Open-source data governance tool

Provenance

Analyse cloud provider data governance and compliance across jurisdictions. Understand where your data lives, which laws apply, and how provider choices affect your regulatory exposure.

55 providers tracked
11 laws covered
42 countries
10 categories

How It Works

1. Select your business country

Choose where your business is legally established. This determines which data privacy laws and jurisdictional requirements apply to you.

2. Add your cloud providers

Build your stack by selecting the cloud services you use or are evaluating. Each provider's data regions, certifications, and legal exposure are analysed.

3. See compliance analysis

Get a clear picture of your data sovereignty posture: risk levels, applicable laws, CLOUD Act exposure, and certification gaps across your stack.

Understanding the Map

Jurisdiction Colors

Business Country
Your selected business jurisdiction
Has Data Centers
Countries where your selected providers have regions
EEA
European Economic Area member states
Five Eyes
Intelligence alliance: US, UK, CA, AU, NZ
Fourteen Eyes
Extended intelligence-sharing alliance
GDPR Adequate
Countries with EU adequacy decisions

Risk Classification

Low Risk
Not US-incorporated, no CLOUD Act exposure
Medium Risk
US-incorporated or CLOUD Act exposed, but has EEA data regions
High Risk
US-incorporated with CLOUD Act exposure and no EEA data regions

Risk is assessed from a European data sovereignty perspective. A provider's legal incorporation, parent company jurisdiction, and available data regions all factor into the classification.
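The three steps above and the Risk Classification rules are precise enough to encode directly. The following is an added example, not code from the Provenance project: it implements the page's Low/Medium/High rule (incorporation or parent country, CLOUD Act exposure, EEA regions), the certification-gap check against the five tracked frameworks, and the alliance flags, then runs them over a constructed stack. The provider records and the LAW_BY_COUNTRY mapping are assumptions made for illustration; the page does not show how the tool itself maps a business country to applicable laws.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Jurisdiction sets from the page's map legend. EEA = EU-27 plus the three
# EFTA states in the EEA; alliance membership exactly as listed on the page.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
FIVE_EYES = {"US", "GB", "CA", "AU", "NZ"}
FOURTEEN_EYES = FIVE_EYES | {"DK", "FR", "NL", "NO", "DE", "BE", "IT", "SE", "ES"}
TRACKED_CERTS = ("SOC 2", "ISO 27001", "GDPR", "HIPAA", "PCI DSS")
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# ASSUMPTION: a simplified business-country -> tracked-law mapping for this
# example only. The real tool's mapping is not shown on the page. CCPA is a
# state law and is attached to "US" here purely for illustration.
LAW_BY_COUNTRY = {
    "GB": "UK GDPR", "CH": "revFADP", "JP": "APPI", "BR": "LGPD",
    "SG": "PDPA", "CA": "PIPEDA", "AU": "Privacy Act 1988", "US": "CCPA/CPRA",
}


@dataclass
class Provider:
    name: str
    incorporated_in: str            # ISO 3166-1 alpha-2 country of legal incorporation
    parent_country: str | None      # ultimate parent's country, None if independent
    regions: set[str]               # countries where the provider operates data centres
    certifications: set[str] = field(default_factory=set)


def cloud_act_exposed(p: Provider) -> bool:
    """Page rule: US incorporation, or a US parent company, means exposure."""
    return p.incorporated_in == "US" or p.parent_country == "US"


def risk_level(p: Provider) -> str:
    """Low / Medium / High exactly as the page's Risk Classification defines them."""
    if not cloud_act_exposed(p):
        return "Low"
    return "Medium" if p.regions & EEA else "High"


def cert_gaps(p: Provider) -> list[str]:
    """Tracked frameworks the provider does not evidence, in the page's order."""
    return [c for c in TRACKED_CERTS if c not in p.certifications]


def alliance_flags(p: Provider) -> list[str]:
    """Flag providers headquartered in an alliance; Five Eyes outranks Fourteen Eyes."""
    if p.incorporated_in in FIVE_EYES:
        return ["Five Eyes"]
    if p.incorporated_in in FOURTEEN_EYES:
        return ["Fourteen Eyes"]
    return []


def applicable_laws(business_country: str) -> list[str]:
    laws = ["GDPR"] if business_country in EEA else []
    if business_country in LAW_BY_COUNTRY:
        laws.append(LAW_BY_COUNTRY[business_country])
    return laws


def analyse_stack(business_country: str, stack: list[Provider]) -> dict:
    """Steps 1-3 of the page: business country, providers, then the compliance picture."""
    per_provider = {
        p.name: {
            "risk": risk_level(p),
            "cloud_act_exposed": cloud_act_exposed(p),
            "eea_regions": sorted(p.regions & EEA),
            "certification_gaps": cert_gaps(p),
            "alliances": alliance_flags(p),
        }
        for p in stack
    }
    # The stack is only as safe as its riskiest provider.
    overall = max((r["risk"] for r in per_provider.values()),
                  key=RISK_ORDER.__getitem__, default="Low")
    return {
        "business_country": business_country,
        "applicable_laws": applicable_laws(business_country),
        "providers": per_provider,
        "overall_risk": overall,
    }


# Constructed sample providers for this example (not records from the Provenance database).
SAMPLE_STACK = [
    Provider("NordicHost", "NO", None, {"NO", "DE"}, {"ISO 27001", "GDPR"}),
    # An Irish subsidiary of a US parent: has EEA regions but is still CLOUD Act exposed.
    Provider("AcmeCloud EU", "IE", "US", {"IE", "DE", "FR"}, set(TRACKED_CERTS)),
    Provider("AcmeCloud US", "US", None, {"US", "CA"}, {"SOC 2", "HIPAA"}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyse_stack("DE", SAMPLE_STACK), indent=2))
```

The point worth noticing is the second provider: incorporation in Ireland does not lower its risk below Medium, because the page's rule looks through to the US parent, and its EEA regions are what keep it out of High.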

Compliance Certifications

The five compliance frameworks tracked for every provider in the database. Strictly, SOC 2 is an independent attestation report and GDPR and HIPAA are laws rather than certifications; "tracked" here means the provider evidences compliance, not that a certificate exists.

SOC 2

System and Organization Controls 2 (formerly Service Organization Control 2) — AICPA attestation framework that audits controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Demonstrates that a provider has undergone independent verification of its security controls; a Type II report covers operating effectiveness over a review period, which is what enterprise procurement processes usually ask for.

ISO 27001

International standard for information security management systems (ISMS). Covers risk assessment, access control, and incident management.

Globally recognized certification that shows systematic management of information security risk. Often requested as evidence of appropriate technical and organisational measures in vendor assessments and data processing agreements.

GDPR

General Data Protection Regulation — EU regulation on data protection and privacy for individuals within the European Economic Area.

Applies to any provider processing personal data of individuals in the EEA, whether or not the provider is established there. Non-compliance carries fines of up to 4% of annual global turnover or EUR 20M, whichever is higher.

HIPAA

Health Insurance Portability and Accountability Act — US federal law protecting sensitive patient health information.

Applies to providers that store or process protected health information (PHI) for US healthcare organizations; a cloud provider does so as a business associate under a signed Business Associate Agreement (BAA). Its Security Rule requires administrative, physical, and technical safeguards, including access controls, audit trails, and encryption (an addressable specification).

PCI DSS

Payment Card Industry Data Security Standard — requirements for organizations handling branded credit cards.

Mandatory for providers processing, storing, or transmitting payment card data. Defines 12 requirements covering network security, encryption, and monitoring.

Data Privacy Laws

All 11 privacy and data protection laws tracked in the database.

Act on the Protection of Personal Information

Japan

Japan's primary data protection law regulating the handling of personal information by business operators, with cross-border transfer restrictions.

Max fine: JPY 100M for corporate violations
Key implication: Cross-border transfers require consent or equivalent protection standards recognized by Japan's PPC.

CLOUD Act

United States

US law allowing federal law enforcement to compel providers subject to US jurisdiction to produce data in their possession, custody, or control, regardless of whether it is stored in the US or on foreign soil.

Max fine: Contempt of court penalties
Key implication: Any US-incorporated provider or subsidiary may be compelled to disclose data regardless of where it is stored.

California Consumer Privacy Act (CCPA/CPRA)

California, United States

California state law granting consumers rights over personal information collected by businesses, including the right to know, delete, and opt-out of sale.

Max fine: USD 7,500 per intentional violation
Key implication: Applies to businesses meeting revenue or data volume thresholds that handle California residents' data.

FISA Section 702

United States

US surveillance law authorizing collection of foreign intelligence information from non-US persons located outside the US, through compelled assistance from electronic communication service providers.

Max fine: Contempt of court penalties
Key implication: US providers may be subject to surveillance orders targeting non-US persons, creating risk for EU data subjects.

Federal Act on Data Protection (Switzerland)

Switzerland

Switzerland's revised federal data protection law (revFADP), aligned with GDPR standards, governing the processing of personal data by private persons and federal bodies.

Max fine: CHF 250,000 for individuals (criminal)
Key implication: Cross-border transfers require adequate protection; Switzerland maintains its own adequacy list separate from the EU.

General Data Protection Regulation

European Economic Area

EU regulation governing the processing of personal data of individuals within the EEA. Requires lawful basis for processing, data minimization, and grants data subject rights.

Max fine: 4% of global annual turnover or EUR 20M, whichever is higher
Key implication: Cross-border transfers to countries without an adequacy decision require standard contractual clauses (SCCs), binding corporate rules (BCRs), or another Chapter V safeguard.

Lei Geral de Protecao de Dados

Brazil

Brazil's general data protection law, modeled on the GDPR, governing the processing of personal data of individuals in Brazil.

Max fine: 2% of revenue in Brazil, up to BRL 50M per violation
Key implication: International data transfers require adequate protection or specific legal mechanisms.

Personal Data Protection Act (Singapore)

Singapore

Singapore's data protection law governing the collection, use, disclosure, and care of personal data by organizations.

Max fine: SGD 1M or 10% of annual turnover
Key implication: Cross-border transfers require comparable protection standards in the receiving country.

Personal Information Protection and Electronic Documents Act

Canada

Canadian federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.

Max fine: CAD 100,000 per violation
Key implication: Organizations must obtain meaningful consent and are accountable for personal information transferred to third parties.

Privacy Act 1988 (Australia)

Australia

Australian federal law regulating the handling of personal information by government agencies and private-sector organizations via the Australian Privacy Principles.

Max fine: AUD 50M or 30% of adjusted turnover (whichever is greater)
Key implication: Organizations must take reasonable steps to ensure overseas recipients handle personal information in accordance with the APPs.

UK GDPR

United Kingdom

The UK's retained version of the EU GDPR, supplemented by the Data Protection Act 2018. Governs processing of personal data in the UK post-Brexit.

Max fine: 4% of global annual turnover or GBP 17.5M, whichever is higher
Key implication: The UK has its own adequacy decisions separate from the EU. Transfers from the UK follow UK-specific rules.

CLOUD Act & Intelligence Alliances

US CLOUD Act

The Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US law enforcement to compel US-based companies to provide data stored on servers regardless of their physical location. This means that even if a US-incorporated provider stores your data in an EU data center, it could still be subject to US government access requests.

Providers incorporated in the US or owned by US parent companies are considered exposed. This may create direct conflicts with data sovereignty requirements under GDPR and similar regulations.

Five Eyes Alliance

An intelligence alliance between the US, UK, CA, AU, and NZ with comprehensive signals intelligence sharing agreements. Data stored in Five Eyes countries may be accessible to all member nations' intelligence agencies.

Fourteen Eyes Alliance

Extended to include DK, FR, NL, NO, DE, BE, IT, SE, ES. While the sharing is less comprehensive than Five Eyes, data in these jurisdictions carries elevated surveillance risk for privacy-sensitive applications.

These alliances are highlighted on the map when you select a business country. Providers headquartered in these jurisdictions are flagged in the analysis sidebar so you can make informed decisions about where your data resides.