentration risk. If that data centre fails, your data is unavailable. If that country experiences a cyberattack or political instability, your data is exposed. Ask whether data is replicated across multiple regions for redundancy. Ask whether the vendor uses third-party data centres (like AWS or Azure) or operates their own. Neither answer is wrong, but you need to know and understand the implications.

What Security Certifications Do They Hold?

Reputable cloud vendors pursue third-party certifications that validate their security practices. Look for SOC 2 Type II, which certifies that an independent auditor has verified the vendor's security controls are working. ISO 27001 indicates compliance with international information security standards. Industry-specific certifications matter too: HIPAA for health data, PCI DSS for payment card data. Ask to see certification reports. If a vendor can't produce them or claims certification isn't necessary, question their commitment to security. Ask whether those certifications are current and how often they're renewed.

What Are Their Backup and Recovery Procedures?

Backup and recovery are not the same as redundancy. Ask how often data is backed up and where backups are stored. Ask how long recovery takes if data is corrupted or deleted. Ask whether they test recovery procedures regularly to ensure backups actually work. Ask what happens if you need to recover a single file deleted three months ago. The answers reveal whether the vendor treats backup as a critical control or an afterthought. A vendor that can't answer these questions clearly doesn't have a robust backup strategy.

What Happens to Your Data If the Vendor Fails?

Assume the vendor goes out of business tomorrow. What happens to your data? Ask whether you can export all your data in standard formats (CSV, JSON, XML) so you can move to another vendor. Ask how long they'll keep your data available if your account is inactive. Ask about their business continuity plan and insurance. A vendor with weak answers to these questions may not be around when you need them, and you could lose access to your data entirely.

What Is Their Uptime SLA and Cyber Insurance?

An SLA, or service level agreement, is a contract promise about how long the service will be available. A 99% uptime SLA means the vendor promises the service will be down no more than 43 minutes per month. A 99.9% SLA allows 4.3 minutes of downtime per month. Ask what compensation you receive if they miss the SLA. Ask whether cyber insurance covers their services, so that if they're breached, there's financial recourse. A vendor without cyber insurance has no financial backstop if they are breached, and breaches are increasingly common.
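An added worked example (not from the original post) of turning an SLA percentage into a downtime budget and checking a month of recorded outages against it. The outage timestamps are constructed for illustration, and the 30-day reporting window is an assumption; vendors define their own measurement period in the contract.

```python
from datetime import datetime, timedelta


def downtime_budget_minutes(sla_percent: float, period_days: float = 30) -> float:
    """Most minutes a service can be down in `period_days` and still meet `sla_percent` uptime."""
    if not 0 < sla_percent <= 100:
        raise ValueError("SLA percentage must be in (0, 100]")
    return period_days * 24 * 60 * (1 - sla_percent / 100)


def _clip(start: datetime, end: datetime, win_start: datetime, win_end: datetime) -> timedelta:
    """Portion of outage [start, end) that falls inside the reporting window [win_start, win_end)."""
    s, e = max(start, win_start), min(end, win_end)
    return max(e - s, timedelta(0))


def sla_report(sla_percent: float, win_start: datetime, win_end: datetime,
               outages: list[tuple[datetime, datetime]]) -> dict:
    """Compare recorded outages against the SLA budget for one reporting window."""
    period = win_end - win_start
    used = sum((_clip(s, e, win_start, win_end) for s, e in outages), timedelta(0))
    budget = downtime_budget_minutes(sla_percent, period.total_seconds() / 86400)
    return {
        "budget_minutes": budget,
        "used_minutes": used.total_seconds() / 60,
        "achieved_percent": 100 * (1 - used / period),
        "met": used.total_seconds() / 60 <= budget,
    }


# Constructed sample: a 30-day window and three outages from a hypothetical
# vendor status-page history. The first outage starts before the window and is clipped.
WINDOW_START = datetime(2024, 4, 1)
WINDOW_END = datetime(2024, 5, 1)
SAMPLE_OUTAGES = [
    (datetime(2024, 3, 31, 23, 50), datetime(2024, 4, 1, 0, 10)),   # only 10 min counted
    (datetime(2024, 4, 3, 2, 0), datetime(2024, 4, 3, 2, 25)),      # 25 min
    (datetime(2024, 4, 18, 14, 10), datetime(2024, 4, 18, 14, 50)), # 40 min
]

if __name__ == "__main__":
    for sla in (99.0, 99.9, 99.99):
        r = sla_report(sla, WINDOW_START, WINDOW_END, SAMPLE_OUTAGES)
        print(f"{sla}% SLA: budget {r['budget_minutes']:.1f} min, used {r['used_minutes']:.0f} min, "
              f"achieved {r['achieved_percent']:.3f}%, met={r['met']}")
```

The same 75 minutes of outage pass a 99% SLA but fail 99.9%, which is why the percentage, the measurement period, and how the vendor counts partial or scheduled outages all need to be pinned down in the contract.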

Ask the Hard Questions Before You Sign

A vendor's answers to these questions should be confident, specific, and documented. If they deflect with "we use AWS, so it's safe" or "our security is proprietary and we don't discuss it," ask for specifics. Using AWS doesn't transfer all responsibility to Amazon; the vendor still controls how your data is handled within that infrastructure. Legitimate security practices can withstand direct questions and come with documentation. Before choosing a cloud vendor, ensure you understand who controls your data, where it lives, how it's protected, and what happens if something goes wrong. Compliance and risk assessment should include cloud vendor evaluation. Your IT team should help with the technical questions. The answers directly affect your security posture and business continuity.