Working Group

Privacy Level Agreement

This group monitors the legal and regulatory landscape and performs research in the area of privacy and data protection compliance for cloud computing services at a global scale. Currently the group is working to extend the scope of the GDPR Code of Conduct in order to satisfy the data protection/privacy requirements in other relevant countries/states.
Cloud Security Alliance Code of Conduct for GDPR Compliance (Updated - September 2020)


How do privacy and security overlap?
In most aspects of the collection, use or processing of personal data, privacy and security functions overlap or coexist to some extent and at times use similar tools. Privacy and security professionals should regularly communicate to ensure that they understand each other’s responsibilities, needs, capabilities, and limitations, and keep track of the changes to the ecosystem in which the personal data is used by their organization. They also need to ensure that their efforts complement, and do not conflict with, each other, so that they can enable their organization to meet its objectives in the most efficient and cost-effective manner.

Cloud Service Providers (CSPs) will be responsible for self-determining the level of protection required for the personal data they process.
Data protection compliance is becoming increasingly risk-based. Data controllers and processors are accountable for determining and implementing in their organisations appropriate levels of protection of the personal data they process. In such a decision, they have to take into account factors such as state of the art of technology; costs of implementation; and the nature, scope, context and purposes of processing; as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. To help address these challenges CSA created the CSA Code of Conduct for GDPR Compliance. It aims to provide Cloud Service Providers (CSPs) and cloud consumers a solution for GDPR compliance and to provide transparency guidelines regarding the level of data protection offered by the CSP. The code can be used to submit a self-assessment to the CSA STAR Registry.

Related training available through CSA.
CSA also offers a course that trains lead auditors & consultants in the CSA GDPR Code of Conduct and the CSA GDPR Certification. This training is led by Prof. Dr. Paolo Balboni (Founding Partner of ICT Legal Consulting). You can learn more about this course here 

Working Group Leadership

Paolo Balboni

Founding Partner of ICT Legal Consulting, President of the European Privacy Association, Professor of Privacy, Cybersecurity, and IT Contract Law at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law.

Paolo Balboni (qualified lawyer admitted to the Milan Bar) is a Founding Partner of ICT Legal Consulting (ICTLC), a law firm with offices in Milan, Bologna, Rome, an International Desk in Am...

Daniele Catteddu

Chief Technology Officer, CSA

Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 years of experience. He worked in several senior roles both in the private and public sector. He is a member of various national and international security expert groups and committees on cyber-security and privacy, keynote speaker at several conferences and author of numerous studies and papers on risk management, ...

Publications in Review | Open Until
CCPA - CSA Code of Conduct Gap Resolution | Apr 10, 2023
Understanding Cloud Attack Vectors | Apr 28, 2023
CCMV4-Lite | May 15, 2023
Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline | Jun 01, 2023

Who can join?

Anyone can join a working group, whether you have years of experience or want to just participate as a fly on the wall.

What is the time commitment?

The time commitment for this group varies depending on the project. You can spend 15 minutes helping review a publication that's nearly finished or help author a publication from start to finish.

Open Peer Reviews

Peer reviews allow security professionals from around the world to provide feedback on CSA research before it is published.

Learn how to participate in a peer review here.

CCPA - CSA Code of Conduct Gap Resolution

Open Until: 04/10/2023

This spreadsheet from the Priv...

Understanding Cloud Attack Vectors

Open Until: 04/28/2023

The goal of the document is to map the various attack vectors that are actually being used during cloud-based attacks in Ia...


CCMV4-Lite

Open Until: 05/15/2023

Purpose and Scope of CCMv4-Lite: Cloud Security Alliance and the CCM WG have been developing a li...

Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline

Open Until: 06/01/2023

The proposed outline for the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing v5 is...