Google’s SaaS Contract with Los Angeles
Posted by hyperguard on June 10, 2010
Los Angeles recently selected Google Apps to provide the city with cloud services, which over 30,000 of its employees will use. After hearing this news, we came across a blog post that looks at the provisions of Los Angeles’s contracts with Google and CSC, the company implementing Google’s SaaS for the city. With the terms of the contract publicly available, will this set a standard for the security industry?
Los Angeles has separate contracts with Google and CSC. Based on reports, the deal includes the following terms: unlimited damages for a data breach; provisions allowing audits; guarantees that data remain in the contiguous 48 states; penalties if Google’s services are unavailable for any longer than 5 minutes a month; unlimited damages if its nondisclosure agreement is breached; a requirement that Google encrypt the city’s data and break it into pieces when it is at rest so that no one can get their hands on a full file; and a bar on Google viewing any data without permission from the city.
The contract also requires CSC to establish a security program to ensure the confidentiality of protected information, including protection against anticipated threats, unauthorized access and use, and the proper disposal of protected data. The Google contract also contains security obligations, such as “all facilities used to store and process customer data will adhere to reasonable security standards no less protective than the security standards at facilities where Google stores and processes its own information of a similar type.”
As cloud computing becomes more favorable among companies, and cities as it turns out, security is one of the most important factors to consider when moving applications to the cloud. Could these contracts become a template for the industry—helping to protect companies and clearly outline what vendors are responsible for?