Sovereign Cloud to Ensure SaaS Data Residency in EEA
The European Court of Justice decided in the Schrems II judgment that additional measures are required for transferring Personally Identifiable Information (PII) to countries outside the EU/EEA. Here is Ambassify's response.
Ambassify has received multiple questions from customers about the measures we will take in light of the European Court's Schrems II verdict on data transfers to third countries.
The European Court of Justice decided in the Schrems II judgment that additional measures are required for transferring Personally Identifiable Information (PII) to countries outside the EU/EEA.
A valid transfer basis such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) is no longer sufficient.
What these “supplementary measures” actually mean in practice is currently unclear.
The current situation using U.S. vendors – hosting data in the EU
Ambassify’s strategic cloud hosting providers (AWS and Salesforce) host data in data centers within the EU/EEA. This means that customer data from Ambassify services and products, including backups of customer data, is processed within the EU/EEA only.
Ambassify controls access to customer data in AWS and Salesforce. The cloud hosting provider’s personnel are not granted access to customer data. Ambassify does not transfer customer data outside the EU/EEA, nor does Ambassify instruct our cloud hosting providers to do so.
The risk regarding using U.S. vendors – CLOUD Act
Another topic Ambassify receives questions about is the CLOUD Act. Vendors like Amazon and Salesforce are based in the U.S. and are therefore subject to U.S. law, including the CLOUD Act.
The CLOUD Act does not grant U.S. law enforcement agencies unrestricted access to data stored in the cloud, inside or outside the U.S.
American law enforcement agencies can compel service providers to provide data only by meeting the rigorous legal standards for a warrant issued by a U.S. court. U.S. law sets a high bar for obtaining a warrant, requiring that an independent judge conclude that law enforcement has reasonable grounds to request the information, that the information requested directly relates to a crime under U.S. law, and that the request is clear, accurate, and proportional. These are international legal principles and not a specific U.S. vendor risk: any authority from any country in the world is free to file a request for access to data with a cloud vendor, including Norwegian tax authorities or the Swedish police.
Our strategic cloud hosting providers have a strong commercial interest in not disclosing data to any authorities. Cloud providers’ business, including their aim to further increase market shares within the public sector, relies on customers' trust that their data is kept strictly confidential.
Thus, Ambassify’s hosting providers have included contractual commitments to challenge government requests for data if they were to receive a court order.
In any case, Ambassify controls access to customer data. The vendor's personnel are not granted access to customer data. This means that if an Ambassify vendor receives a court order, and their challenge of it is not successful, they have to notify Ambassify and ask for Ambassify's approval to access data. In such cases, Ambassify would fight the request and inform the affected customers. Ambassify has not received any such requests.
Since the beginning of this year, we have been investigating a few future-proof solutions. Currently, our internal legal, security, and technical teams are analyzing this topic, as we recognize it is critical for our customer base. However, we want to think these decisions through to minimize the impact on the continuity of the business and our existing customers.
We also closely follow this topic to get a clearer understanding from the ECJ of what it defines as supplementary measures and how future-proof they are regarding potential future legislative decisions.
Below you will find a few of the different solutions we are looking into for our 2023 roadmap.
Data protection as a service
Sovereignty is not easy to implement. However, this does not mean it is incompatible with storing data with a cloud provider.
European Cloud Hosting
OpenStack is open-source cloud software that you, as an organization, can use to roll out your own cloud. For most organizations, this will be a bridge too far, but some companies already offer a managed version of OpenStack in the EU. This way, you can benefit from a sovereign cloud solution fully managed and running in the EU.
Currently, one of the providers of this is Deutsche Telekom in the form of Open Telekom Cloud.
A similar offering will be available from Oracle, which is launching sovereign cloud regions for the European Union.
Hybrid cloud solution
This solution refers to using two or more cloud providers, where the most sensitive data is stored at a sovereign EU-based vendor while the public cloud provides flexibility for other types of data.
As mentioned, there are a lot of questions that have to be answered before making any major decision regarding this topic.
- What will the impact on our platform pricing be? The volume that the big three US cloud providers have gives them the added advantage of pricing power. There is a big chance that a move to an EU vendor will increase our infrastructure cost and, consequently, our license pricing.
- As a long-term customer of AWS, we cannot decide to switch vendors overnight. What about security, stability, and internal processes, and how will these impact our business continuity?
- How will we retrain personnel so that they are comfortable working with these new environments and tools?
One thing is sure: we will take the steps needed to stay compliant with current and future decisions of the European Court of Justice.
Ensuring all our customer data is stored and processed in a compliant way has been and will stay one of Ambassify's priorities.