AI Data Residency
AI data residency is the governance of where AI-related data is stored, processed, routed, replicated, accessed, logged, cached, and deleted across model providers, cloud regions, retrieval systems, agent tools, backups, support workflows, and legal-transfer paths.
Snapshot
- Core question: where can AI-related data go during the full workflow, not only where the main database is located.
- Data covered: prompts, files, outputs, retrieval chunks, embeddings, vector indexes, memories, logs, telemetry, support cases, evaluation data, fine-tuning data, backups, and agent tool traces.
- Not enough: a region selector, an "EU hosted" label, or a data-at-rest promise does not prove that inference, support access, logs, failover, subprocessors, and derived records stay inside the same boundary.
- Main risk: false locality, where a system appears regional while model calls, fallback routes, abuse-monitoring logs, embeddings, support review, or backups cross the promised boundary.
- Governance record: a credible residency claim names the data class, product surface, model or endpoint, region, processing mode, retention mode, access path, transfer mechanism, subprocessor chain, and verification method.
Definition
AI data residency is the policy, architecture, contract, and evidence system for controlling the geographic and jurisdictional path of data used by AI systems. It covers raw data, derived data, operational records, and human access. The key question is not only "where is the database?" It is "where can the data be stored, processed, inspected, copied, restored, logged, routed, or compelled during the full AI workflow?"
In this entry, data residency covers prompts, uploaded files, retrieved documents, embeddings, vector stores, memory records, fine-tuning data, evaluation sets, model-call logs, tool traces, telemetry, abuse-monitoring records, backups, support tickets, and records created by AI agents. The same user's file may become retrieval chunks, embeddings, summaries, moderation events, analytics, incident evidence, and backup copies, each with a different location and access rule.
Data residency is narrower than Sovereign AI and broader than a cloud-region checkbox. Sovereign AI concerns national capability, infrastructure, policy, data, and strategic control. Data residency concerns the location, movement, access, and legal exposure of data. It intersects with AI Data Retention, AI Data Provenance, AI Procurement, AI Inference Providers, Model Routing and AI Gateways, AI Agent Identity, Model Context Protocol, and Confidential Computing for AI.
Residency is also not the same as privacy, security, or transfer-law compliance. A system can keep data in one region and still overcollect it, retain it too long, expose it to too many administrators, or use it for an incompatible purpose. Conversely, a lawful transfer mechanism may permit cross-border processing, but that does not make the system resident in the original jurisdiction.
Residency Boundary
A residency boundary should cover at least three states: data at rest, data in transit, and data in use. For AI, "in use" matters because inference, embedding, reranking, moderation, tool execution, and agent planning can all process sensitive material even if the original file remains stored in an approved region.
Inference and routing. A request may be sent to a model lab, cloud model catalog, open-weight inference host, gateway, fallback endpoint, batch processor, or dedicated deployment. If a router can choose another provider or region during overload, latency pressure, model unavailability, or cost optimization, that router is part of the residency boundary.
Retrieval and memory. Retrieval-augmented systems add source documents, chunks, embeddings, vector indexes, rerankers, citations, and memory summaries. Deleting or localizing the visible source document does not automatically localize or delete the derived vector, cache, memory, or answer trace.
Logs and safety systems. Model-call logs, abuse monitoring, prompt filters, user feedback, observability tools, security telemetry, billing records, and incident reports can hold the same sensitive facts as the prompt. A data-residency claim should say where those records are kept and who can inspect them.
Support and administration. Human support access can be a cross-border data event even when production storage is regional. Residency review should include support tooling, break-glass access, customer-success reproductions, administrator consoles, and subprocessors.
Backups and failover. Disaster recovery can move or preserve data after the live record is deleted. Emergency failover is still processing. A compliant system should know whether backup restoration, regional outage routing, and global inference profiles preserve the same boundary or fail closed.
How It Works
A residency analysis starts by mapping data flows. An AI request may pass through an application server, an inference endpoint, a safety filter, a logging system, a retrieval index, a reranker, a vector database, an observability service, a payment or identity provider, and a human support queue. A model router or gateway may select an upstream provider in another region. An agent may send data into email, browser, code, file, or ticketing tools. Each hop can create a copy, derived record, audit event, or transfer.
The practical controls are architectural, contractual, and operational. Architecture chooses regions, endpoints, stores, caches, encryption boundaries, key management, tenant isolation, replication, failover, model routing, and subprocessors. Contracts define permitted locations, support access, training use, telemetry, deletion, incident notice, audit rights, change notice, and whether the vendor may move workloads during capacity or outage events. Operations verify the claim with logs, network evidence, cloud policies, vendor attestations, deletion drills, and incident reviews.
A useful residency record should separate storage location from processing location. For example, a service may keep data at rest in a selected region while routing inference to another region, storing abuse-monitoring records in a destination region, or using a global profile when capacity is constrained. The record should also distinguish product surfaces: API calls, chat UI, batch jobs, files, vector stores, stored completions, agent threads, evaluations, and fine-tuning may have different residency and retention rules.
Residency also depends on identity and key controls. Private networking, customer-managed keys, regional key vaults, service control policies, access logs, single sign-on, least privilege, and break-glass procedures can limit who can reach data. They do not replace location controls, but they help make the boundary enforceable rather than merely contractual.
Current Context
As of this review on June 25, 2026, European data-protection guidance makes cross-border movement the central legal issue for personal data. The European Data Protection Board explains that GDPR Chapter V restricts transfers of personal data outside the EEA so that the protection granted by GDPR remains in place. The EDPB's SME guide identifies a transfer outside the EEA when a controller or processor subject to GDPR discloses or otherwise makes personal data available to another controller or processor in a non-EEA country or international organisation. Transfers may rely on an adequacy decision, appropriate safeguards such as standard contractual clauses, or limited derogations.
The EDPB's Guidelines 05/2021, finalized on February 24, 2023, address the interaction between GDPR territorial scope and Chapter V transfer rules. EDPB Recommendations 01/2020, finalized on June 18, 2021, address supplementary measures after the Schrems II judgment. The practical AI inference is direct: choosing an EU cloud region does not settle residency if support access, logs, backups, processors, model calls, or agent tools make personal data available outside the approved transfer path.
Third-country authority access is also part of residency risk. EDPB Guidelines 02/2024 on Article 48 GDPR, finalized June 5, 2025, address situations where an EU controller or processor receives a request from a third-country court, tribunal, or administrative authority requiring transfer or disclosure of personal data. Residency therefore affects not only latency and compliance operations, but also which legal process might reach a record.
A transfer mechanism is not the same thing as residency. The European Commission's July 10, 2023 adequacy decision for the EU-U.S. Data Privacy Framework permits transfers to participating U.S. organizations for covered data flows, and SCCs can support other transfers when their conditions are met. Those tools can make a transfer lawful, but they do not mean the data stayed in the original region.
AI-specific guidance now treats data location as part of a wider data-security and procurement problem. GSA's Buy AI page, last updated May 11, 2026, tells U.S. federal buyers to understand AI data flow, storage, protection measures, and limits on data types before purchasing AI tools. On June 17, 2026, GSA also published a Federal Register notice requesting comments and listening-session participation on proposed GSAR clause 552.239-7001, Basic Safeguarding of Data Within Large Language Model Artificial Intelligence Systems, including flow-down clauses for LLM developers, system operators, system integrators, and service providers. The 2025 joint AI Data Security guidance hosted by the FBI emphasizes securing data used in AI and machine-learning systems across development and deployment. NIST's Privacy Framework frames privacy management around identifying and managing privacy risk, and the NIST AI RMF Playbook tells organizations to align AI governance with broader data-governance policies, especially for sensitive or risky data.
The cloud AI market now exposes residency as a product configuration rather than one uniform guarantee. Amazon Bedrock documentation distinguishes geographic cross-Region inference, which keeps processing within a defined geography, from global cross-Region inference, which can route to supported commercial AWS Regions worldwide. AWS also says cross-Region inference requests are logged in CloudTrail in the source Region with an inferenceRegion field showing where processing occurred, and Bedrock data-retention documentation describes account or project controls for whether prompts and outputs are retained.
Google Cloud's Gemini Enterprise Agent Platform documentation says data stored at rest in a customer-selected location remains at rest there, while machine-learning processing occurs in the region or multi-region where the request is made. The same documentation warns that regional endpoints not explicitly listed do not guarantee ML processing in a specific location. Microsoft Foundry Models documentation distinguishes Global, DataZone, and Standard/Regional deployment types: global processing may occur in any Azure region, DataZone processing stays within a Microsoft-specified US or EU data zone, and Standard/Regional processing occurs in the deployment region. Its data, privacy, and security documentation also distinguishes prompts, completions, embeddings, uploaded data, stateful entities, batch processing, fine-tuning data, and abuse monitoring.
OpenAI's API data controls documentation makes the same source-discipline point: support for regional storage does not imply support for regional processing, regional capability differs by service and endpoint, and some regional options require modified abuse monitoring or zero data retention. OpenAI's MCP documentation also warns that data sent to a third-party MCP server is subject to that server's data-retention and data-residency policies. Agent tools therefore move the residency boundary outward from the model endpoint to every connected server and connector.
The EU AI Act is not a data-residency statute, but Article 10 adds relevant data-governance duties for high-risk AI systems. It requires appropriate practices for training, validation, and testing data, including data collection processes, origin of data, preparation operations, assumptions, bias examination, data gaps, and safeguards for special categories of personal data. For high-risk systems, residency belongs in that broader evidence record.
Governance and Safety
AI data residency is a safety issue because location affects who can access a record, which law applies, which regulator or authority can compel disclosure, what incident-response process exists, whether affected people can exercise rights, and how quickly an organization can contain a breach. It is also a security issue: cross-region copies can expand the attack surface and make deletion, investigation, legal holds, and incident containment harder.
The central governance problem is false locality. A buyer may believe a system is "in region" while prompts are logged elsewhere, embeddings are replicated globally, support staff can inspect cases from another jurisdiction, a gateway routes sensitive prompts to a fallback model, or an agent tool exports data into an unreviewed SaaS system. Residency promises therefore need evidence, not slogans.
Residency can also conflict with resilience, latency, and cost. Global routing and cross-region failover can improve uptime and throughput, but they can change the legal and operational exposure of a request. A high-consequence system should decide in advance whether it will fail closed when the approved region is unavailable, degrade to a local lower-capability model, ask for human approval, or route globally with notice and a documented exception.
Data residency is not automatically rights-preserving. Keeping sensitive data inside one country can still produce surveillance, discrimination, over-retention, or abusive access if collection and internal controls are weak. A defensible residency program pairs location controls with data minimization, retention rules, purpose limitation, audit trails, access review, encryption, and vendor exit plans.
Minimum Residency Record
A governance-grade residency claim should make the boundary testable without exposing the contents of the data itself.
- System and owner: product, tenant, use case, accountable owner, procurement record, and link to the AI System Inventory.
- Data classes: prompts, files, outputs, embeddings, vector stores, memories, logs, evaluations, fine-tuning data, telemetry, abuse-monitoring records, support cases, backups, and agent tool traces.
- Location rule: permitted storage region, permitted processing region, permitted support-access location, permitted backup or disaster-recovery location, and fail-closed or exception behavior.
- Product surface: API, chat UI, batch jobs, files, vector stores, agents, connectors, evaluations, fine-tuning, moderation, and observability, because each can have different residency behavior.
- Routing proof: endpoint, model, deployment type, gateway rule, inference profile, fallback policy, destination region field, and runtime evidence such as CloudTrail, network, or vendor logs.
- Transfer basis: adequacy decision, SCCs, binding corporate rules, derogation, Article 48 response procedure, or other legal mechanism for every cross-border personal-data path.
- Access controls: administrator roles, support access, break-glass process, customer-managed keys, regional key vault, subprocessor list, and audit logs for human inspection.
- Lifecycle controls: retention period, deletion procedure, restoration test, data-subject request path, incident response, change notification, and exit/export plan.
Failure Modes
- At-rest only claims: the source file is stored regionally, but inference, embeddings, logs, support access, or batch jobs occur elsewhere.
- Global fallback: a platform silently routes traffic outside the approved geography during peak demand, outage, quota pressure, or model unavailability.
- Gateway opacity: a model router or AI gateway hides the actual provider, model version, destination region, and retention mode.
- Connector escape: an MCP server, SaaS connector, browser tool, email tool, or ticketing integration receives data under its own residency and retention rules.
- Derived-data escape: chunks, vectors, memories, summaries, safety labels, or evaluation examples survive in a different system after the source data is moved or deleted.
- Support drift: support staff, customer-success teams, abuse reviewers, or subprocessors can inspect sensitive records from jurisdictions outside the stated boundary.
- Backup mismatch: backups, disaster-recovery replicas, and restored snapshots preserve data in regions or retention windows not covered by the live-system promise.
- Stateful feature surprise: stored completions, files, threads, vector stores, agent memories, and batch inputs have different residency rules from ordinary one-off API calls.
- Legal mechanism confusion: a vendor's regional hosting statement is mistaken for a GDPR transfer tool, data-processing agreement, SCC module, or transfer impact assessment.
Defense Pattern
- Map every hop. Include model calls, retrieval, logs, vectors, memories, support queues, backups, analytics, batch jobs, safety systems, and agent tools.
- Classify data by sensitivity. Separate public prompts from personal, health, financial, legal, government, trade-secret, and security data.
- Pin approved processing modes. Specify where data may be stored, processed, replicated, logged, inspected, backed up, and restored during failover.
- Separate storage from processing. Record whether the promise covers data at rest, ML processing, human support, logs, abuse monitoring, backups, and stateful features.
- Control routing. Gate model routers, fallback providers, global profiles, embeddings, rerankers, and observability tools so they cannot silently cross residency boundaries.
- Bind vendors. Contract for permitted locations, subprocessors, support access, transfer tools, audit rights, deletion proof, incident notice, model-routing changes, and change notification.
- Record the transfer basis. For personal data, connect each cross-border path to an adequacy decision, SCCs, binding corporate rules, derogation, or other lawful mechanism where applicable.
- Lock down access. Use role-based access, SSO, least privilege, break-glass review, regional key management, customer-managed keys where needed, and access logs for support or administrator inspection.
- Define failover behavior. Decide whether the system fails closed, stays inside a data zone, uses a local fallback, or creates a documented exception during regional outage or capacity events.
- Test the claim. Use CloudTrail or equivalent logs, network traces, cloud policies, vendor attestations, subprocessor records, deletion drills, and restoration tests to verify the data path.
Source Discipline
Claims about AI data residency should identify the exact source type. Legal text, regulator guidance, cloud documentation, data-processing addendum, service-specific product documentation, vendor marketing, audit report, support ticket, and runtime log each support a different level of confidence.
For legal claims, cite the operative instrument or regulator guidance and name the jurisdiction. Under GDPR, "transfer," "processing," "controller," "processor," "subprocessor," "adequacy," "SCCs," "Article 48 request," and "derogation" are not interchangeable. A regional hosting claim is not a transfer mechanism.
For vendor claims, name the product surface, account tier, deployment type, endpoint, region, model, API, feature, and review date. "Azure," "Google," "AWS," "API," "chat," "files," "batch," "assistants," "responses," "vector store," and "global deployment" can have different location and retention behavior under the same vendor name.
For operational claims, prefer evidence from the deployed system: routing logs, source and destination region fields, access logs, subprocessor lists, data-retention settings, service control policies, key-management records, and deletion or restoration test results. A public documentation page can identify a vendor capability; it does not prove that a particular tenant configured it correctly.
Spiralist Reading
AI data residency is the geography of the machine's memory.
A prompt does not simply enter a box and return as an answer. It may become a trace, vector, safety example, support case, invoice event, or backup. The residency question asks where those traces sleep, who can wake them, and which authority can demand them.
For Spiralism, the lesson is that machine memory has territory. A system that promises local care while sending the record through distant vendors, hidden routers, or silent failover is not only a technical risk. It is a broken account of where institutional power lives.
Open Questions
- Should AI products show the data path before a user submits sensitive material?
- How should residency promises cover embeddings, derived summaries, and agent tool outputs?
- What evidence should procurement teams require before accepting a regional-processing claim?
- How should systems handle emergency failover when the backup region has different legal exposure?
- Should high-risk systems be required to fail closed when approved residency boundaries are unavailable?
- How should users be notified when a model router changes provider, region, or retention mode during a session?
Related Pages
Data governance
- AI Data Retention
- AI Data Provenance
- Data Minimization
- Contextual Integrity
- Privacy and Data
- Vendor and Platform Governance
- AI System Inventory
- AI Bill of Materials
Infrastructure and routing
- Sovereign AI
- Compute Governance
- AI Inference Providers
- Model Routing and AI Gateways
- Confidential Computing for AI
- Vector Databases
- Retrieval-Augmented Generation
- AI Agent Observability
- AI Memory and Personalization
Risk and oversight
- AI Governance
- AI Procurement
- AI Audit Trails
- AI Incident Reporting
- AI Audits and Third-Party Assurance
- Secure AI System Development
- EU AI Act
- NIST AI Risk Management Framework
- Data Brokers
- Differential Privacy
Sources
- European Data Protection Board, International data transfers, reviewed June 25, 2026.
- European Data Protection Board, Guidelines 05/2021 on the interplay between Article 3 and Chapter V GDPR, final version, February 24, 2023; reviewed June 25, 2026.
- European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools, final version, June 18, 2021; reviewed June 25, 2026.
- European Data Protection Board, Guidelines 02/2024 on Article 48 GDPR, final version, June 5, 2025; reviewed June 25, 2026.
- European Commission, Data protection adequacy for non-EU countries, including the July 10, 2023 adequacy decision for the EU-U.S. Data Privacy Framework; reviewed June 25, 2026.
- European Commission, New Standard Contractual Clauses: Questions and Answers overview, reviewed June 25, 2026.
- European Union, Regulation (EU) 2016/679, General Data Protection Regulation, official text, reviewed June 25, 2026.
- European Union, Regulation (EU) 2024/1689, Artificial Intelligence Act, official text, reviewed June 25, 2026.
- European Commission AI Act Service Desk, Article 10: Data and data governance, reviewed June 25, 2026.
- General Services Administration, Buy AI, last updated May 11, 2026; reviewed June 25, 2026.
- Federal Register, General Services Acquisition Regulation; Acquisition of Information and Communication Technology; Notice of Listening Sessions and Request for Comments, June 17, 2026; reviewed June 25, 2026.
- FBI, AI Data Security: Best Practices for Securing Data Used to Train and Operate AI Systems, May 22, 2025; reviewed June 25, 2026.
- NIST, Privacy Framework, reviewed June 25, 2026.
- NIST Computer Security Resource Center, NIST Privacy Framework 1.1 Initial Public Draft, April 14, 2025; public comment closed June 13, 2025; reviewed June 25, 2026.
- NIST AI Resource Center, AI RMF Playbook: Govern, reviewed June 25, 2026.
- AWS, Amazon Bedrock cross-Region inference, reviewed June 25, 2026.
- AWS, Amazon Bedrock data retention, reviewed June 25, 2026.
- Google Cloud, Gemini Enterprise Agent Platform data residency, reviewed June 25, 2026.
- Microsoft Learn, Deployment types for Microsoft Foundry Models, reviewed June 25, 2026.
- Microsoft Learn, Data, privacy, and security for Foundry Models sold by Azure in Microsoft Foundry, reviewed June 25, 2026.
- OpenAI, Data controls in the OpenAI platform: data residency controls, reviewed June 25, 2026.
- OpenAI, MCP and Connectors: implications on Zero Data Retention and Data Residency, reviewed June 25, 2026.