You must take special precautions when receiving, sending and storing sensitive data. For example, storing data on Google Drive is not compliant because contractors that are foreign nationals may be managing your data. The same
goes for other third-party software applications you may use for business management, unless they are taking specific precautions such as hosting their servers on AWS GovCloud.
Even if you are storing your data locally, it may not be safe. You must be careful who accesses data via a desktop or laptop within your facility, and these devices cannot physically leave the country.