Hi there,<div><br></div><div>Has anyone who's using or considered using PAAS providers like Heroku got any thoughts about data protection and concerns about transfer of data outside the EU?</div><div><br></div><div>Our amateur reading of the guidelines from the ICO seems to be that if you're processing personal data outside the UK it can be</div>
<div><br></div><div>1) somewhere within the EU/EEA which has equivalent data protection rules.</div><div>2) in another jurisdiction judged by the EU Commission as having adequate data protection laws (i.e. not the US).</div>
<div>3) in the US as long as the data processor has certified compliance with the US-EU 'Safe Harbor' framework.</div><div>4) in the US with a data processor with whom your contract includes standard terms drawn up by the EU to guarantee protections equivalent to EU data protection rules.</div>
<div>5) in the US if you can "make an assessment that the level of protection for data subjects' rights is 'adequate in all the circumstances of the case'" (on the basis of the data processor's existing terms of service and policies, or of extra technical measures you take to protect the data, or maybe just by getting users' consent to the transfer).</div>
<div><br></div><div>We had originally settled on Heroku for hosting our application - until the discussion turned to data protection. I'm pretty sure (awaiting confirmation) that Heroku aren't Safe Harbor certified, and am sure that they won't agree to a modified contract/terms of service in order to win one small customer. So that leaves us with option 5, and our business owners are understandably queasy about the idea of making a legal judgement (about the adequacy of Heroku's privacy and data management policies) ourselves and being liable if we turn out to have got it wrong.</div>
<div><br></div><div>Any Heroku customers here? How have you dealt with this?</div><div><br></div><div>Mark</div>