4.1.4
Definition of the cases in which conduct of the contractor (the cloud
service provider) or of the persons it employs constitutes a violation
of the regulations on the protection of personal data or of the
provisions agreed in the order, and which of these violations must be
disclosed to the purchaser.
4.1.5
Rules on the information the contractor is legally permitted, and
legally required, to give the purchaser in the event of access to the
data by law enforcement agencies and other government bodies.
4.1.6
Rules on the purchaser's right to perform audits on the premises of
the contractor or of its subcontractors, or to delegate that right of
audit to a third party authorised by the purchaser.
Arrangements (in addition to, or as an alternative to, audits by the
purchaser) for periodic checks, audits and certifications that ensure
data protection by the contractor and verify and certify that it meets
its obligations towards the purchaser. Rules governing the
contractor's obligation to take part in these activities and the
allocation of the costs associated with this obligation.
4.2
Rules on IT security
The following items must be taken into account, confirmed and set out in
sufficient detail in the contract:
4.2.1
Description of the deployed IT security measures, such as firewall
systems, scanners for protection against viruses, Trojans and other
malware, protection against denial-of-service (DoS) attacks, etc.
4.2.2
Description of the security checks and/or penetration tests to be
carried out by the contractor.
4.2.3
Description of the encryption methods and of the key management for
the traffic between the purchaser and the contractor, of the
encryption of data on the storage media, and of end-to-end encryption
that completely prevents the provider's staff from viewing customer
data (which requires that the keys are held by the purchaser alone).
4.2.4
Detailed description of secure authentication for use of the service,
of the auditability of login actions (with the audit records visible to
the customer), and of the ability to integrate the customer's own
authentication system (for example federated login against the
customer's identity provider).
4.3
Rules concerning data backups and data erasure