Skip to content

Cloud & Third-Party Services

Almost everything Holmes uses runs in the cloud or through a third party. This policy sets how Holmes chooses, approves, and keeps an eye on those services, and how it assesses the suppliers it hands data to. For most staff the one rule that matters: if a tool stores or processes Holmes information and IT hasn't approved it, don't use it, ask first.

It also carries the inbound third-party risk process. The outbound client-assurance statement, what we tell clients, is a communications artefact governed by, and kept consistent with, this policy.

1. Adoption and approval

Ref Requirement
CLD.1 Every cloud or third-party service MUST have an approval record stating which classification levels it may handle (02).
CLD.2 Any service handling CONFIDENTIAL or RESTRICTED information MUST be approved by IT before use. Services handling only PUBLIC information need lightweight registration, not full approval.
CLD.3 A documented risk assessment MUST be completed before commissioning any service handling CONFIDENTIAL or RESTRICTED information, covering data ownership, data export and portability, independent backup, disaster-recovery readiness if the service fails, the provider's security certifications, secure deletion on exit, sub-processors, and the provider's viability.
CLD.4 The risk assessment MUST use the current Holmes cloud assessment template.
CLD.5 Providers MUST hold current, appropriate certification (ISO 27001, SOC 2 Type II, or equivalent) proportionate to the service's risk.

The assessment criteria live in the internal template, with the AI-specific criteria in 05.

2. Operating cloud services securely

Ref Requirement
CLD.6 Internet access to cloud services MUST use MFA and, where supported, Conditional Access restricting to managed devices or known locations (03).
CLD.7 CONFIDENTIAL and RESTRICTED data MUST be encrypted at rest and in transit (02 IC.5).
CLD.8 Holmes data in a cloud service SHOULD be backed up independently of that service, subject to risk assessment. Backups MUST run independently of the primary provider for business-critical data.
CLD.9 Root, administrative, and break-glass credentials (including MFA recovery) for any cloud subscription MUST be held securely under IT control (03).
CLD.10 IT staff managing cloud services MUST understand the provider's shared-responsibility model and configure the customer side accordingly.
CLD.11 Services MUST be decommissioned cleanly at end of life: data exported or securely deleted, access removed, approval record closed.

3. Tenant configuration baseline

Ref Requirement
CLD.12 The Microsoft 365 and Azure tenant MUST be configured against a named benchmark (CIS Microsoft 365 Foundations) and assessed periodically, with findings remediated on severity-based timelines (10).
CLD.13 A register of approved cloud services MUST be maintained, recording owner, approved data levels, and review dates.

A named benchmark and a recurring check keep tenant configuration from drifting. The approved-tools register in 05 is a view of the wider register in CLD.13.

4. Third-party and supplier risk (inbound)

Ref Requirement
CLD.14 Third parties given access to CONFIDENTIAL or RESTRICTED Holmes or client information MUST go through the risk assessment (CLD.3) and be bound by contractual confidentiality and security terms.
CLD.15 Contracts MUST prohibit the provider using Holmes or client data for secondary purposes (analytics, product improvement, model training) unless explicitly approved.
CLD.16 Data residency MUST meet classification, regulatory, and client requirements. Where required, data MUST be processed and stored only in approved regions (02, section 7).
CLD.17 Providers MUST support secure data deletion and provide certification of removal on request or contract termination.
CLD.18 Contracts with providers handling Holmes or client data MUST include breach-notification obligations (12).

5. Client assurance (outbound)

Holmes issues a Client Assurance Statement describing these controls to clients and their due-diligence teams. It's a communications document, not a policy, and it's governed by two rules.

Ref Requirement
CLD.19 The Client Assurance Statement MUST NOT claim any control that isn't backed by a MUST in this set and actually implemented. Every claim MUST cite its controlling policy.
CLD.20 The Statement MUST carry an owner, date, and version, be reviewed at least annually and after material change, and name AI/LLM services explicitly, covering training-data exclusion, retention, and human-in-the-loop for automated actions (05).

CLD.19 keeps the statement honest: no external promise without an internal, implemented requirement behind it. Clients ask about AI specifically, so CLD.20 requires it to be named rather than left implied under "digital services".

CLD.15 (no secondary use) and CLD.16 (residency) implement NZ IPP12, GDPR Chapter V, and APP 8 for cross-border and third-party processing of personal information.

Provider breach-notification terms (CLD.18) are what let Holmes meet its own statutory and contractual deadlines (12). A provider that notifies late makes Holmes late.

Counsel review is needed on standard contractual security and breach clauses (CLD.14 to CLD.18) and on the Client Assurance Statement template (CLD.19, CLD.20).

00 Framework, 02 Information Classification, 03 Identity & Access, 05 AI Systems, 11 Logging & Monitoring, 12 Incident Response.