November 26, 2025

ITSM or ITAM in the Cloud — Yes or No?

One of the ITSM vendors we work with is Freshworks. All Freshworks products — the ITSM/ESM platform Freshservice, the ticketing system Freshdesk, and its chat-oriented implementation Freshdesk Omni — are fully cloud-based. Therefore, when we start discussing these solutions with customers, we almost always hear: “Oh, it’s cloud-based… we probably can’t use that because of the legislation.”
At the same time, this “legislation barrier” does not prevent companies from actively using services such as Microsoft Teams, Slack, Azure, or AWS.

Considering the global trend toward cloud adoption — and the fact that all new products, whether we like it or not, are released in the cloud — we decided to explore the topic in detail.
So, can ITSM and ITAM be deployed in the cloud or not? Let’s dig in.

Where Do Concerns About the Cloud Come From?

As a rule, the “claims” against cloud platforms come down to two main ideas:

  1. We cannot store personal data in the cloud — the law prohibits it.
  2. We cannot transmit information about our infrastructure to the cloud — someone might gain access.

Let’s break this down step by step.

Personal Data

First, let's understand what counts as personal data under the law.

From the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” dated May 21, 2013 No. 94-V:
https://online.zakon.kz/Document/?doc_id=31396226

“Personal data — information relating to a specific or identifiable subject of personal data, recorded on electronic, paper, or other material media.”

“Personal data are classified into publicly available and restricted access.
Publicly available personal data are those for which confidentiality requirements do not apply and access is open with the subject’s consent.”

So the key criterion that defines data as personal is the ability to uniquely identify a person based on them. Data not protected by Kazakh legislation are considered publicly available — for example, a person’s first and last name. Often the same applies to job titles and even corporate email addresses, which are typically easy to guess using standard patterns like name.surname@domain.kz.

What do customers actually mean when they say “personal data cannot be stored abroad”?

Let’s read further.

Storage Requirements

Article 12. Collection and storage of personal data
Storage of personal data must be performed in a database located on the territory of the Republic of Kazakhstan.

At first glance, that seems final — data must be stored in Kazakhstan. End of story?
Not exactly.

Cross-Border Transfer of Personal Data

Article 16. Cross-border transfer of personal data

Cross-border transfer of personal data is allowed under certain conditions.

Key points:

  1. The receiving country must ensure adequate protection of personal data.
    In the EU, this is regulated by GDPR.
  2. Even if this is not the case, personal data can still be transferred if the subject gives consent.

For example, in the official clarification regarding the transmission of ID document scans through WhatsApp, it is stated:

“To receive copies of identity documents via online platforms or messengers (WhatsApp), the representative must obtain the subject’s consent, including consent for cross-border transfer, as WhatsApp servers are located outside Kazakhstan.”

Meaning: even a passport scan may legally be transmitted to a foreign cloud server if the data subject agrees.

Given that companies already use services like Microsoft Teams — and that employment contracts routinely include personal data processing agreements — using a cloud ITSM platform does not contradict the law. Freshworks’ European data centers are located in Germany, and the company strictly adheres to GDPR and other regulations: https://trust.freshworks.com/

For HR automation, things are a bit more nuanced (due to sensitive data), but even here, consent from the data subject is legally sufficient — which makes cloud platforms such as the newly released Freshservice for Business Teams fully usable.

Security of Cloud Services

"Okay, maybe it’s not illegal… but isn’t it unsafe? If the cloud gets hacked, someone might access our employee data or infrastructure details!"

Here are the key points:

1. SaaS vendors take security extremely seriously

Global vendors whose business depends on trust invest enormously in protecting customer data.
A breach of a bank rarely makes global headlines — but a breach of a major cloud platform always becomes worldwide news, damages reputation, and can drop stock prices by double digits.
This is why companies like Google, Amazon, ServiceNow, Datadog, Freshworks, and Flexera prioritize cybersecurity at a level far beyond that of most enterprises.

2. Cloud ITSM platforms provide extensive security mechanisms

Including:

  • SSO
  • MFA (two-factor authentication)
  • HTTPS encryption
  • Role-based access control
  • IP allowlists
  • Audit logs

Suppose an attacker somehow gains administrator access to an ITSM platform. What can they see?

a. No user passwords are stored.
b. Only publicly available personal data: names, emails, job titles.
c. Infrastructure data: hostnames, IPs, OS and software info, CMDB topology.
    These could indeed help an attacker — but the same applies to any corporate system they compromise.
d. Ticket and change history — potentially useful for planning attacks.
e. Orchestration workflows — if misused, could initiate unauthorized operations.

Thus, the risks of a cloud ITSM platform are roughly the same as those of any compromised on-prem enterprise system.
Monitoring audit logs for suspicious activity is essential.

And above all — security awareness training for employees, because most breaches happen through social engineering.
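
The log monitoring recommended above, as an added example (not from the original article or from any vendor): it correlates the listed controls, flagging logins that bypass MFA or the IP allowlist and escalating sensitive actions that follow them. The event fields, action names and addresses are constructed assumptions, not Freshservice's actual audit-log schema.

```python
import ipaddress

# Assumed corporate egress range (documentation address space, constructed).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical action names for the sensitive operations the article lists.
SENSITIVE = {"workflow.update", "cmdb.export", "role.grant_admin"}

# Constructed sample events; a real platform exports its own schema.
EVENTS = [
    {"ts": "2025-11-20T08:01:00Z", "user": "a.admin", "ip": "203.0.113.10", "action": "login", "mfa": True},
    {"ts": "2025-11-20T08:05:00Z", "user": "a.admin", "ip": "203.0.113.10", "action": "workflow.update"},
    {"ts": "2025-11-21T02:14:00Z", "user": "b.agent", "ip": "198.51.100.7", "action": "login", "mfa": False},
    {"ts": "2025-11-21T02:16:00Z", "user": "b.agent", "ip": "198.51.100.7", "action": "role.grant_admin"},
    {"ts": "2025-11-21T02:20:00Z", "user": "b.agent", "ip": "198.51.100.7", "action": "cmdb.export"},
    {"ts": "2025-11-21T09:00:00Z", "user": "c.user", "ip": "203.0.113.44", "action": "ticket.create"},
]

def ip_allowed(ip):
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)

def review(events):
    """Return (ts, user, reason) findings in event order."""
    findings = []
    risky_sessions = set()  # (user, ip) pairs whose last login looked suspicious
    for e in events:
        key = (e["user"], e["ip"])
        if e["action"] == "login":
            reasons = []
            if not ip_allowed(e["ip"]):
                reasons.append("login from outside IP allowlist")
            if not e.get("mfa", False):
                reasons.append("login without MFA")
            if reasons:
                risky_sessions.add(key)
            else:
                risky_sessions.discard(key)  # a clean login clears the flag
            findings += [(e["ts"], e["user"], r) for r in reasons]
        elif e["action"] in SENSITIVE:
            if key in risky_sessions:
                findings.append((e["ts"], e["user"], f"HIGH: {e['action']} after suspicious login"))
            elif not ip_allowed(e["ip"]):
                findings.append((e["ts"], e["user"], f"{e['action']} from outside IP allowlist"))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(*finding, sep="  ")
```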

Conclusion

In this article, we examined what Kazakhstani law actually regulates regarding cloud storage and processing — and what real risks exist.

Final conclusions:

  1. Kazakh law requires storing data on servers located in Kazakhstan,
    but does NOT prohibit cross-border transfer, as long as data protection requirements are met and/or the data subject gives consent.
  2. Yes, some ITSM-stored data could theoretically help attackers —
    but cloud SaaS platforms do not pose any greater risk than any other corporate system.
    Security best practices must be followed: MFA, encryption, RBAC, IP restrictions, monitoring, and employee cybersecurity training.

How Synta Can Help

Synta is an Authorized Freshworks Partner.
We specialize in implementing Freshservice, Freshdesk, and Device42.

Our team will help you deploy these powerful yet intuitive cloud solutions and get maximum value from automating your service management processes.
