Data Sovereignty or Cloud Convenience?
Practical lens for business
I was asked to research the differences between running an AI Large Language Model locally and using premium cloud-based services, focusing on T&Cs, and coming up with some practical suggestions for business users.
When I started down this road, I started by asking ChatGPT to do some deep research to help me make a frame for my research. However, this put me on a path to some surprising and concerning discoveries. During this research we (GPT and me) only just started to scratch the surface of the implications, and I didn't even start looking at the cybersecurity side.
The short and sweet of it
| Locally Hosted AI | The Cloud Reality |
|---|---|
| Local AI - On-Premise / potentially Air-Gapped: The organisation runs the model on its own hardware, keeps prompts and outputs internal, and has no internet dependency. | Cloud/Provider-Hosted AI: Prompts and data go off premise, to a third-party provider’s servers (e.g. OpenAI, Google, Microsoft). |
| Trade-offs: AI may lag behind the latest cloud-only models. It requires you to manage updates, optimisation, integration and maintenance yourself, and offers no vendor SLA (unless you set one up yourself). Performance depends on your infrastructure choices (GPUs, storage, etc.). | Trade-offs: Almost zero control of your data, which always leaves your environment and is most often processed and stored overseas. Bound by provider T&Cs (e.g. OpenAI, Google, Microsoft) and subject to foreign legal regimes (e.g. U.S. CLOUD Act, Patriot Act, conflicts with GDPR, etc.). Sensitive information must be very carefully handled to avoid compliance or contractual breaches. |
But on taking a closer look at the T&Cs
Non-Negotiable Contracts
For most businesses, cloud AI providers offer non-negotiable ‘take-it-or-leave-it’ contracts. These standard form agreements, which are often long and wordy, set terms such as governing law, liability limits, and data usage. Only very large enterprises typically have the leverage to negotiate bespoke arrangements. Further, studies have found that customers usually accept these lengthy contracts without negotiation or full awareness of the terms.
"Most users do not actually read these voluminous T&Cs – one study found 91% of people consent without reading, and some popular apps’ terms would take 17 hours to read in full – so businesses need to be extra vigilant to understand what rights they might be signing away."
Data Beyond Borders – Australian Data Stored in Non-Australian Cloud Environments - Australian Cyber Security Magazine
Data Ownership and Usage Rights
Liability Limitations and Security
The Reality of Liability Cap Clauses
| Provider | Liability Cap Clause | Source |
|---|---|---|
| OpenAI | “Our total liability for any claim arising out of or relating to these Terms is limited to the greater of $100 or the amount you paid for the Services in the 12 months preceding the event.” | OpenAI Terms of Use |
| Google Cloud | “Google’s total liability under these Terms is limited to the amount Customer paid during the 12 months before the event giving rise to liability.” | Google Cloud Terms of Service |
| Microsoft (Azure Online Services Terms) | “Our maximum liability is limited to direct damages up to the amount you paid for the Services during the 12 months before the cause of action.” | Microsoft Online Services Terms |