Cloud tools are vital for SMEs, but their terms and conditions (T&Cs) regarding security and privacy can significantly impact how data is protected and managed. Below is a summary of the security and privacy provisions in the T&Cs of the most common cloud tools used by SMEs, based on their publicly available policies as of March 16, 2025. Note that these are high-level overviews and may evolve, so businesses should review the latest agreements directly.
1. Microsoft 365
- Security: Microsoft commits to safeguarding customer data with encryption in transit (TLS) and at rest (AES-256). The Shared Responsibility Model applies: Microsoft secures the cloud infrastructure, while users manage access controls and data classification. Compliance with ISO 27001, SOC 2, and GDPR is emphasized.
- Privacy: Microsoft states it does not use customer data for advertising. Data is processed in accordance with the user’s region (e.g., EU data stays in the EU where required). Users retain ownership of their data, but Microsoft may access it for support or legal compliance, with notice where feasible.
- Key Clause: “You are responsible for maintaining the security of your account credentials.”
2. Google Workspace
- Security: Google employs encryption in transit and at rest, with a zero-trust security model. Users are responsible for configuring security settings (e.g., 2FA). Compliance with standards such as ISO 27001 and HIPAA is supported, with tools such as the Admin console for oversight.
- Privacy: Google asserts it does not sell personal data but may use it to improve services unless opted out via settings. Data residency options are available for compliance. Google may share data with law enforcement if legally compelled, per its transparency reports.
- Key Clause: “Customer retains control over their data; Google processes it as a data processor under GDPR.”
3. Amazon Web Services (AWS)
- Security: AWS uses a Shared Responsibility Model: AWS secures the cloud (e.g., physical servers), while users secure their content (e.g., encryption keys). Data is encrypted by default in many services, with compliance with SOC, PCI DSS, and FedRAMP.
- Privacy: AWS does not access customer content unless required for service delivery or legal reasons. Users own their data and can choose data regions. AWS emphasizes customer control over data usage and deletion.
- Key Clause: “You are responsible for all activities under your account, including security misconfigurations.”
4. Dropbox Business
- Security: Dropbox encrypts data in transit (SSL/TLS) and at rest (AES-256). It offers recovery tools and two-step verification. Compliance with ISO 27001 and SOC 2 is maintained, but users must secure their endpoints.
- Privacy: Dropbox does not sell user data and processes it only to provide services. Data may be stored in the U.S. or other regions, with options for EU storage. Legal requests for data are handled per its privacy policy.
- Key Clause: “You retain ownership of your files; we act as a custodian.”
5. QuickBooks Online (Intuit)
- Security: Intuit encrypts data with AES-256 and uses multi-factor authentication. It adheres to SOC 1, SOC 2, and PCI DSS standards. Users are responsible for securing their login credentials and connected bank accounts.
- Privacy: Intuit may use anonymized data for analytics but does not sell personal data. Data is stored primarily in the U.S., with limited regional options. Legal compliance may require data disclosure, with user notification where possible.
- Key Clause: “You grant us a license to use your data to provide the service.”
6. Zoom
- Security: Zoom offers end-to-end encryption (optional) and AES-256 for meetings. Users must enable security features like waiting rooms. Compliance with GDPR and CCPA is supported, but endpoint security is the user’s responsibility.
- Privacy: Zoom does not sell user data but may collect it for service improvement. Data residency options exist for paid plans. Legal requests are addressed per its privacy statement, with transparency reports issued.
- Key Clause: “You control meeting content; we process it as directed.”
7. Salesforce Essentials
- Security: Salesforce encrypts data in transit and at rest, with compliance with ISO 27001 and SOC 2. The Shared Responsibility Model applies: Salesforce secures the platform, while users manage access and data security.
- Privacy: Salesforce does not use customer data for advertising. Data residency options are available. Users own their data, but Salesforce may access it for support or compliance, with notice where required.
- Key Clause: “Customer data is yours; we process it under your instructions.”
Common Themes and Takeaways
Across these tools, security relies on a shared model where providers protect infrastructure, but SMEs must configure and secure their usage. Privacy policies emphasize data ownership by users, with providers acting as processors, though data may be accessed for legal or operational needs. SMEs should carefully review these T&Cs, enable available security features, and ensure compliance with local regulations to maximize protection.