* How and when is data deleted? Because every provider is different, it’s important to understand that there are storage complications given how much data is traversing the world nowadays. You will want to understand how much data is stored by your cloud provider and, in particular, how much of your specific data is stored. In addition, ask how long your data will be stored, when it is deleted, and how data deletion decisions are made.
* What is the data architecture? Specifically, ask how your data is isolated from that of other customers in a multi-tenant environment. Ask your provider to explain how your data is segmented from other customers’ data and how that may change in the future.
* What certifications and/or third-party audits are performed? Certifications will provide you with a better understanding of how mature the provider is, what things they are concerned about, and whether they are committed to continuous improvement. From a third-party audit perspective, you’ll want to know how frequently the provider is looking at changes and making sure that they are meeting the expectations of their customers and vendors.
Security and privacy are tightly intertwined, but there are a number of questions unique to privacy that you should ask your cloud provider. And privacy questions, while obviously rooted in compliance, aren’t limited only to regulatory issues.
* What data is collected from our organization and how is it kept private? Privacy is a little bit different for each organization, so it’s especially important to define what privacy means for your key stakeholders within your organization.
* What is the data used for? It’s often amazing to learn about the different uses for your data—some of which will surprise or perhaps even concern you. Be sure your cloud provider understands your governance policies on acceptable use of data.
* How long does the cloud provider retain that data? The terms and conditions may state that data is collected for 30 days or perhaps 90 days or even a year. But that does not necessarily dictate how long the organization may keep your data. This will be very different for every provider, for every service, and for every piece of data that’s collected. You could have data that is anonymized, stored, and utilized for testing for many, many years, so make sure to ask about retention.
* Does the provider encrypt your data and in what manner? This is important to know to ensure that anything you deem classified or private, or that you’re otherwise concerned about, will not be leveraged for other uses by the cloud provider.
* Where is data stored? Do you have any geographical data storage rules or regulations that the provider needs to follow? Cloud service providers are storing data in a lot of different locations for a lot of different purposes, and you need to understand that and how it aligns with your business practices.