
You have to be extremely careful and conscious about what you are able to upload and what you are not.

E-mails are generally OK as long as they do not contain customer info (most don't). The moment you get a data file from the customer (e.g. a CAD drawing, spreadsheet, some analysis, etc.) that is protected by a restrictive NDA, you must not even upload it to the corporate OneDrive to provide it to a colleague. It has to go through an on-premises server - or you have to send someone with an (encrypted) USB stick. And access is strictly controlled, only people who need it will have it.

This stuff is taken extremely seriously - a security breach leaking customer data because someone carelessly uploaded a confidential file where they shouldn't have could cost you millions in both lost customers and huge lawsuits.

>If clauses in contracts are enough to keep you out of legal trouble the same should be true independently of the size of the provider.

The problem is that you are not only after the clause in the contract to "keep you out of legal trouble" and suing the provider for money should anything go wrong. You actually want to be 99.9999% sure that nothing bad happens in the first place, that you have almost 100% uptime and the data are safe, not only to legally cover your backside.

Why? Because your own customers (or government) would haul your arse to court otherwise. No amount of compensation you get out of the service provider will fix it should it come to that. You could easily go bankrupt or to prison here.

Small startups have no chance to compete in this area with giants like Microsoft or Amazon. E.g. we are in the EU and are legally forbidden from storing some data in US hosted servers. So both Microsoft and Amazon (and also Google) have complied and have EU datacenters for this reason - and you can explicitly specify (both technically and contractually) which instances your e-mail or files are allowed to be stored in and which ones not.

A US startup with no infrastructure of its own, only renting servers/compute from e.g. Amazon? How exactly are they going to ensure this, regardless of what is in the contract with me, when I have no influence on how they structure their own contracts with their cloud providers?

Esp. when that company is here today but may not be tomorrow - goes bust, gets bought out by a competitor, etc. No amount of legalese will protect you here when you have nobody left to sue.

Unfortunately in this area the deck is stacked against startups and small companies sky-high, even if you aren't trying to convince them to give you all their confidential data and only trying to sell much more pedestrian services - e.g. payment services or something like payroll management.




That is the theory - only in my experience the reality is quite different. Employees do not bother to classify incoming emails as confidential or internal. So everything gets sent to the cloud.

Also, having servers in the EU helps to fulfill some regulations, but it certainly cannot prevent your customer data from getting exposed.


You are missing the point. Sensitive customer data never touch e-mail, period. So there is nothing to "send to the cloud".

That's a matter of organizing the work and training your staff, along with appropriate technical measures where required. Not some hypothetical theory or matter of whether someone bothers to classify something or not.

If it is confidential to the degree that it cannot leave company premises then e-mail is automatically taboo and the file never gets transferred anywhere by mail (or any sort of cloud service).

Moreover, access is controlled and only the people who need it get it - along with strictly worded information that it is under such and such NDA and must not leave the premises or be shared/uploaded outside of the company.

If the company you work for doesn't do it like this, then they either don't deal with such sensitive materials or they don't care - and then they will end up in court or bankrupt (or both) sooner rather than later.

Having servers in the EU is not about "not getting data exposed" or only a matter of some sort of regulatory compliance (even though that is important too - e.g. whenever GDPR is involved). Without that minimal guarantee that e.g. NSA or Boeing or Ford or some other major US competitor of some of our customers won't get to see their information (happened before, industrial espionage at a state level is a thing) they wouldn't even talk to us about sharing data with us. On top of that data is obviously encrypted too.

Data/IP protection is a process; there is no single magic thing that you do and are set. Leaks, whether intentional or not, can and will happen - e.g. it is difficult to 100% prevent a disgruntled employee from walking out of the door with some sensitive files on a USB stick or a phone even if you institute a completely draconian regime at the workplace (which is counterproductive).

It is about having a process in place to mitigate against and minimize both such occurrences and their impact.



