Let's decipher together the concept of digital sovereignty, a crucial issue for SaaS publishers like Kls. In this article, we explore in depth how Kls understands and ensures this sovereignty through its technical and strategic decisions.
What is digital sovereignty?
As a SaaS publisher, digital sovereignty is a major issue. But what exactly do we mean by digital sovereignty?
As Aude Schoentgen explains in her article Digital sovereignty: differing interpretations by states, companies and citizens, there is no universal definition. However, we tend to refer to the ability of a country, organization or even an individual to exercise complete control over its digital data, infrastructure and technologies. This implies autonomy and independence from external actors in the management and protection of these vital elements.
So, contrary to some preconceived ideas, it's not just about data hosting, although that remains an important component of the subject.
Technology sovereignty
While Kls places great emphasis on the quality of its products and their co-design, in order to provide solutions tailored to its customers' problems, the software publisher also owes it to itself to master the technologies it uses.
When it comes to choosing one, Kls first and foremost favors open source bricks (i.e. thesource code is freely available to those who want it) which allow for greater transparency. Among other important criteria, we look at:
- the independence of the development team,
- the popularity of the technology,
- its worldwide use,
- or the community's recognition of it.
This allows us to ensure that we don't lock ourselves into technologies with no future, too closed or little recognition.
We can also contribute to improving some of the open source technologies we use, for the good of Kls and the community.
When the use of a free or open source technology is not relevant, we strive to limit the impact of our choice on the rest of the application by separating the different bricks that helped build it. In this way, should the need arise or a more relevant solution emerge, we minimize the effort involved in migrating to it. This is essential if we are to ensure the longevity of our offering over the coming decades, as the ecosystem is set to evolve significantly with the emergence of new technologies and the demise of others.
The final aspect of technological sovereignty concerns its use. At Kls, all developments are carried out in-house, and recourse to external service providers is very rare. When we do, they are integrated into our team and their work systematically reviewed by Kls staff. In this way, we retain control not only of the technologies underlying our product, the Kls Desk, but also of how they are used.
Infrastructure sovereignty
By construction, the Internet is global, everything is connected. Logically, therefore, it's possible to spread one's infrastructure over several continents without any technical problems.
However, the news of recent years, be it conflicts or the COVID-19 pandemic, have not failed to remind us that global balances are fragile and that relations between countries can become strained.
In this context, we have chosen to locate our infrastructure in the European Union. All our servers and the services we use for our platform are located in the Paris and Dublin regions. In this way, not only do we comply with the RGPD by avoiding data transfers outside the European Union, but we also limit the geographical footprint of our service. We also remain in a restricted environment in which we can have confidence, and which reduces the risks of unavailability that great distances accentuate.
This does not mean that access to Kls Desk is limited to Europe. Being accessible via the Internet, it remains available on every continent.
But then, why not use a European host ?
If we've chosen to put our infrastructure with AWS, it's not because of the multiple advantages they put forward (even though we benefit from them) but because, at present, no European host offers such a comprehensive security package at prices that remain reasonable for a company like ours. Indeed, as Doctolib explains in the article Why does Doctolib use Cloudflare?, there is still no European solution up to the challenge.
Be careful not to confuse hosting with location. Hosting refers to the company with which we have our infrastructure (AWS so in the US) which is different from the location of our infrastructure/servers (in the EU).
Actually, since AWS is the world's largest public cloud provider, it enjoys a considerable advantage linked to the mass of data represented by the traffic that passes through it. As a result, it is easier to identify abnormal behavior and detect a bot for example when it reproduces the same patterns on hundreds of servers than when it does so on just a few machines.
As described in AWS's shared responsibility model, data security in the cloud is our responsibility, not the host's. So, even if the latter has a good level of security (ours is ISO-27001 and SOC 2 certified), it's up to us to protect our data and, above all, that of our customers and users. As we explained in our article Data security: how does encryption work? The Kls example, we implement several levels of security.
While we use the native encryption mechanisms offered by our hosting provider, we see these as additional measures rather than the main security measure that ensures we have control over the data we handle and store. That's why we've developed a unique encryption mechanism over which only our application has control. While we rely on standard, tried-and-tested technologies - a staple when it comes to security - the fact that we've set up an application mechanism means we can guard against any data manipulation should an actor come to obtain the various pieces of the puzzle that make up the documents we encrypt and their keys.
Impact of the CLOUD Act and other current legislation
The CLOUD Act is an American law often evoked when discussing the issue of digital sovereignty. Contrary to what its name might suggest, the CLOUD Act is not specific to cloud computing, but relates to the use of data outside US borders. With its full name Clarifying Lawful Overseas Use of Data, this law lays down a legal framework concerning requests that US judicial authorities can make to communication service providers such as telephone operators or public cloud providers. It should be noted that law enforcement agencies can request access to data that would not be located in the U.S.
While the text gives certain rights to US authorities, it also sets certain limits. For example, providers are fully entitled to contest requests that would conflict with the laws or interests of another country. The scope of the requests that can be issued is also limited, since it only applies in the context of a judicial warrant issued in connection with an investigation into an actual or potential crime. However, it would be unreasonable to consider that there is no risk that the data we process could be requested by US authorities.
From a technical point of view, it should also be noted that suppliers are not obliged to provide decrypted data. So, if the data is properly encrypted (we use the AES-256 algorithm), it won't be able to be exploited, by anyone, even if they hold a copy.
Finally, don't you think that the data is encrypted?
Finally, let's not forget that today's legal framework is not necessarily tomorrow's: 2001 saw the birth of the Patriot Act in the United States, a law that strongly encouraged European companies to favor sovereignty. What will we see appearing in the next few years?
Kls serene on sovereignty
As we've seen, digital sovereignty is a vast subject that encompasses several issues, both political and technical. At Kls, we do our utmost to meet our customers' challenges in every respect. We do our utmost to protect our interests and, above all, those of our users and customers.
As the world is constantly evolving, particularly the world of technology, we will continue to study all the options available to us and be ready to evolve our platform to maintain and even improve our sovereignty.
As more and more European initiatives emerge to counterbalance the American giants, we can assume that within a few years, a credible and viable alternative will emerge. This is part of the opportunities we can look forward to take our sovereignty a step further.
