Anyone who is obliged to maintain professional or official secrecy must take additional precautions in their contract when commissioning a cloud provider or other IT provider, especially if the provider has a foreign nexus.
We have developed an additional clause for SMEs and smaller projects that covers the most important points that need to be provided for in the contract. For more critical and larger projects, more extensive provisions may be necessary and appropriate.
The clause assumes that a data processing agreement (DPA) already exists or is planned. It also assumes that appropriate technical and organizational measures for information security have been agreed and are in place. If you are unable to assess this yourself, you should consult a specialist to do so. This is advisable anyway, as the best clause is useless if the information security is not adequate.
The sample clause reads:
"Provider acknowledges that the processing of Customer Content may be subject to Swiss official, professional and other statutory secrecy obligations (e.g., Art. 320 et seqq. Swiss Penal Code) (the "Secrecy Laws"). Provider will keep Customer Content confidential for as long as required by such Secrecy Laws (even after the term of the Agreement) and use it only as necessary to maintain or provide Services, and will not disclose it to any third party, except as necessary to comply with Customer instructions, the obligations of the Agreement or a valid and binding order of a competent governmental body (such as a subpoena, warrant, or court order). In the event that Provider is confronted with an order to grant access to, or produce, Customer Content, Provider will, in addition to its other obligations, before complying with such order, (a) if legally permitted, inform Customer (and if not, attempt to obtain permission to inform) and permit Customer to challenge and limit such request and obtain confidential treatment, and (b) itself use all lawful efforts to challenge and limit such request on the basis of any legal deficiencies of the law of the requesting party, other applicable law and the principles of international comity and any conflicts with Swiss law, and in any event produce only the minimum Customer Content required to satisfy the order.
Provider will impose upon its staff and subcontractors at least materially similar obligations as in this clause to the extent they may have access to Customer Content in clear text, and grant staff (including of its subcontractors) access to Customer Content in clear text only on a need-to-know basis and only (i) with Customer's prior approval [or insofar as mandatory for the performance of the Agreement (and only for the staff of Provider, not its subcontractors)], (ii) as necessary to remedy a BCM emergency not permitting any delay, or (iii) as necessary to comply with a valid and binding order of a competent governmental body (such as a subpoena, warrant, or court order). If Provider uses third-party services, it will take reasonable measures that such providers will not have clear-text access to Customer Content. All provisions in the data processing agreement entered into between Customer and Provider, in particular the technical and organizational measures of Provider to protect personal data, the approval of new subprocessors and the notification of breaches of information security, shall apply mutatis mutandis so as to also protect Customer Content. Provider will evidence an adequate level of information security by providing to Customer, on an annual basis and at no extra cost, a SOC 2 Type 2 or equivalent audit report covering any processing of Customer Content. Findings are remedied without undue delay."
Our sample clause is available here in German and here in English, together with corresponding explanations. These can also be given to the respective provider so that they understand why the provisions are necessary.
The sample clause is drafted in such a way that a provider can also enter into it if it uses one of the hyperscalers (Microsoft, AWS, Google) to provide its services. The hyperscalers have their own contracts and will not agree to such a sample clause. However, the sample clause is compatible with such hyperscaler contracts, i.e. a provider that uses such hyperscalers can pass on the obligations to the hyperscalers or take the necessary technical precautions so that it can comply with the sample clause.
It should be noted that in the case of a foreign nexus, it must be checked whether there is reason to believe that foreign authorities will obtain lawful access to the data. A Foreign Lawful Access Risk Assessment (FLARA) must be carried out for this purpose. A typical use case is the utilisation of hyperscalers. The FLARA is usually only done with regard to the U.S.A. (CLOUD Act). The established way to do so today is what is known as the "Rosenthal Method", developed by us. The relevant Excel is available here free of charge as open source (a FAQ is available here). If a larger number of FLARAs are to be carried out and an organization has already completed a regular FLARA, a "FLARA Light" can be obtained from us for further cases, in which an assessment can be carried out in just a few minutes by querying a few key parameters.
We are happy to help with any questions.
In this context, we refer you to our various other tools and checklists on this topic:
- CCRA-FI: Our tool with which Swiss banks and other financial institutions can check and document their more critical cloud projects for compliance and risks (perpetual license)
- CCRA-FI Light: Our tool for Swiss banks and other financial institutions for smaller and less critical cloud projects (pay-as-you-go or subscription license), demo video
- CCRA-PS: Our tool with which public institutions including hospitals can check and document their critical cloud projects for compliance and risks (free open source license)
- AI checklist for contracts with suppliers and partners
- Checklist for cloud contracts of banks (older, without "OpRisk" requirements)
- The article "M365 in the law firm: How it works" published in Anwaltsrevue 6/7/2023, in which David Rosenthal describes the steps necessary for a law firm to use M365 (suitable for all professional secrecy holders, but available only in German)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.