Data Residency: Building Your Global Strategy

On September 22, 2016, Zuora, Inc, the world’s leading provider of subscription billing, commerce, and finance solutions, announced their future plans to establish a European data center to host their European customers. Here Zuora VP & CSO Pritesh Parekh discusses how to approach building a data residency global strategy and asks 10 key questions that help determine the type of data center solution that most fits your business.

Originally published in Information Management.

All businesses must make it a priority to maintain rigorous standards for data protection. But when it comes to the “how,” there are many options from which to choose. Making the best selection for your business requires you to assess the various business drivers, understand all relevant regulations, and do your due diligence on the available options for data access and storage.

business decision drivers

When you’re thinking of establishing a data center, you need to first evaluate the inputs that are driving this decision, for example:

  • Sales. Is the location of your data center creating friction in your sales cycle? Is your sales team facing international customers and/or larger US companies with a global presence who make demands for local or regional data centers?
  • Customers. Data sovereignty is a big concern in many countries. Is this an issue for your global customers? Are there countries where your business does or does not want to have a physical presence?
  • Technology/Operations. Are there scalability, performance, or other system operations considerations to consider when establishing a new data center location? • Cost. Of course, cost will be a consideration for all of the decisions we are discussing.

Regulatory Considerations

Global data protection law seems to be in a constant state of flux, with no one-size-fits-all answers. To operate internationally, you’ll need to hold yourself to the highest standards of compliance with privacy regulations across every region and country in which you do business. You’ll have to work closely with a legal team that has a global perspective, to understand your options for complying with these standards:

  • Changing Regulations. As an example, when The U.S. – EU Safe Harbor was invalidated in October 2015, U.S. companies doing business in the EU were left with a patchwork of options for transferring EU data, including Model Commercial Clauses, Privacy Shield and others, each with their own pros and cons. If you’re going to be a global company, you need to thoroughly understand your options in a changing legal landscape.
  • Data Center Location. Customers and regulators hold international companies — particularly those based in the U.S. — to the highest standards of compliance with national and regional privacy and data transfer regulations. Depending on circumstances, the location of your data centers can solve (or complicate) these issues dramatically.

assessing the options

Across industries, there’s a broad spectrum of interpretations of privacy and data regulations. This leads to a variety of options in terms of how businesses understand and integrate the requirements. Using EU regulations as an example, few of the available options for data centers could be seen as falling somewhere on a continuum, where each option presents unique regulatory and operational challenges and advantages that will differ from company to company:

Option 1 – Open a data center in Europe and store EU-based data there. The data may still need to be accessed by your personnel outside the EU for support, billing, etc. This option may satisfy the business objectives of your sales team and customers, but may not resolve regulatory issues.

Option 2 – Open a data center in EU as with Option 1, and also incur the additional operational and personnel costs of having support staff in EU. Assure that all data processing is done in the EU. This may provide further solutions to business and regulatory concerns, but is by no means a silver bullet.

Option 3 – Open an outsourced data center in the EU, run by an EU-based entity. However, there will still be regulatory hurdles, due to your company’s ties to the US or the cloud service provider’s ties to the U.S. Microsoft, as an example, has spent millions of dollars creating a data center network using European entities that arguably has no corporate connection to the US. This kind of solution is not without regulatory concerns as well, and would be prohibitively expensive for all but the largest enterprises.

Colocation vs cloud

Another important consideration is whether to have the international data center be colo or cloud, most common of which is AWS (Amazon Web Services), the largest cloud service provider.

The trend is moving to the cloud, primarily because of ease of deployment: with cloud, you can bring up services literally in a matter of seconds rather than spending months building hardware and infrastructure before you can even begin to prepare your applications for deployment. With cloud, you just need to manage deployment.

Cloud is also a popular choice for security reasons. Amazon spends millions of dollars on security, which all their cloud customers benefit from. If you had to build your own security in different data centers — under a heterogenous model equipped to manage different security concerns in different regions – that would be very difficult to manage. AWS supplies a staple security model which can be used across countries. Leveraging their security stack and building security programs on top of that is powerful, as well as fast.

Colo/Cloud Audit: 10 Questions

To help you make the decision of colo versus cloud, below are a set of key questions for consideration. I highly recommend that you go through the exercise of answering these questions internally as well as sharing this out with peers in similar companies for their input for a more comprehensive view.

1. What regulatory requirements do we have for the data/location/technology? Consider Safe Harbor, Data Residency, Patriot Act and other regulations.

2. How many customers to-date have pushed back on an public cloud strategy? Since customers are a key driver in this decision making process, it’s important to be aware of — and carefully consider any — customer concerns. It’s also pretty enlightening to hear what customers of related companies are saying.

3. What are the security or other concerns we’re hearing today around running on public cloud? In addition to customer input, what other concerns are bubbling up around public cloud strategy — and are they valid?

4. What are other SaaS companies, large and small, doing in this area? Why? And how did they arrive at their decision? This question will help you to uncover relevant companies who may be willing to participate in your audit. Input from your peers might also reveal good insights.

5. What does risk allocation look like with a colo or with an public cloud relationship? Do a review of what risks your company would have to bear in terms of data breaches, etc.

6. What would be the cost of operating fully in public cloud versus a pure colo solution? And would this change by the number of colos you support? You’ll also want to consider if/how costs could be mitigated, and what the trade-offs are in terms of cost.

7. What countries have issues with data residency in a non on-premise solution? Does storing data locally address the concerns or does it need a complete separation (separate local Support, Operations etc)? Is complete separation really necessary from a storage and access standpoint?

8. Does an on-premise colo solution matter if we are still a US-based company? This could mean does it matter from an actual legal/regulatory perspective, or just in terms of customer/prospect perception.

9. How does storing data locally impact data residency and data transfer regulations? Consider U.S. laws and regulations, as well as those in the EU or other countries in which your company does (or will do) business.

10. What are public cloud providers like AWS doing to help its cloud customers be compliant in EU? Companies that are already using public cloud providers can provide their personal perspective.

The question of data residency is really a broad company issue that’s about much more than just security. It’s up to each individual company to interpret the regulations and assess their own drivers to make a united decision about their particular data center needs.

Keep Learning

The Ultimate Guide to Monthly Recurring Revenue (MRR)
What ASC 606 means for revenue recognition
Understanding material weakness in internal control for finance
SaaS pricing models: A comprehensive monetization guide