security of their client’s data

Hi, I have been asked the following questions about all of our cloud hosting by a potential customer. The customer has worries over the security of their clients' data.

I want to continue to use Zoho and need to convince this client it's up to the job.

Can you help me answer the following due diligence questions?

Cloud Services

3 Briefly describe what type of cloud service model you are utilising with regard to company (private, community, public, hybrid).

4 Briefly describe what service is being provided by the cloud service you utilise (data storage, infrastructure, etc.).

5 Where company data is involved, is the cloud service limited to the UK (see question 5 above)? Is limiting data to the UK a contractual requirement you have with your cloud service provider?

6 What assurances have you sought from your cloud service provider that they can identify the location of a specific company's data at any given time?

7 In the event of a data compromise, what assurances have you sought in the ability of your cloud service provider to identify all affected data related to a specific company?

8 How often does your cloud service provider perform IT security audits of their infrastructure and service offerings?

9 What Service Level Agreements and other assurances do you have in place with your cloud service provider to ensure confidentiality, integrity and accessibility of the services they supply?

10 What assurance have you sought over your cloud service provider's adherence to UK legislative and regulatory compliance?

11 What assurance have you sought that your cloud service provider is UK Data Protection Act 1998 compliant?

12 What assurance have you sought that your cloud service provider is compliant with ISO 27001/2 or a comparable IT security standard?

13 Is your cloud service provider a participant in the Cloud Industry Forum (CIF) Cloud Service Provider Code of Practice?