Citations
Bushey et al. 2016 (†755)
Bushey, Jessica, Marie Demoulin, Eliisa How, and Robert McLelland. "Checklist for Cloud Services Contracts" (ITrust, February 2016).
Existing Citations
- agreement : · Is the effective start date of the agreement clearly stated? · Is there an explanation of circumstances in which the services could be suspended? · Is there an explanation of circumstances in which the services could be terminated? · Is there an explanation of notification, or an option to subscribe to a notification service, in the event of changes made to the terms governing the service? (†1890)
- confidentiality : Does the Provider have a confidentiality policy in regards to its employees, partners, and subcontractors? (†1898)
- cross-border data flow : · Will you be notified if the data location is moved outside your jurisdiction? · Is the issue of your stored data being subject to disclosure orders by national or foreign security authorities addressed? · Does the Provider clearly state the legal jurisdiction in which the agreement will be enforced and potential disputes will be resolved? (†1904)
- data location : · Do you know where your data and their copies are located while stored in the cloud service? · Does it comply with the location requirements that might be imposed on your organization’s data by law, especially by applicable privacy law? · Do you have the option to specify the location, in which your data and their copies will be stored? · Do you know where metadata are stored and whether they are stored in the same location as your data? (†1903)
- data ownership : · Do you retain ownership of the data that you store, transmit, and/or create with the cloud service? · Does the Provider reserve the right to use your data for the purposes of operating and improving the services? · Does the Provider reserve the right to use your data for the purposes of advertising? · Does the Provider reserve the right to use, or make your data available as anonymized open data (through standard APIs)? · Does the Provider’s compliance with copyright laws and other applicable intellectual property rights restrict the type of content you can store with the cloud service? · Do the Provider’s terms apply to metadata? · Do you gain ownership of metadata generated by the cloud service system during procedures of upload, management, download, and migration? · Do you have the right to access these metadata during the contractual relationship? (†1891)
- data preservation : · Are there procedures outlined to indicate that your data will be managed over time in a manner that preserves their usability, reliability, authenticity, and integrity? · Are there procedures to ensure file integrity during transfer of your data into and out of the system (e.g., checksums)? · Is there an explanation provided about how the service will evolve over time (i.e., migration and/or emulation activities)? · Does the system provide access to audit trails concerning activities related to evolution of the service? · Will you be notified by the Provider of changes made to your data due to evolution of the service? · Can you request notification of impending changes to the system related to evolution of the service that could impact your data? (†1894)
- data storage : · Does the Provider create backups of your organization’s data? · If your organization manages external records (e.g., customer data), does the Provider create backups of your customer’s data? · Do the Provider’s terms apply to any backup created? · In the event of accidental data deletion, does the Provider bear responsibility for data recovery? (†1893)
- privacy : · Do the Provider’s terms include privacy, confidentiality, or security policies for sensitive, confidential, personal or other special kinds of data? · Is it clearly stated what information (including personal information) is collected about your organization, why it is collected and how it will be used by the Provider? · Does the Provider share this information with other companies, organizations, or individuals without your consent? · Does the Provider state the legal reasons for which they would share this information with other companies, organizations, or individuals? · If the Provider shares this information with their affiliates for processing reasons, is this done in compliance with an existing privacy, confidentiality, or security policy? (†1900)
- security : · Does the system prevent unauthorized access, use, alteration, or destruction of your data? · Is your data secure during procedures of transfer into and out of the system? · Does the system provide and give you access to audit trails, metadata, and/or access logs to demonstrate security measures? · Will you be notified in the case of a security breach or system malfunction? · Does the Provider use the services of a subcontractor? · Does the Provider offer information about the identity of the subcontractor and its tasks? · Are subcontractors held to the same level of legal obligations as the Provider of the cloud service? · Is there a disaster recovery plan available? · Does the Provider offer any information regarding past performance with disaster recovery procedures? (†1896)