Cloud computing has fundamentally reshaped how South African businesses store data, deliver services, and scale operations. Whether an organisation subscribes to a simple SaaS application or migrates its entire infrastructure to a hyperscale provider, the legal questions are consistent: where does the data reside, who controls it, and what happens when something goes wrong? For a broader overview of the legal issues affecting the technology sector, see our Software & Technology Law hub.
South Africa's regulatory environment for cloud computing is evolving rapidly. The Protection of Personal Information Act 4 of 2013 ("POPIA") sets the baseline for data processing, while the National Policy on Data and Cloud (gazetted in 2024) signals a decisive push toward data localisation for certain categories of government and critical-infrastructure data. Businesses that procure cloud services without addressing these layers of regulation expose themselves to compliance risk, contractual ambiguity, and potential enforcement action by the Information Regulator.
Cloud Computing Models -- IaaS, PaaS, SaaS from a Legal Perspective
Understanding the three principal cloud service models is a prerequisite for effective contract drafting. Each model shifts different levels of control -- and therefore different categories of legal risk -- between the customer and the provider.
Infrastructure as a Service (IaaS)
IaaS providers supply virtualised computing resources -- servers, storage, and networking -- over the internet. The customer retains full control over operating systems, applications, and data. From a legal standpoint, the customer bears most of the security and compliance burden. The contract must clearly allocate responsibility for patching, access management, and encryption. Examples include Amazon Web Services EC2, Microsoft Azure Virtual Machines, and Google Compute Engine.
Platform as a Service (PaaS)
PaaS provides a managed environment for developing, testing, and deploying applications. The provider manages the underlying infrastructure, while the customer manages its code and data. The legal grey area lies in middleware, runtime environments, and automated scaling: if a data breach results from a misconfigured environment, whose configuration choices created the liability? The contract should specify which security controls the provider maintains and which fall to the customer.
Software as a Service (SaaS)
SaaS delivers fully functional applications over the internet. The provider controls the entire stack from infrastructure to user interface. The customer typically has the least control and the narrowest ability to influence security architecture. As a result, the SaaS agreement must be the most prescriptive about data handling, availability, exit rights, and subprocessor management. Most POPIA-related disputes will arise in SaaS contexts because the customer hands over personal information with limited visibility into how it is processed.
A growing number of deployments combine elements of all three models -- so-called "multi-cloud" or "hybrid cloud" architectures. In such environments, the contractual matrix becomes correspondingly more complex, and organisations must map each data flow to the correct service agreement and the correct set of regulatory obligations.
The National Policy on Data and Cloud (2024)
In 2024, the Department of Communications and Digital Technologies gazetted the National Policy on Data and Cloud ("the Cloud Policy"). This policy represents the South African government's clearest articulation to date of its position on data sovereignty, cloud procurement, and the strategic importance of local data infrastructure.
Key Pillars of the Cloud Policy
- Data classification: Government data is to be classified into categories (open, restricted, confidential, secret) with increasingly strict localisation requirements for higher classifications
- Mandatory local storage for high-sensitivity data: Confidential and secret government data must be stored within South African borders, in facilities that meet prescribed security standards
- Preferential procurement: The policy encourages -- and in some cases requires -- government entities to procure cloud services from local or localised providers
- Interoperability and portability: Providers must support open standards to prevent vendor lock-in and enable migration between platforms
Although the Cloud Policy is primarily directed at government departments, state-owned entities, and critical information infrastructure, its influence extends well beyond the public sector. Private companies that supply services to government or that process government data will need to align their cloud architectures with the policy's requirements. Furthermore, the policy's data classification framework is likely to be referenced in future subordinate legislation and industry-specific regulations.
The Cloud Policy also establishes the principle that South Africa should develop sovereign cloud capacity -- domestic data centres operated by South African entities with South African security clearances. This objective is consistent with the broader trend across Africa and the Global South, where governments are increasingly wary of the economic and strategic implications of storing national data in foreign jurisdictions.
Data Sovereignty -- Where Must Your Data Reside?
Data sovereignty refers to the principle that data is subject to the laws of the country in which it is physically stored or processed. For South African businesses, this raises two distinct legal questions: first, does South African law require certain data to remain within the country's borders? Second, if data is stored offshore, which country's laws will apply to disputes about access, disclosure, and enforcement?
POPIA does not impose a blanket prohibition on storing personal information outside South Africa. Section 72 permits transborder transfers provided certain conditions are met -- including that the recipient country has "adequate" data protection legislation, or that the data subject has consented, or that the transfer is necessary for the performance of a contract. However, POPIA's transborder provisions are only one piece of the puzzle. Sector-specific legislation adds further layers of complexity.
Sector-Specific Data Localisation Requirements
- Financial services: The South African Reserve Bank and Prudential Authority require banks and insurers to maintain certain records within the Republic and to obtain prior approval before outsourcing material functions to offshore cloud providers
- Healthcare: The National Health Act 61 of 2003 and the Health Professions Council require patient records to be maintained in accordance with prescribed standards, which practically favours local storage
- Government: The Cloud Policy (discussed above) mandates local storage for confidential and secret government data, and the Minimum Information Security Standards (MISS) impose physical security requirements on facilities that store classified information
- Telecommunications: The Electronic Communications Act 36 of 2005 and RICA impose data retention obligations on licensees that are most practically satisfied through local infrastructure
Even where no legal obligation to localise data exists, businesses may choose to store data in South Africa for practical reasons: lower latency, better alignment with local support teams, and avoidance of jurisdictional complexity in the event of a dispute or a law-enforcement data request. The growing availability of hyperscale data centre capacity in the Johannesburg and Cape Town regions makes local storage increasingly viable for workloads that previously required offshore hosting.
Key Clauses in Cloud Service Agreements
Cloud service agreements are notoriously one-sided. Hyperscale providers present standard terms that are often non-negotiable for smaller customers. Regardless of bargaining power, every customer should understand the following critical contractual areas and negotiate where possible.
Service Level Agreements (SLAs)
The SLA defines availability commitments -- typically expressed as a percentage (e.g., 99.95% uptime). Scrutinise the measurement methodology: does the provider measure availability per region, per service, or globally? What constitutes "downtime" -- total inaccessibility or degraded performance? The remedies for SLA breaches are almost always limited to service credits; direct damages are rarely available. Negotiate meaningful credit percentages and ensure they are applied automatically, not contingent on the customer filing a claim.
Data Location and Residency
The agreement should specify the geographic regions in which customer data will be stored and processed. Many providers offer region-selection features, but the contract must confirm that data will not be replicated to or processed in regions outside the customer's chosen jurisdiction without prior consent. This is especially important for POPIA compliance and sector-specific localisation requirements.
Data Portability and Exit Rights
Vendor lock-in is one of the most significant risks in cloud computing. The contract should guarantee the customer's right to export all data in a standard, machine-readable format at any time, and particularly upon termination. Negotiate a post-termination data retrieval period of at least 60 to 90 days. Confirm that the provider will certify destruction of customer data after the retrieval window closes.
Security Obligations
The contract should specify encryption standards (at rest and in transit), access control mechanisms, vulnerability management practices, and incident response timelines. Request evidence of independent certifications such as ISO 27001, SOC 2 Type II, or CSA STAR. For South African customers, confirm alignment with the security safeguards required by section 19 of POPIA.
Subprocessors and Subcontracting
Cloud providers routinely subcontract elements of their service delivery. The agreement should list current subprocessors, require advance notice of changes, and give the customer the right to object. Under POPIA, the responsible party remains liable for the conduct of its operators, including sub-operators -- making subprocessor transparency essential.
Liability and Indemnification
Standard cloud terms typically cap the provider's liability at the fees paid during the preceding 12 months. For enterprise customers processing high volumes of personal information or mission-critical workloads, this cap may be wholly inadequate. Negotiate carve-outs for data breaches, POPIA penalties, intellectual property infringement, and wilful misconduct.
Governing Law and Dispute Resolution
Hyperscale providers often specify foreign governing law (commonly Irish, Californian, or Washington State law). South African customers should push for South African governing law, or at minimum ensure that POPIA and other mandatory South African statutes are expressly preserved regardless of the governing law clause. Arbitration in South Africa is preferable to litigation in a foreign forum.
POPIA and Cross-Border Cloud Storage
Section 72 of POPIA restricts the transfer of personal information to a third party in a foreign country unless one of several conditions is satisfied. For cloud computing, the most commonly relied-upon grounds are:
- Adequate protection (s 72(1)(a)): The recipient country provides an "adequate level of protection" -- substantively similar to POPIA's conditions for lawful processing. The Information Regulator has not yet published an adequacy list, creating uncertainty for transfers to most jurisdictions.
- Binding agreement (s 72(1)(a)): The recipient is subject to a binding corporate rule, contract, or code of conduct that provides adequate protection. A well-drafted operator agreement or data processing addendum can satisfy this requirement.
- Consent (s 72(1)(b)): The data subject has consented to the transfer. However, relying on consent at scale is impractical and fragile -- consent can be withdrawn at any time.
- Contractual necessity (s 72(1)(c)): The transfer is necessary for the performance of a contract between the data subject and the responsible party. This ground is useful for cloud-hosted SaaS platforms where users sign up directly.
In practice, most cloud providers address section 72 by including a data processing addendum ("DPA") that contractually binds the provider to process personal information in accordance with POPIA's conditions. However, the effectiveness of a DPA depends on its enforceability in the provider's jurisdiction and on whether the provider's actual practices match its contractual commitments. Customers should conduct due diligence on the provider's data handling practices, request audit rights, and review independent certifications before relying on a DPA as the sole legal basis for cross-border transfers.
For a detailed discussion of POPIA operator agreements and how to structure data processing arrangements, see our guide to Data Processing Agreements under POPIA.
Government and Regulated Industries -- Additional Requirements
Government departments and entities in regulated industries face additional cloud procurement obligations beyond POPIA and the Cloud Policy. These layers of regulation reflect the heightened sensitivity of the data involved and the critical nature of the services delivered.
The State Information Technology Agency Act 88 of 1998 ("SITA Act") designates SITA as the central IT procurement agency for government. Cloud procurement by national and provincial departments typically requires SITA involvement, and SITA's procurement frameworks increasingly reflect the Cloud Policy's data sovereignty requirements. Departments that procure cloud services outside the SITA framework risk non-compliance with supply chain management regulations.
In the financial services sector, the South African Reserve Bank's Guidance Note 5/2023 on Cloud Computing and Offshoring requires banks to conduct comprehensive risk assessments before adopting cloud services. Banks must ensure that the cloud arrangement does not compromise the Prudential Authority's ability to access data, conduct on-site inspections, or exercise its supervisory powers. The Guidance Note also requires banks to have credible exit strategies that can be executed without material disruption to critical business functions.
The Cybercrimes Act 19 of 2020 adds further complexity. Section 26 requires electronic communications service providers (which may include certain cloud providers) to assist law enforcement in investigating cybercrimes. The interaction between a foreign cloud provider's obligations under the Cybercrimes Act and its obligations under its home jurisdiction's laws -- such as the US CLOUD Act -- creates potential conflicts that must be anticipated in the cloud service agreement.
Hyperscaler Presence in South Africa (Azure, AWS, Google Cloud)
The establishment of local cloud regions by the three major hyperscale providers has transformed the data sovereignty calculus for South African businesses.
Microsoft Azure
Microsoft launched its South Africa North (Johannesburg) and South Africa West (Cape Town) regions in 2019, making Azure the first hyperscaler with local data centre presence. Azure offers the full range of IaaS, PaaS, and SaaS services from these regions, including Azure Government for public sector workloads. Microsoft's data processing addendum addresses POPIA requirements and offers contractual commitments on data residency.
Amazon Web Services (AWS)
AWS launched its Africa (Cape Town) region in 2020 with three availability zones. The Cape Town region supports the majority of AWS services, although some specialist services may process data in other regions. AWS's Data Processing Addendum includes POPIA-aligned commitments, and its Customer Compliance Centre provides documentation for regulated-industry customers.
Google Cloud Platform
Google Cloud launched its Johannesburg region in 2024, joining Azure and AWS in offering local data processing capacity. Google's Cloud Data Processing Addendum addresses POPIA and offers configurable data residency controls. Google's Assured Workloads product provides additional compliance features for regulated customers.
The presence of local hyperscale regions does not automatically resolve data sovereignty concerns. Even when data is stored in a South African region, the provider's global terms of service may reserve the right to transfer data for support, troubleshooting, or legal compliance purposes. Customers must read the fine print, configure data residency controls correctly, and monitor for changes to the provider's subprocessor list.
Beyond the hyperscalers, a growing ecosystem of local cloud providers -- including Dimension Data / NTT, Teraco (which operates carrier-neutral data centres used by the hyperscalers), Africa Data Centres, and several boutique managed-service providers -- offers alternatives for organisations that prefer South African-owned and operated infrastructure.
Practical Negotiation Tips for Cloud Contracts
Negotiating a cloud service agreement requires a blend of legal, technical, and commercial expertise. The following practical tips are drawn from our experience advising South African businesses on cloud procurement.
Negotiation Checklist
- Classify your data first: Before approaching any provider, map your data by sensitivity and regulatory category. This determines which data can go offshore, which must stay local, and which requires enhanced security controls.
- Demand a POPIA-compliant DPA: Do not accept the provider's global data processing addendum without review. Ensure it references POPIA, specifies South Africa as the governing jurisdiction for data protection disputes, and includes meaningful breach notification timelines.
- Lock in data residency: Configure data residency at the contract level, not just in the console. Obtain a written commitment that data will be stored and processed only in specified regions unless you provide prior written consent to a change.
- Negotiate meaningful SLA remedies: Service credits of 5% to 10% for minor outages do not compensate for business losses. Push for tiered remedies, including early termination rights for repeated or prolonged SLA failures.
- Plan for exit from day one: Ensure the contract includes clear data export procedures, a post-termination retrieval period of at least 60 days, and a commitment by the provider to assist with migration to a successor platform at reasonable cost.
- Audit rights: Insist on the right to audit the provider's compliance with its contractual and regulatory obligations. If the provider resists direct audits, accept independent third-party audit reports (SOC 2, ISO 27001) but ensure they are recent and that the scope covers the services you consume.
- Review the change-of-terms clause: Many cloud contracts reserve the provider's right to change terms unilaterally with 30 days' notice. Negotiate a longer notice period and a right to terminate without penalty if the changes are materially adverse to your organisation.
Need Legal Advice on Cloud Contracts?
Cloud computing contracts sit at the intersection of technology, data protection, and commercial law. MJ Kotze Inc advises South African businesses on the full spectrum of cloud legal issues -- from reviewing and negotiating hyperscale service agreements to drafting bespoke POPIA-compliant data processing addenda, conducting cross-border transfer impact assessments, and advising on compliance with sector-specific cloud procurement regulations.