Guider

A GDPR checklist for choosing a cloud: 10 questions for your provider

Before you put personal data in a cloud, ask these ten questions. The answers quickly reveal whether a provider truly stands for GDPR or just says so.

GDPR compliance isn’t decided by a logo on a page — it’s decided by the structure behind it. Here are ten questions to ask a cloud provider before personal data moves in. The answers quickly separate the prepared from the hopeful.

Jurisdiction and ownership

  • Under which jurisdiction does the company sit — and the entire ownership chain?
  • Is there a parent outside the EU that could fall under the CLOUD Act or similar?
  • Does the provider own the hardware, or is capacity rented on a third party’s stack?

Data, keys and processors

  • Is there a data processing agreement, and what does it say about sub-processors?
  • Where are the encryption keys held, and can anyone outside the EU reach them?
  • Which sub-processors are used, and in which countries do they sit?
  • Does any transfer to a third country occur — and if so, on what basis?

Rights and exit

  • How are deletion and subject access requests supported in practice?
  • Can you export all data — and the whole setup as code — without a penalty fee?
  • Can the provider show residency and access in the product, not just claim it?

If an answer takes the form of “trust us” instead of “here’s the proof”, note it.

— from Kepler’s trust model

Kepler is built to answer yes, with evidence, to each of these. Want to test us against your own list? Get in touch.

Bygg på ett moln du faktiskt äger.

Ingen bindningstid. En körande VM innan du betalar en krona.