The CloudCode™
Download the full CloudCode document here.
Version 2.0 of the CloudCode was released on 24 July 2013. See the changes here.
The CloudCode is a voluntary disclosure-based Code of Practice that has been developed to improve the standard of services being provided by Cloud Service Providers. It also provides Cloud Service Consumers with the ability to view and compare disclosure statements from Cloud Service Providers and make informed choices when considering a Cloud Service Provider.
There are two core commitments that all Signatories to the CloudCode make and a set of Disclosures that are at its core:
1. Signatories won't say something is "Cloud Computing" unless it really is.
For the purpose of the CloudCode, Cloud Computing is defined as:
“On-demand scalable resources such as networks, servers and applications which are provided as a service, are accessible by the end user and can be rapidly provisioned and released with minimal effort or service provider interaction.”
This might include Software-as-a-Service, Infrastructure-as-a-Service, Platform-as-a-Service, or any variant that fits within this definition, and includes both public and private Cloud implementations. Products or services that don't strictly meet this definition but meet the spirit of the definition may be approved on a case-by-case basis. The definition is a simplified version of the full NIST definition to ensure it is both easy to understand and globally relevant.
2. Signatories will disclose important details about their Cloud products and services.
The CloudCode document outlines these disclosures in detail, to ensure all CloudCode signatories meet the same obligations. Disclosures are in the following categories:
- Corporate Identity including full contact details and details of which jurisdictional laws and regulations apply;
- Ownership of Information outlining who owns information once its been uploaded, including Metadata;
- Security standards and processes in place;
- Data Location including where backup data is stored (and thus what legal jurisdiction might apply);
- Data Access and Use including who can access it and what happens at the end of the service provision;
- Backup and Maintenance including how data is backed up, where and whether restorations are tested;
- Geographic Diversity of service;
- SLA and Support including when and how service is typically offered;
- Data Transportability focusing on how to get data in and out, especially when the service ceases;
- Business Continuity including redundancy and failover;
- Data Formats for data import and export, where relevant;
- Ownership of Application including whether it may be used locally;
- Customer Engagement including client audit, acceptable use policies and a privacy policy;
- Data Breaches outlining what will happen in the event of a data breach;
- Law Enforcement including what is disclosed without a warrant;
- In the case of New Zealand, confirmation of whether or not the provider will follow the NZ Privacy Commissioner's guidelines on breach notification.
Disclosures are comprehensive but not overly burdensome on providers.
Who does the CloudCode apply to?
The CloudCode applies to businesses who offer remotely hosted IT services of any type, either within a country that has adopted the CloudCode or from a country that has adopted the CloudCode, that meet the definition of Cloud Computing above.
Products and services which meet the definition in spirit and are generally considered a Cloud offering, but are precluded due to an arbitrary matter related to the definition, will be considered by the CloudCode team on a case by case basis.
The CloudCode is a voluntary code of practice and by becoming a signatory, a service provider represents to the public that they comply with the CloudCode’s requirements.
The CloudCode does not in any way place legal obligations on signatories to the Code, however non compliance with the code by a signatory could result in liability under general law (e.g. for misleading and deceptive conduct, an offence under fair trading legislation in most countries).
Complaints
The CloudCode document provides a full Complaints process.
The CloudCode complaints process is for consumers, companies and service providers who believe that a statement made by a CloudCode Signatory in their Disclosure Document is untrue or not accurate. The Register acts on complaints received, however the CloudCode Register itself may act as a Complainant if the CloudCode team suspects that a statement in a Disclosure Document is inaccurate.
This process is not intended for the following situations:
- Complaints about a service or product;
- Complaints about support, lack of service or issues surrounding restoration of service;
- Complaints regarding breaches of local laws and regulations that exist;
- Issues surrounding payment, pricing or collection of payments for services;
- Complaints about misleading product information or advertising, other than where the alleged misleading information amounts to a breach of the CloudCode requirements.
Any complaints of the above nature received will be referred back to the complainant.
You can view for more information about the CloudCode complaints procedure here.
Where the CloudCode operates
The CloudCode is currently available for:
- Cloud providers operating in New Zealand
- New Zealand Cloud providers operating in other countries
We are currently working with several groups to implement the CloudCode in other regions and countries and it is likely the CloudCode will be available elsewhere soon. If you would like more information on how the CloudCode can be adopted in your region, please contact us.
You can download the CloudCode now or become a signatory.