Sensitive Data Transfer

[All Actors]
1. Protect any datasets and outputs the actor transmits during cross-system transmission.

2. Secure service-to-service inference and plugin data flow under the actor’s control through authenticated, encrypted channels and strict access controls.

3. Secure user data transfers, log handling and consent-based usage for any user data the actor processes.

4. Classify, encrypt and contractually limit transferred data for any transfers the actor initiates or receives.

5. Provide secure-by-default networking, encryption and transfer logs.

1. Examine the CSP’s procedures and technical requirements for securing and legally transferring personal and sensitive data. Establish that this process and key controls comply with the CSP’s data privacy and security policy.

2. Establish whether the CSP has documented the roles and responsibilities for this process.

3. Select a range of personal and sensitive data transfers to confirm that each transfer adhered to the CSP’s policy, procedures, and controls. Confirm that all relevant evidence was formally documented.

4. Verify that data transfers are protected from unauthorized access using encryption, secure communication channels, and access controls.

5. Verify compliance with relevant data protection laws (e.g., GDPR, CCPA) and organizational policies throughout the data transfer and processing activities.

6. Verify that regular assessments and audits are conducted to evaluate the effectiveness of data transfer and processing measures and identify potential risks.

7. Verify that all processes, procedures, and technical measures related to data transfer and processing are thoroughly documented and regularly updated to reflect changes in laws and regulations.

8. Obtain a sample of the technical measures implemented by the CSP to determine if those measures adhere to the CSP’s data privacy and security policy.

9. Determine how the CSP ensures that all third-party providers protect the transfer of personal or sensitive data.

10. Verify implementation of encryption protocols (e.g., TLS 1.2+) for all network paths that transfer sensitive data. 

11. Assess technical measures enforcing geographical data residency requirements, including documentation of data storage locations. 

12. Review access control mechanisms for infrastructure components that handle sensitive data transfers, verifying the principle of least privilege implementation. 

13. Evaluate network monitoring capabilities for detecting unauthorized sensitive data transfers. 

14. Verify implementation of secure API gateways and other transfer boundary protections. 

15. Assess documentation and technical implementation of data transfer logging and monitoring for compliance verification.