IaaS and PaaS: Increased data protection requirements

The use of infrastructure (IaaS) and platform (PaaS) services places high demands on data protection. In order to fulfill these requirements, providers and users must develop a concept that defines joint and shared responsibilities.

If a service provider processes personal data on behalf of a company, both parties must conclude an “agreement on commissioned data processing”. While such an agreement can easily be applied to cloud-based “Software as a Service” (SaaS) offerings, the situation is different for IaaS and PaaS models. Here the object of the contract can only rarely be defined explicitly in advance, because the customer uses the IT solutions provided on an as-needed basis. At the beginning of the business relationship, therefore, only a framework agreement can be concluded for the hypothetical case that cloud resources are used. Only when the customer actually uses the IT infrastructure or IT platform does a specific data set to be processed become the subject of the contract. As this “order” ends once the cloud has been used for data processing, the provider must subsequently delete all data from the resources used.

Provider recommends data protection options

The technical and organizational framework measures for commissioned data processing are also more complex with IaaS and PaaS models than with traditional provider-user relationships. As the provider cannot know the extent to which data access for authorized users must be regulated or controlled, it can only offer or recommend options for additional data protection to customers. Whether these are ultimately applied depends on the cloud user.

In any case, the cloud user should carry out a risk assessment to determine the data protection requirements. They are also responsible for evaluating the data protection measures and options offered by the cloud provider and comparing them with their own requirements and security needs.

If sensitive personal data is encrypted and pseudonymized using an encryption solution such as the eperi Gateway before it leaves the cloud user's protected environment, this effort can be significantly reduced. In this case the cloud provider never receives personal data in readable form, because it is encrypted, and never receives the keys either; compliance with regulatory data protection requirements then rests largely on the cloud user's own measures.
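As an added illustration (not part of the original article and not eperi's code), the following Python sketch shows the pattern described above in its simplest form: a hypothetical gateway inside the cloud user's environment replaces personal fields with keyed tokens, keeps the key and the re-identification table locally, and forwards only tokenized records to the IaaS/PaaS resources. The record, key and field names are constructed sample values.

```python
import hashlib
import hmac

# Constructed assumption: these fields carry personal data and must not
# reach the provider in readable form.
PERSONAL_FIELDS = ("name", "email")


class PseudonymizationGateway:
    """Hypothetical stand-in for an encryption/pseudonymization gateway.

    Runs inside the cloud user's protected environment. The key and the
    token-to-value table never leave this object, so the provider stores
    tokens it cannot reverse or brute-force without the key.
    """

    def __init__(self, key: bytes):
        self._key = key      # never transmitted to the cloud provider
        self._vault = {}     # token -> original value, kept on-premises

    def _token(self, field: str, value: str) -> str:
        # Keyed HMAC gives a deterministic, non-reversible pseudonym per
        # field/value pair; determinism keeps equality lookups possible.
        msg = f"{field}\x00{value}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return f"tok_{mac[:16]}"

    def outbound(self, record: dict) -> dict:
        """Record as it may leave for the IaaS/PaaS resource."""
        out = dict(record)
        for field in PERSONAL_FIELDS:
            if field in out:
                token = self._token(field, out[field])
                self._vault[token] = out[field]
                out[field] = token
        return out

    def inbound(self, record: dict) -> dict:
        """Re-identify a record retrieved from the cloud, locally."""
        out = dict(record)
        for field in PERSONAL_FIELDS:
            if field in out:
                out[field] = self._vault.get(out[field], out[field])
        return out


def provider_sees_personal_data(stored: dict, original: dict) -> bool:
    """Check the provider-side copy for any readable personal value."""
    return any(stored.get(f) == original.get(f) for f in PERSONAL_FIELDS)
```

The check function models the control a cloud user would apply when evaluating whether the provider-side copy still contains personal data.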

In contrast, only the cloud provider is able to guarantee the physical security of the IT infrastructure and implement appropriate technical and organizational measures.

Shared responsibilities

In addition to these shared responsibilities for data protection when using IaaS and PaaS, there are joint measures that must be implemented on both sides. These include, for example, both providers and users continuously scanning the resources and data records each of them operates for malware and protecting them with firewalls.

More about data protection in the IaaS and PaaS environment on Security-Insider.de