Page 177 - Cloud Migration Version 2012 English

4.1.4 
Definition of the cases deemed to be violations, on the part of the
contractor or the persons employed by the Cloud-service user, of
regulations for the protection of personal data or of the
provisions agreed in the order, and that are subject to mandatory
disclosure to the purchaser.
4.1.5 
Rules on the information that the contractor is legally permitted
and obliged to give the purchaser in case of access by law
enforcement agencies and other government bodies.
4.1.6 
Rules on the purchaser's right to perform audits on the 
contractor's or its subcontractors' premises, or to assign the right 
of audit to a third party authorised by the purchaser. 
Arrangements for periodic checks/audits and certifications (in
addition to, or as an alternative to, audits by the purchaser) that
ensure data protection by the contractor and verify and certify its
obligations towards the purchaser. Rules governing the
contractor's obligation to participate in these activities and the
costs associated with this obligation.
4.2 
Rules on IT security  
The following items must be taken into account, confirmed and stated in 
sufficient detail in the contract: 
4.2.1 
Description of the deployed IT security solutions, such as the use
of firewall systems, antivirus scanners for protection against
viruses, Trojans and other malware, protection against DoS, etc.
4.2.2 
Description of security checks and/or penetration testing to be 
carried out by the contractor.  
4.2.3 
Description of the encryption methods and of key management
for the traffic between the purchaser and the contractor, the use
of encryption on the storage media and of end-to-end encryption,
which completely prevents the provider's staff from viewing
customer data.
4.2.4 
Detailed description of secure authentication for the use of the 
service, of the auditability of login actions (visible to the customer) 
and the ability to integrate a customer's system for 
authentication. 
4.3 
Rules concerning data backups and data erasure