AI system location
What should your startup disclose about where your data is stored?
Why does data location matter to startups? (financial and licensing penalties; reputation)
It is likely that much of the data controlled by your company is stored in the cloud, by services such as AWS or Google Cloud, or in virtual data rooms. These services are brilliant tools, but using them takes a little time and attention to ensure regulatory compliance (GDPR, for example) and to maintain user trust.
What do your customers need to know?
There’s a lot of emphasis on transparency and disclosure in the data handling space. While this is very important in terms of building trust and remaining compliant, publicising company information is, of course, not without its pitfalls.
Your company does not want to give out so much information that it leaves itself vulnerable to security issues. There are also questions of protecting IP, avoiding exposure of backend infrastructure and proprietary algorithms, and staying competitive. Generally, be careful about exposing information that isn’t already in the public domain or published.
This said, there are certain things you want to make sure you are communicating to clients. This includes:
- Which vendors you use
  - Cloud processing such as Amazon Web Services or Google Cloud Platform
  - LLMs such as OpenAI or Anthropic
  - Email providers such as Loops or Mailchimp
- Where the data is being stored and processed
  - Name the country where data physically resides in a data center
- How you have verified your trust for this vendor
  - A statement in your privacy policy or trust page on how you assess vendors you use
- A window of opportunity for customers to be notified of new vendors and, if they so choose, to reject their usage
The aim is to communicate enough for your customers to have confidence in your data use and processing; for example, that their data isn’t being sold onwards without their knowledge or consent. Explaining that your company knows its own data flows does a lot to reassure clients, showing that you maintain control and the ability to step in to protect their privacy.
Industry considerations
Choosing a location for your contracted data processing unit becomes a particularly acute issue in certain industries. Healthcare services, financial services and legal services, for instance, are industries which often require personal data to remain in data centers in a certain country.
Customer (and jurisdictional) considerations
The location of data subjects is also crucial. The jurisdiction in which they reside will have its own demands as to where their data may or may not be stored. For instance, if you handle the personal data of EU residents, the personal data can only be transferred outside of the EEA with certain safeguards in place.

