Part 3: Cloud & Outsourcing Responsibility
| Item | Content |
|---|---|
| Document Name | Part 3: Cloud & Outsourcing Responsibility |
| Product Name | DTA Wide Sleep Management Platform |
| Date | 2026-02-10 |
| Scope | Part 3 (Backend/Infrastructure) |
1. Cloud Provider Overview
- Primary Cloud Provider: Google Cloud Platform (GCP)
- Region: europe-west3 (Frankfurt, Germany)
- Service Model: IaaS + PaaS + SaaS Hybrid
2. Shared Responsibility Model
2.1 GCP Responsibility vs DTA Wide Responsibility
2.2 RACI Matrix (by GCP Service)
| GCP Service | Physical Security | Network Security | OS Patch | App Security | Data Protection | Backup | Monitoring |
|---|---|---|---|---|---|---|---|
| Cloud Run | GCP: R | GCP: R, DTA: A | GCP: R | DTA: R | DTA: R | GCP: I | DTA: R |
| Cloud SQL | GCP: R | GCP: R | GCP: R | DTA: R | DTA: R | GCP: R, DTA: A | DTA: R, GCP: C |
| Memorystore | GCP: R | GCP: R | GCP: R | DTA: R | DTA: R | GCP: R | DTA: R |
| Firestore | GCP: R | GCP: R | GCP: R | DTA: R | DTA: R | GCP: R | DTA: R |
| Cloud KMS | GCP: R | GCP: R | GCP: R | GCP: R | DTA: A | GCP: R | DTA: R |
| Secret Manager | GCP: R | GCP: R | GCP: R | DTA: R | DTA: R | GCP: R | DTA: R |
RACI Legend:
- R (Responsible): Execution responsibility
- A (Accountable): Final responsibility
- C (Consulted): Consultation needed
- I (Informed): Information sharing
3. Key External Service List
3.1 Cloud Services (GCP)
| Service | Purpose | Data Transmission | Security Certification | Contract Type |
|---|---|---|---|---|
| Cloud Run | API server hosting | Source code (container images) | ISO 27001, SOC 2, C5 Type 2 | Google Customer Agreement |
| Cloud SQL PostgreSQL | Primary database | User data, sleep logs, questionnaire responses | ISO 27001, SOC 2, C5 Type 2 | Same |
| Memorystore Redis | Cache, sessions | Session tokens, cache data | ISO 27001, SOC 2, C5 Type 2 | Same |
| Firestore | NoSQL DB (analysis logs) | Anonymized event logs | ISO 27001, SOC 2, C5 Type 2 | Same |
| Cloud KMS | Encryption key management | Encryption keys (HSM internal only) | ISO 27001, SOC 2, C5 Type 2, FIPS 140-2 | Same |
| Secret Manager | Secret storage | API keys, DB passwords | ISO 27001, SOC 2, C5 Type 2 | Same |
| Cloud Logging | Log collection | Application logs, audit logs | ISO 27001, SOC 2, C5 Type 2 | Same |
3.2 SaaS Services (Third-party)
| Service | Provider | Purpose | Data Transmission | Security Certification | DPA Signed |
|---|---|---|---|---|---|
| Firebase Cloud Messaging | Google | Push notifications | Device tokens | ISO 27001, SOC 2 | ✅ GDPR DPA |
| Firebase Crashlytics | Google | Crash monitoring (mobile) | Crash reports, anonymized device info | ISO 27001, SOC 2 | ✅ GDPR DPA (Google) |
| SendGrid | Twilio | Email sending | Email addresses | SOC 2 Type 2 | ✅ GDPR DPA |
| GitHub | Microsoft | Source code storage | Source code (Private Repo) | ISO 27001, SOC 2 | ✅ GDPR DPA |
3.3 External Interface Connection Security Specification (O.TrdP_10)
dta-wide-api → External Service Connection Structure:
External Interface TLS Implementation Status (O.TrdP_10):
| External Service | Authentication Method | TLS Version Specified | Notes |
|---|---|---|---|
| Firebase FCM | Service Account JWT (mutual authentication) | ✅ Google SDK | Google SDK manages TLS |
| Firebase Crashlytics | Service Account JWT (mutual authentication) | ✅ Google SDK | Google SDK manages TLS |
| SendGrid | API Key (one-way) | TLS 1.2+ | |
| GitHub | Token (HTTPS) | TLS 1.2+ | Only source code is transmitted |
4. GCP Security Credentials (C5 Type 2)
4.1 C5 (Cloud Computing Compliance Controls Catalogue)
GCP C5 Type 2 Certification:
- Issuing Authority: BSI (German Federal Office for Information Security)
- Certification Scope: All GCP services (europe-west3 included)
- Validity Period: 2024-01-01 ~ 2026-12-31 (expected)
- Certificate Location: certs/gcp-c5-attestation-2024.pdf
C5 Major Requirements:
- ORP (Organization and Personnel)
- OPS (Operations)
- OIS (Information Security Incident Management)
- IDM (Identity and Access Management)
- DAT (Data Protection)
- LOG (Logging)
- CRY (Cryptography)
GCP Compliance Verification:
- Download C5 certificate via GCP Compliance Reports Manager
- Annual recertification (Type 2: continuous annual audit)
4.2 Other GCP Security Certifications
| Certification | Issuing Authority | Scope |
|---|---|---|
| ISO 27001 | ISO | Information Security Management System |
| SOC 2 Type II | AICPA | Service Organization Controls |
| GDPR | EU | Personal Data Protection Regulation |
| HIPAA | HHS (US) | Healthcare Data Protection |
| ISO 27017 | ISO | Cloud Security |
| ISO 27018 | ISO | Cloud Personal Data Protection |
| PCI DSS | PCI SSC | Payment Card Data Protection (not used) |
5. Data Processing Agreement (DPA)
5.1 GDPR Article 28 Compliance
GCP DPA:
- Contract Type: Google Cloud GDPR Data Processing Amendment
- Signature Date: [Contract date]
- Applicable Services: All GCP services
- Sub-processors: Google Sub-processor List (public)
- Data Location: europe-west3 (Germany), fixed region
Third-party Service DPA:
| Service | DPA Signed | DPA Type | Signature Date |
|---|---|---|---|
| OpenAI | ✅ | GDPR DPA | 2024-06-01 |
| Firebase Crashlytics | ✅ | Google GDPR DPA | Included in Google Customer Agreement |
| SendGrid | ✅ | GDPR DPA | 2024-08-01 |
| GitHub | ✅ | GitHub DPA (Microsoft) | 2024-05-01 |
5.2 Sub-Processors
GCP Sub-processor List (Examples):
- Google LLC (USA) - Infrastructure operation
- Google Ireland Limited (Ireland) - EU data processing
- Google Germany GmbH (Germany) - Local support
Notification Obligation:
- GCP: Email notification 30 days before sub-processor change
- DTA Wide: Can raise objection within 14 days
6. Data Residency and Cross-Border Transfer
6.1 Data Residency Guarantee
GCP VPC Service Controls:
- All data processed only within the europe-west3 region
- Block access outside the region (VPC Perimeter)
- Administrator access also through VPC within region only
6.2 No Cross-Border Transfer
Guarantees:
- All user data stored/processed in Germany (europe-west3) only
- Backups replicated across multiple zones within the same region
- Administrator/developer access only via a proxy located in the German region
- Uses GCP global network but data locked to region
Exception:
- GitHub: Source code storage (no sensitive data included)
7. Vendor Security Monitoring
7.1 GCP Security Command Center
Configuration:
- Standard Tier enabled
- Vulnerability scan: Weekly
- Anomaly detection: Real-time
- Compliance check: Monthly
Alert Configuration:
- Critical vulnerabilities: Immediate email
- High vulnerabilities: Daily summary
- Compliance violations: Immediate alert
7.2 Vendor SLA Monitoring
| Service | SLA | Actual Uptime (2025) | Downtime Compensation |
|---|---|---|---|
| Cloud Run | 99.95% | 99.98% | Service credit (10-25% monthly usage) |
| Cloud SQL | 99.95% (HA) | 99.97% | Service credit |
| Memorystore | 99.9% | 99.95% | Service credit |
9. Supply Chain Security
9.1 Container Image Validation
GCP Artifact Registry:
- Container image vulnerability scan (automatic)
- Binary Authorization (signature verification)
- Provenance Attestation (SLSA Level 2)
Docker Image Signing:
```yaml
# cloudbuild.yaml
steps:
  # Build the API image tagged with the commit SHA.
  - name: gcr.io/cloud-builders/docker
    args: ['build', '-t', 'gcr.io/dta-wide-prod/dta-wide-api:$SHORT_SHA', '.']
  # Push; the registry assigns the immutable sha256 digest.
  - name: gcr.io/cloud-builders/docker
    args: ['push', 'gcr.io/dta-wide-prod/dta-wide-api:$SHORT_SHA']
  # Added step (the original listing signs a file it never writes): record the
  # pushed image's repository digest so the signature covers the digest, not the tag.
  - name: gcr.io/cloud-builders/docker
    entrypoint: bash
    args:
      - -c
      - "docker inspect --format='{{index .RepoDigests 0}}' gcr.io/dta-wide-prod/dta-wide-api:$SHORT_SHA > /workspace/image-digest.txt"
  # Sign the digest file with the HSM-held Cloud KMS key; the DER signature is
  # what the Binary Authorization attestation carries.
  - name: gcr.io/cloud-builders/gcloud
    args:
      - kms
      - asymmetric-sign
      - --location=europe-west3
      - --keyring=build-keyring
      - --key=build-key
      - --version=1
      - --digest-algorithm=sha256
      - --input-file=/workspace/image-digest.txt
      - --signature-file=/workspace/signature.sig
```
9.2 Dependency Management
SBOM (Software Bill of Materials):
- Format: CycloneDX JSON
- Generation Tool: @cyclonedx/bom
- Update: Per release
- Storage Location: artifacts/sbom-v1.x.json
Example:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "@nestjs/core",
      "version": "10.0.0",
      "purl": "pkg:npm/%40nestjs/core@10.0.0"
    }
  ]
}
```
10. Vendor Audit and Review
10.1 Annual Vendor Review
| Review Item | Frequency | Responsible | Action |
|---|---|---|---|
| GCP Security Certification Renewal | Annual | Security team | Verify C5 certificate |
| DPA Renewal | Annual | Legal team | Contract review |
| Sub-processor Changes | Quarterly | Compliance team | Approve/reject changes |
| SLA Achievement Rate | Monthly | Operations | Claim compensation |
| Vendor Vulnerabilities | Ongoing | Security team | CVE monitoring |
10.2 Exit Strategy (Contingency Plan)
Scenario: GCP Service Outage (Region Failure)
- Immediate Action (0-15 minutes):
  - Cloud SQL HA Failover (automatic, < 60 seconds)
  - Cloud Run Multi-zone auto-redeploy
- Short-term Action (15 minutes-4 hours):
  - Manual Failover to another region (europe-west1)
  - DNS TTL 60 seconds → fast switching
- Long-term Action (4 hours-2 weeks):
  - Complete migration to another cloud provider (AWS/Azure)
  - Execute migration plan (Section 8.2)
Evidence and References (Artifacts)
- RACI Matrix (Section 2.2 of this document)
- GCP C5 Type 2 Certification - certs/gcp-c5-attestation-2024.pdf
- DPA Contract (GCP) - contracts/gcp-dpa-signed.pdf
- VPC Service Controls Configuration - artifacts/vpc-service-controls.yaml
- SBOM (Software Bill of Materials) - artifacts/sbom-v1.x.json
- GCP Sub-processor List - artifacts/gcp-subprocessors-list.pdf
- Vendor Review Records - reports/vendor-review-2025.pdf
- SLA Achievement Report - reports/sla-report-2025.xlsx
- Migration Plan (Contingency) - docs/migration-plan-gcp-to-aws.md
| Regulation | Requirement | Implementation | Evidence |
|---|---|---|---|
| BSI TR-03161 Part 3 | Vendor security credentials | GCP C5 Type 2 certification | Certificate |
| GDPR Article 28 | DPA execution | DPA for all external services | DPA contracts |
| DiGA (BfArM) | German data residency | europe-west3 region enforcement | VPC Service Controls |
| ISO 27001 A.15 | Vendor relationship management | RACI, SLA monitoring | This document |