I can tell you that Azure has a DC in Ireland, not sure I can tell you the exact location. Could be wrong. I just wouldn't think you'd want to be able to find a data center with 22,000 schools' MIS systems on Google Maps.
Personally I'd like to know it's in England and no backups, regardless of if they are encrypted or not*, leave England. Not too fussed about exact locations so long as they have a primary and secondary and they're not next door to each other (ideally something like Manchester and London). I'm sure Ireland would be fine, it's just, well if it's within the same country I'd assume it would be easier to deal with issues that might occur. I just assume it might get a bit sticky trying to comply with two sets of government legislation, one's bad enough.
All boils down to trust. End of the day even if you get a guided tour of a data center in England, doesn't mean the data isn't forwarding to China or USA.
* I'm just saying this as we know the NSA can break most encryption and surely having a database full of all the UK children with behaviour reports and critical life events kinda makes for a good platform for making predictions about the future adult population of the UK. Paranoid I know.
ISO 27001 certification would be useful for you to have, if not already.
I agree @matt40k @Bromcom-PR In the UK is acceptable under DPA, although I would want to know where backups are too, not just a random signed agreement. A customer should know themselves, it is their responsibility too not just suppliers in telling them. Potentially, yes a school should be able to visit the site.
Other one is data erasing. How would you ensure that once you end the contract they securely destroy the data?
Thing is, if they give you a legal document saying the data never leaves the UK and when you leave they securely destroy the data along with any backups - they're only ever going to get it wrong once, the fines and penalties are ridiculous. Pretty sure if it's an individual's fault they can be liable for life imprisonment. Personally I think I can trust a company when the MD signs his life away - literally.
I'm not making trouble if you read my posts carefully, I promise you. I'm just saying that information should be available if requested, there needs to be a move away from this secretive hush-hush side, and more from the customer side they should be actively aware!
Fair point but like I said. Having something on your site saying UK only DC and letting people visit the DC and signing a document confirming this - it still comes down to trust. They could move the servers the day after, or forward your data outside of Europe. You of course build the trust by visiting the DC and checking out what they're telling you.
One day @GREED we'll get to a point where we don't have any of these dark spots where information is hidden behind an NDA or the maze that is SupportNet ;)
Not just that, but fundamentally the more difficult or expensive it would be to, say, change the location of the data center overnight, the less likely it is a bona fide company would do that...
Checks legs :D