CloudGate is the innovative SaaS solution that enables you to fulfil the legal and regulatory obligations for your third-party ICT procurement efficiently and effectively.
CloudGate ensures compliance in outsourcing management and in accordance with the Digital Operational Resilience Act (DORA) - regardless of whether it's a managed service, cloud or AI services. CloudGate also allows you to master assessments from an information security and data protection perspective in an audit-proof manner.
The use of digital checklists and cross-team collaboration guarantee a smart workflow for you when dealing with the approval, monitoring and control of purchased ICT services.
Keep ICT third parties under control with CloudGate
RegTech solution for IT Governance, Risk & Compliance
Work smart, not hard!
Organise the classification, evaluation and review of all types of outsourcing issues, relocations and other external IT references as use cases in agile boards: adapt the buckets flexibly to your processes and keep an eye on everything at all times as your processes move through the boards as "digital cards".
Use digital inspection catalogues for structured checklists - self-defined or ready-made from our library of current legal and regulatory requirements.
CloudGate helps you promote collaboration, including with providers, creates transparency and audit compliance, and saves you a lot of time by eliminating the need to use Excel.
Working together in parallel and everyone is enthusiastic
Read here what our users say about CloudGate - just click on your role!
-
"I finally know what to expect"
With CloudGate, our onboarding of new services is finally standardised. In the past, I never knew what to expect and how much work and time I had to plan for onboarding my projects.
Now I can finally see who has to check what and, above all, I can see the progress at any time and know where things stand.
But the best thing is that I'm no longer a “messenger”: I involve my providers directly in information gathering or audits, and no longer have to send Excel sheets around.
I like the fact that after onboarding, I can immediately see what control measures and checks are in store for my services over the next few years.
I also like the fact that my role is free of charge as we use the First Class Edition.
-
"No more waiting around thanks to votum"
In my role as Digital Coordinator, I have the task of making digitalisation possible. The pressure from the specialist side to set ourselves apart from the competition is so great that we can barely keep up, especially when it comes to approving SaaS solutions, and usually have to onboard three to four solutions in parallel.
CloudGate helps me to maintain an overview and to always be able to talk to our business side, as well as our management.
I also really appreciate the collaborative approach of the solution. I have clearly defined our responsibilities and don't have to do this every time.
But my absolute favourite is the vote at the end of the audit:
At last, our audit areas ‘from supervisory law to ZAM’ have to vote clearly PRO or CONTRA of a service. Since we started using CloudGate, we no longer have to deal with the long delays with unclear statements and positions.
And if there is a problem, I can immediately see it in CloudGate and we can resolve it in our next service board meeting.
-
"Ingenious: central register, BaFin notifications and DORA information register in one tool"
I have to admit that it was with a heavy heart that we gave up our previous Excel-based risk assessment processes. Of course, it's not easy to let go, but it helped that microfin imported our checklists directly into CloudGate so that we could start using our familiar approach straight away.
We can now report outsourcings to BaFin at the touch of a button and with audit-proof documentation: The upstream data validation for notifications of intent and enforcement notifications, as well as the automatic transmission saves us errors and a lot of time - previously we did this laboriously by hand in the MVP front end.
But what really excites us is that the information register in accordance with DORA is now also being set up as a side effect - without any double entry of data!
The fact that microfin also maintains the legal and regulatory content and makes changes at national and EU level available quickly gives me a good feeling.
-
"Focus on data"
Finally, our specialist departments are motivated to clearly identify the data to be processed in connection with the introduction of new services. CloudGate makes it much easier for us to analyse protection requirements and risks.
We also have a good collection of risks and protective measures after just a few onboardings, without having to formulate them anew each time. CloudGate helps us by allowing us to easily transfer this information from previous use cases to new ones.
The clear country allocation with regard to data storage and processing helps us immensely to scrutinise those services that process sensitive data outside the EU.
We find the option of adapting data subject groups, legal bases, data collection methods, data policies and authorised access groups to our terminology in CloudGate brilliant.
-
"Game changer with increasingly scarce legal resources"
Thanks to the process mapped in CloudGate, we already know before the negotiation phase whether there is a significant/important outsourcing or carve-out. The fewer regulatory requirements we have to negotiate into provider contracts or hyperscaler contracts, the better: this saves time and energy.
In CloudGate, our colleagues can also categorise the usually numerous sub-providers of a provider into classes so that we can concentrate on the really critical sub-providers during subsequent contract reviews.
But what saves us even more time and resources is the automatic change detection in general terms of use. Without CloudGate, we would not be able to fulfil our obligation to check changes, especially with the high number of SaaS solutions - a real game changer.
Incidentally, we were very pleased that we were not forced to abandon our previous contract management solution, but were able to couple it with CloudGate very quickly. Thanks to the well-documented interface, our IT department was even able to implement this itself.
-
"In short: Wow!"
Naturally, we like to take a look under the bonnet of IT architecture. CloudGate looked really good: a Kubernetes-based modern application architecture with client separation and encryption.
We attach great importance to the continuous development of SaaS solutions. After coordination with microfin, it was clear that three to four releases per month would be rolled out to all customers via the automated CI/CD route - so evergreening is guaranteed.
As a rule, we not only evaluate the technology used, but also the UX design. We liked the user interface, the intuitive usability, the clarity and the wide range of export functions.
CloudGate is rounded off by a decent knowledge base. However, we particularly applaud the useful interface documentation in the solution itself: As a developer, you can try out all the REST API functions directly.
-
"Top delivery model including consulting"
microfin was recommended to us when we were looking for an outsourcing management tool. After the first meeting, it was already clear that the outsourcing and cloud consulting, coupled with more than twenty years of consulting experience with financial service providers and insurance companies, as well as a practice-orientated SaaS solution, represented a reliable promise for the future for us.
At first I was a little reluctant, as I had expected a sourcing consultant to organise its delivery model offshore. However, the opposite is the case: microfin delivers all services - from German-language support to DevOps and infrastructure operation - from Germany. In particular, the choice of the Open Telekom Cloud as our infrastructure provider has given us a lot of confidence.
We also use microfin as a consultant for tricky risk assessments: for example, we were able to use the ready-made risk assessment for Microsoft 365 in CloudGate and thus introduce MS Teams & Co. more quickly and implement the necessary controls.
The icing on the cake was the whitelabelling option, which contributed significantly to the acceptance of CloudGate among our users: It allowed us to customise the appearance of CloudGate to our corporate CI without any programming effort.
-
"They're on the ball"
I was pleasantly surprised by microfin's response times as early as the preparation phase for the CloudGate trial. Within a few hours, we had a free quote, an NDA and the general terms of use on the table, so that I was able to commission the trial directly, much to the delight of my colleagues.
I then, of course, looked at the pricing model and spoke to microfin about the billing modalities. I was an instant fan of the “Pay as you go” method, which was based on the roles used. The easy-to-control usage billing via the solution itself makes commercial processing much easier for me.
I was also delighted to realise that the role of the user in the First Class Edition of CloudGate can be used free of charge. This is very important for us, as our demand process can basically be initiated by any employee in the company - whether on the business or IT side - so we can't even name the number of users. Simply round!
-
"New ISM yardstick"
We wanted to know exactly what was going on and subjected CloudGate to our tried-and-tested ISM test with more than 200 test points. We looked at all technical and organisational measures, from application to security to access control, in detail.
What can I say: Our expectations were clearly exceeded. microfin set a new benchmark with their answers and we really had nothing to complain about.
Okay, with the Open Telekom Cloud as our partner for infrastructure management, we honestly didn't expect any other result.
We particularly liked the fact that microfin clearly presented the measures for application and infrastructure management separately for each requirement.
Incidentally, we have also discovered CloudGate for ourselves and the providers we audit can now edit our ISM checklists directly in CloudGate. This allows us to see the progress directly and intervene immediately rather than after four to six weeks if the level of detail is not right.
Top!
-
"Compliance in other areas too"
Our Central Outsourcing Management thought the legal and regulatory content in CloudGate was truly good. It's nice, the focus is on outsourcing and IT topics, but there's more to it, I thought at first.
Then I tried out the functionalities around check catalogues and digital checklists and recognised the potential of the predefined answers, question trees, decision support and checkpoint background information.
We have now created a whole series of check catalogues for specialist compliance topics and internal audits ourselves. This helps us to achieve compliance in other subject areas as well - the solution also provides audit security, and we have simply created additional agile boards for the new subject areas, thus separating ourselves very elegantly from the Central Outsourcing Management topics.
Very universal with additional benefits - this inspires me.
-
"Just do it!"
We didn't want to deal with CloudGate in the first place - our thinking was: “Not another risk management system”. However, we bought the argument that risks in connection with managed services, AI or cloud applications are best handled where the onboarding and risk checks are carried out.
We then only adjusted the risk matrix months after launching CloudGate. Unfortunately, quite a few risks had already been identified!
But what can I say: although we adjusted the risk matrix in terms of frequency of occurrence, level of damage and classes, we didn't have to reallocate the recorded risks - CloudGate did that automatically. Someone really put some thought into this. It's brilliant that we can easily record risks for individual services, contracts or providers on an ad hoc basis and that we can immediately see which services are driving our risks and which measures are mitigating them via the central risk dashboard.
Naturally, we wanted to regularly transmit the operational risks from CloudGate to our central risk management system. Fortunately, this was not as difficult as we had feared - microfin provided an interface via the REST API in just a few days.
-
"Finally involved right from the start"
With CloudGate, we finally have the opportunity to test the SaaS solutions that are highly coveted by our specialist departments in terms of ergonomics, performance and behaviour control right from the start. Both we and our HR department were tired of being asked just before a service was released and then having to reject a solution as a last resort.
Now we can scrutinise new solutions in onboarding directly with our own review catalogues in parallel with our colleagues and check them for potential violations of our employees' personal rights.
In doing so, we have learnt that critical reports or telemetry data can be restricted for many solutions to enable them to be used after all.
We were impressed by the fact that microfin had already provided us and HR with corresponding check catalogues when the CloudGate instance was provided. This demonstrates practical experience, and we are now taking off in our new role as innovators and enablers!
-
"Yes, BaFin can ring the bell"
We occasionally have to check the correctness of onboarding decisions or retrace decision-making chains. So it's a good thing that CloudGate has an explicit auditor role for me.
I can look at everything without having to worry about changing something unintentionally: My CloudGate role lets me use CloudGate in ‘read-only’ mode and I'm also the only one who can see the complete audit trail in full and in detail.
What I particularly like is the integrated option for digital signatures. This allows, for example, risk acceptances or production releases to be digitally signed by several responsible parties. This finally means that nothing is printed anymore and we can still prove that we have taken note of or approved something without any doubt.
What a cool thing!
How you benefit from CloudGate
From onboarding new services to controlling and reporting at the touch of a button
Kickstart | You receive a preconfigured CloudGate instance in less than 1 hour and can start directly with your first use case | Collaboration | You break down the silos in your audit areas and enable collaboration - both internally and externally |
Managed Content | You always stay up to date with legal & regulatory requirements | Enablement | You recognise "showstoppers" in audit processes very easily and can eliminate them early on |
Efficiency | You are faster: predefined answers, decision support and conditional questions speed up your checks | Transparency | You delight your management with nimble reports including PDF and Excel exports in just a few clicks |
Flexibility | You can easily customise everything: from workflows, check templates, use case types, to user roles, data categories, risk classes and service types etc. | Monitoring | Never miss anything again: CloudGate reminds you of tasks, checks, measures, risks and monitoring, etc. |
Pay as you go | You only pay for what you use | Bilingual | You work together with your foreign locations in German and English |
Rule-compliant outsourcing in just 6 steps (in accordance with EBA-GL, MIFID II, MiFIR, FISG, KWG, MaRisk, etc.):
1. Onboarding | Your user wants to introduce a new service: They create a new use case for this in CloudGate, check the plausibility of the need for this service in an initial review and specify which data is to be processed in the new service. | 2. Performance classification and materiality analysis | Your customer must answer questions here that lead to a preliminary performance and materiality assessment (isolated HW/SW reference, other external reference, simple or significant outsourcing); this is also a good indicator for you of the subsequent scope of the audit. |
3. Protection needs assessment | Your Data Protection and Information Security departments assess the protection requirements of the data to be processed; they also determine the level of detail of a subsequent risk assessment based on existing certificates or test reports, for example. | 4. Risk assessment | Information Security, Data Protection, IT Architecture, Procurement, Provider Management, Legal, COM and others work together on a database; CloudGate requests a final vote for approval from all the review areas involved, i.e. a decision is forced and you can then conveniently report your intention to outsource directly to the BaFin MVP via XML upload or SOAP. |
5. Contract negotiation | For the negotiations with the providers, the regulatory requirements for the contracts are now clear from steps 2 and 4 and your legal department must confirm compliance with them using a digital checklist; this way, there’s nothing that can come back to bite you later on. If a contract is now concluded, you can report the completion of your outsourcing directly to BaFin from CloudGate. | 6. Control measures in use | Finally, you can easily plan all follow-up audits for the service, the contract, the provider or its sub-providers several years in advance. This helps you not to forget anything and you can look forward to future BaFin audits with peace of mind, as everything is documented in a clean and audit-proof solution |
Rule-compliant outsourcing in just 6 steps (in accordance with EIOPA-GL OS, VAG, MaGo, etc.):
1. Onboarding | Your user wants to introduce a new service: They create a new use case for this in CloudGate, check the plausibility of the need for this service in an initial review and specify which data is to be processed in the new service. | 2. Service classification and importance analysis | Your customer must answer questions here that lead to a preliminary performance and importance assessment (isolated HW/SW reference, other external reference, simple or important outsourcing); this is also a good indicator for you of the subsequent scope of the audit. |
3. Protection needs assessment | Your Data Protection and Information Security departments assess the protection requirements of the data to be processed; they also determine the level of detail of a subsequent risk assessment based on existing certificates or test reports, for example. | 4. Risk assessment | Information Security, Data Protection, IT Architecture, Procurement, Provider Management, Legal, COM and others work together on a database; CloudGate requests a final vote for approval from all the audit areas involved, i.e. a decision is forced and you can then conveniently report your outsourcing directly to the BaFin MVP via XML upload or SOAP. |
5. Contract negotiation | For the negotiations with the providers, the regulatory requirements for the contracts are now clear from steps 2 and 4 and your legal department must confirm compliance with them using a digital checklist; this way, there’s nothing that can come back to bite you later on. | 6. Control measures in use | Finally, you can easily plan all follow-up audits for the service, the contract, the provider or its sub-providers several years in advance; this helps you not to forget anything and you can look forward to future BaFin audits with peace of mind, as everything is documented cleanly and audit-proof in one solution. |
Stay up to date!
Never miss a new IT regulation again
Always up to date for you: our library of current legal and regulatory requirements. From GDPR, BSI C5:2020 or AIC4 to ISO and NIST standards, AI or the many "Digital Acts" of the EU (e.g. DORA), through to checklists according to EIOPA, VAG, MaGo, EBA, KWG, MaRisk and much more.
New are pre-filled test catalogues so that you can get your Google Cloud or your M365 up and running more quickly, for example.
Never miss a new IT regulation again!
1 | Transparency and compliance through the "Central Register" for cloud and AI applications and traditional outsourcing | 2 | Always at the cutting edge of regulatory and legal requirements - at national and European level | 3 | Traceable decisions and paper avoidance thanks to digital signatures for e.g. usage authorisations and risk acceptances |
4 | Convenient and validated BaFin reports via the direct connection to the BaFin reporting & publication portal | 5 | No more effort required to track changes to the general terms and conditions of use of SaaS applications | 6 | Continued use of existing systems (e.g. contract or risk management) thanks to easy integration via REST API |
7 | Clear responsibilities and faster checks thanks to collaboration in digital checklists - even with providers | 8 | Simple management of all risk and monitoring measures with reminder function and reporting, incl. PDF and Excel export | 9 | Simple commercial processing thanks to a usage-based billing model and annual billing |
Functions & features | Economy 99 € (role per month ¹) | Business 119 € (role per month ¹) | First Class 159 € (role per month ¹) |
---|---|---|---|
30 days free trial | Included | Included | Included |
Digital checklists of legal provisions and regulations | Initial | Initial & Updates | Initial & Updates |
Reporting | Standard | Standard Reporting | incl. Excel exports |
Languages | DE or EN | DE or EN | DE & EN & IT & FR |
Support by | Mail best effort | Mail 24h | Phone 4h |
Included storage space | 0.50 TB | 0.75 TB | 1.50 TB |
Minimum number of chargeable roles | 10 | 15 | 20 |
Free roles for "use case owners", i.e. users | - | - | Included |
InApp chats | - | Included | Included |
SCIM-based Sign On (e.g. Microsoft Entra ID, Okta) | - | - | Included |
Publication of risk checks ² | - | - | Included |
REST API | - | - | Included |

¹ Annual billing of roles (one or more per user) plus VAT at the applicable rate
² Provision of own use cases incl. risk checks for other customers
Additional functions | Availability in Economy (net price per month) | Availability in Business (net price per month) | Availability in First Class (net price per month) |
---|---|---|---|
MVP connection: Connection to the BaFin reporting and publication platform | - | - | 159 € |
White labelling: Option to customise the CloudGate GUI to the customer's own corporate design | - | - | 139 € |
You can test CloudGate free of charge for 30 calendar days from registration or provision. For further use, you can choose one of the three editions Economy, Business or First Class. We will inform your test users by e-mail 5 days before the end of the test phase.
No. You register, create users for your assessors, copy assessment catalogues from the template area and start assessing the first use cases. If you wish, you can also customise these test catalogues to suit your requirements. Of course, you can also define your own test catalogues.
All editions can be cancelled with a notice period of 14 days before the end of the annual usage period.
In the First Class edition, the use case owners are free of charge - as many as you need. Use case owners submit e.g. managed service or cloud use cases for onboarding or review and are responsible for them over the entire life cycle of the use case. If you have also booked the BaFin MVP interface for a fee, you can use any number of BaFin notifiers free of charge.
We accept payment on account. We charge the usage fees one year in advance at the end of the trial period. All prices are subject to the applicable rate of VAT.
Yes, users/roles can be logged on and off at any time. Users/roles subject to charges are invoiced in advance from registration until the end of the one-year usage period. Reimbursement on cancellation takes place at the end of the one-year usage period. Regardless of the time of registration or deregistration, full months are always charged or refunded.
Yes, upgrades can be made during the year. A downgrade can be requested in writing at the end of the one-year usage period.
CloudGate currently supports German and English. In the First Class edition, your users can choose the language themselves and use either language. In the other editions, those responsible decide in advance whether to use German or English. Further languages are planned.
Yes, we will support you during testing with training courses, as well as with questions about operation or possible errors. In the Economy edition, you can send us an e-mail at any time. In the Business edition, this is guaranteed to be processed within 24 hours. In the First Class edition, we will call you back within 4 hours.
You can also book training or consulting services with us.
Your data is stored in the Open Telekom Cloud (OTC) at T-Systems in Germany. Upon written request, you will of course receive the exact address.
We protect your data with strong encryption during both transmission and storage. Additionally, users can choose to use their own encryption key ("bring your own key") for data storage encryption. For more information on data security, please refer to our data protection agreement. If desired, we are also happy to conclude a data processing agreement with you.
Yes, you can encrypt your data using a key you provide (setup subject to a fee based on effort).
We back up your data daily. Upon request, restoration of data from the past 14 days is possible at any time through our support.
Your data belongs to you. Data export is available upon request.
Your employees only need three things: an email address, a browser, and an internet connection.
We guarantee 99.9% availability per month. With 720 hours of operation, the maximum downtime per month is less than 1 hour. Maintenance windows are usually scheduled on Fridays from 5:00 p.m. CET with one week’s prior notice.
CloudGate is a SaaS solution with evergreening. Typically, several minor or even major releases are rolled out each month (always backward compatible). Setting up the necessary access permissions for such evergreening in your own data center would be very complex and likely not approved by your ISO — therefore, unfortunately, no.
If you truly need more storage than what is already included in your edition, we can provide additional storage upon request for an additional fee. The applicable T-Systems terms and conditions apply.
You can log in to CloudGate via Microsoft 365, Microsoft Entra ID (formerly Azure AD), or Okta.
Yes, you can use CloudGate’s comprehensive REST API to integrate systems such as your ticketing, contract management, risk management, or architecture management. Your admins can use the built-in, user-friendly test GUI in CloudGate to explore all functions of the REST API. The API covers the full range of CloudGate’s features and objects.
Yes, in the Business and First Class editions, we regularly maintain and update the checklist templates and make them available to all customers in the templates section. In the Economy edition, you have access to the version of the checklists available at the time of registration.
Currently, you can use our templates for the following audit areas: employee protection, compliance, data protection, procurement, information security, IT operations and architecture, provider and cloud management, legal, and regulatory requirements. Of course, you can also combine, rename, or define your own audit areas.
Yes, you can copy the checklist templates and customize them to suit your needs. You can also create and use entirely your own checklists.
We provide you with a wide range of comprehensive checklists—for example, BSI C5:2020 and AIC4, as well as regulatory checklists for banks and insurance companies based on EIOPA, VAG, MaGo, EBA, KWG, MaRisk, DORA, and many more.
Newly added are risk checklists specifically for Google Cloud, developed in collaboration with Google. A prebuilt risk assessment for Microsoft 365 is also available in CloudGate.
We continuously expand this content with new catalogs. All checklists are regularly updated by us to ensure your team always stays up to date.
Yes, various reporting options are available in CloudGate. The Business and First Class editions also include reports specifically required by regulatory authorities. We’re also happy to include your reporting needs in our development roadmap.
For regulated companies, a central register (or central outsourcing register) is available as an inventory. Additionally, a dedicated Use Case Report can be generated for each use case in CloudGate. This report contains all necessary information and can be shared as a PDF with relevant stakeholders and regulatory authorities.

CloudGate
Branimir Brodnik
Enabler and Managing Director
Do you have questions about CloudGate or would you like an insight into the tool? Branimir Brodnik has the answers and looks forward to hearing from you.
Tel +49 6172 177 630