Can you run online business without US-cloud?
Moving away from US-based cloud services is challenging. Can it be done?
Yes! But it will cost you a bit of time & research.
There is a chasm between service providers and customers. Finding a suitable vendor is challenging for a few reasons, which I will describe in each section.
Why should you care about running your business without data transfer to the US?
The US, like China, Russia, and plenty of other countries, are not GDPR adequate country. Therefore, you must implement additional security measures when transferring personal data to these countries.
When Privacy Shield was a thing, transfer to the US could be secured with SCC, the Standard Contractual Clauses. However, due to surveillance laws in some countries - the US included, SCCs do not offer sufficient protection. As a result, there is no legal way to transfer Personal Data to the US, China or Russia unless these would be, say, end-to-end encrypted.
Suddenly, it matters who is your email provider, who runs your support platform and where you store your operational data and casual files.
In this article, we cover the following data processing platforms
- Wide Angle Analytics - how and where do we host our own product
- Live Chat
- Customer communication
- Auxiliary services
The Core - Wide Angle Analytics
- never transferring any end-user data outside of EU/EEA,
- never selling/sharing data we collect on your behalf, and
- being incorporated in the jurisdiction directly under GDPR law, Germany.
The company that runs Wide Angle Analytics is Input Objects GmbH, a Berlin-based business from Germany. No obfuscated structure. No nominee directors. We are actual humans. We live here, and we are accountable for our actions.
Our solution is 100% hosted by the pan-European cloud provider, the OVHcloud. Headquartered in France, OVH is one of the biggest in Europe and falls under the direct authority of CNIL. While OVH provides servers worldwide, we limit our deployment to France and Germany.
Our application is speedy and well optimized for minimum processing times. Our event processing API is fast and combined with a performant network from OVH. As a result, it has a negligible impact on the customer website.
Okay, let's jump to more interesting parts.
We reviewed multiple solutions.
First, we looked at hosted and self-hosted Rocket.Chat with Omnichannel extensions.
Hosted rocket chat for Omnichannel does not encrypt communication and is hosted on AWS. Bummer. Straight to be bin.
This felt tempting, but self-hosting a chat service felt like an unnecessary burden. So, just like we don't advise self-hosting web analytics, we would like to delegate the chat platform to a trusted and compliant vendor.
Live Chat is not our core value proposition, so we don't want to get distracted.
We looked at Userlike. It is offered by a German company, so we were hopeful. Moreover, their main communication platform is hosted on European servers, so it seemed to tick all the boxes.
Sadly, the chat script itself is served via AWS. During communication with support, it became apparent that their team did not meet our privacy standards.
Finally, we found our partner. Sendinblue, a French company, leverages a French data centre to host its servers. They use GCP and AWS for data recovery and backup, but only encrypted payloads are transmitted there.
Using AWS or GCP as dumb storage is an acceptable tradeoff.
Success! We have Live Chat.
Bonus round: While researching Sendinblue, we consolidate our marketing and transactional email delivery solutions. For the price of one, we managed to replace Userlike and Mailjet.
Support is very responsive and helpful. We couldn't be happier with our choice.
This was the most complicated part of the whole transition. Unfortunately, finding a good email platform for a business is unnecessarily complex.
As an individual, you have plenty to choose from:
- Mailbox .org
These are all awesome and secure email providers.
But try to run a business on these, and quickly you face challenges.
Let's go through the requirements for business email, including additional German requirements.
You must ensure the security of the communication. While GDPR does not enforce 2FA, it forces businesses to provide sufficient security measures. So let's be honest, email without 2FA should be immediately discarded as an option in 2022.
Many Business Mail solutions from Mailbox.org, IONOS or OVH do not offer 2FA. It is, frankly, bewildering.
The German law requires German businesses to have a tamper-proof email archive. Options and providers of such a service are abundant. Still, integration with some of the secure email providers is difficult or impossible.
ProtonMail cannot be connected to mail archiving infrastructure, and forwarding to the non-Proton mailbox is not supported.
Tutanota does not support email export and thus cannot even be classified as a business solution.
Access Control and Manageability
We had our eye on Mailfence and Runbox. Both platforms are excellent, and some of us happily use them for personal applications. But, sadly, using these for the organization is somewhat tricky.
Managing aliases, controlling which domains can be used by which account or even enforcing 2FA is something these platforms fail to support on satisfactory level.
Okay, which vendor supports good account management and security and is not Google or Microsoft? Fastmail!
Fastmail is incredible and worth every penny. Open standards, good security, and a decent amount of manageability. Problem? It is an Australian company with servers in the US.
Oh well, so long, Fastmail. Unfortunately, to provide adequate control and compliance for customer communication, we can't use Fastmail.
Customer communication and compliance
Our email communication solution is meant to communicate with customers. We are not talking about those who visit our customers' websites. So we should be good, right?
Not so fast. Our customers need peace of mind to communicate with us about their issues and problems. So if we ever exchange personal data or anything identifiable about the end user, we would have created a Personal Data transfer.
We need an ironclad solution from the vendor and hosting in an adequate country. If you interact with our support and share an IP or email of your customer, fear not. Everything remains compliant.
We found it! The HKN offers German-hosted Zimbra implementation with advanced security, compliance and email archiving services.
It ticks all the boxes and, once configured, is very convenient. Even integrates nicely with Nextcloud.
The downsides? No self-service during purchasing. We found this to be a common theme among European business service providers. Why do these companies expect us to go through a salesperson when a form with credit card entry would be enough?
Like every other SaaS business, we used plenty of other services. Workstation backup, in-app profiles via Gravatar, note-taking applications, etc.
These were much easier to replace by a compliant vendor or in-house solutions.
The critical point is that there is plenty of places where information can leak. Something as naive as debugging customer issues by exporting data to CSV on a local drive can grow into a compliance nightmare.
It took us close to three months of researching, planning and testing. Regardless, ultimately we arrived at the stage where our organizational structure assures no customer data leaks outside of the adequate country.
Something very few, if any, of our competitors can claim.
- Few of the "Top XXX" lists are helpful in this process because authors rarely focus on business-critical features.
- European businesses, even those offering good service, suffer from being outspent by American counterparties in marketing money.
- Some European businesses make it unnecessarily difficult to purchase their service. A self-service purchase process is a must.
- Customer Support is a space where European companies have jarring gaps. That covers accessibility, availability and sales drive of the customer rep.
Despite all the problems, strict compliance and legal requirements, it is possible to use services from adequate jurisdictions. Therefore, we firmly believe it is worth the effort. Nay, consider this an investment that will eventually increase these services' competitiveness and challenge the incumbent.