Our country’s regulation (which has additional conditions for the finance industry) says that you can’t use cloud services to store a user’s sensitive information. @Jagster So we can use cloud services as long as we don’t store sensitive data there.
It is OK if only email address is stored abroad - this alone is not considered sensitive info. Still, if at any point I store email address together with the full name of the user, this is considered sensitive information, since the user is now identifiable as a person. I’m worried because after SSO is used for login, since I can see our users’ email address and full name on the platform, I don’t know whether this data sent to and stored in the Discourse hosting, it is against our local regulations.
To demonstrate the mindset with our regulations: Say, for example, a 3rd party with malicious intent gets access to the physical drives of Discourse’s cloud server in the EU. Would they be able to read our users’ full name & email together, given that they logged in with SSO?