Who has access to your hosted data?


I am evaluating a hosted solution for a client, and last week in one of our conversations he asked, “Who has access to my data?” If we decide to use a hosted solution, his entire inventory and customer database will be offsite, including all sales data. I didn’t have the answer, so I began doing some research. There is a lot of potential for some authority to request sales data or a specific customer’s data. Any type of audit could trigger a request. From what I can determine at this point, if there was a request for information for an audit, the request would come to you, and you would get the data and provide it in printed form or on a portable drive. Recently Microsoft responded to a question about a request for data under the Patriot Act.

The question put forward:

“Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?”

Frazer explained that, as Microsoft is a U.S.-headquartered company, it has to comply with local laws (the United States, as well as any other location where one of its subsidiary companies is based).

Though he said that “customers would be informed wherever possible”, he could not provide a guarantee that they would be informed — if a gagging order, injunction or U.S. National Security Letter permits it.

He said: “Microsoft cannot provide those guarantees. Neither can any other company”.

While it has been suspected for some time, this is the first time Microsoft, or any other company, has given this answer.

Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities. 

Last week, Microsoft opened up its Online Services Trust Center which explained in great detail how data was managed, handled and if necessary, handed over to the authorities.

While this was a very candid response from Microsoft, it opens up a whole host of follow-up questions regarding the data and who else can have access to it. I will continue to do some research but welcome input from anyone who can provide additional insight.