The term “cloud” conjures up a fluffy, amorphous place in the sky where your data are held. When you store your data in a “cloud” service, you are simply storing your data on someone else's computer (or, more likely, computers).
If you are not paying for the service you are using beyond a trial period, have a think about how they are making money.
Running servers at scale is not cheap, and a common online business model is to use data relating to users of the services to make money — perhaps using it to target advertising, or even selling it (or insights based on it) to third parties.
A common mantra is that, if you are not paying, you are the product.
If you are not paying, you should also check what (if any) support is available to you, and whether you have any recourse if they decide one day to just switch off their services.
To mitigate this risk, take regular backups of your data and store them somewhere else. Test those backups, and check they are in a format which you can import into another service or piece of software.
Check your local rules of professional conduct regarding the use of subcontractors generally and cloud computing specifically.
Although this wiki is definitely not about legal advice, you might need to draw your clients' attention to the use of cloud computing systems, and are likely to need to carry out due diligence on your providers' confidentiality and resiliency practices.
British Columbia: Cloud computing checklist v. 2.0 [Updated May 2017]
The Law Society of England and Wales produced a practice note on cloud computing, but it appears to have been withdrawn.
Bar Council: Cloud computing – security issues to consider
Some providers build their services in a way that the only data stored on their platform are encrypted, with a key that only you hold.
Others operate by storing your data in a way which makes it accessible to them.
Check that the way in which they operate is suitable for your needs.
If the cloud service you are looking at is a file storage service (e.g. Dropbox), encrypt your files before you upload them to the service.
That way, you are not reliant on their encryption or security, and your data should be safe from unwanted access if their servers are compromised.
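One way to do this with the `openssl` command-line tool, shown as an added example that is not part of the original page: the file is encrypted locally with a passphrase that never leaves your machine, and a locally kept hash is used to test that the copy you later download restores correctly. The helper names (`encrypt_for_upload`, `restore_and_verify`), the file names and the sample note are assumptions made for illustration; any tool that encrypts locally with a key only you hold serves the same purpose.

```shell
#!/bin/sh
# Added example (not from the original page): encrypt before upload, verify on restore.
set -eu

# SHA-256 of a file, hash only. Keep this value locally, not on the service.
file_hash() {
    openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
}

# encrypt_for_upload PLAINTEXT KEYFILE OUTFILE
# The passphrase is read from KEYFILE, so it never appears on the command line.
encrypt_for_upload() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$1" -out "$3" -pass "file:$2"
}

# restore_and_verify CIPHERTEXT KEYFILE EXPECTED_HASH OUTFILE
# openssl enc does not authenticate the ciphertext, so the locally kept hash
# is what detects a wrong key, corruption or tampering. Non-zero on any failure.
restore_and_verify() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$4" -pass "file:$2" 2>/dev/null || return 1
    [ "$(file_hash "$4")" = "$3" ]
}

# Demo on constructed data in a throwaway directory.
demo() {
    umask 077                                   # key and plaintext readable by owner only
    d=$(mktemp -d)
    openssl rand -base64 32 > "$d/key"          # random passphrase that stays with you
    printf 'CONSTRUCTED SAMPLE: client attendance note\n' > "$d/note.txt"
    expected=$(file_hash "$d/note.txt")

    encrypt_for_upload "$d/note.txt" "$d/key" "$d/note.txt.enc"   # upload only this file
    restore_and_verify "$d/note.txt.enc" "$d/key" "$expected" "$d/restored.txt" || return 1

    printf 'XXXXXXXXXXXXXXXX' >> "$d/note.txt.enc"   # simulate damage at the provider
    if restore_and_verify "$d/note.txt.enc" "$d/key" "$expected" "$d/bad.txt"; then
        return 1                                # damage must not pass verification
    fi
    rm -rf "$d"
    echo "round trip verified; damaged copy rejected"
}

demo
```

Back up the key file separately from the encrypted files: without it, the uploaded copies cannot be restored.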
Well-resourced and competent providers will employ superb and dedicated security teams, far better than you could do yourself.
Similarly, their infrastructure is more likely to be better maintained than yours and, if there is a problem, fixing it is their problem, and not yours.
Check their terms of service: do they permit unfettered rights to suspend your service, or lock you out of your account?
Frankly, even if they do not say that they can do this, you are better-protected if you work on the basis that, at any point, your access to the service could be suspended.
Before it happens:
If the service is critical to your firm (for example, a document management system, or matter management system), check their service level agreements:
What are the fallbacks if they fail to meet their service level promises? Do you have any meaningful recourse?
Check how often they back up their systems, and how quickly they can restore them if they have a problem.
While having your own backups is essential, if you have to reload your data onto the service, you are limited by the speed of your Internet connection's upload. If you are talking about a significant volume of data, that could take hours or even days.
Check that you can export your data readily.
This might be the same as taking a backup, or it might be a separate, dedicated, way of exporting your data.
Check the format in which you can export your data — does it come out in a way which enables you to load it into another service or piece of software?
If you cannot readily export your data, there is a strong risk of being locked into that service — if they change their prices, you might have no real option but to pay the increase, and, worse, if their service degrades, you may find yourself stuck with a sub-optimal experience.
Are their (or, perhaps more likely, their provider's) servers in a jurisdiction which could be problematic to you (for example, where local laws might permit a third party to access your data without telling you)?
Depending on your local legal requirements, you might need additional contractual protection, beyond their normal terms of service.