data.day

The Jurisdiction Checklist: 9 Questions We Ask Before We Sign

A procurement checklist to ensure data sovereignty. Stop buying software like office supplies and start treating contracts like treaties.

The Fine Print is a Minefield

The contract landed on my desk with a sticky note: “Standard Terms, legal has reviewed.”

I respect our legal team, but they look for liability caps and indemnity clauses. They do not always look for the trapdoors where sovereignty escapes. I flipped to the section on “Sub-processors.” It was a URL. A dynamic link.

“This is unacceptable,” I told the procurement officer. “This link allows them to change who processes our Citizen data without our signature. Today it is a data center in Amsterdam. Tomorrow it is a call center in a jurisdiction with no privacy laws.”

We do not sign “Standard Terms.” We sign treaties. And every treaty needs a border patrol.

The Threat: Sovereignty by Footnote

The greatest threat to municipal data is not the hacker; it is the Terms of Service update. Vendors treat jurisdiction as a fluid concept to optimize their tax burden or server load.

They frame these shifts as “features”—global redundancy, follow-the-sun support, AI optimization. In reality, they are violations of our duty to the Citizen. When a support ticket is opened and a technician in a third country logs in to debug the issue, that data has effectively crossed a border, whether or not a single byte was copied to a server there. Was there a visa issued for that data? No.

We cannot rely on verbal assurances. If it is not in the contract, it does not exist.

The Treaty: The 9-Point Jurisdiction Checklist

We do not proceed to a pilot until these questions are answered in writing, attached as an addendum to the contract.

  1. Data Residency: Can you guarantee contractually that data at rest, including backups, replicas and disaster-recovery copies, will never leave [Specific Jurisdiction]?
  2. Support Access: From which countries can your support staff access our live instance? (We require a list, not “Global”).
  3. Sub-processor Logic: Do you require our affirmative consent before adding a new sub-processor, or just “notification”? (Notification is insufficient; a link to a page you can edit is not a sub-processor list).
  4. The Subpoena Protocol: If a foreign government requests this data, do you commit to challenging it in court and notifying us immediately, to the fullest extent the law allows you to notify?
  5. Encryption Custody: Who holds the root keys? You, us, or a third party? (If you hold them, a court order served on you is a court order for our plaintext).
  6. Metadata Sovereignty: We know the core data is here, but where are the telemetry, logs and usage data processed? (Often, this leaks sensitive behavioral patterns to the US).
  7. Exit Format: In what file format will our data be returned upon termination? (Proprietary formats are a trade embargo; we require an open, documented format).
  8. Governing Law: Which country’s law governs this contract, and in which country’s courts or arbitration forum are disputes heard?
  9. Survivor Rights: If your company is acquired by a foreign entity, do we get an immediate right to terminate, with our data returned under Question 7?

This checklist is not polite. It is not meant to be. It is the border control of our digital territory. If a vendor chafes at these questions, they are not looking for a partnership; they are looking for a colony.

FAQs

Why does the location of support staff matter?

Support staff often have root access. If “Follow the Sun” support means a technician in a non-adequate jurisdiction accesses the database, the data has technically left the country, even if it was only viewed on a screen.

Is this checklist too aggressive for small vendors?

Small local vendors usually pass this more easily than Big Tech. It is the giants who rely on vague global terms.

What if they refuse to answer?

Then they are hiding a liability. We walk away.