An agent of the European Union Delegation in a third country uses a public cloud service to manage confidential documents related to diplomatic negotiations. The agent must ensure that, in the event of a security breach, the EU maintains exclusive control over the data and that the service provider cannot access the data without authorization, even under request from local authorities or the provider itself. According to EU data protection principles (GDPR) and best practices for cloud security applicable to EU institutions, which of the following technical and contractual measures is the MOST effective to guarantee that the cloud provider cannot decrypt or access the data at any time?