Data Residency in Buying
Region requirements.
Why it matters
Data residency is the discipline of keeping customer data in the jurisdictions the law requires. Vendor claims often hide cross-region replication; read the fine print before the contract signs rather than during the audit.
- Regulatory constraints. GDPR (EU), DPA (UK), CCPA (California), and LGPD (Brazil) set rules per jurisdiction. Sector rules (HIPAA, PCI) layer additional requirements on top.
- Vendor claims vary. What "hosted in the EU" means differs per vendor. Sometimes it means "primary in EU, backups or replica in US"; the wording is deliberately ambiguous.
- Default rule. Each customer's data stays in that customer's jurisdiction unless the customer signs off; "we replicate for resilience" is not consent.
- Documented residency commitment. Explicit residency clause per customer in the contract. Supports auditor reviews and creates the enforcement surface for drift.
What to ask vendors
The questions matter. Specifics over generalities; vendors that cannot answer in writing are vendors that have not thought it through.
- Region list. Storage, processing, and replication regions per vendor. Demand specifics rather than "globally distributed"; the latter is marketing, not contract.
- Architecture diagram. Data-path diagram per vendor. The vendor should not need to draft this for the procurement; it should already exist.
- Subprocessor list. Subprocessor names and regions per vendor. Backup providers, search providers, and analytics tools all touch data; "we host in the EU" does not bind them.
- Change-notice policy. Region-change notice per vendor. Catches drift after signing, when the vendor adds a region without telling the procurement team.
Contract clauses
The clauses are where enforcement lives. Region clause, termination right, and DPA addendum together turn vendor promises into legal commitments.
- Data residency clause. Explicit region list per contract with thirty-day-minimum notice for additions. The vendor cannot add a region quietly.
- Termination right. Right to terminate on a region change made without notice, per contract. The only enforcement mechanism that actually works; without it, the vendor's incentive is to ship first and apologise later.
- DPA addendum. GDPR-compliant DPA signed at contract time per contract, not promised for later. "We'll send the DPA" rarely happens after the deal closes.
- Audit-rights clause. Customer audit right per contract. Supports enterprise compliance teams and gives the buyer an actual lever rather than a request.
Multi-region trade-offs
Multi-region has real trade-offs. Within-jurisdiction is usually right; cross-jurisdiction breaks compliance unless the architecture can genuinely prove data does not cross.
- Single-region. Simpler operations versus region-outage risk per deployment: easier to run, but a total outage if the region fails.
- Multi-region within jurisdiction. eu-west-1 plus eu-west-2 pattern per deployment. Right balance for most EU customers; resilience without crossing the regulatory boundary.
- Multi-jurisdiction. US plus EU pattern per deployment. Breaks GDPR unless the architecture can prove data does not cross; hard to prove with most SaaS stacks.
- Encryption boundary. At-rest and in-transit encryption per region per deployment. Supports compliance posture and limits the blast radius of a misconfiguration.
Apply
Apply the discipline by mapping customers to requirements and building residency questions into procurement. The procurement step is where the discipline either lands or evaporates.
- Map customers by jurisdiction. Residency requirement per customer. Each customer maps to a residency outcome rather than a generic policy.
- Audit current vendors. Residency-versus-customer-map check per vendor. Any mismatch is a renewal-time conversation, ideally with the data already on hand.
- Build into evaluation template. Residency-question section per procurement. Catches issues during evaluation rather than during a renewal crisis.
- Quarterly residency review. Customer-vendor map refresh per quarter. Catches drift when customer geography or vendor regions shift.
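One way to run the residency-versus-customer-map check from the steps above, as an added example that is not part of the original page. The vendor and customer names, the region table, and the `region-x` placeholder are constructed assumptions; each vendor's footprint covers storage, processing, replication, and subprocessor regions, and a region outside the customer's jurisdiction is a finding unless the customer has signed off on it.

```python
from dataclasses import dataclass, field

# Constructed region-to-jurisdiction table; build the real one from vendor region lists.
REGION_JURISDICTION = {"eu-west-1": "EU", "eu-central-1": "EU", "us-east-1": "US"}

@dataclass
class Vendor:
    storage: set
    processing: set
    replication: set
    subprocessors: dict = field(default_factory=dict)  # name -> set of regions
    def footprint(self):  # every (role, region) where the vendor says data can land
        for role in ("storage", "processing", "replication"):
            for region in sorted(getattr(self, role)):
                yield role, region
        for sub, regions in self.subprocessors.items():
            for region in sorted(regions):
                yield f"subprocessor:{sub}", region

@dataclass
class Customer:
    jurisdiction: str
    vendors: list
    signed_off: set = field(default_factory=set)  # extra jurisdictions consented to

def audit(customers, vendors):
    """Return sorted (customer, vendor, role, region, jurisdiction) mismatches."""
    findings = []
    for cname, c in customers.items():
        allowed = {c.jurisdiction} | c.signed_off
        for vname in c.vendors:
            for role, region in vendors[vname].footprint():
                # An unmapped region counts as a finding, never as compliant.
                where = REGION_JURISDICTION.get(region, "UNKNOWN")
                if where not in allowed:
                    findings.append((cname, vname, role, region, where))
    return sorted(findings)

# Constructed sample data: vendor and customer names are placeholders.
VENDORS = {
    "crm-saas": Vendor({"eu-west-1"}, {"eu-west-1"}, {"us-east-1"},
                       {"search-co": {"eu-central-1"}}),
    "helpdesk": Vendor({"eu-central-1"}, {"eu-central-1"}, {"eu-west-1"},
                       {"analytics-co": {"region-x"}}),  # region-x: unmapped placeholder
}
CUSTOMERS = {
    "acme-gmbh": Customer("EU", ["crm-saas", "helpdesk"]),
    "globex-inc": Customer("US", ["crm-saas"], signed_off={"EU"}),
}
```

Calling `audit(CUSTOMERS, VENDORS)` on the sample data flags the US replica behind the EU-hosted vendor and the subprocessor region that nobody has mapped; rerunning it each quarter against refreshed inputs is the drift check.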