Does FDA consider it acceptable for data to be distributed across a cloud computing service’s hardware at several different geographic locations at the same time without being able to identify the exact location of the data at any given time?

If appropriate controls are in place, there are no limitations regarding the geographic
location of cloud computing services. However, it is critical for sponsors and other
regulated entities to understand the data flow and know the location of the cloud
computing service’s hardware in order to conduct a meaningful risk assessment regarding
data access, integrity, and security. Data privacy laws may differ from country to
country. Therefore, sponsors and other regulated entities should perform appropriate risk
assessments to ensure that data residing on storage devices outside their country can be
retrieved and accessed during FDA inspections.