Through reading the Standard Terms and the Data Processing Addendum, I can see that the documents pretty much state that they can send data outside the EU.
As much as I like the product, this is just not jiving well with our compliance folks. Which I understand.
Any other European companies who have struggled with the same issue? How have you interpreted/solved this?
As Robert mentioned we do have an option for hosting in the EU, specifically Dublin, Ireland. You’re also correct that we can’t guarantee the data will never leave the EU. Our company is global, as are most of our subprocessors like our CDN provider, our image storage provider, etc. We do have numerous EU companies, large and small, that use our hosting. That said, I’m not their lawyer or compliance team, so I can’t speak to their decisions. Feel free to shoot us an email if you (or your compliance team) would like to chat about our hosting in more detail!
And this is all assuming you want managed hosting. Our Standard Terms and DPA are irrelevant if you decide to self-host.
Obligatory “I’m not a lawyer, nor is any of this legal advice.”
Yes, and it took us months to resolve (worth it).
The team at Discourse were exceptionally patient with us, and made a number of improvements. For example, the list of subprocessors is now significantly more detailed, informing us of which service is used where. Any of the sub-processors we don’t like, we simply disable in our instance.
Ultimately our instance is hosted in the EU, and we’re currently using only European CDNs. Unfortunately users in China are unable to retrieve this content, so we might need to open up to world-wide CDNs. Users in other non-EU countries have no issue accessing the European CDNs.
In terms of GDPR, our policy is something like “Any transfer to a country other than a member state of the European Union or state that is part of the agreement regarding the European Economic Area requires the prior written consent of the Client and may only be performed if the special requirements of article 44 GDPR are met.”
We have a couple of clauses like this, which I understand to mean “If you aren’t storing data in the EU, but it meets EU standards, then it’s ok.”