Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

1Get the operation’s track record

A SAS 70 Type 2 audit will show a provider’s track record for data center operations, security and privacy, and asking to review such an audit is important, said Dan Druker, senior vice president of marketing and business development at Intacct. A SAS 70 audit forces a cloud apps provider to write a complete and thorough document on operational procedures.

2On the other hand

Eran Gil, vice president of business development at Cloud Sherpas, a software developer and professional services provider specializing in Google Apps, said the more cloud apps are finding their way into the enterprise, the less important SAS 70 reports are becoming. Providers are not asked very often for SAS 70 reports, he said.

3Misusing SAS 70

Whether you ask for a SAS 70 audit or not, it’s important to understand how the audit gets misused, Druker said. There’s no such thing as “SAS 70 Certified.” The audit doesn’t prove a provider is using the latest security and encryption. It only means they’ve thoroughly documented their policies and procedures.

4Understand security and privacy policies

The biggest question mark around cloud computing is related to security and privacy. VARs should understand if data stored in the cloud app is encrypted in the database and/or over the network, what the level of encryption is, what password controls are built in and what the privacy policies are (they should be published).

5Understanding the infrastructure

Some smaller cloud vendors don’t have robust technology infrastructures, Druker said. VARs should get information on the data center infrastructure. For instance, is it a Tier 1 data center?

6When things go wrong

A cloud app is likely to be available 24/7, but when things inevitably go wrong, are there people in place to make sure things get fixed right away? Nobody wants lengthy unplanned downtime.

7Read the SLA

The most important thing is to read the service level agreement (SLA), Druker said. The SLA outlines the expectations of uptime and response time when problems occur. It’s critical to understand what the vendor is guaranteeing.

8Different SLAs for different apps

Critical applications should have much stronger SLAs than applications that are less mission-critical, Gil said. Email going down is potentially crippling, but an add-on email app going down for a period of time may not be too troublesome.

9Support structure

Support functions should also be outlined, Gil said. Although the specific support functions vary by application, end-user customers are going to want to know that there will be support when they have problems.

10Support structure

Support functions should also be outlined, Gil said. Although the specific support functions vary by application, end-user customers are going to want to know that there will be support when they have problems.

11Who owns the data?

Read the fine print, said Druker. The end-user license agreement should outline who owns the client’s data. It should explicitly say that the VAR and the VAR’s client own the data rather than the vendor. There should also be an easy way to get the data out of the system if the customer decides the application is no longer appropriate for use.

12Outage track record

What happens if there’s an outage? Can the cloud application provider show a track record of responding to outages? This information should be available somewhere on the vendor’s website, Druker said.

13Getting credit for outages

If there is an outage, clients should expect to get credit, but some vendors only provide a credit if the customer notices the outage and files a complaint. Other vendors will automatically give a credit whenever there is an outage.

14What is an outage?

Different vendors have different definitions of “outage,” and that’s information that should be available to VARs and customers, Druker said. Some vendors say an outage isn’t an outage unless it’s longer than an hour, whereas others call it an outage if it’s greater than three seconds.

15Its all about transparency

Most cloud vendors will have transparency websites, Druker said. The site provides information outages, performance, response times, etc. If a vendor does a good job, it should want to publish that information so customers can see it.


One key thing for the channel is how partner-centric the cloud application provider is, Gil said. The best fit is with a 70/30 or better split between partner and direct sales.