Personal Data Sub-processing
Specification
Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
Threat coverage
Architectural relevance
Lifecycle
Resource provisioning, Team and expertise
Design, Guardrails
Evaluation, Validation/Red Teaming
Orchestration, AI Services supply chain
Operations, Maintenance, Continuous monitoring
Data deletion
Ownership / SSRM
PI
Owned by the Customer (AIC)
The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.
Model
Owned by the Customer (AIC)
The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.
Orchestrated
Owned by the Customer (AIC)
The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.
Application
Owned by the Customer (AIC)
The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.
Implementation guidelines
Auditing guidelines
1. Examine the CSP’s contractual terms, procedures, roles, responsibilities, documents, and technical measures for transferring personal data and sensitive data to subprocessors and how subprocessors are to treat this data.
2. Identify areas where contractual controls are insufficient and ensure appropriate risk mitigation is in place.
3. Establish whether the CSP has documented the roles and responsibilities for this process.
4. Select a sample of data transfers to subprocessors to establish that the controls and reporting of the subprocessors comply with the CSP’s data privacy and security policy.
5. Verify that contracts with suppliers and sub-processors include clauses that comply with applicable laws and regulations regarding the transfer and sub-processing of personal data.
6. Verify the effectiveness of technical measures such as encryption, secure communication channels, and data masking used during data transfer and sub-processing.
7. Verify that regular assessments and audits are conducted to evaluate the effectiveness of data transfer and sub-processing measures and identify potential risks.
8. Verify that all processes, procedures, and technical measures related to data transfer and sub-processing are thoroughly documented and regularly updated to reflect changes in laws and regulations.
9. Examine the CSP’s contractual requirements for subprocessor compliance, reporting, and non-compliance sanctions and the CSP’s right to audit. Establish subprocessors’ processes, controls, and metrics to comply with the organization's requirements.
10. Review documentation demonstrating how the infrastructure supports customers in maintaining regulatory compliance for sub-processing activities.
11. Assess whether the CSP provides visibility and logging capabilities for data transfers that would enable customers to track sub-processing activities.
12. Evaluate whether the CSP has documented which regulatory frameworks (e.g., GDPR, CCPA) their infrastructure is designed to support regarding data transfers.
Standards mappings
42001: A.10.2 - Allocating responsibilities
42001: A.2.3 - Alignment with other organizational policies
42001: 9.1 - Monitoring and measurement
42001: 10.2 - Corrective action for deviations in data supply chains
27001: A.5.14 - Information transfer
27001: A.5.20 - Addressing information security within supplier agreement
27001: A.8.23 - Information masking
27001: A.5.10 - Acceptable use of information
27001: A.5.15 - Access control
27002: 5.14 - Information transfer
27002: 5.20 - Addressing information security within supplier agreement
27002: 9.4 - Access control enforcement
27002: 8.10 - Data handling policies
Addendum
N/A
Article 10 Article 23 Article 24
Addendum
Supply chain responsibilities are covered but sub-processing procedures are not detailed.
GV-1.1-001 GV-6.1-004
Addendum
Augment GV-1.1-001 and GV-6.1-004 with privacy-specific and legal compliance controls.
SSO-01 SSO-02 BC-06
Addendum
For such topics, there is the GDPR in the EU. The GDPR is transposed into local regulations for every country in the EU. This is an explicit target of the GDPR.
AI-CAIQ questions (1)
Are processes, procedures, and technical measures defined, implemented, and evaluated for transferring and sub-processing personal data within the service supply chain according to applicable laws and regulations?