agreement : · Is the effective start date of the agreement clearly stated?
· Is there an explanation of circumstances in which the services could be suspended?
· Is there an explanation of circumstances in which the services could be terminated?
· Is there an explanation of notification, or an option to subscribe to a notification service, in the event of changes made to the terms governing the service?
(†1890)
confidentiality : Does the Provider have a confidentiality policy in regards to its employees, partners, and subcontractors? (†1898)
cross-border data flow : · Will you be notified if the data location is moved outside your jurisdiction?
· Is the issue of your stored data being subject to disclosure orders by national or foreign security authorities addressed?
· Does the Provider clearly state the legal jurisdiction in which the agreement will be enforced and potential disputes will be resolved? (†1904)
data location : · Do you know where your data and their copies are located while stored in the cloud service?
· Does it comply with the location requirements that might be imposed on your organization’s data by law, especially by applicable privacy law?
· Do you have the option to specify the location, in which your data and their copies will be stored?
· Do you know where metadata are stored and whether they are stored in the same location as your data?
(†1903)
data ownership : Do you retain ownership of the data that you store, transmit, and/or create with the cloud service?
· Does the Provider reserve the right to use your data for the purposes of operating and improving the services?
· Does the Provider reserve the right to use your data for the purposes of advertising?
· Does the Provider reserve the right to use, or make your data available as anonymized open data (through standard APIs)?
· Does the Provider’s compliance with copyright laws and other applicable intellectual property rights restrict the type of content you can store with the cloud service?
· Do the Provider’s terms apply to metadata?
· Do you gain ownership of metadata generated by the cloud service system during procedures of upload, management, download, and migration?
· Do you have the right to access these metadata during the contractual relationship? (†1891)
data preservation : · Are there procedures outlined to indicate that your data will be managed over time in a manner that preserves their usability, reliability, authenticity, and integrity?
· Are there procedures to ensure file integrity during transfer of your data into and out of the system (e.g., checksums)?
· Is there an explanation provided about how the service will evolve over time (i.e., migration and/or emulation activities)?
· Does the system provide access to audit trails concerning activities related to evolution of the service?
· Will you be notified by the Provider of changes made to your data due to evolution of the service?
· Can you request notification of impending changes to the system related to evolution of the service that could impact your data?
(†1894)
data storage : · Does the Provider create backups of your organization’s data?
· If your organization manages external records (e.g., customer data), does the Provider create backups of your customer’s data?
· Do the Provider’s terms apply to any backup created?
· In the event of accidental data deletion, does the Provider bear responsibility for data recovery?
(†1893)
privacy : · Does the Provider’s terms include privacy, confidentiality, or security policies for sensitive, confidential, personal or other special kinds of data?
· Is it clearly stated what information (including personal information ) is collected about your organization, why it is collected and how it will be used by the Provider?
· Does the Provider share this information with other companies, organizations, or individuals without your consent?
· Does the Provider state the legal reasons for which they would share this information with other companies, organizations, or individuals?
· If the Provider shares this information with their affiliates for processing reasons, is this done in compliance with an existing privacy, confidentiality, or security policy?
(†1900)
security : · Does the system prevent unauthorized access, use, alteration, or destruction of your data?
· Is your data secure during procedures of transfer into and out of the system?
· Does the system provide and give you access to audit trails, metadata, and/or access logs to demonstrate security measures?
· Will you be notified in the case of a security breach or system malfunction?
· Does the Provider use the services of a subcontractor?
· Does the Provider offer information about the identity of the subcontractor and its tasks?
· Are subcontractors held to the same level of legal obligations as the Provider of the cloud service?
· Is there a disaster recovery plan available?
· Does the Provider offer any information regarding past performance with disaster recovery procedures?
(†1896)
