Specifications include, but are not limited to: Oracle Cloud@Customer is a solution for customers who want to run Oracle PaaS and IaaS behind their firewalls, in their own data centers. Below is a summary of data management and the roles and responsibilities that are included as part of the service: Data Management/Protection: The Service Provider does not require or request access to customer data in order to provide Cloud@Customer services. Data Management: During the performance of the Services, DCA will maintain control over and responsibility for any data residing in the environments. The Service Provider does not and will not: Change any data, other than as required for the performance of the services Have any role in determining or maintaining the accuracy of any data. Control how data is hosted, processed, stored or destroyed by DCA. Control DCA’s access to data, other than restricting access to data through applying physical and logical access controls, as applicable, as part of the services. Monitor DCA’s use of or access to data, except as necessary to provide the Services. State Responsibilities The State is responsible for compliance with standard and advised security best practices, included but not limited to: Encryption of all data at rest and in transit. Maintain control and access to data encryption keys. Limit customer employee access, per previously established internal audit requirements. Monitor application and data logs, per previously established internal audit requirements Additionally, Section 3(c) “Data Protection, “of the Special Provisions allows changes to the requirement that Personal Data and Non-Public Data shall be encrypted when it is at rest, in use and in transit with controlled access. Accordingly, DCA agrees not to change this requirement and adds that DCA is solely responsible for the encryption of and access control to all data, including State Data, Personal Data and Non-Public Data, under Contract.
