Homepage    |    Wiki    |    GitHub    |    Twitter

Where is Joplin Cloud hosted?

This question didn't seem to fit Development, Features, nor Support. So into the Lounge it goes :wink:

I'm curious about the Cloud. I found one mention of hosting, so far, and it was in a question which I think nobody who read it knew the answer to.

I've been weighing out self-hosting vs managed hosting. Knowing where the managed hosting is located is information that I'd find useful. As an example, a region would give me a rough idea of latency, a country of data protection laws, and the data centre of the specific standards they follow.

Most of all, it might scratch the itch I get when I don't know something I want to know.

1 Like

On the joplin cloud website itself you can read the privacy policy and terms & conditions.
I won't pretend to know physically where the data is stored but the company itself is registered in England & Wales

We follow GDPR, which for now still applies in the UK too. Even if they somehow implement a weaker version of it later on, we'll probably still stick to the more restrictive GDPR guidelines (and of course we'll also comply with whatever is required in the UK).

1 Like

@Daeraxa Thank you, I appreciate the link, pointing me in the direction of the legal registration :tada:

@laurent Thank you, I am grateful to be made aware about the intent to probably stick to the stricter of either GDPR or whatever framework the UK chooses to implement :sparkles:

Please be aware, that GDPR gives also protection against public/governmental access rights. If UK would change to more US-like rules, Joplin Cloud wouldn’t be able to protect the data by holding on GDPR principles internally. Fortunately this is a theoretical scenario today, but laws can change.

Right, it's mainly in terms of data retention that we can follow a regulation that's stricter than the default, but government access rights we indeed can't do anything.

Whether it will be a problem or not, we'll see. With the recent improvements to E2EE I'm still hoping that we can make it the default eventually, as it's the best way to secure user data even from someone with access to the server.

1 Like

Fair points, indeed. I find the priority given to encryption quite positive. I'm also keen on E2EE, in part because of how data protection regulation can change and because E2EE protects against bad actors. On principle, I'm in support of making E2EE the default whenever user data leaves the client.

On that note, I'm particularly interested in the extension of E2EE to include shared notes through Server/Cloud. I've found content in a few places that suggest shared notes are now covered by E2EE. But, I'm baffled that the announcement for 2.6 doesn't mention E2EE explicitly, only that collaboration on encrypted shared notes is now possible. To me, the text implies Shared Notes are now included in E2EE; but I'm open to the idea that I've misinterpreted what I read.

This is my current understanding:

GB has left the EU 1st Jan. 2021, therefore, GDPR is not valid in UK.

There is an agreement between EU and GB that EU recognizes UK as a “third country” with equivalent level of data protection.

Therefore, data of EU residents can be transferred to UK with consent of the end user if data contains personal information.
This agreement runs out July, 1st 2025, currently without extension.

For business of any kind, the GDPR demands storage of all business data in GDPR-compliant countries, which ultimately means that the physical storage location must be within the EU borders.

Due to this requirement of the GDPR, the use of the Joplin Cloud by business users would likely be a data protection breach based solely on their location in the UK.

Can confirm as example that we added a policy to our procurement proces, meaning the hoster must keep data within the European Economic Area.

GB has left the EU 1st Jan. 2021, therefore, GDPR is not valid in UK .

That's not what the ICO website says:

Does the GDPR still apply?

Yes. The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.

The UK GDPR | ICO.

A number of EU laws has been retained in the UK or have been converted to equivalent ones, because they still need to trade with the EU. One can hope they'll permanently keep GDPR, otherwise as you've noted it would make cross-border business needlessly complicated.

»The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review.«

This is the hurdle: Having the same law does not mean that it applies from EU view. Because of that, there is the “agreement” until July, 2025.

The major thing left out there: The storing of data by business users. It is (up to then) no problem to transfer data to UK. But as a (for example) German company I have to store my data in EU countries.

To be clear: Cross-border business IS needless complicated.

1 Like

Thanks for clarifying, that makes sense.