5 tips for making your cloud SLA air-tight

25.07.2012

"It's becoming an increasingly difficult question to answer, and that makes a lot of people uncomfortable," Overly says. Some users need to know where their data is physically located for compliance or reasons, particularly customers in the healthcare and financial industries. But there's a give and take: In an effort to guarantee highly available services, providers may spread data out across multiple sites as a disaster-recovery measure. But when data crosses borders into another country, different laws apply to who has access to the data and what it can be used for.

The burden remains on the customer to ensure they stay compliant with security certifications, Overly says. Some providers, such as , allow customers to dictate where their data is stored. It's not just about where the company's data centers are, though; it's also important to ask who can access that data. If a support center is located outside the U.S. and its staff have copies of the customer data to provide support, the data may be going overseas without customers knowing it.

Overly says it's all about questioning your provider if these answers are not outlined in the SLA. There are a variety of end-user "self-help" solutions, Overly says. Customers can encrypt data that's put in the cloud and hold on to the keys, for example. Or they can choose not to store personally identifiable information (PII) in the cloud and keep that on their own premises instead.

Floating terms

Normally SLAs are paper documents signed by both parties with the terms of the agreement outlined in the document. One trend Overly has seen recently is SLAs that refer to specific terms that are published on a website. That should generally be a red flag to consumers, he says. Websites can change, and vendors, unless specifically agreed to in the SLA, may not be required to inform customers of changes to the terms.