Data protection
The location of people's data is critical important from a legal standpoint. The Safe Harbor agreements between the US and Europe are a set of principles not a legal framework and using them does not mean that you are covered legally if an industry regulator should launch an investigation into your data practices.
Cobweb has multiple UK datacentres although the current Telehouse datacentre is used to run the hosted services. Adams told us that they did have two other datacentres in the UK but for security and commercial reasons, did not want their locations disclosed. Adams recognises that having a single active datacentre does look like a risk issue.
"We will be delivering new services out of another datacentre next year and these are being built around Exchange Server 2010." said Adams. "What I can also confirm is that we do move customer data between our different datacentres and onto tape with everything being kept within the UK".
One of the advantages that Adams believes customers see in both hosted and SaaS solutions is that it takes away the worry about how to deliver this level of support. "We not only do offsite backup but also do inline real-time backup and snapshots. This can be complex and the SME often lacks the technical expertise to do this properly."
Moving data off premises might let people think they have got rid of a problem but that is not the case. You can outsource process and services but not your legal liability. One of the main reasons why there is so much concern as to where your data ends up is that you have to answer to your own customers and the law in your own country.
There are numerous examples now going around the web where companies have allowed their data to move out of their control and then had to live with the consequences. It is critically important, therefore, that people do due diligence on their supplier and ask where the data will be stored.
eDiscovery
Once your data is off your premises, what do you do if there is a request from the courts for eDiscovery or if you need to remove data pursuant to a legal request. After all, anyone can contact you and ask for you to remove any reference to them that is more than six months old.
When I've asked this question of hosted mail providers over the last two years there is normally a long pause followed by a change of subject. Adams jumped in. "We've had to deal with certificates of destruction already" he said and we have solutions in place for customers.
"We recommend that those customers who believe that they will have a requirement for eDiscovery either internally or because they are regulated, should buy an email archival service. This allows then to access their data and control the deletion and changes to mail and other content in their store. This gives them a DIY option that can be worked into their existing processes.
"When it comes to actual destruction, we have only had 2-3 cases in our history and have two options. The first is that we can issue a certificate of destruction based on the live data on the system. However, we cannot do that for backup data. This is due to complexity.
"All data is held here for seven years and our tapes are stored offsite. To bring back all the tapes in order to locate a specific customers data and then do all the restores would be prohibitive. In this case we can give a written undertaking that the data will not be accessed or released from our systems."
This latter is something that few people think about when they talk about destruction of data. Even inside a company when you have control, it would be fair to say that few if any of the companies I have ever come across have the ability to mark all backed up references as removed.
Data protection and eDiscovery is not confined to a single country and over the last few years, many countries have enacted laws that allow them to probe increasing amounts of data, irrespective of whose it is. Adams admitted that the intrusion of law enforcement on data has even led to some US companies coming to Cobweb to host their data where it won't be subject to the Patriot Act.
"It is very difficult to second guess legislation in the UK and Europe" said Adams. "We have had a small number of requests to supply law enforcement based on an ongoing legal situation. We have to comply but the amount of times it has happened is small and so far has not happened with a reseller.
"I can categorically say that all our data is kept and resides in the UK and that is part of our value as a UK provider" said Adams.
Adams finished by saying that Cobweb had contracted to HP about providing services only to UK resellers and that while there had been conversations about taking this service into Europe, there were currently no contractual arrangements.
