IT Outsourcing and Background Checks: What Needs to Be Checked for Cloud Service Providers
When a company buys cloud services, SaaS solutions or managed services, it delegates not only computing power but also access to sensitive data to the employees of a third party. The administrator at a hyperscaler, the support employee of a SaaS provider, the technician of a managed service provider: all of them can view customer data, copy it, modify it or, in the worst case, exfiltrate it. Art. 28 GDPR, DORA (Art. 28 and 30), MaRisk AT 9 and BSI C5 therefore require the commissioning party not only to review the provider's technical security but also to take responsibility for the personnel security of the provider's employees. This article shows what needs to be checked in practice, and how procurement and compliance teams can meet their duty of care.
Legal bases: Why personnel security at the provider is your problem
Art. 28 and Art. 32 GDPR
Art. 28(1) GDPR permits controllers to use only processors that provide sufficient guarantees of appropriate technical and organisational measures. Art. 32 GDPR specifies the security of processing, and Art. 32(4) makes the personnel dimension explicit: controller and processor must ensure that any natural person acting under their authority who has access to personal data processes it only on the controller's instructions. A processor cannot credibly give that guarantee without checking the reliability of its staff.
DORA Art. 28 — for financial institutions
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied to banks, insurers and asset managers since 17 January 2025. Art. 28 sets out the general principles for managing ICT third-party risk, including the due diligence a financial entity must perform on a provider before contracting, and Art. 30 lists the key contractual provisions that every contract with an ICT third-party service provider must contain, among them the provider's participation in the institution's ICT security awareness programmes and resilience training. The RTS on subcontracting of ICT services supporting critical or important functions extends these due-diligence and monitoring duties along the subcontracting chain. Anyone who needs to comply with DORA therefore cannot avoid structured employee screening by their service providers.
BaFin MaRisk AT 9 (Outsourcing)
For German financial institutions, BaFin's Minimum Requirements for Risk Management (MaRisk) also apply, specifically AT 9 on outsourcing. Before concluding the contract, the outsourcing institution must satisfy itself that the service provider offers sufficient guarantees, which explicitly includes the reliability and qualifications of the provider's staff (AT 9 para. 7). The 7th MaRisk amendment of 29 June 2023 tightened these requirements further for ICT outsourcing.
BSI C5 — Cloud Computing Compliance Criteria Catalogue
The C5 criteria catalogue (Cloud Computing Compliance Criteria Catalogue) published by the German Federal Office for Information Security (BSI) is regarded as the de facto standard for cloud providers in Germany. Its personnel-security criteria (HR-01 to HR-06 in C5:2020) explicitly require verification of qualification and trustworthiness before hiring, confidentiality agreements, regular security awareness training, controlled off-boarding and disciplinary measures for violations. A cloud provider without a valid C5 attestation (or an equivalent attestation covering these criteria) should not be shortlisted for regulated workloads.
Specific requirements for cloud service providers
Which employees need to be checked?
Not every employee at a provider needs to undergo a full screening. What matters is the level of access to customer data or customer systems. The following prioritisation has proven effective in practice:
| Role | Type of access | Screening standard |
|---|---|---|
| Cloud administrators, SRE, DevOps | Root/domain admin, access to customer data | Full screening: identity, criminal record, sanctions lists, credit check, professional references |
| Database administrators | Direct database access | Full screening |
| 2nd/3rd level support | Escalated access to customer data | Identity, criminal record, sanctions lists, references |
| Security team (SOC, CSIRT) | Log and incident data | Full screening (like admins) |
| 1st level support | Restricted ticketing access | Identity, criminal record, sanctions lists |
| Developers with prod access | Deployment into customer systems | Full screening |
| Sales, marketing without system access | No direct customer data | No screening obligation (but recommended: sanctions lists) |
What depth of screening is appropriate?
For privileged access, at a minimum the following should be checked:
Identity verification: Officially issued document, ideally with video identification or an eIDAS-compliant eID.
Criminal record extract: Not older than 3 months, from all countries where the person has lived during the last five years.
Sanctions list screening: EU, UN and OFAC lists as well as national lists in the relevant jurisdictions.
Credit and financial reference check: Insolvency and debtor-register (sworn-statement) entries, especially relevant for roles with access to financial assets or high-value data.
Qualification verification: Diplomas and certificates relevant to the role.
Reference check: At least two former employers, by phone or in writing.
Documentation evidence
The provider must be able to demonstrate that the checks took place, usually through (a) a signed attestation from an independent auditor, (b) anonymised or pseudonymised logs of the individual checks, and (c) an annual report showing coverage by role category. The client cannot inspect the original documents itself: the provider's employees are not in a contractual relationship with the client, so handing their criminal-record extracts or credit reports to the client would lack a legal basis under the GDPR.
Re-check intervals
Best practice is: full initial screening at hiring or when moving to privileged access, refresh of criminal-record and sanctions-list checks annually, full recertification every three years. Ad hoc checks when there is a specific trigger (insolvency, criminal proceedings, media reports).
Contract clauses: What must be in the sub-DPA
The Data Processing Agreement (DPA) under Art. 28 GDPR is the central control lever. The following clauses should be included:
Personnel reliability clause: Obligation for the provider to screen employees with access to customer data to a defined standard — with reference to BSI C5 HR criteria or ISO/IEC 27002:2022 control 6.1.
Documentation obligation: Annual report on coverage, without disclosing personal data.
Audit right: Right to on-site review or to commission an external auditor, at least annually.
Sub-processing: Obligation to pass the screening standard on to all sub-service providers. Prior approval required for new sub-service providers.
Incident reporting: Immediate reporting of breaches, including insider-threat incidents.
Termination right: Extraordinary right to terminate the contract in the event of a breach of personnel reliability requirements.
Liability: Indemnification that at least covers the fines and damages under the GDPR attributable to the provider's breach, ideally backed by proof of insurance.
Red flags: How do I recognise providers with weak personnel security?
In the due diligence phase, there are clear warning signs:
No valid C5 attestation, and no ISO/IEC 27001 certificate whose scope and Statement of Applicability cover the personnel-security controls (ISO/IEC 27002:2022 clause 6).
No documented background check policy. If sales answers this question with “of course we do that”, but cannot provide a document — be careful.
Checks only at hiring, with no repetition.
Exclusion of certain employee groups (for example, “we do not screen our offshore teams”).
Lack of transparency regarding sub-service providers: Anyone who does not impose a binding standard on subcontractors has no control over the supply chain.
No reporting processes for insider incidents or employee off-boarding.
Geographic risks: Employees in countries without a functioning criminal-record system — without a compensating mechanism.
Due diligence process before awarding outsourcing
A structured due diligence process before signing the contract should include at least the following steps:
Risk classification of the outsourcing project: Determine the criticality of the outsourced data/function.
Questionnaire distribution: Standardised questionnaire to candidates (see checklist below).
Certificate and attestation review: C5, ISO 27001, SOC 2 Type II, TISAX — depending on the sector.
References: Talk to existing customers, especially from the same industry.
On-site visit / remote audit: Especially for critical functions.
Contract negotiation: Do not back down on personnel security clauses.
Pre-go-live attestation: Final evidence that personnel security has been implemented.
Audit rights: How, how often, what should be checked?
Audit rights are legally provided for, but they are rarely used in a targeted way. The rule is: unused audit rights are, from a supervisory perspective, the same as non-existent audit rights. Recommended frequency and scope:
| Type of review | Frequency | Scope |
|---|---|---|
| Document review | Annually | Policies, attestations, reports, sample review of check logs |
| Remote audit | Every 2 years | Interviews with security, HR and compliance; system access review |
| On-site audit | Every 3 years or on an ad hoc basis | Physical security, organisational culture, off-boarding samples |
| Ad hoc | When there is a specific trigger | Incidents, media reports, personnel changes in key functions |
What applies in Switzerland, Austria and across the EU?
Switzerland
The FINMA Circular 2018/3 "Outsourcing – banks and insurers" governs outsourcing for the Swiss financial sector. Para. 20 requires the outsourcing institution to carefully select and monitor the provider, including the qualifications of its personnel, and para. 36 requires clear rules on subcontracting. For cloud outsourcing, FINMA also published cloud-use guidance in 2023 that explicitly addresses the personnel security of cloud providers. Art. 9 of the revised Federal Act on Data Protection (revFADP), in force since 1 September 2023, governs processing by processors and is functionally equivalent to Art. 28 GDPR.
Austria
The FMA minimum standards for outsourcing procedures (FMA-MS-OL) are decisive for Austrian financial service providers. In terms of content, they largely mirror the German MaRisk requirements, with particular focus on group outsourcing. The provider’s personnel security is part of the overall assessment. In addition, the Austrian Data Protection Act (DSG) applies alongside the GDPR and sets stricter requirements for the public sector.
Across the EU
At EU level, DORA is now the flagship regime for the financial sector. The RTS on subcontracting of ICT services supporting critical or important functions (final draft submitted by the ESAs to the Commission in 2024) specifies the requirements along the subcontracting chain. The EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) remain decisive for non-ICT outsourcing. For all other sectors, Art. 28 GDPR and sector-specific regimes apply (NIS2, MDR, IVDR, etc.). Pan-European companies should define a harmonised group standard that reflects the strictest applicable individual requirement.
Checklist: 15 questions for every cloud provider
Is there a valid BSI C5 Type 2 attestation or ISO/IEC 27001 certificate including controls for personnel security?
Which employee categories have access to customer data and what screening standard applies to each category?
What background checks do you perform before hiring? (Please list: identity, criminal record, sanctions lists, credit check, references, qualifications.)
At what intervals are checks repeated and what triggers an ad hoc repeat?
How is sanctions list screening (EU, UN, OFAC) implemented in practice — daily or one-off?
How do you document the checks carried out, and which reports do you provide to your customers?
In which countries is your staff with access to customer data located, and how do you address screening limitations there?
Which sub-service providers do you use and how do you ensure their personnel security?
How does your off-boarding process work (technically and documentarily), and how is it reviewed?
Which insider-threat detection measures are implemented?
How often do awareness trainings take place and are attendances documented?
Which NDAs and confidentiality clauses apply to your employees?
What audit rights do you grant your customers contractually, and have you already conducted customer audits on personnel security?
How do you ensure the separation of customer data access at personnel level (multi-tenancy)?
Which insurance policies cover personnel-related incidents and to what amount?
Indicium as a tool for vendor employee screening
Companies that themselves act as processors or cloud service providers must be able to show their own customers that their employees have been properly screened. Companies that act as clients must control their service providers. Indicium serves both sides.
The Indicium platform offers:
GDPR-compliant background checks with complete legal basis documentation.
Vendor module for structured capture and assessment of provider personnel security.
Multi-jurisdiction checks: DE, AT, CH, EU-27, UK, US and 40+ other countries.
Continuous sanctions list monitoring with automatic alerting.
Audit trail in a structure compliant with BSI C5, ISO 27001 and DORA.
Questionnaire engine for standardised vendor due diligence based on the 15-question checklist.
Template library for DPA, sub-DPA and audit rights clauses, reviewed by German lawyers.
This ensures that both your own organisation and your critical service providers meet the requirements of GDPR, DORA, MaRisk and C5 — and that your compliance documentation will stand up to any audit by BaFin, FMA, FINMA or the ECB.
Book a demo and show us which service providers are still unchecked in your system — we’ll show you how Indicium solves this in 30 days.
Nabil El Berr