Questions to ask your cloud provider

Most organisations don’t leave the cloud because of a single failure. They leave because they realise too late that they never asked the right questions.

These questions are not accusations. They are due diligence. If the answers are clear, that’s a good sign. If they’re vague, defensive, or difficult to obtain, that’s also useful information.

Data ownership and access

  • Where, specifically, is our data stored (regions, jurisdictions, replicas)?
  • Who can access our data, under what conditions, and how is that audited?
  • Can access be compelled by third parties or governments, and how would we be notified?
  • Do we have complete, exportable access to our data at all times?

Exit and portability

  • What is the documented process for exiting this service?
  • How long would a full data export realistically take at our current scale?
  • What costs apply during data extraction (egress, API usage, support)?
  • Are there dependencies on proprietary services that prevent direct replacement?
  • Has this exit process been tested in practice?

If the answer is “most customers don’t leave”, that is an answer.

Costs and predictability

  • Which parts of our bill are fixed, and which are variable?
  • What events could cause costs to spike unexpectedly?
  • How easy is it to forecast spend 12–24 months ahead?
  • Which costs increase as we grow, and which do not?

Predictable infrastructure costs are a governance issue, not just a finance one.

Operational resilience

  • What happens if this service is degraded or unavailable?
  • What control do we have during an outage?
  • Which failure modes are our responsibility, and which are not?
  • How are incidents communicated, and on what timeline?

Regulatory and accountability

  • How does this service support regulatory inspections or audits?
  • What documentation can we provide to regulators about data access and controls?
  • If regulations change, how quickly can our architecture adapt?
  • Who ultimately remains accountable for compliance?

Outsourcing infrastructure does not outsource responsibility.

What to listen for

Healthy answers are specific, documented, and testable.

Warning signs include:

  • Vague reassurances instead of clear processes
  • Reliance on “industry standard” rather than evidence
  • Exit discussions being deferred or discouraged

These don’t automatically mean you should leave. They mean you should understand your position.

Want help interpreting the answers?

RefugeX helps organisations assess cloud dependency calmly — without pressure to move before they’re ready.

Start a conversation