Part 1) Storage of files

When you host data with anyone (Microsoft, your Dataroom, file transfer), the files sit on a bunch of servers, and it's important to know where those servers are. Most providers are cloud-first, and will literally store stuff everywhere.

For your data there will be the storage servers, the OCR servers, the AI servers and the search indexing servers. All of these servers will parse each of your files. For the users of the service who log in, there are also the login servers and all the marketing servers. It's common for a cloud provider to have in excess of 20 sub-processors, all over the globe.

That doesn't always play well with a whole raft of compliance legislation: GDPR (EU/UK), HIPAA (USA), CPRA (California), POPIA (South Africa), the Privacy Act (Australia), etc.

Here’s some example terms from some major providers.

Dropbox terms

Around the world. To provide you with the Services, we may store, process and transmit data in the United States and locations around the world – including those outside your country. Data may also be stored locally on the devices that you use to access the Services.

Ansarada privacy

Ansarada storage entities – Amazon US, Microsoft US, Oracle US. We couldn't find the actual locations.

The Parties acknowledge that Ansarada is located in a territory outside of the EEA and the United Kingdom that is not an Adequate Territory under the GDPR or the UK GDPR. Any personal data transfer from the EEA to a location outside the EEA in a country or territory that is not an Adequate Territory, shall be subject to the Model Clauses (Module I: Controller to Controller when Ansarada is controller, and Module II: Controller to Processor when Ansarada is processor)

So when you upload any file with personal data to many cloud providers, it will almost certainly go to the US, and most likely other locations. This is a problem from a GDPR (or enter your local legislation here!) perspective, and if one staff member or client finds out their data is overseas without all the necessary paperwork in place, there could be trouble (let alone the regulatory bodies).

So no matter what confidentiality terms are in place, unredacted personal data is most likely being sent overseas before anyone has even looked at it!

Storage with Projectfusion and safedrop

Projectfusion storage – location of your choice (usually UK, France, Germany or Canada)

When we talk about the content you upload (you're the Controller, and we're the Processor) it's very simple. Everything is hosted in the location you request – UK, France, the US (or 27 other locations). That's everything. There are no international transfers required. French data stays in France. End of.

Part 2) File sharing

OK, so that's storage. Now let's look at the transaction or file share. With Projectfusion, nothing is going to leave your location choice unless you or the recipient put it there, so…

So this is where it gets harder.

You’re going to need a bunch of stuff in place, the core things:

Legal stuff, at a minimum:

Technical considerations:

Can I restrict access to say just UK IP addresses?

We can do this with Projectfusion and safedrop, but it's not bulletproof – recipients may use VPNs to appear to be in the UK. We try to block the VPNs, but it can cause issues.

How does Projectfusion and safedrop help me?

Need more?

CMS publish a great pre-M&A transaction checklist here: https://cms.law/en/media/local/cms-hs/files/publications/broschueren/checklist-mua-und-gdpr-04-2020
