Cloud Storage

Cloud services enable scalable storage for AHEEN's distributed programs but introduce risks like data sovereignty and access by foreign governments (e.g., US CLOUD Act).

Guidelines

Approved Providers: Use UoN-vetted services (e.g., Microsoft Azure with Kenyan data centers) compliant with DPA.
Risk Mitigation:
- Conduct DPIA before adoption.
- Encrypt data at rest/transit (AES-256 standard).
- Retain control of encryption keys.
- Include audit rights in contracts.
Best Practices from ICRC:
- Opt for private/hybrid clouds to limit third-party access.
- Ensure separation of user data; monitor for "black box" risks in AI-integrated clouds.
- Prohibit public clouds for sensitive data without jurisdictional safeguards.

Risk	Mitigation
Unauthorized Access	Multi-factor authentication (MFA); regular penetration testing.
Data Locality	Host in Kenya/EU for privilege recognition.
Vendor Breach	Require incident notification within 24 hours.

Prohibitions

No storage of highly sensitive data (e.g., biometrics) without compartmentalization.

Databases in the Cloud

[TBD] Hosting of Databases with sensitive data

Introduction

Data Protection Principles

Roles and Responsibilities

Data Classification

Data Lifecycle Management

Cloud Storage

Storage on Private PCs (BYOD Policy)

Use of AI

Risk Assessments

Data Sharing

Incident Response

Training and Awareness

Compliance and Auditing

References and Appendices

AHEEN Data Protection

General DPIA Checklist

Physical Device Security Checklist

Cloud Storage

Guidelines

Prohibitions

Databases in the Cloud