Why storage location matters
The GDPR sets strict requirements for transferring personal data to countries outside the EU. When you use software that stores data on servers in the United States, India, or another non-EU country, additional rules apply.
This doesn’t mean you can’t use those tools. But you need to know where the data is stored and document what safeguards are in place.
How to find out where your data is stored
Most software vendors publish their storage location. Here’s where to look:
1. The data processing agreement (DPA)
If you have a DPA with the vendor, it almost always states in which region data is processed. Major vendors like Google, Microsoft, and Amazon publish their DPA on their website.
2. The vendor’s privacy policy
Under headings like “Data transfers” or “International data transfers,” you’ll typically find whether data leaves the EU and what safeguards apply.
3. Direct contact
If you can’t find it, email the vendor asking: “Is the personal data we process through your service stored on servers within the EU?” Most vendors are required to give you a clear answer.
What if data is stored outside the EU?
That’s fine as long as appropriate safeguards are in place. The most common safeguard is Standard Contractual Clauses (SCCs), a set of standard contract terms approved by the European Commission. Major cloud vendors have already incorporated these into their terms.
Additionally, some countries have an adequacy decision. The European Commission has determined that these countries provide a comparable level of protection. Transferring data to those countries is permitted without extra safeguards.
Recording it in GDPRWise
In your third-party dossier, you can specify per party:
- Whether data is stored inside or outside the EU
- In which country the servers are located
- Which safeguard applies (SCCs, adequacy decision, or other)
GDPRWise warns you if you add a party without a storage location, so you won’t forget to fill it in.
Practical rules of thumb
- European vendors usually store data in the EU, but verify to be sure
- American vendors often process data in the US as well, but typically offer SCCs
- Not sure? Document your uncertainty and contact the vendor. Honesty in your dossier is always better than an assumption
GDPRWise helps you record per vendor which data you share, where it is stored, and which safeguards apply.