Achieving regulatory compliance can be complicated—especially when using a service provider like Altiscale or Amazon AWS. You may wonder: Is your organization responsible for every aspect of its regulatory compliance when using a service provider? And how does the service provider fit in? Are they responsible for anything and, if so, what? How can your organization make sure your service provider is doing what it’s supposed to?
In this blog we’re going to answer these questions. But before we do, here’s some important background information:
A regulated company (i.e., the customer) that employs a service provider must determine whether they, the service provider, or both parties, are responsible for each aspect of the customer’s compliance (more on how to figure this out later).
However, the regulated customer is ultimately responsible for ensuring that its operations meet all legal and regulatory requirements. So, even when a service provider is responsible for meeting a subset of the customer’s compliance requirements, the customer must ensure that the service provider does so. This is called a “shared responsibility” model.
We know. It’s complicated. But it will all become clearer from here on out.
Determining Ownership of Compliance Requirements
Now that we’ve covered the legality, let’s talk about how to figure out which party—the customer or the service provider—is practically responsible for each aspect of compliance. First, you should know that it’s impossible for a service provider to offload all of a customer’s compliance requirements, although we at Altiscale would love to do so. For example, take two common requirements: security for data at rest and the ability of a user to opt out of data collection. Altiscale can and does take full responsibility for security of data at rest (e.g., data stored in the Altiscale Data Cloud). However, it’s impossible for us to manage the ability of a user to opt out of data collection. This is because Altiscale doesn’t actually collect any of the data that our customers process on our systems. Also, our legal terms bar us from even looking at our customers’ data, except in a few limited cases. This means that only the company that originally collects the data can let users opt out.
So, how can an organization determine which compliance controls it must enact and which can be outsourced to a service provider? Altiscale believes the answer should lie with the service provider. We make it easy for our customers to tell the difference by outlining this information in our compliance certifications. We also detail the specific controls Altiscale has in place to meet each of the requirements we manage.
Now remember—even when a service provider is responsible for complying with a subset of a customer’s compliance requirements, the customer must ensure that the service provider does so. However, sometimes this is easier said than done. Customers can find it challenging to perform the required audits on both their own operations and those of their service providers.
To make validation of compliance easier, Altiscale’s customers are able to leverage our audited compliance reports. This means they don’t have to go through the hassle of sending out their own auditors to inspect our operations. For example, companies operating within a wide variety of regulated environments can use Altiscale’s SOC 2 report to demonstrate compliance with many of the most common compliance controls. This is because the AICPA SOC 2 control criteria are designed to meet the common portions of many different regulatory compliance requirements. Altiscale also offers PCI and HIPAA compliance reports for companies involved in the finance and healthcare industries.
Although it requires careful planning to manage regulatory compliance when using a service provider, it’s well worth it. A service provider is able to not only decrease a company’s compliance burdens, but also greatly reduce its operational load as well. It all boils down to the benefits far outweighing the costs. And that, at least, is not complicated at all.