Module 1: Cloud Privacy Foundations

Cloud Customer Agreements

The contract between a cloud service provider (CSP) and its customer is critical for PII protection; ISO 27018 specifies what such a contract must include.

Essential Contract Elements

1. Data Processing Terms

What must be specified:

  • Types of PII processed
  • Processing purposes
  • Processing locations (data residency)
  • Duration of processing
  • Return/deletion procedures

Example Clause: "CSP will process Customer PII solely for the purpose of providing the Services, will store data in [regions], and will delete all PII within 30 days of contract termination unless legally required to retain it."

2. Sub-processor Provisions

Requirements:

  • List of all sub-processors
  • Notification before changes
  • Customer right to object
  • Sub-processor obligations

Example Clause: "CSP maintains a current list of sub-processors at [URL]. CSP will notify Customer at least 30 days before engaging new sub-processors. Customer may object on reasonable privacy grounds."

3. Security Obligations

Must address:

  • Technical measures (encryption, access control)
  • Organizational measures (policies, training)
  • Regular security assessments
  • Certification maintenance

4. Audit Rights

Customer rights:

  • Audit CSP's compliance
  • Request compliance reports
  • On-site audits (with reasonable notice)
  • Third-party audit reports (SOC 2, ISO certifications)

Example Clause: "Customer may audit CSP compliance once annually with 30 days' notice. CSP will provide its current ISO 27018 certification and SOC 2 Type II report upon request."

5. Breach Notification

Requirements:

  • Notification timeframe (typically 24-72 hours)
  • Information to be provided
  • CSP assistance obligations
  • Customer notification responsibilities

Example Clause: "CSP will notify Customer within 24 hours of becoming aware of any PII breach, providing details of the incident, affected data, and remediation steps."

6. Data Subject Rights

Facilitating rights:

  • Access to PII
  • Correction of PII
  • Deletion ("right to be forgotten")
  • Data portability
  • Objection to processing

CSP Obligations:

  • Provide tools/APIs for rights fulfillment
  • Respond to customer requests within SLA
  • Maintain audit logs of requests

7. Data Return and Deletion

End-of-contract procedures:

  • Format for data return
  • Timeframe for return
  • Deletion verification
  • Certificate of destruction

Example Clause: "Upon contract termination, CSP will return all Customer PII in [format] within 15 days and permanently delete all copies within 30 days. CSP will provide a certified statement of deletion."

8. Liability and Indemnification

Coverage:

  • Data breach damages
  • Regulatory fines
  • Third-party claims
  • Caps and limitations

9. Jurisdiction and Governing Law

Considerations:

  • Where disputes are resolved
  • Which privacy laws apply
  • Cross-border data transfer mechanisms
  • Conflict of laws provisions

10. Transparency Obligations

CSP Disclosures:

  • Processing activities register
  • Security measures description
  • Certification status
  • Incident reports

Data Processing Agreement (DPA)

Many organizations use a separate DPA:

Structure:

Main Service Agreement
    ├── Technical specifications
    ├── SLAs
    └── Data Processing Agreement (DPA)
        ├── Processing details
        ├── Technical measures
        ├── Sub-processors
        └── Audit rights

ISO 27018 Certification Requirements

What the CSP must demonstrate:

  • Written policies aligned with ISO 27018
  • Implemented technical controls
  • Evidence of compliance
  • Third-party audit verification

Customer Due Diligence

Before signing, verify:

  • ISO 27018 certification current
  • Data processing locations disclosed
  • Sub-processor list provided
  • Security measures documented
  • Breach notification procedures clear
  • Data return process defined
  • Audit rights acceptable
  • Liability provisions adequate

Red Flags

Watch out for:

  • Vague data location terms ("globally distributed")
  • Unlimited sub-processor rights without notification
  • Excessive deletion timelines (>90 days)
  • No audit rights
  • Disclaimer of all liability
  • Unilateral contract modification rights

Multi-Cloud Considerations

Using multiple CSPs:

  • Each needs compliant agreement
  • Understand data flows between CSPs
  • Clarify responsibilities at boundaries
  • Ensure consistent protection levels
