"You pay a bit more, but you get a lot more control," Enderle explained. "Particularly if you are talking about sensitive or regulated data, that control becomes a requirement."
Since Safe Harbor's defeat in October, OwnCloud has seen an increase in the number of inquiries it's received, Rex said.
"It's tough for enterprises operating across national boundaries because the laws are all different -- at least for now -- and the legal environment is changing rapidly," said Roger Kay, principal analyst at Endpoint Technologies Associates.
Generally, if an organization is in charge of its own storage, it can set up its "depots" in each country according to its legal requirements, Kay pointed out.
"Of course, this is more expensive, since a single data center might be able to handle a whole region," he added. "But it's a best practice to spread data around among data centers anyway, for redundancy, efficiency of access and disaster recovery."
There is a slight risk if the system includes resources from multiple parties -- in this case, the EFSS and storage providers, Kay said. Specifically, "the interface between the two and with the enterprise customer may offer an exploitable weak link."
A fully integrated system could also run more smoothly.
Still, "if a company follows the rule 'keep the data in its country of origin,' it's in pretty good shape legally," Kay said. "There is a cost to that schema," but it may be less than the fines the company might face for not following such a regimen, he added.
OwnCloud's software has been downloaded some 7 million times this year -- roughly double last year's count. It claims more than 2.5 million users today. There's also an enterprise version offering features such as SharePoint integration, Oracle database support, a file firewall and a logging module with reporting. That version is priced starting at $9,000 per year for 50 users. OwnCloud currently boasts about 250 paying customers, the majority of which are split pretty evenly between EMEA and North America.
For CIOs wrestling with data-sovereignty questions, Rex has a few suggestions. First and foremost, "make a conscious decision," he said. "Watch out for your shadow IT, and don't let your traveling sales team decide your data privacy laws."
Second, "what really matters is where the encryption keys are stored," he warned. "Just because someone tells you the files are encrypted, if they have the keys, it's a bit pointless."
Sign up for CIO Asia eNewsletters.