In the midst of a global pandemic, with many parts of the world still under lockdown conditions, we can all appreciate how technology enables us to stay connected with our friends, family, and colleagues across the globe.

Every online communication, however, requires the transfer of data, often across international borders. From data privacy in the news to recent legislation, such as Europe’s GDPR and California’s CCPA, most of us are at least tangentially aware that the handling of data has both personal and organizational consequences.

But many people also find this continually changing arena confusing — understandably. One such area of confusion is the role played by technology providers, such as Sitecore, versus the role of those who purchase and use this technology.

The choice is yours

We consistently run into confusion around one question in particular: who chooses where my customer data is located, Sitecore or our organization? The simple answer is that our customers do — based on our approved list of data centers. And that choice will determine the costs, as data centers have different pricing structures.

Keep reading to learn more about this important and often misunderstood aspect of data management within Sitecore.

What is data localization?

Data localization laws, also knowns as data residency laws, require data related to a specific region to be processed and/or retained in that country. Varying by country, these laws cover diverse kinds of data from limited types, such as health or financial information, to all personal data no matter the type.

It isn’t only different types of data that these laws cover. There are also a variety of regulations around what can be done with the data. Some laws, for example, block certain datasets from leaving the country completely, while other laws allow data to be transferred but only if master copies are kept in the country. (No wonder people are confused!)

The variety and nuance of countries’ specific data localization laws can be a challenge for businesses to manage, depending on their processing infrastructure and where their customers are based.

Where is customer data hosted?

At Sitecore, we strive to empower our customers to choose the right approach to managing their customer’s data based on their unique business model.

When a customer deploys Sitecore, they select the appropriate data center for their customer data, and we note this in our Order Forms. Sitecore keeps the data in that location until the customer instructs us to transfer it to another data center, which they have selected.

There’s one other critical fact to remember: Each data center has its own pricing model, which directly affects the price Sitecore customers pay for storing their customer data.

How are cross-border data transfers managed?

Let’s take a look at the way data transfers are managed using Sitecore.

EU to US

When we transfer data from the EU to the US, we do so in compliance with the Standard Contractual Clauses (SCCs), which remain valid (for now), with additional supplementary measures. These measures ensure adequate safeguards1 that minimize the risk that US authorities would access our data.

  • Takeaway: The Schrems II ruling doesn’t change your ability to transfer data today between the EU and US — meaning you don’t need to worry or take any action at this time. (You can read more about the Schrems II ruling here.)

Brexit effects

We’re closely monitoring developments of the drafted adequacy decision to allow for the continued free flow of personal data from the EU into the UK. In the meantime, the UK is still able to receive data from the EU under the adequacy bridge agreed in the 2020 trade and cooperation agreement.

This means UK customers can choose a UK data center or an EU data center, while relying on the SCCs. It also means non-UK global customers who are collecting data from the UK can store it in an EU data center. (It’s worth repeating, again, that prices will vary depending on the data center your organization chooses.)

Other regions

Customers in other regions and sectors may have different needs for managing their data in accordance with their country-specific compliance programs. No matter your compliance requirements, we have you covered.

Given current data laws, Sitecore does not currently offer products in China or Russia.

1. When responding to third-party requests for access to data stored in a cloud environment, whether as part of civil litigation or criminal procedure, in any subpoena or otherwise, we follow defined protocols. We strongly believe that these satisfy the requirements of “additional safeguards,” which may be required to ensure the validity of the SCCs. These protocols include:

  • Establishing clear processes for responding to government requests
  • Requiring government requests to be narrow
  • Ensuring that government requests are lawful
  • To the extent permitted by law, tell customers about government requests that impact their data or environments
  • Rejecting or contesting invalid government requests if we believe that a request is invalid

All responses to any government requests are provided by Sitecore’s Legal Team, with the assistance of outside counsel when appropriate, to ensure we can comply with the obligations of applicable laws and pursuant to the provisions of customer contracts.

Rachael is Senior Director, Legal Counsel (Global Privacy and Data Security) at Sitecore, where she manages the company’s internal data governance program and advises on global privacy, data protection, and cybersecurity matters. Follow her on on LinkedIn