Where is my content stored? This question is a hot topic, especially for organisations in regulated industries and government organisations. There is also a general concern about who can access the content and whether my data can be seized. Here are some insights and a few of my thoughts.
Microsoft have an Azure Region in New Zealand, which is great for people who want to build and host applications here; however, services including M365 and D365 are not available. The same is true for other smaller markets. This means our data is often hosted in a different Region, and that may have some implications for you and your content.
In Europe, Microsoft’s data centres are owned by a subsidiary company registered in Ireland. This helps European data comply with EU regulations including GDPR; however, subsidiary businesses of US companies are in scope for the Cloud Act. This means that regardless of where M365 is hosted and your data is located, it is within reach of the Cloud Act. Microsoft provides a Sovereign Cloud offering and EU Data Boundaries to help address these concerns.
It isn’t just the Cloud Act that is of concern. Law enforcement and government agencies in many other countries can also be of concern, especially if your content is located in a different country with its own local laws. Microsoft’s privacy statement explains how they protect access to your data; they won’t just hand it over.
Microsoft publishes an annual report on the requests for data under the Cloud Act, which is reassuring. Microsoft’s commitment to reporting provides transparency and a good insight into requests, a large proportion of which are declined.
Back to the initial question about the location of your data. The Microsoft 365 Admin Portal provides details for each of the services enabled in your tenant. Visit the data residency page for details. In this screenshot, you can see all of my M365 services are hosted in Australia (I am in New Zealand). Read this to learn more about the storage locations.

It also provides details on whether you are eligible for Advanced Data Residency (ADR), a service add-on that gives you more control over where data is located. It includes tools to migrate data from non-compliant areas into the Region you specify. In a Multi-Geo tenant you also have this ability; Microsoft doesn’t require you to have both ADR and Multi-Geo.
You may be concerned about the residency of your content because of a general concern about foreign government or law enforcement access. You can see from the most recent report Microsoft has published that this is a very small edge case. There may be other commercial reasons for concern, such as protecting intellectual property, commercial sensitivity, privacy requirements or regulatory requirements in your country.
What can you do?
In both scenarios, you need to make a choice. If your data is in SharePoint Online, you can use Purview to encrypt content. This prevents anyone from reading the content of the document even if it is downloaded from your environment. This does have licensing implications and requires planning. It might be a good test for “are we really at risk” vs “I feel nervous and I’m not sure”. There are many benefits to Purview beyond this specific issue.
If this option doesn’t meet your requirements, you may choose to implement SharePoint in your own environment. Microsoft provide SharePoint Subscription Edition with a close feature match to SharePoint Online. There are also other options for hosting your data and services like file servers and other document management systems.
In addition to the SharePoint data location, you should consider where data from archiving and backup resides. If you are using third-party backup solutions, you may have the ability to specify the storage location. Other tools, like data replication and content processing services, may also move data to a different location. Check the vendor’s documentation or ask them to confirm.
Finally, you should consider where information is processed. You may have integrations, automations and workflows that interact with your content. Not all services are available in every Region; in some cases content may be processed in a different Region.
In my opinion, the concern about location and control over the data you own is valid. We (the customers of cloud service providers) should be aware of where our data is stored and understand what this means. We shouldn’t panic and have a knee-jerk reaction without understanding the implications and risk.
The data and content we create and store in cloud services, regardless of who provides the service, should be part of your data and information governance strategy. You are far more likely to suffer a data breach through the unintended actions of someone with access than you are to be hacked or have your data seized. Where will you focus your effort?
