CloudTop Office


How to Know If Your Cloud Hosting Provider Is Actually Secure (Or Just Saying They Are)

May 13, 2026 by Stacy Wanjiku
Category: General

“We take security seriously.” Every cloud hosting provider says this. It is on their website, in their sales deck, and in the welcome email you get after signing up. It costs nothing to say and means almost nothing without specifics to back it up.

The harder question is what security actually looks like in practice: whether the provider you’re trusting with your QuickBooks data, your customer records, and years of financial history has the infrastructure, the certifications, and the processes to actually protect it. Most small businesses never ask. They assume “in the cloud” means automatically safer. That assumption has a habit of being tested at the worst possible time.

Here are the questions worth asking, and the answers that should make you pause.

  • 99% of cloud security failures are the customer’s fault, not the provider’s (Gartner)
  • 59% of organisations cite insecure identities and risky permissions as their top cloud risk
  • 65% of organisations struggle to track risks from third-party apps and misconfigurations

Worth understanding first

Security in cloud environments works on a shared responsibility model. The provider secures the infrastructure. You are responsible for how that infrastructure is configured and used. A good provider helps you get the configuration right. A bad one never brings it up.

The 7 questions worth asking before you sign anything

These are not trick questions. Any provider running a properly secure environment will answer them without hesitation. The ones who can’t are telling you something important.

1. Where does my data actually live?

This sounds basic, but a surprising number of businesses have no idea. Your data should be stored in a specific, disclosed location, not floating vaguely in “the cloud.” Ask for the physical data center location. Ask if it’s in the US. For businesses in regulated industries, data residency requirements may dictate where your information can legally be stored. A provider that can’t tell you where your data lives is not a provider you should be trusting with it.

Good answer: A specific named data center location, ideally with an address or at minimum a city and region.

2. What certifications do you hold?

Certifications are the closest thing to independently verified security standards in this industry. SOC 2 Type II means a provider has been audited on its security controls over time, not just at a single snapshot. ISO 27001 covers information security management. HIPAA matters if your business handles any health-related data. A provider with real certifications will reference them clearly and produce documentation without being asked twice.

Good answer: “We hold SOC 2 Type II” with documentation available. Or a specific named standard with a certificate to show for it.

3. How is access to my environment controlled?

Ask specifically whether multi-factor authentication is enforced, not just available. Ask who on their team can access your data and under what circumstances. Ask whether access logs are maintained and for how long. Loose access controls are how most compromises start. Google Cloud’s Threat Horizons Report found that in the latter half of 2025, 44.5% of initial access vectors in cloud breaches came through third-party software vulnerabilities, with credential-based attacks still accounting for more than a quarter. 

Good answer: MFA enforced by default. Staff access to customer environments is logged, restricted to named individuals, and requires a documented reason.

4. What happens when there is a security incident?

Every serious provider has a documented incident response process. Ask what it looks like. Ask how long they take to notify customers of a breach. Ask what their obligations are under relevant data protection laws. Then ask if they’ve had any incidents in the past two years. That last question is the most revealing. A provider that becomes evasive here is showing you how they would handle an actual incident.

Good answer: A specific incident response policy, a defined notification window (24-72 hours is standard), and a straightforward answer about past incidents, whatever they are.

5. How is my data backed up and how often?

Ask whether backups are automated, how frequently they run, whether they are stored off-site and separate from your primary environment, and whether the provider has ever had to do a full restore. “Backups run nightly to a separate location and are tested monthly” is a very different answer from “we have backups set up.” Both technically count as having backups. Only one actually protects you.

Good answer: Automated, off-site, tested on a regular schedule. Bonus points if they can tell you how long a full restore takes.

6. Is my environment shared or dedicated?

Some providers run multiple clients on shared infrastructure, meaning your data sits alongside other companies’ data on the same servers. Others provide dedicated environments where your setup is fully isolated. In a shared environment, a misconfiguration or security issue affecting one tenant can potentially affect others. In a dedicated environment, your data is separate. Ask which model your provider uses and what the actual implications are for your setup.

Good answer: Dedicated infrastructure with your environment logically and physically isolated from other customers.

7. What does your uptime history look like?

Reliability and security are more closely linked than most people realise. Providers with frequent outages are often running infrastructure that isn’t well-maintained, and poorly maintained infrastructure is more vulnerable. Ask for uptime statistics and ask whether they are self-reported or verified by a third-party monitoring service. The industry standard for business-critical hosting is 99.9% or better.

Good answer: 99.9% or higher, ideally verified by a third-party status page rather than self-reported figures.

The answers that should give you pause

A few specific responses are worth flagging as genuine warning signs, not minor quibbles.

Red flags in a sales conversation

“We use enterprise-grade security”
Enterprise-grade is not a standard. It is a marketing phrase. Push for what it actually means.

“Our platform is ISO certified” with no specifics
ISO has dozens of standards. The relevant one for information security is ISO 27001. Ask which standard and ask to see the actual certificate.

Hesitation or deflection on any of the seven questions above
A provider with a solid security posture knows it and is comfortable talking about it. Discomfort with specific questions almost always points to a gap.

“We’ve never had an incident”
Either very lucky or not being straight with you. Every serious operation has had something go sideways at some point. What matters is how it was handled.

What this looks like at CloudTop

We host QuickBooks, Sage, Act!, and QuoteWerks in a US-based dedicated environment. Your data is not on a shared server alongside other companies. Our team can answer every question above directly, and we’d rather you ask them upfront than find a gap later.

CloudTop has completed Intuit’s security assessment, which covers infrastructure, access controls, and data handling practices in detail. Multi-factor authentication is standard across our environment. Backups are automated, off-site, and tested. And when things have gone wrong historically, we’ve told customers directly rather than quietly hoping nobody noticed.

Our honest take

The best thing a hosting provider can do for a prospective customer is make it easy to ask hard questions before signing. The providers who discourage scrutiny are the ones who can’t withstand it. We’d rather earn your business with straight answers than lose it because you found a gap after the fact.

The bottom line

Moving your business software to a hosted cloud environment is a solid decision for most small businesses. It removes the burden of local infrastructure, enables remote access, and when set up properly, genuinely improves your security compared to a server gathering dust in the office.

The phrase “when set up properly” is doing a lot of work in that sentence. The difference between a provider that actually protects your data and one that just claims to comes down to specifics. None of the questions in this post are unreasonable. They are just rarely asked. Ask them before you sign, not after something goes wrong.

On hosted environments

If you’re running QuickBooks, Sage, Act!, or QuoteWerks and aren’t sure how your current hosting provider stacks up, that is worth a conversation. The answers to these seven questions should take less than 15 minutes to get, and they tell you a lot.

Want to ask us the hard questions?

We’re happy to walk through every question on this list and tell you exactly how our setup holds up. No jargon, no pressure, just straight answers.

(713) 662-3994

CloudTop Office has been providing secure, managed cloud hosting for small and medium-sized businesses across the US since 2000. Learn more at cloudtopoffice.com.
