Issue

The creation of a new set of enterprise systems by the ERP Rebuild program provides an opportunity to revisit historical decisions about the hosting locations of IT systems which were made in a time of on-premises data centres and were potentially influenced by acquisitions of businesses or other legacy Solvay concerns. This is done to better leverage available cloud technologies, SaaS and PaaS components, improve security and data protection, or improve end user experience. 

Recommendation

This document recommends continuing the current practice of using the European Union as the primary hosting location for global IT systems serving the Syensqo group as a whole. There are no architectural reasons to recommend building the new enterprise systems in the other viable alternative of the United States. A European location is expected to confer somewhat lower expected network latencies for the average end user, and a lower carbon footprint of the computing infrastructure. However most significant are legal and regulatory considerations which could prove to be significant barriers to a change away from an EU location. Understanding in detail the extent of these considerations, and the mitigations required to address them, would require an in-depth analysis by legal experts, and at a minimum, the creation of internal contractual frameworks to ensure compliance with relevant data protections and export controls. The recommended option is also referred to as Option B in this document. 

Background & Context

Historically most of Solvay's global IT systems have been located in on-premises data centres in Civirieux (north of Lyon in France), or AWS and GCP regions in Europe (predominantly the Netherlands and Germany). Global SaaS applications have followed this allocation, with Salesforce and other global SaaS instances being placed in the EU. For the purposes of this document, the countries of the EU are treated as a single geopolitical entity, with no distinction being made between countries of the Union. One exception to this is the discussion on network latency, where geographical 'Europe' designation is used. This includes other geographically proximate countries not in the Union, e.g. the UK, Luxembourg, Switzerland. 

The map below shows the geographic distribution of Syensqo staff across the world, followed by a pie chart summarising allocation across major geographic regions. 

Assumptions

• The ERP Rebuild program aims to, where possible, deploy a single, global instance of every enterprise system in scope of the program. Separate instances for specific countries (e.g. China) are not being deployed, because a thorough investigation into the relevant legal, regulatory, strategic, and security aspects determined that adequate security controls could be attained in a single-instance system without physical separations. 
• There are no technical barriers which limit access of Syensqo staff to the jurisdictions being considered for hosting the enterprise systems. Specifically Syensqo users located in mainland China are able to access business systems, including SaaS systems, via Syensqo-managed VPN tunnels regardless of the physical location of these systems. See also Specific architecture for China. 
• The European Union is treated as a single contiguous geopolitical region for the purposes of this document. 
• Syensqo does not have a requirement to locate infrastructure inside the borders of Belgium. 
• Syensqo enterprise systems do not contain any data that is formally Classified by the government of the US or any other nation. 
• Hosting in the EU satisfies export control requirements by the UK, EU, China, and other countries to whose regulations Syensqo is exposed to, potentially via export licenses, because Syensqo's existing ERP systems are hosted in the EU and thus presumably data export to the EU and storage inside the EU has been authorised. 
• ITAR is more restrictive than the US Export Administration Regulation ("EAR") covering dual-use products. Any solution that is sufficient for ITAR will also be sufficient for EAR. This assumption is intended to be validated prior to Approval of this document. 
• Adopting the recommendation described in this document would entail an export from the US to the EU of information beyond that which is governed by export controls such as ITAR and EAR, because the existing "BOM Vault" system WPX contains information that is not subject to the export controls of ITAR and EAR, but may be covered by other regulations, such as US data privacy regulations. It is assumed that no regulatory obstacles exist to the export of such data. The WPX system contains no personal data that is not already in EU-hosted systems. 

Constraints

• Due to the incumbency of the European Union as both the physical location for Syensqo's existing enterprise systems and data processing (e.g. by Shared Services staff in Portugal, management staff in Belgium and France), Syensqo do not have a comprehensive internal contractual framework for the export of various data from the EU to other jurisdictions. Scoping and implementing such a framework is a prerequisite for the implementation of enterprise systems outside of the EU. It may not be possible to fully implement the required contracts and processes within the timeline of the ERP Rebuild program. 
• This design has not been validated against the requirements of CMMC 2.0 Level 2, because it is deemed not to apply to Syensqo's ERP system. CMMC is a US Department of Defence cybersecurity assessment framework applicable when handling Controlled Unclassified Information (aka "CUI"). The majority of CUI handled by Syensqo is in the form of Customer Specifications, which are mainly used in Quality systems and processes. Bills of Material were validated by Syensqo's CMMC Assessor and external Counsel (Arnold and Porter), to be outside of the definition of CUI. 

Impacts

• The use of a single-instance SAP S/4HANA system located in Europe requires careful implementation of additional technical controls to ensure continued compliance with the ITAR data export restrictions. The use of NextLabs DAE is foreseen to provide field-level encryption of ITAR-classified data inside S/4HANA (and potentially SAP GTS). Although the relevant details are out of scope of this document, in summary, when protected by encryption end-to-end, ITAR-relevant data can be transmitted and stored outside of the USA without being considered to have been exported (see US CFR § 120.54 Activities that are not exports, reexports, retransfers, or temporary imports, and explanatory notes by the Department of State). For more details on NextLabs, please refer to Logical Architecture of NextLabs DAE. 

Business Rules

• When entering into agreements for software systems provided as SaaS, PaaS, or IaaS to the Syensqo group globally, preference must be given to the use of the EU as the physical hosting location unless adequate contractual and legal safeguards and controls are in place. 

Options considered

The scope of this discussion is limited to globally-used instances of enterprise systems, such as S/4HANA, SAP DataSphere, Salesforce, etc. Local site-based applications in the Manufacturing Execution Systems, Laboratory Management Systems, and R&I domains are not covered by this document, and should continue to be deployed in line with operational requirements and applicable data protection and data export control requirements. 

Option A: Build Syensqo's new global business systems in the USA

This option would seek to build all new enterprise systems in data centre locations in the USA. Relocation of existing SaaS systems would be considered on a case-by-case basis depending on integration requirements and data residency and export control requirements. If possible, systems would be located on the East Coast of the continental United States to maximise geographical proximity to Europe, and thus reduce latency from the approx. 42% of Syensqo employees based in that geography. 

Option B: Continue to locate global systems in the EU

This option continues the current practice of the use of the EU as the primary location for enterprise IT systems used globally by the Syensqo group. New systems being established by the ERP Rebuild program would be located in the EU. 

Evaluation

The EU and USA are approximately equivalently beneficial hosting locations from a technical perspective. Europe presents a marginally more beneficial location from a network latency perspective for the 18% of Syensqo users who are located in greater Asia (China, India, South Korea, Thailand); otherwise the user experience obtained via network latency is deemed immaterially different. Both locations offer great breadth of available technology solutions, with multiple "hero regions" of AWS, Azure, and SAP present in each location, thus offering early access to new technologies and sufficient depth of infrastructure to ensure resiliency and scalability. 

However Syensqo's historical choice of the EU as primary hosting location means the company is well-equipped to handle data protection and export controls in this legislative regime, and is ill-equipped to do the same when systems are hosted in the US. As there is no compelling technical reason to deviate from the existing use of the EU, while there are significant and currently largely unknown, legal complexities, this document recommends to continue to use the EU as the primary hosting location (i.e. Option B below). 

	Option A: Located in USA	Option B: Located in EU
Legal/regulatory requirements for data localisation	Superficially appears to be more compliant with the export controls imposed by ITAR, however... ...merely locating a server in the USA does not by itself ensure compliance with ITAR if non-US Residents are also able to access export-controlled data. If personnel who are not US residents must access the system (e.g. IT personnel for administration or maintenance), then mechanisms such as field-level encryption via NextLabs DAE must still be used; alternatively, all non-US Residents must be excluded from access.  Besides the US-based ITAR, Syensqo is also exposed to data export controls from the European Union, United Kingdom, China, Canada, Mexico, and Germany (for selected weapons-related products). Significant investigative work is required to understand the impact of these regulations on any decision to change Syensqo's historic use of the EU as its primary hosting location.	Syensqo has decades of experience handling global data protection requirements with IT systems located in the EU, and subject to EU regulation.  As a company incorporated in the EU, locating core enterprise data in the same jurisdiction minimises total overall exposure to legal and regulatory regimes. Locating this data in another jurisdiction could expose Syensqo to additional regulatory requirements or legal discovery mechanisms.
Internal legal support, inc. data export and data processing agreements	Syensqo currently lacks a contractual framework to fully govern the wholesale export of data from the EU to another jurisdiction. As confirmed by the Group Data Protection Officer, Syensqo decided not to implement at this time Binding Corporate Rules to govern export of data outside of the EU. Establishing such Rules is possible, but requires effort, time, and approval by the relevant competent data protection authority in the EU. This timeline is considered to be beyond that available to the Conceptual Design phase of the ERP Rebuild program.  On 10 July 2023 the European Commission adopted an adequacy decision for the data transfers of personal data between the EU and USA (“EU-US Data Privacy Framework” or “DPF”). This establishes a set of simplified measures for exchanges of personal data and commits organisations to several obligations regarding the processing of personal data. Adherence to the DPF must be certified by the Department of Commerce in the US. Syensqo has not commenced the process of establishing the required measures and obligations, and thus cannot yet take advantage of this mechanism.  The import into the US of information related to military or dual-use items from third countries may cause this data to fall under the scope of the relevant US export control law, and then subsequently prevent use of this data outside of the US unless a relevant license is obtained from the US government.	Data protection principles as defined in the EU by the GDPR are among the most comprehensive and protective in the global landscape. Many regulatory regimes in other countries broadly permit data transfer into jurisdictions with equivalent or higher degrees of data protection; hence transfer from third countries into the EU is less likely to be problematic or require complicated compliance mechanisms.  Ability to reuse existing export licenses permitting the movement of data from third countries into the EU country where Syensqo's current ERP systems are located.  Simplified compliance with the export requirements of the German BAFA authority, which has established that the electronic transfer of software or technology from the EU to a server in a third country constitutes an export, even if the data is solely transferred and stored in encrypted form, and no one in the third country has access to this data. The "encryption exemption" which exists in ITAR (22 CFR 120.54) does not exist in the German regulation.
Availability of SaaS applications	There is no significant difference between the EU and USA when considering the SaaS and PaaS services from SAP and Salesforce in each geography.  An analysis of SAP's Data Center listing (see also below) shows that all SAP SaaS and PaaS services relevant for Syensqo are available in the EU and USA. While SAP's region strategy is less well known than the strategies of AWS and Azure, it appears to be clear that both geographies receive new services upon release, and provide an equivalent degree of hosting location and provider diversity as evidenced by major SaaS and PaaS applications being available in multiple locations in each geography.  An analysis of Salesforce's public documentation reveals no significant differences in the regional coverage between the EU and USA for their core product. The exception to this is the Data Cloud product whose only EU-based hosting option is Frankfurt, although this is spread across multiple AWS Availability Zones for DR purposes.
Depth and breadth of technology platform components	There is no significant difference between the EU and USA when considering the available depth and breadth of technology solutions and platform components.  AWS and Azure operate multiple "hero regions" in both the EU and USA; these are generally the first locations to receive new features and products, offer the largest number of Availability Zones for redundancy, and largest infrastructure footprints to ensure infrastructure is available when needed. This bears greater importance to cutting-edge features such as AI/ML functions than commoditised server and storage services, because delays of a year or more are not uncommon between deployment to hero regions and products reaching smaller locations.
Network latency impact for end users		The EU will provide a marginally superior network latency for the average user at Syensqo.  An analysis of network latency data between the capital cities of countries with a Syensqo presence and the two most-likely hosting locations of Asheville, Virginia (USA), and Amsterdam (EU), when weighted by headcount in each country, reveals that the average latency for the US location is 44% higher than for the EU location.  Syensqo's user base is heavily weighted towards Europe (42%) and North America (36%), followed by Asia (18%). Only 3% of the Syensqo user base is located outside these regions. The Asian geography has generally materially lower latencies to Europe than to North America; China, India, and South Korea can expect to incur latency penalties of up to 120ms when connecting to North America rather than Europe. From a latency perspective, a European location is thus marginally more favourable for the Asian user base.
Carbon footprint		The electricity grid in major EU data center locations (e.g. Netherlands) tends to be marginally less CO₂-intensive than in major US locations (e.g. Virginia) when judged on an annual basis. For example, in the year 2023, the CO₂ intensity of the Dutch grid on a consumption basis was 301gCO₂eq/kWh vs. 396gCO₂eq/kWh for Virginia.
	A caveat to this analysis is that all major IaaS providers purchase electricity directly from power generators via direct purchase agreements that favour renewable energy, rather than obtaining power from the national grid. They also tend to purchase renewable energy offsets for a large part of their operations (e.g. AWS offsets 100% of carbon emissions in most Regions in 2023; Azure will offset 100% of emissions by 2025). Their actual CO₂ footprint is likely much lower to that of the respective national grids.

Below follows a summary analysis of the effect of various combinations of system location and use of NextLabs DAE on the ease of compliance with export controls of the US and EU, as well as EU data protection regulations. 

The conceptual architecture of NextLabs DAE integration into SAP systems is depicted on the separate page Logical Architecture of NextLabs DAE. 

	Located in USA		Located in EU
	With NextLabs DAE	Without NextLabs DAE	With NextLabs DAE	Without NextLabs DAE
US Export Controls (i.e. ITAR, EAR)	Data subject to US export controls is encrypted, at rest, a field level, and can only be decrypted by explicitly authorised persons. The rest of the system can be accessed by persons who are not US Residents and who are located outside of the USA. The system can be remotely supported by SAP.	Data subject to US export controls is not encrypted at rest, and visible to system administrators as well as potentially other users. This means only US Residents located in the US may act as system administrators, developers, etc. The ERP Rebuild program as currently staffed and located, cannot use this system to develop configuration, code, etc.	Data subject to US export controls is encrypted, at rest, a field level, and can only be decrypted by explicitly authorised persons, hence not deemed to be exported under 22 CFR 120.54. No export license is required.	Data subject to US export controls is exported from the US without being protected by encryption. An export license is required.
EU Export Controls (inc. German BAFA)	Storage of export-controlled data outside of the EU is considered to be an export regardless of encryption. An export license is required.		Encryption of export-controlled data is not required, but can be used. Storage in the EU means data is not exported; no licenses needed.	No issues. Encryption of export-controlled data is not required. Storage in the EU means data is not exported; no licenses needed.
	Depending on its nature, data may fall under the scope of US export controls. An export license from the US State Department may be required in order to use this data outside of the US, even though it originated outside of the US.
Data Protection regulations (e.g. GDPR)	After completing the development of its governance, Syensqo would need to establish Binding Corporate Rules, and seek necessary endorsements by the relevant data protection authorities.		Existing compliance mechanisms continue to be applicable.

See also

Maps showing the carbon intensity of the electricity grid by geography

Regional coverage of relevant SAP SaaS and PaaS Solutions

A summary of the List of SAP Data Centres for SAP Cloud Services for products and services relevant for Syensqo is represented below. Numbers indicate the number of physical locations (i.e. data centres or IaaS regions) in which each product or service is available. Availability of a product or service in only a single region in a particular geography may limit the Disaster Recovery options available for that service. This is thus represented as a paler shade of green in the table below. The information for this summary table was retrieved in September 2024, using the then-current version v.9-2024 of the document. The latest-available version can be retrieved at List of SAP Data Centres for SAP Cloud Services. 

Salesforce Locations

Salesforce documentation provides a list of data centre locations from which their application is served. Salesforce maintains 3 separate data centre locations in the USA, and 4 inside the EU (plus one in the UK). Each location provides multiple separate data centres with separate, completely redundant infrastructure. Salesforce additionally leverages AWS locations to deliver the Hyperforce and Data Cloud services. Despite a Dec. 2023 press release announcing the availability of core products on Alibaba Cloud in China, available documentation including those linked below, do not mention hosting locations in China. 

	EU	US	China
Salesforce-managed data centers	4	3	?
Hyperforce locations (hosted in AWS)	4	3	?
Data Cloud	1	2	?

See also the Salesforce Security, Privacy, and Architecture documents for Salesforce Services and Hyperforce.

Technical Resources related to Network Latency

WonderNetworks - latency data for many locations around the world

CloudPing - measure latency to various IaaS locations

Submarine Cable map - showing routes of fiberoptic cables carrying internet services

Excerpt from the 2022 Global Internet Map, published by Telegeography, showing aggregate internet bandwidth between major geographies: 

Change log

Workflow history