Cross-border cloud: where your data physically is and how to verify it

Cloud services eliminate the need to run your own servers, hire administrators, and think about physical infrastructure. That is a genuine and understandable advantage. But alongside it, a company takes on a new type of uncertainty: exactly where the data is, who has physical and logical access to it, and how any of that can be verified.

When data sat in your own server cabinet, the answers to those questions were obvious. When data moves to the cloud - and especially to a foreign provider's cloud - the questions remain, but the answers become considerably less clear. The starting point is understanding what the cloud SLA actually says - and what it deliberately leaves out.

What specifically raises questions

The first question is physical location. Most large cloud providers operate through global networks of data centres. Data may be replicated across regions for resilience. Unless the storage region is explicitly specified and fixed in a contract, a company cannot be certain its data does not cross into a different jurisdiction.

The second question is provider-employee access. Engineers and support staff at a cloud provider may have technical access to customer data when servicing the infrastructure. How restricted, logged, and audited that access is - is a material question that rarely gets discussed before an incident.

The third question is jurisdictional access rights. A company operating under one country's jurisdiction may be legally required to hand over customer data in response to a government request - even if the customer is in another country. This is not a hypothetical scenario. It is a real legal risk that varies depending on the provider's jurisdiction.

Why this is a management question, not only a technical one

IT can select a technically reliable provider. But the decision about where to store customer data, which categories of data are acceptable in a foreign cloud, and what contractual guarantees are required - that is not an IT decision. It is a decision with legal and reputational consequences.

Companies handling personal data of individuals, financial information, or public-sector data often have regulatory data localisation requirements. Violating those requirements is not a technical failure - it is a compliance problem.

But even where there are no regulatory requirements, the trust question is a business one. If a client asks where their data is stored - "in the cloud" is not an answer.

What can be verified and what has to be taken on trust

Some things are verifiable. A contract with the provider can and should specify: the storage region, conditions for provider-employee access, procedures when government requests arrive, and terms for data deletion on contract termination. The questions to ask a cloud provider before trusting it with data mostly apply here too, with the jurisdictional dimension added on top.

The existence of independent security audits and certifications - SOC 2, ISO 27001 - provides some confidence that processes exist and are reviewed by a third party.

But much still comes down to trust. A provider declares policies - whether each engineer and each operation actually follows them cannot be fully verified from the outside. That should be honestly acknowledged when deciding where to place sensitive data.

How to approach the choice

The right approach starts with data classification. Not all data is equally sensitive. Marketing materials and public documents are one category. Customer personal data, financial records, and commercial secrets are another. The rules for handling them should differ.

For sensitive categories, it is worth asking the provider specific questions and getting the answers in contractual form, not only in marketing materials. If a provider is not willing to put the answers in writing in a contract - that itself is information for the decision.

Questions to ask the provider

Before placing sensitive data in the cloud, it is worth getting written answers to the following:

1. In which specific region or country will the data be stored?
2. Can the provider guarantee that data will not leave that jurisdiction without notification?
3. What access do provider employees have to customer data, and how is that access controlled?
4. How does the provider respond to a government request for access to customer data?
5. What happens to data when the contract ends - timelines and confirmation of deletion?

If there are no clear answers to these questions, trust in the arrangement is built on hope, not on agreements.