Any good documents for data protection review by IT?

I’m a lecturer at a UK university, and I’m in the process of trying to reassure my IT department that a standard JupyterHub / Kubernetes setup on Google Cloud is:

  • Secure
  • Complies with data protection
  • Can be recovered in case of disaster

Are there any good documents to which I can point the IT department, apart from ? Does anyone have experience of this process, and advice to offer? Would it be worth setting up a repository for this kind of administrative documents? Is there a good Google Cloud contact who has experience of this, and who can help?