Advanced Search
Data Residency

Data Residency

Data Residency refers to the physical or geographic location of an organization's data or information and the legal or regulatory requirements imposed on data based on the country or region in which it resides.

Data residency is the physical location or locations of an organization's data, and the organization's storage management in regard to managing specific data in particular locations. Data residency also refers to the legal or regulatory requirements imposed on data based on the country or region in which it resides. As of early 2021, around 130 or more countries have enacted individual data privacy laws and data residency regulations.


The terms data residency, data sovereignty, and data localization can and often are used interchangeably. However, they can also be used to differentiate between similar but different concepts. In this case, data residency can refer to the concept of where a company chooses to store its data. In this model, data sovereignty presents a more restrictive concept in which data is subject to a nation's laws where it is collected, processed and stored. And data localization, in this model, refers to data of a given business which has to be kept within the borders of a country, whether it is a copy of the data required to be maintained, or a prohibition of the data leaving a specific country's border.

In the case where data residency is used to refer to the location where a government body, industrial body, or business, the organization may specify a location based on:

  • Tax benefits, in that specific governments offer a beneficial tax environment for a business ensuring a significant part of its operations stay within the country
  • Company policy, in that a business may choose to include data residency in its policy for customer transparency into data storage
  • Financial considerations, in that a business may choose to host data in a specific country due to cheaper operating costs as well as the possibility of a beneficial regulatory environment

Data laws by country

Data governed
Law, or laws, governing data use


Health records

Information Privacy Act 2014


Personal data

The Personal Information Protection and Electronic Documents Act (PIPEDA); provinces have other acts which regulate the use of data within the province in question.


Personal, business, and financial data

Golden Shield Program

European Union

Profile, employment, financial, health, and payment

The General Data Protection Regulation (GDPR)


Payment data

The Personal Data Protection Bill


Data must be kept in local data centers

Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions


Data from servers run on country domain

Republic of Kazakhstan No. 94-V dated May 21, 2013 'On Personal Data and Its Protection'


Government data

Nigeria Data Protection Regulation 2019

South Korea

Geospatial or mapping data

the Personal Information Protection Act; the Act on the Promotion of Information and Communications Network Utilization and Information Protection; and the Act on the Use and Protection of Credit Information.

The Kingdom of Saudi Arabia

Profile, health, employee, and financial

KSA Cloud Computing Regulatory Framework

The Russian Federation

All personal data

Data Protection Act No. 152 FZ dated 27 July 2006; Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006

United Arab Emirates (UAE)

Financial, health, internet of things, profile, and government

The Cyber Crime Law; UAE's Central Bank Regulatory Framework for Stored Values and Electronic Payment Systems; Telecommunications Regulatory Authority - The Consumer Protection Regulations; The DHCC Health Data Protection Regulation; The Dubai Data Law

United States

Personal information, financial, nonpublic personal information, healthcare, health insurance

US Privacy Act of 1974; Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA); Children's Online Privacy Protection Act (COPPA); individual states have individual data privacy laws


Subscriber, health, employee, and financial

Law No. 24/2018/QH14 on Cybersecurity; Law No. 86/2015/QH13 on Cyberinformation Security; Decree No. 85/2016/ND-CP; Circular No. 20/2017/TT-BTTTT

Data residency treaties

In the case of countries that do not have the same data protection laws as those found in the GDPR, and in the case of some countries which have similar protections, there are free trade agreements which prohibit data localization requirements and restrictions on cross-border flow. This is usually restricted to data flow between those countries. The treaties with data partnerships include:

  • Trans-Pacific Partnership
  • Comprehensive and Progressive Agreement for Trans-Pacific Partnership
  • United States-Mexico-Canada Agreement
Data residency and cloud computing

Cloud computing, which allow businesses to deliver hosted services over the internet, has created data residency concerns. Along with increasing data privacy laws and data residency regulations, more companies are moving to distributed cloud environments, integrated to a central cloud, allowing companies to extend applications and helping companies remain complaint to regional laws.

Often, cloud computing users are unaware of the company's data's physical location, as cloud computing providers store data globally across different data center locations. This can cause compliance concerns when users are unaware of local data residency laws and regulations and where the cloud provider's data centers are located across the globe.

Cloud computing users have to comply with the rules in each jurisdiction where the company operates, but also the rules governing how data is managed at the cloud service provider's data center locations. Service providers and their clients can also ensure where the data can and cannot be stored in service-level agreements.

Data residency-as-a-service

Data residency-as-a-service companies help businesses operated under local regulations and international regulations when operating in specific countries or regions. These service providers can also help companies store and process regulated data within the country of region. Service providers work to keep clients up-to-date on the changing compliance landscape for physical storage and data transmission outside local borders. And some service providers will also work to help companies expand into new territories and ensure compliance to new data laws.

Distributed cloud services

Data residency service providers can also help companies store data in specified regions and comply with the data residency regulations in those regions, and in moving the data in and out of those regions if they are not the region the client is housed in. Distributed cloud networks for data can help companies meet the regulations of each country and specific customer requirements. A distributed cloud can help companies offer software-as-a-service solution based on regional needs as they can reduce the difficulty of locating data which can occur in centralized cloud implementations.

Data access

Dependent on the service provider and the region, data is handled in different ways, but often this includes storing data in secured data centers in the locale in question. Service providers and data centers also develop ways for companies and related applications to communicate and access that data.

The accessing of data can be difficult, as under the GDPR the accessing of personal data is considered a transfer of data under the data protection law. Meaning even if the data is stored in a GDPR country, such as Germany, and the company has engineers in India and those engineers access the data, the data is considered to have moved out of Germany. And this restricts the possibility to claim data residency is in Germany if there is access by support functions in other countries. The use of data can be difficult among countries as definitions of acceptable data use can be different between countries in which a company is operating.

Data encryption

Often, data residency-as-a-service providers will offer end-to-end data encryption services, or else help clients enable end-to-end data encryption in order to increase the security around data. Data residency does not in itself provide encryption or any extra security. Often the encryption around data will remove personal or identifying information from the data and can go further to insure data is unreadable to cloud service providers, government agencies, or other third parties gaining access to the data.

Encryption can be important for data residency, as in some cases, even if the data is stored in the region requiring data storage or based on a regions data privacy laws, that does not mean the data will not be trafficked during its use or generation. For example, Canadian internet traffic often moves through the United States, where it can be accessed, even if that internet data is eventually stored in servers in Canada. As well, copies of data can move from organizations into cloud servers and a lack of encryption or other security measures can leave the data vulnerable.

Data residency companies




Further reading


Data across borders: The importance of data residency

Peter Day, Mixpanel


October 3, 2019

data residency

TechTarget Contributors


June 30, 2015

Data Residency: Meaning, Laws, & Requirements

Benjamin Vitaris


July 30, 2020

Direction for Electronic Data Residency -

Treasury Board of Canada Secretariat


November 1, 2017

How Companies are Managing New "Data Residency" Requirements | Park Place Technologies

Chris Adams


January 18, 2018

What is data residency-as-a-service - InCountry

Viktoriya Guseyva


August 8, 2020

Documentaries, videos and podcasts


Cloud Storage & Data Residency - Legal Implications of Offshore Data Centres

July 23, 2016

Data Residency

October 17, 2018

How European Data Residency Works

January 23, 2020

Understand data residency, Multi-Geo and how Microsoft secures your data in Office 365

June 20, 2018




Golden logo
Text is available under the Creative Commons Attribution-ShareAlike 4.0; additional terms apply. By using this site, you agree to our Terms & Conditions.