Data Residency

The rule that customer data must be stored and processed in a specific country or region, typically the user's jurisdiction.

Level 1

Data residency is a compliance requirement that data stay within a defined geographic zone. EU regulators often require EU residency for GDPR-regulated data. US federal agencies require US residency for FedRAMP. Germany, France, and some sovereign-cloud regions have stricter country-specific requirements. For AI, data residency typically covers both training data and runtime inputs/outputs, including prompt logs. Major AI providers offer regional endpoints (OpenAI EU, Anthropic via AWS EU, Google Vertex EU) to satisfy residency.

Level 2

Data residency is distinct from data sovereignty. Residency means "data lives in region X." Sovereignty adds "and is subject only to region X's laws." A US provider with EU-hosted servers satisfies residency but may still face US legal reach (CLOUD Act, FISA). EU customers concerned about sovereignty pick Mistral direct or sovereign clouds (OVH, Scaleway, Deutsche Telekom's DeepL). For AI specifically, residency applies to: prompts at ingestion, generated outputs, logged interactions, and training data if opted in. Each regional endpoint is a separate deployment with its own uptime and model coverage.

Level 3

Data residency requirements appear in GDPR Chapter V (Articles 44-50), Schrems II (2020 CJEU), which invalidated the US Privacy Shield, the EU-US Data Privacy Framework (2023), which re-enabled transfers, and national laws like Germany's Datenschutz-Grundverordnung implementation. The CLOUD Act (2018) authorizes US law enforcement to compel US companies to produce data regardless of location, which is why pure data residency without sovereign cloud is insufficient for some buyers. Sovereign cloud offerings (GAIA-X initiative, Bleu in France) are emerging but have limited AI model availability. Cross-border transfers require SCCs plus a transfer impact assessment.

The takeaway for you
If you are a Researcher
  • Residency = where data is stored
  • Sovereignty = where data is legally subject
  • CLOUD Act complicates pure US-provider residency
If you are a Builder
  • Pick the regional endpoint matching your users' jurisdiction
  • Use OpenAI EU, Anthropic EU via Bedrock, Mistral EU-native
  • See /pricing/eu-hosted for the filtered list
If you are an Investor
  • Sovereignty positioning differentiates EU-native providers
  • Mistral and Aleph Alpha capture enterprise EU where US providers struggle
  • GAIA-X and Bleu represent an emerging sovereign-cloud competitor stack
If you are a Curious · Normie
  • The rule that your data has to stay in your country
  • Why there are "EU" and "US" versions of cloud services
  • Matters for legal reasons more than technical ones
Gecko's take

Residency is table stakes. Sovereignty is the next battleground, and Mistral is betting the company on it.

No. Residency is a physical location constraint. Sovereignty adds legal jurisdiction. US providers with EU servers meet residency but may still face US legal process for that data.