Over the last two years more and more clients have requested that we assist them with moving some or all of their business services to the "cloud." Some of these clients want to use a service that would result in sensitive information being stored on the servers of a third-party service provider, such as web-based email, Salesforce.com or Google Docs. As much as each of these businesses has heavily debated the pros and cons of moving to the cloud, rarely do they consider where the cloud is physically located.
The financial and health industries have always focused on thinking through where their protected data is located. There is a sophisticated legal framework dealing with prohibitions on the storage of sensitive data on foreign soil, such as financial, import-export or healthcare rules and regulations. For example, a well-thought-out online services agreement for a financial institution should have a strict prohibition on storage of data in certain countries or a country other than where the financial institution is located.
However, businesses do not always consider that the information stored in a cloud-based service may be physically located on servers not situated in the United States. Having your business information located in a foreign country can easily (very, very easily) lead to loss, unauthorized private and governmental access, and the tripping of a myriad of existing laws, rules and regulations.
The Software Advice Blog has a recent post that highlights some of the considerations a business should weigh when evaluating the storage of data in a cloud-based service. Because the decision-making process for each business is unique, no blog post is going to give you all of the answers. But the examples here and in the entry on Software Advice do give you some idea of what your business should be considering.
A final note is that the physical location of cloud-based servers is relevant at all times, not just when you have offices, employees or services based in other countries. You may know that you are dealing with a company based in your home country, but you should not assume that the servers used by that company are also based in your home country.