Vietnam: Contents of a contract for use of cloud computing service with a third party

Recently, the State Bank of Vietnam issued Circular No. 09/2020/TT-NHNN prescribing information system security in banking operations.

Contract for use of cloud computing services, Circular No. 09/2020/TT-NHNN

According to Circular No. 09/2020/TT-NHNN of the State Bank of Vietnam, a service contract signed with a third party that provides services for information systems of level 3 or higher and information systems that process clients’ personal information shall, inter alia, include the following contents:

1. General information

- The third party’s information security commitments, including:

+ Not to replicate, alter, use or provide the institution’s data for other individuals or institutions, unless the data is provided at the request of a regulatory authority as prescribed by law; in such case, the third party is required to give a prior notice to the institution before providing its data, unless giving notice will violate the law of Vietnam;

+ Disseminate the institution’s regulations on assurance of information security to all staff members of the third party involved in the contract execution, and implement methods for supervising their compliance with such regulations.

- Specific provisions on the maximum allowable duration of service interruption and the time limit for troubleshooting, requirements for assurance of continuous operation (on-site backup, data backup, disaster recovery), requirements regarding processing, computing and storage capacity, as well as actions taken in case of failure to ensure service quality.

- Cases in which the third party’s engagement of a sub-contractor causes no change in the third party’s responsibilities for services rendered to the institution.

- Data generated during the provision of service that is considered the institution’s asset. When the provision of service is terminated:

+ The third party shall return or support the transmission of the entire data used and generated during its provision of service to the institution;

+ The third party shall make a commitment to delete all data of the institution within a specified period of time.

- Notification of any violations, committed by staff members of the third party, of the information security regulations applied to the provided service.

2. Supplementary information for contracts for use of cloud computing services

- The third party must provide reports on the audit of compliance with information technology regulations, which is conducted annually by an independent audit organization during the validity of the contract;

- The third party must provide instruments for control of cloud service quality and procedures for monitoring and control of cloud service quality;

- The third party must clearly designate locations (cities or countries) for establishment of the data center outside of the territory of Vietnam which provides services for the institution;

- Responsibilities for data protection and prevention of unauthorized access to data through service distribution channels from the third party to the institution must be defined;

- The third party must assist and cooperate in investigations carried out at the request of regulatory authorities of Vietnam as prescribed by law;

- Data of the institution must be separated from other clients’ data used on the same technical basis provided by the third party.

View more details in Circular No. 09/2020/TT-NHNN of the State Bank of Vietnam, effective from January 01, 2021.

Thuy Tram
