Back to glossary

Term

Data Residency

Data residency refers to the physical storage and processing location of data — the geographic region or country where the servers sit. It says nothing about which legal jurisdiction may access that data.

Data Residency — explained in detail

Data residency answers a purely factual question: in which data center, region, and country does my data physically sit, and where is it processed? If you select the region “EU (Frankfurt)” with a cloud provider, your data rests on servers located within the EU.

The crucial distinction is from data sovereignty. Sovereignty answers a legal question: which jurisdiction governs the data — whose courts and authorities can order access, regardless of where the servers stand? Residency is a question of place, sovereignty a question of jurisdiction.

The most important point in practice is therefore: residency does not equal sovereignty. Even when data sits in an EU data center, it can fall under non-European legal authority if the provider is headquartered outside the EU — for example, in the United States.

Example / Practical use

A German company uses an LLM API and deliberately selects an EU processing region to meet GDPR requirements. The inputs (prompts) are processed in Frankfurt and not stored permanently — so the data residency is in the EU.

If the provider is a US corporation, however, the US CLOUD Act applies: it compels US companies to grant US law enforcement access to stored data on request — including data in data centers outside the US. The data physically sits in the EU yet is simultaneously subject to US jurisdiction.

For GDPR-compliant LLM use, EU-region hosting is therefore a necessary but not sufficient building block. Providers such as OpenAI (EU projects with in-region processing), Azure OpenAI (EU Data Boundary), or Claude via AWS Bedrock / Google Vertex AI in EU regions offer EU residency. True technical sovereignty additionally requires controls such as customer-controlled encryption keys, single-tenant deployments, and policy-enforced geofencing — measures that make unauthorized access technically impossible rather than merely contractually prohibited.

Distinction from similar terms

  • Data sovereignty: The legal order that governs the data. Data residency concerns only the physical location; sovereignty the jurisdiction. EU residency does not guarantee EU sovereignty as long as the provider is subject to third-country law.
  • Data localization: A statutory obligation to store certain data within a country. Residency is often a voluntary configuration choice, localization an enforced mandate.
  • Zero data retention: Concerns not the location but the storage duration — whether a provider keeps data at all after processing. It complements residency but does not replace it.

Entdecke mehr

Themenuebersicht