Definition
Data Residency
Data residency is the geographic location where data is physically stored, processed and replicated — typically expressed as a specific country or sub-national region (e.g. "eu-west-3 / Paris" or "Germany only, no replication outside Frankfurt").
Data residency is necessary but not sufficient for sovereignty. A service can claim "EU data residency" while its parent entity remains subject to the CLOUD Act — meaning the data is physically in Frankfurt but legally reachable by US authorities. True sovereignty requires data residency PLUS legal-entity sovereignty (operator outside US legal reach) PLUS operational sovereignty (operators are EU citizens).
Why it matters
- ✓GDPR Articles 44-49 require a legal basis for any data transfer outside the EEA — data residency is the simplest way to avoid the analysis.
- ✓Many sectoral regulations (HDS for French healthcare, BSI C5 for German federal, ENISA TLP-AMBER and TLP-RED frameworks) specify required data-residency regions.