Legal, Risk and Compliance

The correct answer is that strong encryption is performed prior to data transfer and the decryption keys are held exclusively by the data exporter. According to the European Data Protection Board (EDPB) Recommendations 01/2020 regarding supplementary measures for data transfers (following the Schrems II ruling), 'Use Case 1' refers to data storage for backup or other purposes where the data remains encrypted at rest and in transit. For this measure to be considered effective against public authority access in the third country, the encryption keys must be retained solely under the control of the data exporter (or a trusted third party in the EEA). This ensures that even if a public authority in the destination country compels the cloud provider to hand over the data, the provider can only supply unintelligible ciphertext.

The other answers are incorrect:
- Employing 'Bring Your Own Key' (BYOK) usually involves importing keys into the cloud provider's Hardware Security Module (HSM). While this increases security, the keys are technically within the possession of the data importer's infrastructure. If the importer is subject to surveillance laws (like FISA 702), they could potentially be compelled to use those keys to decrypt data or grant access to the HSM, rendering the measure insufficient for this specific compliance requirement.
- Storing the additional information required for attribution (re-identification keys) alongside the dataset in the destination jurisdiction negates the protection of pseudonymization. To be effective, the re-identification data must be kept exclusively by the data exporter in the protected jurisdiction.
- Relying solely on organizational measures, such as challenging government requests, is not sufficient when the law of the third country mandates access and overrides contractual obligations. While this is a good practice, 'Use Case 1' specifically relies on the technical guarantee that the importer cannot access the data even if they wanted to.

The correct answer is to assess the SaaS provider's vendor governance framework to validate the rigor of their oversight applied to the infrastructure host.

In the context of Cloud Security and Enterprise Risk Management (ERM), managing Nth-party risk (the risk posed by the vendors of your vendors) relies on the principle of cascading trust and verification. Since the organization has a contractual relationship with the SaaS provider but not the underlying infrastructure provider, it lacks the legal standing to audit the infrastructure directly. Therefore, the most strategic approach is to audit the SaaS provider's vendor management program. This ensures that the SaaS provider is effectively monitoring and holding their infrastructure provider accountable against industry standards, effectively extending governance down the supply chain without requiring impossible direct access.

Why the other answers are incorrect:

Mandating direct audit privileges is incorrect because public cloud infrastructure providers generally do not permit individual customers of their SaaS tenants to perform physical audits of their data centers. This approach is unscalable and counter to the multi-tenant utility model of public cloud computing, which relies on third-party attestations (like SOC 2 or ISO 27001) rather than direct customer audits.

Operationalizing tripartite agreements is incorrect because it is rarely feasible legally or effectively. Hyperscale cloud providers typically will not sign liability agreements with entities that are not direct customers. Furthermore, while this might transfer financial liability, it does not provide assurance regarding the actual security posture or reduce operational risk.

Implementing compensatory data isolation controls is incorrect as a primary assurance strategy. While applying additional controls at the application layer is a good defense-in-depth practice, it acts as a mitigation for potential vulnerabilities rather than an assurance activity that validates the supply chain risk management process itself.

The correct answer is that the jurisdiction maintains an adequacy decision regarding its data protection level.

Under the General Data Protection Regulation (GDPR), the transfer of personal data to a third country (a country outside the European Economic Area) is generally restricted unless specific safeguards are in place. However, the European Commission has the power to determine that a third country ensures an adequate level of protection by reason of its domestic law or the international commitments it has entered into. This is called an 'adequacy decision'.

Argentina is one of the specific countries that the European Commission has formally recognized as providing adequate protection. Consequently, personal data can flow from the EU to Argentina without any further safeguards being necessary, making the legal friction comparable to transferring data between EU member states.

Here is why the other options are incorrect:
- Mandating exclusive data localization protocols would require data to stay within the country (or in this context, force data to be stored locally upon arrival), which restricts cross-border data flows rather than facilitating them.
- Requiring Standard Contractual Clauses (SCCs) is a mechanism used when a country does not have an adequacy decision. While SCCs allow for legal transfer, they introduce more administrative and legal friction than an adequacy decision because specific contracts must be executed between the exporter and importer.
- Binding Corporate Rules (BCRs) are internal rules adopted by multinational groups of companies to define their global policy relative to international transfers of personal data. Implementing BCRs is a rigorous and time-consuming process requiring approval from supervisory authorities, and it is a mechanism for specific organizations rather than a country-wide regulatory classification.