How to Use Your Contracts for Regulatory Compliance Purposes for Cloud Services
Once you have qualified your cloud vendors, the next step in maintaining compliance is to document your particular regulatory needs in a contract with the vendor in the form of service level agreements (SLAs). For most subject areas, you will want to document SLAs covering the points below, spelling out what the vendor is committed to, what happens if it fails to deliver, and who is responsible for what.
Uptime or downtime
- What is the minimum percentage of uptime you are expecting?
- Are there specific times when downtime should be expected? If so, how often?
- If the downtime goes beyond what is agreed upon, will you be compensated in some way?
- If the system fails, how quickly will the system be back online?
Backup and recovery
- How frequently does the vendor take backups?
- Is it real-time mirroring or periodic snapshots?
- How quickly can lost data be restored?
- If any of your data is lost, will you be compensated in any way?
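The uptime and backup-and-recovery questions above only have teeth if you can measure the vendor against the numbers written into the SLA. The following is an added example, not part of the original article or any vendor's tooling: it takes a constructed incident log and backup timeline for one month (as a customer's own monitoring would record them) and checks three clauses: minimum monthly uptime, maximum time to restore service, and the agreed backup interval (the realistic data-loss window). The SLA thresholds, the dates and the outage records are all assumed values for the illustration. Scheduled maintenance windows are excluded from the availability figure, and overlapping duplicate incident reports are merged so downtime is not double-counted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed SLA terms for this example only; real values come from your contract.
SLA_UPTIME_PCT = 99.9                       # agreed minimum monthly availability
SLA_MAX_RESTORE_HOURS = 4.0                 # agreed maximum time to bring service back
SLA_BACKUP_INTERVAL_HOURS = 24.0            # agreed backup frequency (bounds data loss)


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    scheduled: bool = False  # announced maintenance is normally excluded from uptime


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs so a twice-reported
    incident is only counted once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def unscheduled_downtime(outages, period_start, period_end):
    """Unscheduled outage intervals, clipped to the reporting period and merged."""
    clipped = []
    for o in outages:
        if o.scheduled:
            continue
        s, e = max(o.start, period_start), min(o.end, period_end)
        if s < e:
            clipped.append((s, e))
    return merge_intervals(clipped)


def uptime_pct(outages, period_start, period_end):
    """Availability over the period as a percentage."""
    down = sum((e - s for s, e in unscheduled_downtime(outages, period_start, period_end)),
               timedelta())
    return 100.0 * (1 - down / (period_end - period_start))


def worst_restore_hours(outages, period_start, period_end):
    """Longest unscheduled outage in hours; compare with the restore-time clause."""
    spans = unscheduled_downtime(outages, period_start, period_end)
    return max((e - s for s, e in spans), default=timedelta()).total_seconds() / 3600


def worst_backup_gap_hours(backup_times):
    """Largest gap between consecutive backups in hours: the real data-loss window."""
    times = sorted(backup_times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(gaps, default=timedelta()).total_seconds() / 3600


def sla_report(outages, backup_times, period_start, period_end):
    """Evaluate each measured figure against the agreed SLA threshold."""
    up = uptime_pct(outages, period_start, period_end)
    restore = worst_restore_hours(outages, period_start, period_end)
    gap = worst_backup_gap_hours(backup_times)
    return {
        "uptime_pct": round(up, 3),
        "uptime_met": up >= SLA_UPTIME_PCT,
        "worst_restore_hours": restore,
        "restore_met": restore <= SLA_MAX_RESTORE_HOURS,
        "worst_backup_gap_hours": gap,
        "backup_met": gap <= SLA_BACKUP_INTERVAL_HOURS,
    }


# Constructed incident log and backup timeline for one 30-day month.
PERIOD_START = datetime(2023, 9, 1)
PERIOD_END = datetime(2023, 10, 1)
OUTAGES = [
    Outage(datetime(2023, 9, 3, 2, 0), datetime(2023, 9, 3, 3, 0), scheduled=True),
    Outage(datetime(2023, 9, 10, 14, 0), datetime(2023, 9, 10, 14, 30)),
    Outage(datetime(2023, 9, 10, 14, 20), datetime(2023, 9, 10, 14, 45)),  # duplicate report
    Outage(datetime(2023, 9, 22, 8, 0), datetime(2023, 9, 22, 9, 0)),
]
# Daily 01:00 snapshots with the 15th missing, a 48-hour gap the vendor might not mention.
BACKUPS = [datetime(2023, 9, d, 1, 0) for d in range(1, 31) if d != 15]

if __name__ == "__main__":
    for key, value in sla_report(OUTAGES, BACKUPS, PERIOD_START, PERIOD_END).items():
        print(f"{key}: {value}")
```

With the constructed data the month shows 105 minutes of unscheduled downtime (about 99.757% availability, below the assumed 99.9% target), a worst restore of one hour (within the assumed four-hour clause), and a 48-hour backup gap (double the assumed interval). Those are exactly the figures a compensation or escalation clause would be triggered on, which is why the contract should state how uptime is measured, whether maintenance windows count, and what evidence either side must produce.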
Security
- What will the vendor do to proactively protect security?
- What will the vendor do if security is breached in any way? This covers physical security, cybersecurity, employee sabotage, fraud, theft of data, and so on.
Data storage, location, and ownership
- How long will your data be stored, and does that comply with the governing regulations?
- What exactly will the storage cost?
- Exactly where will the data be stored?
- Will your data be separated from or mixed with other companies’ data?
- Who owns the data (this needs to be you in order to be regulatory compliant)?
- Do they have the right to keep a copy of your data?
Performance
- What performance thresholds does the vendor use?
- What is the response time when a threshold is breached?
- At what point is capacity added?
- Are you receiving any kind of performance-related reports?
Termination
- If you terminate the cloud services, are you able to do so with no penalty?
- How will you be able to extract your data in a regulatory-compliant manner and format?
Defect handling
- What is the vendor's escalation process for defects?
- How quickly will the issue be resolved?
- If another company reports a defect, will you be notified?