A head start through scalability

Cloud computing is the new standard. Aitava understands the commercial and technological pitfalls of cloud tools, in addition to the legal challenges – especially cloud compliance. We offer interdisciplinary consulting at the highest level from a single source.

Aitava is your strong partner in drafting and negotiating cloud contracts. We provide comprehensive support on all topics related to Software as a Service, Platform as a Service, Infrastructure as a Service and XaaS.

Cloud Compliance

Protection of secrets

Confidential information often flows from the customer to the cloud provider.

The German Law on the Protection of Trade Secrets (Geschäftsgeheimnisgesetz), which came into force in 2019, sets requirements for handling data. If these are not met, the data is no longer considered a protected trade secret. In addition, certain holders of secrets are subject to a special risk of criminal liability under Section 203 German Criminal Code (Strafgesetzbuch) when secrets are disclosed.

The use of cloud services should therefore be secured by technical measures (e.g. encryption) and contractual measures (esp. the conclusion of a non-disclosure agreement). Aitava supports you comprehensively in this regard.

Data protection

Many cloud tools can only be used if personal data is transferred to the cloud provider. The GDPR, which has been in force since 2018, places high demands on all parties involved.

Cloud providers are often processors. These must then provide sufficient guarantees that suitable technical and organizational measures are implemented in such a way that processing is carried out in compliance with data protection law. In addition, the conclusion of a data processing agreement (DPA) is necessary. If certain risk thresholds are exceeded, the customer must also conduct a data protection impact assessment. A transfer of personal data to third countries (e.g. USA) must be measured against the additional hurdles of Art. 44 et seq. GDPR.

IT security

The use of cloud tools must increasingly be measured against IT security requirements. The central obligation is the implementation of technical and organizational measures that correspond to the “state of the art” (cf. Section 8a Act on the Federal Office for Information Security (BSI-Gesetz), Art. 32 GDPR). What does this mean in concrete individual cases? Important orientation is provided, among other things, by the Cloud Computing Criteria Catalog (C5) of the German Federal Office for Information Security (BSI).

A particular challenge is often the tension between individual IT security requirements of customers and standardized processes and contractual terms of the IT service provider. The best way forward is smart contract design. Keyword: Regulatory Annex.

Special sectoral requirements for insurance companies

  • EIOPA Guidelines on outsourcing to cloud service providers
  • Digital Operational Resilience Act (DORA)
  • Art. 274 Delegated Regulation (EU) 2015/35
  • Section 32 Act on the Supervision of Insurance Undertakings (Versicherungsaufsichtsgesetz)
  • Insurance Supervisory Requirements for IT (VAIT)
  • Guidance on outsourcing to cloud providers by the Federal Financial Supervisory Authority (BaFin)

Special sectoral requirements for banks

  • EBA guidelines on outsourcing
  • Digital Operational Resilience Act (DORA)
  • Section 25b Banking Act (Kreditwesengesetz)
  • Minimum Requirements for Risk Management (MaRisk (BA))
  • Banking Supervisory Requirements for IT (BAIT)
  • Guidance on outsourcing to cloud providers by the Federal Financial Supervisory Authority (BaFin)

… and many more.

Aitava advises on all cloud compliance issues. We help you identify regulatory risks and implement appropriate controls based on best practices. Our consulting approach: first, we need to gain a technical understanding of your target infrastructure and business processes. On this basis, we remove legal stumbling blocks so that you can steer your company with peace of mind.

High-stretch contract design

Service Level Agreement (SLA)

Cloud computing leads to dependencies. This applies in particular to SaaS services that are used for business-critical processes. To delineate responsibilities between the customer and the provider, it is a good idea to agree on availability regulations. The contractual complexity arises from questions of the measurement point, the measurement period, the basis on which availability is measured and the method of availability measurement. Aitava speaks the language of your business side and supports you in creating and negotiating SaaS contracts.

Commercial design

In terms of commercial design, the concretely agreed licensing metric is the decisive factor for Software as a Service. The market is moving from user-dependent remuneration (e.g., fee per user) to usage-dependent remuneration (e.g., price per request). A transparent and comprehensible license metric – including a clear technical link – is the basis of every binding SaaS contract. As far as cloud contracts are long-term contracts, a balanced price adjustment mechanism should also be considered.

Ready for the edge?

We pave the way for legally secure cloud computing.

We also advise on:

IT Projects

Aitava combines years of comprehensive expertise in complex IT projects. We represent both service providers and customers, from startups to large enterprises.


Platforms and Digital Business Models

The mega-success of digital platforms is putting legislators on notice. This is often accompanied by hasty, ill-considered legislative activity. Aitava brings product and law to a common denominator.


IT Security and Data Protection

Aitava supports you in preparing your company for the current challenges and regulatory requirements and in efficiently minimizing damage risks.


IT Conflict Resolution

With forward-looking contract drafting and negotiated solutions, escalation can often be avoided in practice. If necessary, we go the last mile and conduct contentious proceedings.
