by sreitshamer 4797 days ago
But what if the app stored the data in your own AWS account, encrypted with a key only you know? (That's what we're building at Filosync)
2 comments

Probably still not acceptable for many of these situations, especially when you're signing these kinds of data custody agreements. Oftentimes they specify requirements for physical custody of the hardware, and even if they don't, adding third parties into the mix (Amazon and you) may make the auditing requirements more complicated.

A lot of the time, these requirements are more about auditing and liability than about technical security measures.

That's usually fine as long as you haven't committed yourself to specifics such as using local servers only.