Data Sovereignty for Fund Managers

Everything fund managers need to know about where their data lives and who can access it.

Data sovereignty is the principle that data is subject to the laws and governance of the jurisdiction where it is stored. For fund managers, this has moved from a theoretical concern to an operational requirement — driven by GDPR, PDPA, the CLOUD Act, and increasingly assertive regulators worldwide.

Fundamentals

What is data sovereignty?

Data sovereignty means your data is subject to the laws of the country where it physically resides. If your fund's deal analysis data is stored on US servers, it is subject to US law — including the CLOUD Act, which can compel disclosure regardless of where the data's owner is located.

Why does data sovereignty matter for fund managers?

Fund managers handle sensitive information — deal terms, LP identities, investment strategies, portfolio company financials. If this data is stored in a jurisdiction with broad government access powers (such as the US CLOUD Act or the UK Investigatory Powers Act), it could be accessed without your knowledge or consent.

What is the CLOUD Act?

The Clarifying Lawful Overseas Use of Data Act (2018) allows US law enforcement to compel US-headquartered technology companies to provide data stored on their servers, regardless of where those servers are located. This means data stored by AWS, Google Cloud, or Microsoft Azure can be accessed by US authorities even if the server is in Singapore, Dubai, or London.

Self-Hosted vs Cloud

What does self-hosted mean?

Self-hosted means the software runs on servers that you control — either physical hardware in your office or virtual servers rented directly from a hosting provider. No third-party SaaS company has access to your data. DiligenceWorks deploys into infrastructure under your control.

Is self-hosted more secure than cloud?

Self-hosted and cloud can both be secure or insecure depending on implementation. The key difference is control: with self-hosted infrastructure, you control access. With cloud SaaS, the provider controls access and may be compelled by their home jurisdiction's laws to provide it to third parties.

What is the difference between data residency and data sovereignty?

Data residency means data is stored in a specific country. Data sovereignty means data is subject only to that country's laws. You can have data residency without sovereignty — for example, US cloud providers operating servers in the EU still face US CLOUD Act obligations.

Regulatory Requirements

Does GDPR require data sovereignty?

GDPR does not mandate physical data location within the EU, but it restricts transfers to countries without adequate data protection. Self-hosted infrastructure within the EU eliminates cross-border transfer questions entirely.

Does Singapore's PDPA require local data storage?

PDPA does not mandate local storage but requires organisations to ensure adequate protection for data transferred overseas. Self-hosted infrastructure in Singapore simplifies PDPA compliance by keeping data within the jurisdiction.

How does Australia's CPS 230 relate to data sovereignty?

CPS 230 (effective July 2025) requires APRA-regulated entities to manage operational risks including technology dependencies. Using self-hosted infrastructure reduces third-party concentration risk — a specific concern under CPS 230.

DiligenceWorks Approach

Where does DiligenceWorks store data?

DiligenceWorks deploys into infrastructure under your control, in the data centre of your choosing. We do not operate a central cloud — your instance runs on your servers. Options include Hetzner (Germany), Vultr (Singapore, Tokyo, UAE), OVHcloud (London, Sydney, Quebec), and others.

Can DiligenceWorks access my data?

No. DiligenceWorks deploys into your infrastructure. We provide the software; you control the servers. We cannot access your data unless you explicitly grant support access.

What happens to my data if I stop using DiligenceWorks?

Your data stays on your servers. Since DiligenceWorks runs on infrastructure you control, stopping the subscription simply means the software stops receiving updates. Your data is not held hostage.

Have More Questions?

Book a discovery call to discuss your specific requirements.
