DRAFT Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019): Security policy

Security of the system, including customer data security, involves shared responsibilities of the parties. The contract would need to specify reciprocal roles and responsibilities of the parties as regards security measures, reflecting obligations that may be imposed by mandatory law on either or both parties.

Usually, the provider will follow its security policies. In some cases, although not in standardized commoditized multi-subscriber solutions, it might be possible to reach an agreement that the provider will follow the customer’s security policies. The contract may specify security measures (e.g., requirements for sanitization or deletion of data in the damaged media, the storage of separate packages of data in different locations, the storage of the customer’s data on specified hardware that is unique to the customer). Excessive disclosure of security information in the contract may, however, be risky.

Some security measures do not presuppose the other party’s input but rely exclusively on the relevant party’s routine activities, such as inspections by the provider of the hardware on which the data is stored and on which the services run, and effective measures to ensure controlled access to that hardware. In other cases, a party can perform its duties, or evaluate and monitor the quality of the security measures delivered, only with the input of the other party. The customer, for example, would be expected to keep lists of users’ credentials and their access rights up to date and to inform the provider of changes in time for the identity and access management mechanisms to remain accurate. The customer would also be expected to inform the provider of the level of security to be allocated to each category of data.

Some threats to security may be outside the contractual framework between the customer and the provider and may require the terms of the cloud computing contract to be aligned with other contracts of the provider and the customer (e.g., with Internet service providers).
