I’ve spoken with a lot of cloud-based BPM vendors over the past few years, and I inevitably ask where their services are hosted. Since almost all of these are American companies, or are primarily targeting the American market, the answer is, almost inevitably, in the United States. I continue to point out that that’s a problem for many non-American companies: my Canadian customers are mostly financial services and insurance, and not one of them would consider hosting any of their data – even non-executing process models – outside Canada. Yes, I’ve asked them. Similarly, many EU companies require that their data be hosted in the EU. The problem is not, as many believe, safe harbor regulations that attempt to bring US data privacy in line with the stricter laws of other countries; it’s the Patriot Act, which allows U.S. intelligence and law enforcement authorities to view personal data held by U.S. organizations without a court order, and without informing people or organizations that their data has been shared. This is in violation of Canadian privacy standards, as well as those of many other countries.
Yesterday, I had the chance to speak with someone at Human Resources and Skills Development Canada (our federal department dealing with labour and employment, which is pretty big due to the social benefits such as unemployment insurance and government pensions that we enjoy). They’re doing process modeling on a large scale across their department, and looking at how they can collaborate with other departments. Currently, they collaborate on process models using desktop sharing software for real-time collaboration between a modeler and a mentor who is helping them on a process, plus an internal repository and web publishing of the process models for viewing. I asked if they would consider using something like Lombardi Blueprint or one of the other online process modeling environments that are emerging, and he said, unequivocally, “only if it’s hosted in Canada.” I’m not sure if that’s an explicit Canadian government policy, but that’s their practice.
So to all the vendors who think that geography doesn’t matter for hosted solutions, a news flash: geography does matter if you plan to sell to non-American organizations, whether private sector or public sector.
</soapbox>
Thank you for such wonderful, pragmatic insight. Of course, this is not specific to BPM. I would be interested in any further thoughts you might have with regard to software or platform as a service offerings from American companies and any specific alternatives or strategies that may have emerged in your conversations.
Paul, thanks for your comment, and I agree this isn’t specific to BPM: it also holds true for hosted email and backup as well as many other applications.
The best strategy is to host in the countries or regions that are required to do business in those locales. For Canada, there are several large hosting companies who can do this even if an American SaaS company doesn’t want to build their own hosting environment here. For the EU, there’s Amazon’s EU infrastructure. Interestingly, I have some Canadian customers who would be happy with EU-based hosting, but not US-based.
The governments of Canada (Provincial and Federal) are really afraid of the USA Patriot Act which gives the US government a lot of power in regards to data in the US.
So all of these concerns for data being hosted in Canada is mostly as a protection of the personal information for canadian citizens and being one of those myself, I am all for that, hence the request for keeping canadian data in Canada.
I don’t know how the canadian government would feel about data hosted in the EU for example, but my guess is it is much simpler to deal with canadian law exclusively than to try and figure out the specifics of each country.
Eric, as far as I know, the EU doesn’t have the equivalent of the Patriot Act in terms of data privacy: if they want access to your data, they need to show a court why, and have to inform you. Much different laws than in the US.
Hey Sandy,
Good points all around. If SaaS BPM vendors aren’t explaining their compliance with various international data privacy laws in the very first presentation, there’s probably alot of other things they are doing wrong as well (SAS-70 Type II audits, Data Backups, Redundancy, etc..)
Shameless plug coming..
Appian of course provides our Appian Anywhere environment in multiple international locations and is proud to have one of Canada’s largest insurance companies as a successful Appian Anywhere SaaS BPM customer.
Thanks for the insights..
Malcolm Ross
Director, Product Management, Appian
Hey Malcolm, does this mean that you’ve solved the US-only hosting issue that you used to have?
Hey Sandy,
We’ve never had a US-only hosting option. We have two separate hosting providers we work with who both have multiple international locations, including US and EU.
EU data privacy laws typically satisfies Canadian companies concerns on privacy.
We’ve always been aware of the data privacy concerns of customers and adherence to their national laws.
Malcolm
I stand corrected, I must have recalled something from a pre-release time of Appian Anywhere.
Although I agree that EU privacy laws satisfy many Canadian companies’ concerns, the person from the Canadian federal government who I spoke with yesterday said “only if hosted in Canada”, not “only if not hosted in the US”. I’ve had financial services clients with the same restriction. For me personally, EU is fine.
SaaS is certainly still maturing and there are not consistent requirements between customers. Surprisingly, we have seen at Appian the largest growth of our SaaS customers coming from Financial Services in both the US and EU.
I believe the biggest requirement for SaaS vendors will be to offer the option to seamlessly transfer between an on-premise and SaaS environment to avoid Coghead type situations.
http://www.infoworld.com/t/platforms/coghead-customers-have-two-months-save-their-data-815
It’s a critical issue in vendors who only provide the SaaS option. For example, what would Blueprint customers have done if IBM decided to just turn off the Blueprint service and tell customers to switch to Blueworks. It seems implausible that a company would do such a thing to their customers, but SAP did just that with Coghead.
Malcolm
It’s a bit of a “if you build it, they will come” sort of thing: if you don’t have Canadian data centers (excuse me, “centres” 😉 ), then you won’t see a lot of growth in Canadian financial services and, apparently, federal government. The fact that you see growth in US and EU financial services is, in part, related to the fact that you’re hosting in the US and EU. Think about the inverse: how many US companies would select a SaaS product that is not hosted in the US?
Migration between SaaS and on-premise is important (although not at all the point of my post, so congrats for getting in a plug for something that Appian does well). With modeling, however, the risk of the SaaS platform disappearing is mitigated by the use of standards: if Blueprint goes away, then you just have to export all your models in BPMN 2.0 and import them to another modeling tool. You’d lose the collaboration, but not the models that you developed. I think that we’ll see Blueprint integrated into Blueworks in some way, rather than shut down, although it’s likely to be a bit of a painful transition.
Sandy –
I agree with the premise – that geography/location matters for your hosting locations. And that a lot of companies will care about it – and some of them care A LOT.
However, to be fair, there ARE canadian companies that use blueprint, and other hosted modeling tools (that, to my knowledge, don’t have hosting in Canada). Also, Blueprint is in use by customers in something north of 80 countries… and in particular, some big financial firms in Europe.
Also, not to delve to far into politics, but the Patriot act is much more of a concern for email hosting and other services that individual consumers use. You’re at more risk of having your privacy violated by placing a phone call to someone in the US than you are using a hosted BPM modeling tool. I’m not arguing the patriot act is right, I’m just pointing out that it actually gives much broader latitude on phone tapping than electronic surveillance.
Doesn’t change the fact that lots of companies would feel more comfortable having hosting in their home territory for all kinds of local-law issues/reasons, which is the core point you’re making 🙂
Scott, I think that using a SaaS process modeling tool is a pretty low risk for privacy, since it shouldn’t contain any of your internal or customer data — it’s your process models, not the executing processes. The only thing that it likely to be gleaned from process models is intellectual property or trade secrets, which the US government is probably not interested in. If these were executing processes, as in Appian, then customer identification and financial data could be accessed, which is what both financial companies and governments are more concerned about.
I know that I am asking for the neo-Luddite label, but from Google transferring blame to China for what was a huge “cloud burst” with Gmail to the security issues Sandy raises here — all mixed liberally with ever declining hardware prices, SaaS just ain’t worth the risk.
Alex, I completely disagree — SaaS is worth the risk, but you just have to be aware of what those risks are, and manage the appropriately. On-premise systems have shown to be insecure for a number of reasons ranging from social engineering to firewall breaches, so nothing is absolutely safe, but most of us are protected by the fact that we don’t do anything interesting enough for anyone to want to hack into it.
I recently got a response to my Patriot Act inquiry form a vendor. I am sharing it here as a discussion point. I still don’t think it is valid but they made some good points. I did not take the time to point out my concerns in this post, like without a court order that you mentioned.
“Third, we appreciate your concerns about the U.S. government’s potential usage of the USA Patriot Act to access your customer’s information. However, existing treaties between the U.S. and the Canada that were in place before the USA Patriot Act already permits the U.S. and Canadian governments to share information when cooperating in law enforcement activities, and it is highly unlikely that the U.S. government would use the USA Patriot Act to obtain your customers’ records if they were stored with our solution in the U.S.
The Mutual Legal Assistance Treaty of 1985 governs the sharing of personal information between Canadian and U.S. government agencies for law enforcement purposes. The treaty states, that “[a] Party seeking to obtain documents, records, or other articles known to be located in the territory of the other Party shall request assistance pursuant to the provisions of this Treaty,” except when both countries otherwise agree. Pursuant to this treaty, for law enforcement purposes, the U.S. government may request Canada’s assistance to access information stored in Canada. Therefore, the ability of the U.S. government to legally access to Canadian records, even if such records are stored in Canada, already existed before the passage of the USA Patriot Act.
Also, it is highly unlikely that the U.S. government would use the USA Patriot Act to access your information. In a 2004 Submission to the Information and Privacy Commissioner of British Columbia concerning the risks of outsourcing the personal information of British Columbians to the U.S., British Columbia Attorney General Geoff Plant stated that the “risk of access to Canadian information under the Patriot Act” is “minimal.””
JB, thanks for passing this on. I would love to be able turn this around, and ask how many US companies would allow their data to be stored in another country, especially one that allowed those records to be accessed without them being informed (much less giving consent). I would guess that the reaction would be much the same as Canadian companies are having to storing their data in the US.