GDPR Compliant NextCloud Hosting in Europe

One of the simplest ways to comply with the GDPR for European companies storing and processing the personal data of EU/EEA/Swiss data subjects is to host the information systems in Europe. As a European business, if your internal teams use hosted services such as Dropbox, Google Drive, or Microsoft OneDrive to handle customer information, you are at risk of being in breach of GDPR. Without a self-hosted cloud storage service, you lose control of where your data is stored. All the major US-based technology companies have clauses in their Terms of Service permitting them to store, archive, and back up customer data in whichever datacenter they wish.

Choosing a self-hosted cloud storage solution such as NextCloud is an excellent first step to reclaiming control over your data. Traditional enterprises with company-owned datacenters will most likely choose to host NextCloud behind their corporate firewall, in their private cloud. Administrators can leverage existing identity and authentication services such as LDAP/AD, and perimeter security measures such as corporate firewalls and VPNs, to protect access to the organization’s NextCloud instance.

What about SMEs who don’t have a company-owned datacenter, or even colocated servers in a datacenter within Europe? Young European entrepreneurs grew up with Google or Microsoft services such as Gmail, Calendar, and Docs in their personal life, so naturally, not being able to use Google Apps or Office 365 for their business due to GDPR is an inconvenience.

GDPR may seem like a headache to comply with, but there are other performance & security advantages of self-hosting your cloud storage in Europe which you might not yet have considered.

  • Faster access to your data – Uploading & downloading files from a NextCloud instance located close to you could be much speedier than US-based cloud storage services.
  • Cloud storage behind firewall – If hosting NextCloud on-premises, your data stays safely protected behind your corporate firewall. Data can take the fastest route (over the LAN) between your users and the NextCloud instance.
  • Freedom to switch providers – If hosting NextCloud with a third-party cloud provider, it is much easier to migrate data to a different datacenter in the future, compared to using proprietary tools to export data from Dropbox, Google Drive, Microsoft OneDrive.
  • EU legal jurisdiction & privacy protection – US authorities must make a request for cooperation with local law enforcement agencies, and obtain a warrant under local law, to obtain data from NextCloud instances hosted in Europe.
  • Full disk encryption supported – NextCloud supports application-level, full disk encryption but many organizations encrypt the entire NextCloud data volume at the kernel level with dm-crypt and LUKS (Linux Unified Key Setup).

Hosting NextCloud in the public cloud with a provider that is based in Europe and GDPR compliant can be a good workaround. Traditional hosting providers like OVH (France) and Hetzner (Germany) now have extensive cloud offerings that provide the same convenience as more well-known IaaS providers such as AWS, Azure, and GCP. As an additional option, emerging cloud providers such as UpCloud (Finland, affiliate link) provide innovative services such as attachable, high IOPS block storage volumes up to 2TB with compute costs less than ⅓ the price of AWS or Azure.

For small to mid-sized businesses in Europe requiring a highly available setup where their data is triple-replicated (2 copies in primary datacenter, 1 copy off-site) for the utmost data protection, deploying NextCloud on an elastic cloud computing platform can be a great option. The elasticity of being able to start small, and add additional application servers and block storage along the way is unparalleled.

Options such as dedicated servers or storage VPS can be even more cost-effective if you have an accurate idea of the capacity you need. It’s not uncommon to see independent hosting providers in Europe advertise storage VPS plans with 1TB of capacity for as low as several euros/month. As a general rule of thumb, budget dedicated servers or VPS are backed by much slower storage hardware such as mechanical HDDs, whereas public clouds have mostly gone all-SSD. Cloud providers typically have more stringent SLAs, and their volumes are typically backed by RAID 10 or RAID 50 configurations, versus a hosting provider that may simply provision the server with JBOD or RAID 1.

Since the data you plan to store in NextCloud is business-critical, it’s crucial to look into what redundancy the hosting or cloud provider already has in place, before deciding whether it’s necessary to configure additional replication and backups.

Important questions to ask when you decide to host NextCloud with a Europe-based cloud or hosting provider are whether the entity you’re contracting with is incorporated in the EU/EEA or Switzerland, and where the datacenter is located. This ensures your hosting company is required to follow EU laws when they handle your data and your customers’ data. After May 2018, all companies in Europe should have taken the necessary steps to make their operations GDPR-compliant.

NextCloud is trusted by major European organizations such as the German Federal Government, Siemens, and Raiffeisen Informatik Center, as an alternative to storing data with proprietary services typically bundled with office suites, email services, and groupware by American technology giants.

If you are moving from hosted solutions such as Google Apps or Office 365, the collaborative document editing functions can be replaced by integrating Collabora Office or OnlyOffice with NextCloud. As of June 2019, NextCloud 16 and 17 users also have access to the NextCloud Text collaborative rich-text editor, which enables real-time document editing between NextCloud users, with text and video chat. Collabora Office and OnlyOffice are free for up to 20 simultaneous users, while NextCloud has no such limitation.

NextCloud’s calendar and email apps can also be integrated with European hosted email services such as Mailbox.org (Germany) or ProtonMail (Switzerland), with IMAP and CalDAV sync for email clients such as Outlook or Thunderbird. Combined with these services, NextCloud can be a complete Google Apps or Office 365 replacement for the modern workplace — where you make no compromises on data security and convenience.

With NextCloud, you always know where your data is stored and how it is managed. When using cloud storage services such as Dropbox, Google Drive, OneDrive, you are forced to sign a draconian Terms of Service that gives the parent company carte blanche to archive and data mine your data as they see fit.

Why put your sensitive data at risk of abuses such as mass scanning with image recognition AIs? US cloud providers argue this is necessary to prevent their services from being used to share obscene photos, or to provide you with “extra features” which you might not want, such as facial recognition. There is no way of knowing whether the image recognition is only used for its intended purpose, or for commercial gain.

It’s only fair that you should entrust your data to a cloud provider only if they trust you in return. Using NextCloud gives your organization the flexibility of storing, archiving, and deleting its data based on its own policies, instead of wondering whether Google or Microsoft has kept extra copies on its servers for months or years after you “deleted” the data.

Are you ready to take back control of your data? Contact our team to discuss your options for deploying NextCloud on-premise, in the cloud, or as a managed service. We have organizations across Europe in France, Spain, and Germany who have already trusted us to lead the implementation of self-hosted systems for them, and would be pleased to assist you as our next customer.
