GDPR compliance isn’t decided by a logo on a page — it’s decided by the structure behind it. Here are ten questions to ask a cloud provider before personal data moves in. The answers quickly separate the prepared from the hopeful.
Jurisdiction and ownership
- Under which jurisdiction does the company sit — and the entire ownership chain?
- Is there a parent outside the EU that could fall under the CLOUD Act or similar?
- Does the provider own the hardware, or is capacity rented on a third party’s stack?
Data, keys and processors
- Is there a data processing agreement, and what does it say about sub-processors?
- Where are the encryption keys held, and can anyone outside the EU reach them?
- Which sub-processors are used, and in which countries do they sit?
- Does any transfer to a third country occur — and if so, on what basis?
Rights and exit
- How are deletion and subject access requests supported in practice?
- Can you export all data — and the whole setup as code — without a penalty fee?
- Can the provider show residency and access in the product, not just claim it?
If an answer takes the form of “trust us” instead of “here’s the proof”, note it.
— from Kepler’s trust model
Kepler is built to answer yes, with evidence, to each of these. Want to test us against your own list? Get in touch.