PDAT-04

Is institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?

Explanation

This question is asking whether any institutional data (which typically includes sensitive information like student records, financial data, research data, etc.) crosses international borders at any point in its lifecycle. Specifically, it's asking if data is transmitted to or from locations outside the United States during collection (when data is gathered), processing (when data is manipulated or analyzed), storage (where data resides), or archiving (long-term retention).

This question is critical in security assessments because different countries have different data protection laws and regulations. For example, the European Union has GDPR, Canada has PIPEDA, and many other countries have their own data sovereignty requirements. When institutional data crosses borders, it becomes subject to those foreign jurisdictions' laws, which may have different (and sometimes conflicting) requirements for data protection, privacy, breach notification, and government access.

To best answer this question:

1. Consider your entire data flow and infrastructure: where are your servers physically located? Where are your backup facilities? Where are your development teams?
2. Be specific about which data elements cross borders, when they do so, and to which countries.
3. If data does cross borders, explain what safeguards are in place (encryption, data protection agreements, etc.).
4. If you use cloud services, research where their data centers are located and how they handle data transfers.
5. Consider whether you have any international employees, contractors, or support staff who might access the data.

Even if you're using a US-based cloud provider, they might have data centers worldwide, so it's important to understand their infrastructure.

Guidance

Given the vast number of privacy regulations and laws throughout the world, it is important to know when, where, why, and how institutional data is being shared outside the United States. This information is necessary to ensure compliance and to protect the institutional data.

Example Responses

Example Response 1

Yes, institutional data does cross US borders during processing and storage. Our primary application is hosted in AWS with our production environment in the US-East region (Virginia), but we utilize disaster recovery facilities in AWS's EU-West region (Ireland). Customer data, including personally identifiable information, is replicated to these facilities for business continuity purposes. All data is encrypted both in transit and at rest using AES-256 encryption. We have implemented Standard Contractual Clauses (SCCs) as required by GDPR, and we maintain a Data Processing Addendum with AWS. Additionally, we have technical staff in our Toronto office who may access the data for troubleshooting purposes, though this access is logged, monitored, and requires multi-factor authentication.

Example Response 2

No, all institutional data remains within the United States throughout its entire lifecycle. Our application is hosted in Microsoft Azure's US Government Cloud, which guarantees data residency within the continental United States. We have contractually specified with Microsoft that data cannot leave US borders. Our development, support, and administrative teams are all based in the US, and we have technical controls in place that prevent access to production data from non-US IP addresses. Our backup and disaster recovery facilities are also located in geographically separate but US-based Azure regions. We regularly audit our data flows to ensure compliance with this policy.

Example Response 3

We cannot guarantee that institutional data remains within US borders at all times. Our primary SaaS application is hosted by a third-party provider who uses a global content delivery network (CDN) for performance optimization. While our main databases are hosted in US-based data centers, metadata and cached content may be temporarily stored in edge locations worldwide to improve application responsiveness. Additionally, our 24/7 support team includes staff in India and the Philippines who may need to access customer data to resolve critical issues. We recognize this creates compliance challenges with certain regulations, and we're currently implementing data residency controls that will be completed within the next 6 months. In the meantime, we utilize encryption, access controls, and comprehensive staff training to mitigate risks.

Context

Tab: Privacy
Category: Privacy of Sensitive Data

Neil Cameron
Founder, ResponseHub