CLOUD CONTRACTS: WHAT PROVIDERS AND CUSTOMERS SHOULD DISCUSS

Catalogue of recommended contractual components in General Terms and Conditions of Business (AGB) and Service Level Agreements (SLA) for Cloud Service Providers

Catalogue prepared by:
EuroCloud.Austria
The Vienna Economic Chamber, Section for Business Consultancy and Information Technology
Austrian Standards Institute
Vienna IT Cluster, Vienna Business Agency

Also recommended by: ADV, Arbeitsgemeinschaft für Datenverarbeitung

Version 1.0 of 1 November 2012

Index

1 Framework conditions for the cloud service
1.1 Rules on all companies involved in delivering the service
1.2 Rules on changes in the contractual terms and conditions for cloud services
1.3 Rules concerning the contract termination of cloud services
2 Cloud service delivery
2.1 Rules concerning the infrastructure used
2.2 Rules concerning the content of the services
2.3 Rules concerning the implementation of the services
2.4 Rules concerning operations of the services
2.5 Rules concerning the availability of the cloud service
3 Cloud service billing
4 Cloud service security
4.1 Rules relating to data protection
4.2 Rules on IT security
4.3 Rules concerning data backups and data erasure

PURPOSE OF THIS CATALOGUE

For the cloud service user, a cloud service is like classic outsourcing of IT services. Therefore, a cloud services agreement should include some contractual elements that are also part of a standard IT outsourcing contract. This is a catalogue of recommended contractual elements that should be incorporated into the General Terms and Conditions (AGB) and Service Level Agreements (SLA) for cloud service providers. This list does not contain suggested legal wording for provisions, as the specific wordings may vary substantially according to the respective cloud service context. For example, cloud services for private photo uploads should certainly contain different contractual provisions than cloud accounting software for enterprises. This list does not claim to be exhaustive.

Dr. Tobias Höllwarth
EuroCloud.Austria
Vienna, November 2012

1 FRAMEWORK CONDITIONS FOR THE CLOUD SERVICE

List all essential information and necessary regulations important for drawing up the contract and terminating the cloud service agreement in this content area. In particular, this means information about the companies involved in providing the service.

1.1 Rules on all companies involved in delivering the service

The following items should be taken into account, confirmed, or stated in sufficient detail in the contract:

1.1.1 Pertinent information on the company with which the contract is to be concluded as given by public registers, such as the company register, commercial registers or registers of associations.

1.1.2 Statement on where the service provider has its registered main office and what national laws may apply to this company (head office and branches).

1.1.3 Information on existing certifications of the contracting party. Detailed description of the existing, valid certifications of the data centre.

1.1.4 Information on businesses involved in providing the service, including subcontractors, data centre providers or cloud services of third-party companies integrated into providing the service. In particular, statements about which subcontractors are used in the local country or in countries with comparable data protection laws. For example: the legal system (even if only partially) to which the subcontractors are subject, what privacy rights the subcontractor must observe, the substantive insolvency laws that apply (access to data, separation rights, mandatory provisions, official receiver, etc.).

1.1.5 Commitment that subcontractors are bound by the contractor to the same obligations that the contractor agrees with the customer.

1.2 Rules on changes in the contractual terms and conditions for cloud services

The following items should be taken into account, confirmed and stated in sufficient detail in the contract:

1.2.1 Clarification of the form in which the contract will be made available (e.g., electronically signed PDF or printed document) as well as the approach to be taken in case of changes to the contract.

1.2.2 Confirmation that no unilateral changes to the terms of the contract will be made.

1.2.3 List of subcontractors whose replacement requires the express consent of the customer.

1.3 Rules concerning the contract termination of cloud services

Rules on terminating the contract should be sufficiently taken into account, confirmed and clarified in the contract:

1.3.1 Statement of the term of the contract, rules relating to unequivocal reasons for termination and their deadlines for both sides. Contractor's special right of termination if the provider changes important subcontractors (if keeping the current subcontractor is not possible).

1.3.2 Statement of the provisions governing the participation of the contractor in providing data after termination.

1.3.3 Regulations for protecting the customer's data and the availability of the application in the event of insolvency of the contractor, e.g., through preventive measures.

1.3.4 Sufficiently detailed description of the processes at the end of the contract: settlement, technical formats of the data transmission, handover of the electronic keys, etc.

2 CLOUD SERVICE DELIVERY

List all essential information and necessary regulations important for providing a cloud service in this content area. In particular, these include all information on the infrastructure used, service provision, its implementation and on operations.

2.1 Rules concerning the infrastructure used

The following items should be confirmed or stated in sufficient detail:

2.1.1 Explicit listing of all data centres (including their addresses) to be used for the contracted services. The legal consequences of the use of data centres outside of the EU legal framework should be made transparent.

2.1.2 Statement of how the data centre will handle potential risks (e.g., natural disasters, technical problems, crime, and human errors) and what measures and processes are taken or used to minimise possible consequences.

2.1.3 Detailed statement of the availability of the infrastructure at the data centre, the connection to one or more Internet carriers, the management documents on operations and emergencies, certifications and the availability of back-up power and cooling.

2.2 Rules concerning the content of the services

As an essential element of the contract, sufficient space should be dedicated to a detailed description of the statement of work. The following items should be taken into account, confirmed or stated in the contract in sufficient detail:

2.2.1 Sufficiently detailed description of the cloud service itself and the nature of the cloud service, e.g., Infrastructure as a Service (IaaS), etc.

2.2.2 Information on the origin, manufacturer and existing certifications of the service.

2.2.3 Clear statements on provisions relating to the countries in which operation of the services is assured, the available languages and localisations, the deployed standards, and which browsers and which interfaces are supported.

2.2.4 Clear description of the available options for management of the customer's own rights, of the authentication options and user management.

2.3 Rules concerning the implementation of the services

The following items should be taken into account, confirmed or stated in sufficient detail in the contract:

2.3.1 Sufficiently detailed description of trial versions of the service (costs, duration, functions) and presentation of the migration scenarios for migrating to the full versions.

2.3.2 All service options for implementation and possibilities for customising and their associated costs.

2.3.3 Training concepts and operational as well as user manuals.

2.3.4 Acceptance processes and their consequences (e.g., commencement date, warranty, payment obligations).

2.4 Rules concerning operations of the services

The following items should be taken into account, confirmed or stated in sufficient detail in the contract:

2.4.1 Sufficiently detailed representation of the release management process (timing, lead time, obligation to update, customer-specific configurations).

2.4.2 Sufficiently detailed representation of error or fault management processes (notification, communication strategy, such as ticketing system, telephony services [hotline], escalation processes, patch deadlines, etc.).

2.4.3 Sufficiently detailed statement on the assured availability levels, performance metering and how the purchaser is informed of the service fulfilment status (how are monitoring and reporting handled?).

2.4.4 Sufficiently detailed statement of what service levels (SLA) are offered and how compliance with the service levels is controlled, documented and communicated.

2.4.5 Sufficiently detailed statement on how troubleshooting is organised.

2.4.6 Sufficiently detailed statement on how capacity planning for the required infrastructure of services is handled.

2.4.7 Sufficiently detailed statement on all data export options, including the necessary interfaces and programs.

2.4.8 Rules for electronic documents (invoices and other business-relevant supporting documents) which lead to obligations on the part of the purchaser vis-à-vis the relevant tax authorities.

2.5 Rules concerning the availability of the cloud service

The following items should be taken into account, confirmed and stated in sufficient detail in the contract:

2.5.1 Detailed regulations for communication channels for support to end customers and rules on the available support languages.

2.5.2 Provisions for 1st and 2nd level support, their respective availability and guaranteed response times.

2.5.3 Description of customer support and the use of a supporting system, such as a ticketing system.

3 CLOUD SERVICE BILLING

List in this content area all essential information and necessary regulations that are important for billing a cloud service.

3.1 Detailed report of the content and the form of service measurement and billing and of all possible deviations from these regulations, in particular for value added services that will be billed separately, volume discounts and the price of value added services.

3.2 Clarification of the process for future price adjustments.

3.3 Detailed description of the options in the case of disruptions, such as deductions, penalties and damages.

3.4 Detailed description of the provisions in the event of a dispute on service delivery or delayed payment. Exclusion of rules governing the retention or deletion of the customer's data without the express consent of the customer.

4 CLOUD SERVICE SECURITY

List all essential information and necessary regulations important for the security of the customer's data in a cloud service in this content area.

4.1 Rules relating to data protection

The following items should be stated in sufficient detail in the contract to ensure data protection compliance:

4.1.1 Description of the service in terms of data protection aspects; description of the scope, nature and purpose of the planned data acquisition, processing or use; the nature of the data and the affected persons; definition of the processing duration and deletion of the data.

4.1.2 Statement of the rules for control of personal data (register entry or equivalent regulations). In particular, naming of contact persons within the contractor's organisation and for all subcontractors who are available to provide support in exercising the rights of affected parties (information, permission, deletion of affected parties' data).

4.1.3 Statement of how the employees of the contractor and all subcontractors who could have access to the data will be bound to maintain data secrecy and observe other applicable confidentiality regulations.

4.1.4 Agreement on the responsibilities between the purchaser, who bears the fundamental data protection responsibility, and the contractor, who is responsible for the implementation of data protection instructions from the purchaser and who must establish the technical protection measures, etc.

4.1.5 Definition of cases deemed to be violations on the part of the contractor or the persons employed by him against regulations for the protection of personal data or against the provisions agreed in the order that are subject to mandatory disclosure to the purchaser.

4.1.6 Rules on legally permissible and mandatory information from the contractor to the purchaser in case of access by law enforcement agencies and other government bodies.

4.1.7 Rules on the purchaser's right to perform audits on the contractor's or its subcontractors' premises, or to assign the right of audit to a third party authorised by the purchaser. Arrangements for (cumulative or as an alternative to audits by the purchaser) periodic checks/audits and certifications that ensure data protection by the contractor and verify and certify its obligations towards the purchaser. Rules governing the contractor's obligation to participate in these activities and the costs associated with this obligation.

4.2 Rules on IT security

The following items should be taken into account, confirmed and stated in sufficient detail in the contract:

4.2.1 Description of the deployed IT security solutions, such as the use of firewall systems, antivirus scanners for protection against viruses, Trojans and malware, protection against DoS, etc.

4.2.2 Description of security checks and/or penetration testing to be carried out by the contractor.

4.2.3 Description of the encryption methods and of key management for the traffic between the purchaser and the contractor, the use of encryption on the storage media, and of end-to-end encryption, which completely prevents insight into customer data by the provider's staff.

4.2.4 Detailed description of secure authentication for the use of the service, of the auditability of login actions (visible to the customer) and the ability to integrate a customer's own system for authentication.

4.3 Rules concerning data backups and data erasure

The following items should be taken into account, confirmed and stated in sufficient detail in the contract:

4.3.1 Sufficiently detailed rules on mirroring of application data, and failover procedures for ensuring permanent data availability.

4.3.2 Sufficiently detailed provisions on data backups and archiving (e.g., when, how often, how long, duration of the restore, storage of the storage media); rules for the safekeeping of the backup media (e.g., spatial separation, backup encryption schema, and provisions on customer access to data backups); rules for the deletion of the data and returning the data media after the termination of the agreement; provision for demonstrable deletion of customer data.

ADDRESSES

EuroCloud
EuroCloud.Austria - gemeinnütziger Verein für Förderung von Cloud Computing
Museumstraße 5/14
1070 Wien
info@eurocloud.at
www.eurocloud.at

ADV
ADV Arbeitsgemeinschaft für Datenverarbeitung
Trattnerhof 2
1010 Wien
office@adv.at
www.adv.at

UBIT
Professional Association of Management Consultancy and Information Technology Vienna
Schwarzenbergplatz 14
A-1041 Vienna
T: 01 514 50-3603
F: 01 512 95 48-3608
ubit@wkw.at
www.ubit.at/wien

IT Cluster
IT-Cluster der Wirtschaftsagentur Wien
Ebendorferstraße 2
A-1010 Wien
info@wirtschaftsagentur.at
www.clusterwien.at

Austrian Standards Institute
Austrian Standards Institute / Österreichisches Normungsinstitut (ON)
Heinestraße 38
1020 Wien
office@as-institute.at
www.as-institute.at