I'd really like to bring the thread back on track - my original desire was that any SaaS business owners treating cross-border personal information share tips or experience on how they're doing it, both from legal and technical standpoints. I believe we've covered enough justification of why this is worth discussing.
From here on, if you'd like to debate whether or not you believe data sovereignty is a pertinent issue, or if the issue even exists, I'd kindly ask you to start your own thread.
Personally, I'm dealing with EU, China, and no-sovereignty-law zones. I'm running everything out of EU datacenters at the moment, and now that China has recently passed their own data sovereignty laws my clients are scrambling to audit their data warehousing and also subcontractors that process personal info. At this stage, I'm looking at writing a database router for my application, adding a few columns to client profiles to enable them to set data locality preferences, and saving and retrieving the data on a Chinese VPS. This is aggravating, because:
- That's a lot of work, and it's unclear if I'll be able to bill it
- Chinese VPSes cost a mint compared to other options
- The db server would be exposed to the internet (yes, I'd shut everything off except opening the db port to the app server IP, but it's still less secure than in a private network).