Regulated data may require certified data centers, a signed BAA, and audit support. Check whether the provider signs BAAs (for HIPAA) and holds ISO 27001 certification or a SOC 2 report. Data residency rules (e.g. under GDPR) may limit where you can host.
Certifications and agreements
- BAA (Business Associate Agreement): Required under HIPAA when the provider stores, processes, or transmits PHI on your behalf. The provider must sign it and implement the HIPAA safeguards it commits to. Not all hosts offer this.
- ISO 27001 / SOC 2: Indicates the provider has documented security controls and processes that an independent auditor has reviewed (ISO 27001 is a certification; SOC 2 is an attestation report). Often required or preferred for enterprise and regulated workloads. Ask for the current certificate or report and confirm its scope covers the services and locations you will actually use.
- Sector-specific: PCI DSS for cardholder data; FedRAMP for US federal workloads. Check that the provider holds the certifications your industry requires.
Data residency
- GDPR: Personal data of EU residents may need to stay in the EEA, or may be transferred only to a country with an adequacy decision or under approved safeguards. Choose a region (e.g. EU) and ensure the provider commits contractually to data location and processing terms.
- Other regulations: Some countries require certain data to remain in-country. Verify the provider has data centers, or region-restriction options, in the required jurisdiction.
- Contracts: A data processing agreement (DPA) is required under GDPR when the provider acts as a processor, and standard contractual clauses (SCCs) may be required for transfers outside the EEA. Ensure the provider offers both.
What to ask providers
- Do you sign BAAs (HIPAA) or DPAs (GDPR)? What certifications do you hold (ISO 27001, SOC 2)?
- Where is data stored? Can we restrict to a specific region or country?
- Do you support audits (e.g. provide evidence, questionnaires)? What is the process?
Summary
For regulated data: verify BAAs/DPAs, ISO 27001 or SOC 2 coverage, and data residency options. Choose a provider that commits to your compliance requirements in writing and can support audits.