PI-02.01B
1. Overview

In contractual agreements, the following aspects are defined for the provisioning of cloud service customer data following termination of the contractual relationship, insofar as these are applicable to the cloud service:

1. Type, scope and format of the cloud service customer data that the cloud service provider provides to the cloud service customer;
2. Methods for delivering the data to the cloud service customer;
3. Conditions and time frames for cloud service customer data provisioning throughout the duration of the contractual relationship;
4. Right of termination of the contract and definition of the time frame within which the cloud service provider makes the cloud service customer data available to the cloud service customer after termination of the contract;
5. Definition of the point in time as of which the cloud service provider makes the cloud service customer data inaccessible to the cloud service customer and deletes it after termination of the contract;
6. The cloud service customer's responsibilities and obligations to cooperate in the provision of the cloud service customer data; and
7. Cloud service customer data remains the property of the cloud service customer throughout the entire contractual relationship. After its termination, the data is once again the sole property and possession of the cloud service customer.

The definitions are based on the needs of subject matter experts of potential customers who assess the suitability of the cloud service with regard to dependency on the cloud service provider as well as legal and regulatory requirements.
The type and scope of the data, and the responsibilities for its provision, depend on the service model of the cloud service or on the services and functions provided. In the case of IaaS- and PaaS-like services, the cloud service customer is generally responsible for extracting and backing up the data stored in the cloud service before termination of the contractual relationship (cf. complementary requirement). The cloud service provider's responsibility is typically limited to the provision of data describing the configuration of the infrastructure or platform that the cloud service customer has set up within its environment (e.g. network configuration, images of virtual machines and containers). With SaaS, the cloud service customer typically relies on export functions provided by the cloud service provider. Data created by the cloud service customer should be available in the same format in which it is stored in the cloud service. Other data, including relevant log files and metadata, should be available in an applicable standard format such as CSV, JSON or XML.

Legal requirements can, for example, include the EU Data Act. In Germany, legal retention requirements in particular can be found, for example, in the German Tax Code (§147 AO) and the German Commercial Code (§257 HGB). These provide for a retention obligation of six or ten years.

If the contractual agreements do not include the aspects listed in the basic criterion, and these are applicable due to the service model, the criterion is not met and a deviation is to be noted by the auditor.

If the cloud service provider acts as a cloud service broker, special consideration should be given to contractual data-portability clauses that recognise the complexity of the particular cloud service broker scenario. This can include, but is not limited to, the definition of:

1. Responsibility for the export of cloud service customer data;
2. If there are multiple underlying cloud service providers, the export scope, the consolidated format, any completeness limits, and how artifacts generated by the cloud service broker, such as aggregated logs, are handled;
3. Whether cloud service customers can access the cloud services of the underlying cloud service providers directly via APIs or have to rely on the cloud service broker's export interface, and whether there are any timing or usage restrictions; and
4. Time frames for the delivery of cloud service customer data exports to the cloud service customer.
1.1 References

2. Identified Requirements

3. Related Regulations