Do you know where (country, location, hosting partner) your SaaS vendor stores your data? Not all SaaS providers openly share this information. Yet, with the PRISM fallout in full force and Dutch minister of the interior Plasterk narrowly escaping a vote of no confidence this week over collecting and sharing 1.8 million records of metadata with the NSA, potential customers are likely very interested in knowing where, with whom and under which country’s jurisdiction their data will be stored. We found that 34 percent of Dutch SaaS vendors that do not manage their own compute infrastructure already have their production site hosted outside the Netherlands (see Figure below).
Not surprisingly, the Netherlands is the number one location with 66 percent of SaaS production sites. The US is the second most popular location with 21 percent. The UK comes third (6 percent), Ireland fourth (4 percent) and 3 percent have a hosting site location in Germany.
Should you care where and with whom your data is located? Yes, you should. When evaluating SaaS vendors it is important to understand whether they own their infrastructure, which hosting partner they use if they do not, and in which data centres that infrastructure, their own or their hosting partner's, is located. As we wrote earlier, digital data depends on robust digital infrastructure. You should also know which jurisdiction(s), rules and regulations your data resides under.
Are you automatically safe when your data is stored in a Dutch data centre? No. First, you need to have assurance that this really is the case. Second, you need to make sure the data centre and hosting partner have a robust infrastructure. As Wilson Pickett already sang in 1966: ninety-nine and a half just won’t do. Third, even if your data is stored in the Netherlands, your data needs to be encrypted and you should be the only one with the key. The PATRIOT Act and the Foreign Intelligence Surveillance Act (FISA) allow the NSA to tap into data that is not physically located in the USA as long as the data is stored with a US company. And as Dutch weblog De Correspondent shows, there are plenty of those around in the Netherlands (and other countries).
Bottom line: location matters in terms of jurisdiction, compliance, robustness and response time. If you do not want anybody to have unauthorised access to your data, you should make sure it is encrypted and that you have the only key.