The cloud service provider MUST enable client-side encryption of cloud service customer data. Whenever the cloud service customer data is transmitted, processed or stored inside the cloud environment, it MUST be encrypted with a private key that is only available to the cloud service customer outside of the cloud service provider environment.

If this criterion is only fulfilled for some cloud services, the cloud service provider MUST provide a list of these services to the cloud services customer.