What happens to data offered through a US cloud software vendor now that the EU-US Privacy Shield has been invalidated? Because the Foreign Intelligence Surveillance Act (FISA) is about electronic communication service providers, this ruling has an effect on a lot of cloud software within your organization. The main problem with US regulations is that US intelligence agencies have access to all personal data of non-Americans processed by a US electronic communications provider, even if stored in Europea. Electronic communication providers are, for example, the email services, cloud storage, and Internet Service Providers (ISPs) that your organization (or the processors your organization works with) use. Making the seperate agreements for this is often grey area.
Ask yourself the following questions:
1. In which countries does the supplier have data centres?
2. Who has physical access to these data centres?
3. Have any agreements been made with the supplier or are they to be made?