Yes you make some valid points re the security of the data and also the possibility of running things against the wrong data set! I think I could do something along the lines of 'clientname-userlogon' to try and mitigate anyone logging onto wrong instance. So for example a login could be called 'healthservice-johndoeDBA' then 'phonecomany-johndoeDBA' for the other client.

I forgot to mention we have our servers in the cloud so, theft, hardware failure is not really a problem for us. In the case of a disc failing we switch automatically to another VM.

Thanks for your reply - interesting.!