Question

How can a cloud-based solution achieve regulatory compliance with respect to data storage locality?

Context

Different legal and regulatory requirements and standards in different geographic regions might call for specific types of data to be physically stored in a designated country/legal jurisdiction. For example, EU GDPR differentiates between data storage and transfer within the EU boundaries and the export and storage of data outside of the EU.

Solution

Cloud providers offer their services with location tags. When instantiating a service, the cloud user can choose the geographic location, which is specified by a regional designation (e.g. EU-West). While cloud providers usually do not advertise the exact physical location of their data centres, they do provide guarantees that a geographic location designation falls under a certain legal jurisdiction. Geographic designations, however, do not extend to cover all cloud services; large cloud environments remain at least partially location-agnostic, especially for the services that need to have dispersed infrastructure to ensure functionality, such as DNS or Web Application Firewalls.
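One way to audit a resource inventory against the regional designations described above, as an added example that is not part of the original page or any provider's tooling. The region-to-jurisdiction map, the data classes, the policy and the inventory records are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: jurisdiction the provider guarantees for each regional designation.
REGION_JURISDICTION = {"eu-west": "EU", "eu-central": "EU", "us-east": "US"}
# Assumption: jurisdictions allowed per data class; None means unrestricted.
POLICY = {"personal": {"EU"}, "public": None}


@dataclass
class Resource:
    name: str
    service: str
    region: Optional[str]  # None: location-agnostic service (e.g. DNS, WAF)
    data_class: str


def check_locality(resources, policy=POLICY, regions=REGION_JURISDICTION):
    """Return (resource name, finding code) for every locality violation."""
    findings = []
    for res in resources:
        if res.data_class not in policy:
            # Unlabelled data cannot be matched to a rule, so it is flagged.
            findings.append((res.name, "UNCLASSIFIED_DATA"))
            continue
        allowed = policy[res.data_class]
        if allowed is None:
            continue  # no locality restriction for this data class
        if res.region is None:
            # Restricted data held by a service with no regional guarantee.
            findings.append((res.name, "LOCATION_AGNOSTIC_SERVICE"))
            continue
        jurisdiction = regions.get(res.region.strip().lower())
        if jurisdiction is None:
            findings.append((res.name, "UNKNOWN_REGION"))
        elif jurisdiction not in allowed:
            findings.append((res.name, "OUT_OF_JURISDICTION"))
    return findings


# Constructed inventory, as it might be exported from a tagging report.
INVENTORY = [
    Resource("customer-db", "database", "EU-West", "personal"),
    Resource("analytics-bucket", "object-storage", "us-east", "personal"),
    Resource("edge-waf-logs", "waf", None, "personal"),
    Resource("public-zone", "dns", None, "public"),
    Resource("backup-vault", "object-storage", "ap-south", "personal"),
    Resource("scratch-disk", "block-storage", "eu-central", "unlabelled"),
]
```

Calling `check_locality(INVENTORY)` returns one finding per non-compliant resource; the unknown-region and location-agnostic cases fail closed because no jurisdiction guarantee can be established for them.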

References

GDPR EU - www.eugdpr.org
AWS GDPR compliance - aws.amazon.com

Compliance and Regulatory Navigation