Qualifying SaaS, IaaS
Create a Quality Agreement with Cloud Providers
SACHIN BHANDARI
HEAD OF CSV, QUALIFICATION AND STANDARDS
BOEHRINGER INGELHEIM
The Various Deployment Models & Regulatory Impact
- IaaS, PaaS and SaaS models move a significant portion of the GxP data out of the regulated company's control framework.
- It is important to note that the SaaS/IaaS providers are not subject to the same GxP regulations as the regulated company, and that ultimate accountability for GxP requirements resides with the regulated company.
Image courtesy: PaaS vs IaaS vs SaaS - differences, pros, and cons | Artifakt Blog
GxP perspective on Quality Agreements
- Infrastructure/application intended use
- Applicable controls on:
  - Data (IaaS/SaaS)
  - User access (IaaS/SaaS)
  - Administration privileges (IaaS/SaaS)
  - Audit trails (SaaS)
- Quality Management System:
  - Change Management
  - Release Management
  - Incident Management
  - User Access Management
- Fitness for purpose of the application/infrastructure
- Associated services such as BCP/DRP (detailed further)
- Applicable regulations
- Measures to ensure data integrity
The quality agreement must not delegate GxP accountabilities to the IaaS/SaaS provider.
Key considerations in Quality agreements for IaaS/SaaS
- The scope and specifications of the services, including the features, functions, and limitations of the software and infrastructure.
- The service levels and standards that the provider must adhere to, such as availability, uptime, response time, backup, recovery, and maintenance.
- The data ownership, access, protection, and retention policies, as well as the data integrity and confidentiality measures that the provider must implement.
- The allocation of risks and liabilities between the parties, and the remedies and penalties for non-compliance or breach of contract.
- The communication and escalation procedures, as well as the dispute resolution and termination mechanisms, in case of any issues or conflicts.
These constituents should be defined and documented in a clear and comprehensive manner and reflect the roles and responsibilities of both the provider and the customer. Quality agreements for SaaS and IaaS can help ensure that the quality, reliability, security, and performance of the services meet the expectations and requirements of the customers, especially in regulated industries such as life sciences.
SaaS/IaaS Quality Agreement Constituents
- Scope of the agreement
  - Definition of the services provided
  - Identification of the parties involved
  - Duration and termination conditions
- Roles and responsibilities
  - Responsibilities of the service provider
  - Responsibilities of the customer
- Data security and privacy
  - Data protection measures
  - Compliance with relevant data protection regulations (e.g., GDPR)
  - Data breach notification procedures
- Service levels and performance
  - Service availability and uptime guarantees
  - Response and resolution times for support requests
  - Regular performance monitoring and reporting
- Backup and disaster recovery
  - Data backup frequency and retention policies
  - Disaster recovery plans and procedures
  - Data restoration timelines
- Change management
  - Notification of planned updates and maintenance
  - Procedures for requesting and implementing changes
  - Impact assessment and rollback plans
- Compliance and audits
  - Adherence to industry standards and certifications (e.g., ISO, SOC)
  - Rights to audit the SaaS provider's processes and controls
  - Remediation of identified non-compliance issues
- Training and support
  - Provision of user training and documentation
  - Support channels and hours of availability
  - Escalation procedures for critical issues
- Intellectual property and confidentiality
  - Ownership of customer data and any customizations
  - Protection of proprietary information and trade secrets
  - Non-disclosure agreements
- Liability and indemnification
  - Limitation of liability clauses
  - Indemnification for third-party claims related to the SaaS services
- Governing law and dispute resolution
  - Applicable laws and jurisdiction
  - Dispute resolution mechanisms (e.g., mediation, arbitration)
IaaS vs SaaS: Difference in the Quality Agreement, Explained
Scope of the agreement
  IaaS: Primarily focuses on the provision of virtualized computing resources over the internet.
  SaaS: Covers the delivery of software applications over the internet.
Roles and responsibilities
  IaaS: The provider is responsible for managing the infrastructure, while the customer is responsible for managing the operating systems, middleware, and applications.
  SaaS: The provider is responsible for managing both the infrastructure and the software applications.
Data security and privacy
  IaaS: The provider is responsible for the security of the infrastructure, while the customer is responsible for the security of their data and applications.
  SaaS: The provider is responsible for the security of both the infrastructure and the data.
Service availability and performance
  IaaS: The agreement would focus on the availability and performance of the infrastructure resources.
  SaaS: The agreement would focus on the availability and performance of the software applications.
Backup and disaster recovery
  IaaS: The provider is responsible for the backup and recovery of the infrastructure, while the customer is responsible for the backup and recovery of their data and applications.
  SaaS: The provider is responsible for the backup and recovery of both the infrastructure and the data.
Change management
  IaaS: Changes typically involve infrastructure updates and upgrades.
  SaaS: Changes can involve both infrastructure updates and application updates.
Support and incident management
  IaaS: Support is typically for infrastructure-related issues.
  SaaS: Support covers both infrastructure and application-related issues.
Compliance and audits
  IaaS: Compliance requirements are primarily related to the infrastructure.
  SaaS: Compliance requirements cover both the infrastructure and the software applications.
Intellectual property and confidentiality
  IaaS: The customer retains ownership of their data and applications.
  SaaS: The provider may have access to the customer's data, and there may be clauses related to the use of customer data.
Liability and indemnification
  IaaS: Liability is typically limited to the infrastructure services provided.
  SaaS: Liability can cover both the infrastructure services and the software applications provided.
IaaS vs SaaS (cont.)
SaaS = IaaS + Application Performance + Support Services
IaaS:
- Service Level Agreements (SLAs)
- Data Protection and Privacy
- Disaster Recovery and Business Continuity Plans
- Performance Metrics
- Roles and Responsibilities
- Review and Audit Rights
- Termination Clauses
- Dispute Resolution
- Scalability and Flexibility
- Cost and Pricing Structure
Sachin Bhandari
Email: SACHIN.BHANDARI@GMAIL.COM
LinkedIn: Sachin Bhandari | LinkedIn