Never before has it been so easy to create online services. The technology to set up websites and various functionalities is at hand and the efforts for research and setup of a best possible web service are much lower than just some years ago. We love the simplicity of services like Firebase and Netlify.
Easily kickstarting your company comes with a certain price though. You may face vendor lock-in or privacy rights issues to only mention two problems scratching the surface when working in the world of someone-else's computer.
As a germany based startup we are looking into what options we have to mitigate issues like these from the beginning. If you ask Twitter tech people what services you should use, there might instantly be a biased list of providers worldwide.
Picking out some of the most popular IaaS and PaaS providers we also took a look into their imprints. Funny parts first: those providers might not even have an imprint (as it is not required outside of german-speaking territories, see (1) below) or a section stating their GDPR handling (2). Are they able to ensure compliance? They should, of course. Right?
It becomes difficult if you look at it from the perspective of an organization within the European Union. There you have one of the strictest data protection policies worldwide. Assessing and using any IaaS/PaaS/SaaS or other cloud services is not that easy to find out. Can I use Cloud Provider X for my business? I would not sweepingly answer that for you but let's have a look.
Starting with the giants:
Amazon Web Services
- Imprint: On aws.amazon.com I could not find any imprint page. There are pages for contact, support, policys, data protection and, terms of use though.
- EU GDPR compliant: According to AWS all services are "GDPR ready" (Aug, 2020)
- Headquarter Location (3): Seattle, Washington, USA
- Was hard to find on the website: no
- Has offices within the EU: Yes, Luxemburg
- Data Centers within the EU: Yes, multiple locations, obliges Cloud-Act (4)
Microsoft Azure
- Imprint: Yes, links to the imprint of microsoft.com
- EU GDPR compliant: Providing portals for help to use GDPR compliant services. Which implies that it lies in the hands of the user what to make out of it. (Aug, 2020)
- Headquarter Location: Redmond, Washington, USA
- Was hard to find on the website: not at all
- Has offices within the EU: Yes
- Data Centers within the EU: Yes, obliges Cloud-Act (4) and Sovereign Clouds (6)
Google Cloud
- Imprint: cloud.google.com does not show an imprint on the first page. Via google.com it was possible to reach it, yes.
- EU GDPR compliant: committed to GDPR on G Suite and Google Cloud Platform (Aug, 2020)
- Headquarter Location: Could not find headquarter information. Imprint refers to Google Ireland Limited, Dublin, Ireland
- Was hard to find on the website: Could not find headquarter address for Google LLC or Alphabet
- Has offices within the EU: Yes, multiple offices
- Data Centers within the EU: Yes, obliges Cloud-Act (4)
The above three are doing a lot to make it possible for international clients to use their services. According to news (5) EU based financial institutions are working together with Google and Microsoft which says a lot about contractual possibilities that could be negotiated. It also says that companies are not completely required to go out of service or move to other providers. The European Banking Authority puts the strictest requirements in auditing for moving core activities into cloud services.
Let's continue with some other popular public cloud providers:
DigitalOcean
- Imprint: digitalocean.com does not show an imprint. There are pages for support, about and legal though.
- EU GDPR compliant: Supports GDPR (Aug, 2020)
- Headquarter location: New York, NY, USA
- Was hard to find on the website: On the very end of the terms page
- Has offices within the EU: -
- Data Centers within the EU: Yes, obliges Cloud-Act (4)
Heroku
- Imprint: Not on heroku.com to be found. Thera are pages for terms of use and legal information though.
- EU GDPR compliant: Compliance with GDPR (Aug, 2020)
- Headquarter location: salesforce.com inc. San Francisco, California, USA
- Was hard to find on the website: Privacy page link leads to Salesforce. There they make it quite clear, calling it "Worldwide Corporate Headquarters"
- Has offices within the EU: Salesforce, Yes
- Data Centers within the EU: Yes, obliges Cloud-Act (4)
Annex
Note: If you find any errors or wrongdoing to any of the listed providers, please inform me so I can make the according correction. This article does not serve the purpose of harming any company but to help organizations find their way to educated decisions and compliant use of personal data with services.
1) Imprint In german speaking countries like Germany, Switzerland and Austria (Impressum) required as a legally mandated statement for ownership and authorship for publications including websites.
2) GDPR General Data Protection Regulation is a regulation for data protection and privacy within the EU and EEA. I would refer to that throughout the post but am open to add infos on regulations from other countries.
3) The headquarter location is important if you have to clarify within GDPR where the data of your employees and customers are stored. Let's say your company obliges to GDPR, the law does allow data transfer outside of the EU only when certain criteria are met by the company or country for required data protection.
4) Cloud-Act: Other than GDPR which is EU law there is a US law called Clarifying Lawful Overseas Use of Data Act (Cloud-Act) following the Patriot Act. It allows US Intelligence to access data from US comanies on their data centeres and subsidiary companies all over the world. This is to consider if you have business critical information and ask yourself if it belongs to a "foreign cloud".
5) News articles
Cooperation with announcement effect: Deutsche Börse relies on Microsoft-Cloud Körner, Andreas: "Kooperation mit Signalwirkung: Deutsche Börse setzt auf Microsoft-Cloud", Handelsblatt, 6.5.2019
Deutsche Bank expects a billion-dollar profit from Google cooperation Schneider, Katharina; Demling, Alexander: "Deutsche Bank verspricht sich von Google-Kooperation einen Millardengewinn", Handelsblatt, 17.7.2020
6) Sovereign Clouds or National Clouds are terms used by Microsoft Azure to differentiate Services which serve the purpose of required compliance by following the law of the country where the servers are geographically located. See: docs.microsoft.com/de-de/azure/active-direc..