Where your data should actually live.
This is the question most small business owners get nervous about. Three buckets, one rule, what to ask your builder. Takes seven minutes.
If the word “AI” makes you picture your client files sitting on an American server owned by a company you have never met, you are not wrong to be nervous. Some of them do. The good news is you get to choose.
Here is a plain way to think about where the information in your business should live once you have a business automation working with it. It takes five minutes to read and will save you from most of the mistakes I see owners make on this.
Three buckets.
Every piece of information in your business belongs in one of three buckets. Not two. Not “it depends.” Three.
- Private.
  Client session notes, medical records, immigration files, HR information, anything under privilege, anything you would be sued over if it leaked. This bucket never leaves your computer. Ever.
  How: the AI runs on your own machine. Nothing is sent anywhere.
- Semi-private.
  Internal strategy notes, your own meeting minutes, rough drafts, early thinking. Not secret, but not for the public. Can live on a server you control or on your own computer. Not on somebody else's AI.
  How: a private server, or your own machine. You choose.
- Public.
  Marketing copy, published blog posts, information you would happily Google. Fair game for any cloud AI. No privacy reason to bottle it up.
  How: any tool. Use whatever is convenient.
The simple rule.
The reason this rule is so strict is that most builders are lazy about it. Cloud AI is cheaper and easier to build against, so the default choice, if you do not push back, is to send everything to someone else's server.
You have to be the person who says no. A good builder will thank you for it. A bad one will explain why you do not need to worry. Listen carefully to which you are hearing.
What to ask your builder.
On your first call. Before any money changes hands. Take notes.
- For each piece of data my business handles, which of the three buckets is it in?
- Where will each bucket live, specifically? (“My laptop,” “my server,” or “a named cloud provider.”)
- Who else can see the data in each bucket? Including you, the builder.
- What happens to my data if we stop working together? Can you prove it is deleted?
- If you use any third-party services, which ones and for which bucket?
Red flags.
- “It's encrypted, so it's fine.”
  Encryption protects data in transit. It does not solve the question of whose server it lands on. Encrypted data you do not own is still not yours.
- “We route it through a third party, but it's anonymised.”
  Ask which third party. Ask what “anonymised” means in specific terms. If the answer is hand-waving, the data is not as private as they say.
- They cannot tell you which bucket applies to your workflow.
  They have not thought about it. Which means they have not thought about your business. Get someone who has.
That is it.
Three buckets. One rule. A short list of questions. You do not have to understand encryption or cloud architecture to protect your clients. You just have to know which bucket each piece of information belongs in and insist that your builder treats it that way.