The vendor must host data in a specific geographic location to ensure that the data is protected by the applicable data protection laws of the EU or the country where the data originates. This is especially important for SaaS customers who transfer personal data from the EU to third countries, as they need to comply with the GDPR and the new Standard Contractual Clauses (SCCs) that regulate such transfers. The vendor must also provide adequate security measures and guarantees to protect the data from unauthorized access, disclosure, or loss. References = Risk and Information Systems Control Study Manual, Chapter 5: IT Risk Mitigation, Section 5.3: IT Risk Mitigation Strategies and Approaches, Page 253; Data Protection – New EU Standard Contractual Clauses - Bodle Law.