From vendor-privacy-management-skills
Assesses cloud service providers for privacy compliance using ISO 27018 controls, CSA STAR certification, SOC 2 Type II, shared responsibility models, data residency verification, and risk analysis. Useful for vendor due diligence in cloud adoption.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin vendor-privacy-management-skillsThis skill uses the workspace's default tool permissions.
Cloud service providers present unique privacy assessment challenges due to shared responsibility models, multi-tenancy architectures, global infrastructure, and the abstraction of physical processing locations. GDPR Article 28 obligations apply fully to cloud processing relationships, but the assessment approach must account for cloud-specific characteristics.
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
Cloud service providers present unique privacy assessment challenges due to shared responsibility models, multi-tenancy architectures, global infrastructure, and the abstraction of physical processing locations. GDPR Article 28 obligations apply fully to cloud processing relationships, but the assessment approach must account for cloud-specific characteristics.
ISO/IEC 27018:2019 provides the international standard for protecting personally identifiable information (PII) in public clouds, supplementing ISO 27001 with cloud-specific privacy controls. The Cloud Security Alliance (CSA) STAR program provides a cloud-specific security assurance framework. SOC 2 Type II with the Privacy trust services criterion addresses personal data handling controls.
At Summit Cloud Partners, cloud providers undergo enhanced assessment incorporating these cloud-specific frameworks alongside standard vendor due diligence.
| Aspect | Controller Responsibility | Provider Responsibility |
|---|---|---|
| Data encryption at rest | Configure and manage keys | Provide encryption infrastructure |
| Access management (app level) | Define and manage | Provide IAM platform |
| Network security (app level) | Configure security groups, firewall rules | Provide network infrastructure |
| Physical security | None | Full responsibility |
| Patch management (OS) | Controller (or managed service) | Hypervisor and below |
| Data backup | Configure and manage | Provide backup infrastructure |
| Incident detection (app) | Application-level monitoring | Infrastructure-level monitoring |
| Aspect | Controller Responsibility | Provider Responsibility |
|---|---|---|
| Application code security | Full responsibility | None |
| Data handling in application | Full responsibility | None |
| Runtime and middleware | Limited — configuration only | Manage platform components |
| OS and infrastructure | None | Full responsibility |
| Platform security patching | None | Full responsibility |
| Identity management | Configure | Provide identity platform |
| Aspect | Controller Responsibility | Provider Responsibility |
|---|---|---|
| Data entered by users | Determine what data to process | Process per controller instructions |
| Application security | None (except configuration) | Full responsibility |
| Infrastructure security | None | Full responsibility |
| Data portability | Define export requirements | Provide export functionality |
| Data deletion | Request deletion | Implement deletion per DPA |
| Access configuration | Configure user roles | Provide RBAC platform |
Assessment Questions:
| # | Question | Expected Evidence |
|---|---|---|
| 1.1 | In which regions/availability zones will personal data be stored at rest? | Architecture documentation specifying data storage locations |
| 1.2 | Can the controller restrict processing to specific geographic regions? | Configuration documentation showing region-locking capability |
| 1.3 | Are there any circumstances where data may be processed outside the selected region? | Disclosure of any cross-region processing (DR, support, analytics) |
| 1.4 | Where is metadata and telemetry data stored? | Often stored in provider's home jurisdiction — must be disclosed |
| 1.5 | Where do support staff access data from? | List of countries from which support personnel may access data |
| 1.6 | What government access or disclosure obligations apply in processing jurisdictions? | Legal analysis of government access powers per EDPB Recommendations 01/2020 |
| # | Question | Expected Evidence |
|---|---|---|
| 2.1 | How is tenant data isolated from other customers' data? | Architecture documentation — logical/physical separation details |
| 2.2 | Are encryption keys unique per tenant? | Key management architecture documentation |
| 2.3 | Can one tenant's operations affect another tenant's data? | Side-channel and cross-tenant risk assessment |
| 2.4 | How are shared infrastructure components secured? | Hypervisor security, shared storage controls |
| 2.5 | What tenant isolation testing has been performed? | Penetration test results covering cross-tenant attacks |
ISO/IEC 27018:2019 extends ISO 27001 with cloud-specific PII protection controls:
| Control | Requirement | Assessment Check |
|---|---|---|
| A.1 | PII processor consent — process only per controller instructions | Verify contractual terms and processing boundaries |
| A.2 | Purpose limitation — no processing beyond controller purpose | Review processing scope documentation |
| A.3 | Use for marketing — no use of PII for marketing without consent | Confirm no data monetization or marketing use |
| A.4 | Notification — notify controller of government access requests | Verify government access notification process |
| A.5 | Disclosure — document all disclosures of PII | Review disclosure logging mechanism |
| A.10 | Return, transfer, and disposal — secure data handling at termination | Verify deletion procedures and certification |
| A.11 | Confidentiality — binding confidentiality obligations on personnel | Verify personnel agreements cover cloud-specific risks |
| A.12 | Sub-contracting — notification of sub-processor engagement | Verify sub-processor management per Art. 28(2) |
The Cloud Security Alliance STAR (Security, Trust, Assurance, and Risk) program provides three levels:
| Level | Description | Assessment Method |
|---|---|---|
| Level 1: Self-Assessment | Provider completes CSA Consensus Assessments Initiative Questionnaire (CAIQ) | Review self-assessment for completeness and substantiation |
| Level 2: Third-Party Audit | Independent audit against CSA Cloud Controls Matrix (CCM) | Review audit report, scope, and findings |
| Level 3: Continuous Monitoring | Real-time monitoring of control effectiveness | Review continuous monitoring dashboard and alerts |
Key CCM Control Domains for Privacy:
| Domain | Controls | Privacy Relevance |
|---|---|---|
| DSP (Data Security & Privacy) | DSP-01 through DSP-19 | Data classification, retention, inventory, privacy by design |
| GRC (Governance, Risk, Compliance) | GRC-01 through GRC-08 | Governance framework, risk assessment, policy management |
| IAM (Identity & Access Management) | IAM-01 through IAM-16 | Access control, credential management, MFA |
| SEF (Security Incident Management) | SEF-01 through SEF-08 | Incident response, breach notification |
The AICPA Trust Services Criteria Privacy criterion evaluates:
| Criterion | Area | Assessment Focus |
|---|---|---|
| P1 | Notice | Provider discloses privacy practices to controllers |
| P2 | Choice and consent | Controller can configure privacy settings |
| P3 | Collection | Data collection limited to stated purposes |
| P4 | Use, retention, disposal | Processing per instructions; retention per DPA; certified deletion |
| P5 | Access | Controller can access and retrieve their data |
| P6 | Disclosure to third parties | Sub-processor disclosure and management |
| P7 | Security for privacy | Technical controls protecting PII |
| P8 | Quality | Data integrity and accuracy controls |
| P9 | Monitoring and enforcement | Compliance monitoring and breach response |
Document the shared responsibility boundary for every control domain:
| Control Domain | Controller Responsibility | Provider Responsibility | Gap/Risk |
|---|---|---|---|
| Data classification | Classify data before upload | Provide classification tools | [Gap?] |
| Encryption key management | [Depends on model] | [Depends on model] | [Gap?] |
| Access control (application) | [Depends on model] | [Depends on model] | [Gap?] |
| Vulnerability management | [Depends on model] | [Depends on model] | [Gap?] |
| Incident detection | [Depends on model] | [Depends on model] | [Gap?] |
| Data backup | [Depends on model] | [Depends on model] | [Gap?] |
| Compliance reporting | [Depends on model] | [Depends on model] | [Gap?] |
| Domain | Weight | Score (1-5) | Weighted |
|---|---|---|---|
| Data residency and sovereignty | 20% | ||
| Multi-tenancy and isolation | 20% | ||
| ISO 27018 compliance | 15% | ||
| CSA STAR level | 15% | ||
| SOC 2 Privacy criterion | 15% | ||
| Shared responsibility clarity | 15% | ||
| TOTAL | 100% |