No, there are generally no laws that would prohibit a cloud service provider from hosting data outside of the US. However, foreign-based cloud service providers must acknowledge the authority of US regulatory agencies to examine the services performed. As a result, a cloud service provider should agree that US regulatory and enforcement agencies might audit the cloud service provider abroad, to the extent necessary to assess its compliance with the relevant US legal framework. The cloud service provider must also be willing to cooperate with any audit of its practices and information security program.

The Office of the Comptroller of the Currency ("OCC") has issued a bulletin regarding the use of foreign service providers: Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance (OCC Bulletin 2002-16). This bulletin highlights that, although the use of foreign third-party service providers is permissible, these providers may raise unique compliance issues and risks for the bank that may require enhanced monitoring of the third party, management of country risk through protective contract provisions, and other risk management tools. In addition, the guidance notes that the bank should consider how foreign data privacy laws or regulatory requirements may interact, or even conflict, with US privacy laws and regulations, including with respect to the bank's access to information and the bank's obligations regarding safeguarding customer information.