Just saw this TechTarget article regarding seizure notification or lack thereof for data on the cloud or SaaS. This is just one more thing to consider when moving applications and or sensitive data to a cloud environment. It’s still a hot topic whethere you’re provided with better security or not when following the SaaS model. If you don’t have an information security team and it’s not a focus in your organization SaaS could very well be a good alternative.
Make sure you assess any cloud providers security and make sure they will allow you to at least penetration test your applications.