Data Residency & Sovereignty
Guide to data residency and sovereignty across clouds covering GDPR, regional regulations, data boundary enforcement, sovereign cloud offerings, encryption key management, and compliance checklists.
Prerequisites
- Understanding of data protection regulations (GDPR, HIPAA)
- Familiarity with cloud regions and availability zones
- Basic knowledge of encryption and key management concepts
Data Residency and Sovereignty Across Clouds
Data residency refers to the geographic location where data is stored and processed. Data sovereignty refers to the laws that apply to data because of where it resides and, in some cases, because of where the provider holding it is headquartered and can be compelled to disclose it. As governments worldwide enact stricter data protection laws (GDPR in the EU, LGPD in Brazil, PIPL in China, POPIA in South Africa, Australia's Privacy Act), organizations must plan where their data lives, where its encryption keys live, and how both move across borders.
Cloud providers offer regions, zones, and data boundary controls to help you comply with data residency requirements. However, the implementation and granularity of these controls differ significantly across AWS, Azure, GCP, and OCI. Some providers offer sovereign cloud offerings specifically designed for government and regulated industries. Others rely on configuration-based controls that the customer must implement and monitor.
This guide covers the regulatory landscape, how each cloud provider addresses data residency, region and zone architectures, data boundary enforcement mechanisms, sovereign cloud offerings, and practical configuration examples for implementing data residency controls in multi-cloud environments.
Not Legal Advice
This guide provides technical information about cloud data residency capabilities. It is not legal advice. Data residency requirements vary by jurisdiction, industry, and data classification. Consult with your legal team and compliance officers to determine the specific requirements that apply to your organization before implementing data residency controls.
Key Regulations by Region
| Regulation | Region | Key Requirements | Penalties |
|---|---|---|---|
| GDPR | EU/EEA | Lawful basis for processing, cross-border transfer restrictions, right to erasure | Up to EUR 20M or 4% of global annual turnover, whichever is higher |
| Schrems II (CJEU ruling) / EU-US DPF | EU → US | A valid transfer tool (DPF certification or SCCs) plus a transfer impact assessment for EU data sent to the US | Transfer suspension, GDPR fines |
| PIPL | China | Data localization for personal information; CAC security assessment or another approved mechanism before cross-border transfer | Up to RMB 50M or 5% of prior-year revenue |
| LGPD | Brazil | GDPR-like consent and processing rules, conditions on cross-border transfers | Up to 2% of revenue in Brazil, capped at BRL 50M per violation |
| DPDPA | India | Consent-based processing; the government may restrict transfers to notified countries | Up to INR 250 crore (~$30M) |
| POPIA | South Africa | Adequate protection required for cross-border transfers | Up to ZAR 10M (~$550K) and/or imprisonment |
| APPs / Privacy Act | Australia | Reasonable steps to protect data sent offshore (APP 8) | Up to AUD 50M (~$33M), or more based on benefit obtained or turnover |
| HIPAA | US (healthcare) | PHI safeguards, BAA required with cloud providers | Up to about $1.9M per violation category per year (inflation-adjusted) |
| FedRAMP | US (government) | Authorization program rather than a privacy law: standardized security assessment for cloud services used by federal agencies | Loss of government contracts |
Cloud Region Availability
The number and distribution of cloud regions determines where you can physically store and process data. More regions give you more flexibility in meeting data residency requirements. All four providers continue to expand their region footprint.
| Region | AWS | Azure | GCP | OCI |
|---|---|---|---|---|
| Total Regions | 34+ | 60+ | 40+ | 49+ |
| North America | 8 | 12+ | 8 | 6 |
| Europe | 8 | 15+ | 9 | 10+ |
| Asia Pacific | 10 | 15+ | 10 | 12+ |
| Middle East / Africa | 3 | 6+ | 3 | 7+ |
| South America | 1 | 2 | 1 | 2 |
| Government Cloud | GovCloud (US) (2 regions) | Azure Government (multiple US regions) | Assured Workloads (compliance regimes on public regions) | Government Cloud (multiple) |
| Sovereign Cloud | AWS European Sovereign Cloud, AWS Dedicated Local Zones | EU Data Boundary, Microsoft Cloud for Sovereignty; Azure China is a separate cloud operated by 21Vianet | Sovereign Controls (partner-operated) | EU Sovereign Cloud, OCI Dedicated Region |
Azure Has the Most Regions
Azure has the largest number of cloud regions globally (60+), which gives it the broadest geographic coverage for data residency requirements. OCI is second with 49+ regions and has been expanding aggressively, particularly in underserved markets. AWS and GCP have fewer regions, but each region typically has three or more availability zones, providing stronger intra-region redundancy. Region count is a weak proxy on its own: what matters is whether the services you need are available in the candidate region, and whether its backup, paired-region and key-management locations also fall inside your boundary. For niche geographic requirements (e.g., specific countries in Africa or the Middle East), check each provider's region map and per-region service availability carefully.
Data Boundary Enforcement
Each cloud provider offers mechanisms to restrict where resources can be created and where data can be stored. These controls range from IAM-level restrictions to organization-wide policies. All of them are preventive controls on new resource creation: none of them moves, deletes or even flags data that already exists in the wrong region, so pair them with the inventory checks in the checklist at the end of this guide.
AWS Data Boundary Controls
```bash
# SCP: deny creating EC2, RDS, S3 and Lambda resources outside EU regions.
# Note the scope: only the four listed actions are denied; every other
# regional API (DynamoDB, EKS, Kinesis, ...) is untouched. For a true region
# allow-list, use a NotAction statement that exempts only global services.
aws organizations create-policy \
  --name "EUDataResidency" \
  --type SERVICE_CONTROL_POLICY \
  --content '{
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "RestrictToEURegions",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "rds:CreateDBInstance",
        "s3:CreateBucket",
        "lambda:CreateFunction"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-west-2",
            "eu-west-3",
            "eu-central-1",
            "eu-central-2",
            "eu-north-1",
            "eu-south-1",
            "eu-south-2"
          ]
        }
      }
    }]
  }'
# The policy has no effect until it is attached to a root, OU or account
# (IDs below are placeholders):
aws organizations attach-policy \
  --policy-id p-xxxxxxxx \
  --target-id ou-xxxx-xxxxxxxx
```
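The coverage gap noted in the comment above is easy to state and easy to get wrong, so the following added example (not AWS code and not part of the original page) models just enough of SCP Deny evaluation, Action/NotAction plus StringEquals/StringNotEquals, to run the page's SCP and a hardened NotAction variant against a set of constructed requests. It also shows a second gap: replicating a KMS multi-region key to us-east-1 is an API call made against the primary key's own EU region, so aws:RequestedRegion never sees us-east-1 and only a statement on the real kms:ReplicaRegion condition key catches it. The global-service exemption list is illustrative, not exhaustive.

```python
"""Offline evaluator for region-restriction SCPs.

Added example, not AWS code or a complete IAM engine: it models only Deny
statements with Action/NotAction and the StringEquals/StringNotEquals
operators, which is enough to show why an action-list SCP leaves gaps.
The request contexts below are constructed; aws:RequestedRegion and
kms:ReplicaRegion are real IAM condition keys.
"""
import fnmatch

EU_REGIONS = ["eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1",
              "eu-central-2", "eu-north-1", "eu-south-1", "eu-south-2"]

# The SCP from the page: denies exactly four actions outside the EU.
ACTION_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictToEURegions",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "rds:CreateDBInstance",
                   "s3:CreateBucket", "lambda:CreateFunction"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}},
    }],
}

# Hardened variant: deny everything outside the EU except global services
# (illustrative list), and separately deny creating a key replica outside the
# EU, which aws:RequestedRegion cannot see because ReplicateKey is called
# against the primary key's own region.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "route53:*",
                          "cloudfront:*", "support:*", "budgets:*"]
HARDENED_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideEU", "Effect": "Deny",
         "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}}},
        {"Sid": "DenyNonEUKeyReplicas", "Effect": "Deny",
         "Action": "kms:ReplicateKey", "Resource": "*",
         "Condition": {"StringNotEquals": {"kms:ReplicaRegion": EU_REGIONS}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support "*" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted, actual = _as_list(wanted), ctx.get(key)
            if operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the request.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denying_sid(scp, action, ctx):
    """Sid of the first Deny statement that blocks the request, else None."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st:
            applies = _action_matches(_as_list(st["Action"]), action)
        else:
            applies = not _action_matches(_as_list(st["NotAction"]), action)
        if applies and _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


REQUESTS = [  # constructed (action, request context) pairs
    ("ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}),
    ("ec2:RunInstances", {"aws:RequestedRegion": "eu-central-1"}),
    ("dynamodb:CreateTable", {"aws:RequestedRegion": "us-east-1"}),
    ("iam:CreateRole", {"aws:RequestedRegion": "us-east-1"}),
    ("kms:ReplicateKey", {"aws:RequestedRegion": "eu-central-1",
                          "kms:ReplicaRegion": "us-east-1"}),
]


def evaluate(scp, requests=REQUESTS):
    """Denying Sid (or None) for each request, in order."""
    return [denying_sid(scp, action, ctx) for action, ctx in requests]


if __name__ == "__main__":
    for (action, ctx), page, hard in zip(REQUESTS, evaluate(ACTION_LIST_SCP),
                                        evaluate(HARDENED_SCP)):
        print(f"{action:22} {ctx}  page-SCP={page}  hardened={hard}")
```

Running it shows the page's SCP stopping only the EC2 launch in us-east-1, while the DynamoDB table and the key replica to us-east-1 go through; the hardened SCP blocks both and still lets the IAM call (a global service that is always "in" us-east-1) succeed. Before deploying a NotAction SCP, build the exemption list from the global services your organization actually uses, and test it in a sandbox OU first.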
```bash
# S3 Object Lock for compliance retention (only works on a bucket created with
# Object Lock enabled). COMPLIANCE mode cannot be shortened or removed by any
# principal, including the account root user, until the period ends. That is
# the point, but it collides with GDPR erasure requests: keep personal data out
# of locked objects, or encrypt each subject's data under a key you can destroy.
aws s3api put-object-lock-configuration \
  --bucket my-gdpr-bucket \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Years": 7
      }
    }
  }'
# Restrict S3 replication to EU regions only. Cross-region replication is a
# per-bucket configuration, so deny s3:PutReplicationConfiguration to everyone
# except a reviewed deployment role, and audit existing rules with:
aws s3api get-bucket-replication --bucket my-gdpr-bucket
```

Azure Data Boundary Controls
```bash
# Azure Policy: restrict resource locations using the built-in "Allowed
# locations" definition (e56962a6-4747-49cd-b67b-bf8b01975c4c). Switzerland
# and Norway are not EU member states; keep them only if your boundary is
# "Europe" rather than "EU/EEA". Assign the companion built-in "Allowed
# locations for resource groups" policy as well, or resource groups can still
# be created anywhere.
az policy assignment create \
  --name "restrict-to-eu" \
  --display-name "Restrict Resources to EU Regions" \
  --scope "/providers/Microsoft.Management/managementGroups/EU-Workloads" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" \
  --params '{
    "listOfAllowedLocations": {
      "value": [
        "westeurope",
        "northeurope",
        "germanywestcentral",
        "francecentral",
        "swedencentral",
        "switzerlandnorth",
        "norwayeast"
      ]
    }
  }'

# Azure Policy: deny geo-redundant storage SKUs. GRS, RAGRS, GZRS and RAGZRS
# copy data to the region's paired region automatically. For the EU regions
# above the pair is also in Europe, but pairing does not always stay in
# geography (Brazil South pairs with South Central US), so the safe rule is to
# deny geo-redundancy and replicate explicitly to regions you have approved.
# A definition does nothing until assigned (az policy assignment create).
az policy definition create \
  --name "deny-non-eu-replication" \
  --display-name "Deny Storage Replication Outside EU" \
  --mode Indexed \
  --rules '{
    "if": {
      "allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/sku.name",
         "in": ["Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"]}
      ]
    },
    "then": {"effect": "deny"}
  }'
```

GCP Data Boundary Controls
```bash
# Organization Policy: restrict resource locations to the EU value group.
# gcloud org-policies (the v2 API) reads the policy from a file; the older
# "constraint:/listPolicy:" layout belongs to gcloud resource-manager.
cat > eu-locations-policy.yaml << 'EOF'
name: organizations/ORG_ID/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:eu-locations
EOF
gcloud org-policies set-policy eu-locations-policy.yaml
# This restricts NEW resources of every service that honours
# gcp.resourceLocations to EU locations. It does not move or flag resources
# that already exist, and services not integrated with the constraint are
# unaffected. Confirm what is in force with:
gcloud org-policies describe gcp.resourceLocations \
  --organization=ORG_ID --effective

# Assured Workloads: create an environment under the EU Regions and Support regime
gcloud assured workloads create \
  --organization=ORG_ID \
  --location=europe \
  --display-name="EU Sovereign Workload" \
  --compliance-regime=EU_REGIONS_AND_SUPPORT \
  --billing-account=billingAccounts/BILLING_ACCOUNT_ID
# The EU Regions and Support regime enforces:
# - resource locations limited to EU regions (org policy on the workload folder)
# - support handled only by EU-based personnel
# - Access Transparency logging of Google personnel access
# The stricter Sovereign Controls for EU regime adds a CMEK requirement with
# keys in the EU and Key Access Justifications.

# VPC Service Controls: an API-level perimeter that blocks Storage and BigQuery
# calls from outside it, even for authorised identities. It complements
# location constraints rather than replacing them: it governs who can reach the
# data, not where it is stored. Resources are project numbers, not project IDs.
gcloud access-context-manager perimeters create eu-data-perimeter \
  --policy=POLICY_ID \
  --title="EU Data Perimeter" \
  --resources="projects/PROJECT_NUMBER_1,projects/PROJECT_NUMBER_2" \
  --restricted-services="storage.googleapis.com,bigquery.googleapis.com" \
  --access-levels="accessPolicies/POLICY_ID/accessLevels/eu-only"
# Start with a dry-run perimeter (gcloud access-context-manager perimeters
# dry-run create ...) and review the VPC SC audit logs before enforcing, or
# you will break legitimate cross-project access.
```

OCI Data Boundary Controls
```bash
# OCI: subscribe the tenancy to a region (FRA = eu-frankfurt-1). Subscriptions
# are one-way: a region cannot be unsubscribed later, so leaving regions
# unsubscribed is the strongest residency control OCI offers.
oci iam region-subscription create \
  --region-key FRA \
  --tenancy-id TENANCY_OCID

# OCI Dedicated Region: a complete OCI region in your own data center
# - Oracle installs and operates the region remotely; you supply the facility,
#   power, network connectivity and physical access controls
# - same APIs, services and pricing model as public OCI
# - can be isolated from the public OCI network where required

# OCI EU Sovereign Cloud
# - separate realm from public OCI, operated by EU-incorporated entities with
#   EU-resident staff
# - data and control-plane metadata stay in the EU
# - same services as public OCI; regions in Frankfurt and Madrid

# IAM policy restricting Object Storage access in a compartment to one region.
# OCI policies are allow-only: there is no Deny statement, and anything not
# explicitly allowed is denied, so scope the allow with a request.region
# condition instead. String values in conditions are single-quoted.
cat > eu-data-policy.json << 'EOF'
["Allow group EU-DataTeam to manage object-family in compartment EU-Data where request.region = 'eu-frankfurt-1'"]
EOF
oci iam policy create \
  --compartment-id TENANCY_OCID \
  --name "eu-data-policy" \
  --description "EU-Data object storage access only from eu-frankfurt-1" \
  --statements file://eu-data-policy.json
```

Sovereign Cloud Offerings
Sovereign clouds are isolated cloud environments designed to meet strict data residency and sovereignty requirements. They are typically operated by local entities, staffed by local personnel, and physically isolated from the provider's global cloud infrastructure.
| Offering | Provider | Key Features | Target Market |
|---|---|---|---|
| AWS European Sovereign Cloud | AWS | Separate partition, operated by EU-resident AWS staff, first region in Germany | EU public sector, regulated industries |
| AWS Dedicated Local Zones | AWS | Isolated infrastructure in a customer-specified facility | Government, defense |
| Azure EU Data Boundary / Cloud for Sovereignty | Azure | Customer data stored and processed in the EU, sovereignty policy packs | EU public sector, regulated industries |
| Azure Government | Azure | FedRAMP High, DoD IL5, physically isolated | US government |
| GCP Assured Workloads | GCP | Compliance regimes (location, support, key controls) on public cloud | Regulated industries |
| GCP Sovereign Controls | GCP | Partner-operated, key management held by a local entity | EU, APAC sovereign requirements |
| OCI Dedicated Region | OCI | Full OCI region in customer data center | Government, defense, finance |
| OCI EU Sovereign Cloud | OCI | EU-incorporated entity, EU-resident staff | EU public sector |
OCI Dedicated Regions
OCI Dedicated Regions are unusual in the industry: Oracle installs and operates a complete cloud region inside your own data center, giving you the full OCI service portfolio with control over the physical facility, network connectivity and physical access. Two caveats belong in the threat model. First, Oracle staff still operate and monitor the region remotely, so the operational trust boundary is not purely yours, and the control-plane access paths deserve the same scrutiny as in a public region. Second, the offering is sold as a multi-year subscription with a minimum annual commitment; the published minimums have changed since launch, so confirm Oracle's current minimum spend and term rather than relying on figures quoted in third-party guides.
Encryption and Key Management
Data residency is not just about where data is stored but also where its encryption keys are managed. If the keys sit in a different jurisdiction from the data, whoever controls the keys effectively controls the data, and whichever authority can compel access to the keys can compel access to the data regardless of where the ciphertext lives. Each provider offers key management services that can be pinned to specific regions; make sure the pinning is real (no multi-region or replicated keys) and that the key's region falls inside the same boundary as the data it protects.
| Feature | AWS KMS | Azure Key Vault | GCP Cloud KMS | OCI Vault |
|---|---|---|---|---|
| Regional Keys | Yes (keys are regional) | Yes (vault is regional) | Yes (key ring is regional) | Yes (vault is regional) |
| HSM Backing | KMS HSMs validated FIPS 140-2 L3; CloudHSM for single-tenant | Managed HSM (FIPS 140-2 L3); Key Vault Premium keys HSM-protected | Cloud HSM (FIPS 140-2 L3) | FIPS 140-2 L3 HSMs; Virtual Private Vault for a dedicated partition |
| External Key Manager | External Key Store (XKS) | BYOK into Key Vault / Managed HSM | External Key Manager (EKM) | BYOK, External Key Management Service |
| Key Access Justifications | No | No | Yes (Key Access Justifications) | No |
```bash
# AWS: create a single-region KMS key in eu-central-1. Do not pass
# --multi-region: a multi-region key (key ID prefix "mrk-") can be copied to
# any region with kms:ReplicateKey, which moves key material across the
# boundary without any aws:RequestedRegion-based SCP noticing.
aws kms create-key \
  --description "EU data encryption key" \
  --region eu-central-1 \
  --key-usage ENCRYPT_DECRYPT \
  --origin AWS_KMS

# GCP: create a regional key ring and an HSM-protected key
gcloud kms keyrings create eu-keys \
  --location=europe-west1
gcloud kms keys create data-key \
  --keyring=eu-keys \
  --location=europe-west1 \
  --purpose=encryption \
  --protection-level=hsm
# GCP: Key Access Justifications (requires Assured Workloads with a regime that
# includes KAJ) attaches a justification code to every Google-side request to
# use your key and lets you reject selected codes automatically.

# Azure: create a Key Vault in an EU region. The premium SKU keeps keys in
# HSMs; for a single-tenant FIPS 140-2 Level 3 pool use Managed HSM instead
# (az keyvault create --hsm-name ... --administrators ...).
az keyvault create \
  --name my-eu-vault \
  --resource-group eu-rg \
  --location germanywestcentral \
  --sku premium

# OCI: create a Vault in an EU region. Both vault types store keys in
# FIPS 140-2 Level 3 HSMs; VIRTUAL_PRIVATE gives a dedicated HSM partition.
oci kms management vault create \
  --compartment-id COMPARTMENT_OCID \
  --display-name "eu-vault" \
  --vault-type DEFAULT
```

Cross-Border Data Transfer Mechanisms
When data must be transferred across borders (for backup, analytics, or serving global users), organizations need legal mechanisms to justify the transfer. The appropriate mechanism depends on the source jurisdiction and destination.
GDPR Cross-Border Transfer Mechanisms
| Mechanism | Description | Cloud Provider Support |
|---|---|---|
| EU-US Data Privacy Framework | Self-certification by US companies | All 4 providers certified |
| Standard Contractual Clauses | EU-approved contract templates | All 4 providers offer SCCs |
| Binding Corporate Rules | Intra-group transfer approval | Customer responsibility |
| Adequacy Decisions | EU recognizes country as adequate | UK, Japan, South Korea, Canada, etc. |
| Explicit Consent | Individual agrees to transfer | Customer responsibility |
Practical Data Residency Checklist
| Step | Action | Tools |
|---|---|---|
| 1. Classify Data | Identify what data has residency requirements | Macie (AWS), Purview (Azure), Sensitive Data Protection (GCP, formerly Cloud DLP) |
| 2. Choose Regions | Map data types to allowed regions | Provider region maps |
| 3. Enforce Boundaries | Prevent resource creation outside allowed regions | SCPs, Azure Policy, Org Policy |
| 4. Encrypt with Regional Keys | Use CMEK with keys in the same region as data | KMS, Key Vault, Cloud KMS, Vault |
| 5. Control Replication | Ensure backups and replicas stay in allowed regions | Replication policies, lifecycle rules |
| 6. Audit Access | Log and monitor all data access | CloudTrail, Activity Log, Audit Log |
| 7. Document Transfers | Maintain records of cross-border data flows | Legal / compliance documentation |
| 8. Test Controls | Verify boundaries work: run automated configuration audits and attempt to create a resource, a key replica and a replication rule in a disallowed region | Prowler, ScoutSuite, custom scripts |
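Steps 3 to 5 of the checklist, and the point made in the key-management section that a key outside the boundary undermines data inside it, reduce to a handful of checks over an inventory. The following added example (not part of the original page, not provider SDK code) runs those checks offline over constructed rows shaped like what the provider inventories return: resource region inside the boundary, CMEK located inside the boundary and not multi-region, and every replica, explicit or implied by an Azure geo-redundant SKU, inside the boundary. The allowed sets, the Azure pairing subset and the inventory rows are constructed; the AWS `mrk-` key-ID prefix, the Brazil South to South Central US pairing and the ARN and resource-name formats are real.

```python
"""Offline residency audit for a constructed multi-cloud inventory.

Added example, not code from the page or any provider SDK. It runs checklist
steps 3 to 5 over rows shaped like provider inventories: resource region
inside the boundary, CMEK inside the boundary and not multi-region, and every
replica (explicit, or implied by a geo-redundant Azure SKU) inside the
boundary. ALLOWED, AZURE_PAIRED and INVENTORY are constructed test data.
"""
import re

ALLOWED = {
    "aws": {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1",
            "eu-central-2", "eu-north-1", "eu-south-1", "eu-south-2"},
    "azure": {"westeurope", "northeurope", "germanywestcentral",
              "germanynorth", "francecentral", "swedencentral"},
    "gcp": {"europe", "europe-west1", "europe-west3", "europe-west4",
            "europe-north1"},
}

# Geo-redundant Azure storage SKUs replicate to the paired region. Constructed
# subset of Microsoft's pairing table; Brazil South is included because its
# pair (South Central US) is the classic cross-geography case.
AZURE_PAIRED = {"westeurope": "northeurope", "northeurope": "westeurope",
                "germanywestcentral": "germanynorth",
                "brazilsouth": "southcentralus"}
GEO_REDUNDANT_SKUS = {"Standard_GRS", "Standard_RAGRS",
                      "Standard_GZRS", "Standard_RAGZRS"}

KMS_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):\d{12}:key/(?P<key_id>[a-z0-9-]+)$")
GCP_KEY = re.compile(r"^projects/[^/]+/locations/(?P<loc>[^/]+)/keyRings/")


def key_location(cloud, key_ref):
    """Return (location, is_multi_region) for a CMEK reference, or (None, False)."""
    if cloud == "aws":
        m = KMS_ARN.match(key_ref)
        if not m:
            return None, False
        # Multi-region KMS keys have IDs prefixed "mrk-"; kms:ReplicateKey can
        # copy them to any region, so the ARN's region alone proves nothing.
        return m.group("region"), m.group("key_id").startswith("mrk-")
    if cloud == "gcp":
        m = GCP_KEY.match(key_ref)
        return (m.group("loc"), False) if m else (None, False)
    return None, False


def audit(inventory):
    """Return findings as (resource, check, detail) tuples in inventory order."""
    findings = []
    for row in inventory:
        cloud, rid, region = row["cloud"], row["id"], row["region"]
        allowed = ALLOWED[cloud]
        if region not in allowed:
            findings.append((rid, "REGION", region))

        # Key Vault URIs do not encode a region; Azure rows carry the vault
        # location pre-resolved as "key_region".
        key_loc, multi = row.get("key_region"), False
        if "key" in row:
            key_loc, multi = key_location(cloud, row["key"])
            if key_loc is None:
                findings.append((rid, "KEY_UNPARSED", row["key"]))
        if key_loc is not None and key_loc not in allowed:
            findings.append((rid, "KEY_OUTSIDE_BOUNDARY", key_loc))
        if multi:
            findings.append((rid, "KEY_MULTI_REGION", row["key"]))

        replicas = list(row.get("replicas", []))
        if cloud == "azure" and row.get("sku") in GEO_REDUNDANT_SKUS:
            replicas.append(AZURE_PAIRED.get(region, "unknown-pair"))
        for target in replicas:
            if target not in allowed:
                findings.append((rid, "REPLICA_OUTSIDE_BOUNDARY", target))
    return findings


INVENTORY = [  # constructed rows
    {"cloud": "aws", "id": "s3://eu-payroll", "region": "eu-central-1",
     "key": "arn:aws:kms:eu-central-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "replicas": ["eu-west-1"]},
    {"cloud": "aws", "id": "s3://eu-analytics", "region": "eu-west-1",
     "key": "arn:aws:kms:eu-west-1:123456789012:key/mrk-1234abcd12ab34cd56ef1234567890ab",
     "replicas": ["us-east-1"]},
    {"cloud": "aws", "id": "s3://eu-logs", "region": "eu-west-2",
     "key": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"cloud": "azure", "id": "sthrdata", "region": "westeurope",
     "sku": "Standard_GRS", "key_region": "westeurope"},
    {"cloud": "azure", "id": "stlatam", "region": "brazilsouth",
     "sku": "Standard_RAGRS", "key_region": "westeurope"},
    {"cloud": "gcp", "id": "gs://eu-crm", "region": "europe-west3",
     "key": "projects/p/locations/europe/keyRings/eu-keys/cryptoKeys/data-key"},
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("%-16s %-24s %s" % finding)
```

The two findings on `s3://eu-analytics` are the interesting ones: its bucket and key ARN both say eu-west-1, which is what a naive "is the region in the list" check would see, yet the key is multi-region and the bucket replicates to us-east-1. In practice feed `audit()` rows built from the provider inventories in the next block, and treat a `KEY_UNPARSED` finding as a failure to investigate rather than a pass.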
```bash
# Verify no resources exist outside allowed regions. These are detective
# checks: schedule them alongside the preventive policies above.

# AWS: check every enabled region for EC2 instances. ${count:-0} keeps the loop
# going where an SCP denies the Describe call. EC2 is only one service; for
# broad coverage query an AWS Config aggregator, or run
# "aws resourcegroupstaggingapi get-resources --region" per region.
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  if [[ ! "${region}" =~ ^eu- ]]; then
    count=$(aws ec2 describe-instances --region "${region}" \
      --query 'length(Reservations[].Instances[])' --output text 2>/dev/null)
    if [ "${count:-0}" -gt 0 ]; then
      echo "WARNING: ${count} instances found in ${region}"
    fi
  fi
done

# GCP: list organization assets whose location is not in Europe. The output
# includes "global" resources (IAM, org policies, some networking); review
# those separately rather than treating them as violations.
gcloud asset search-all-resources \
  --scope=organizations/ORG_ID \
  --query="NOT location:europe*" \
  --format="table(name,assetType,location)"

# Azure: find resources outside the allowed list. Azure region names put the
# direction first ("westeurope", "northeurope"), so starts_with(location,
# 'europe') would wrongly flag both; match the exact allowed names instead.
# az resource list covers one subscription; loop over
# "az account list --query '[].id' -o tsv" for the whole tenant, and expect
# "global" resources to show up here too.
az resource list \
  --query "[?!contains(['westeurope','northeurope','germanywestcentral','francecentral','swedencentral','switzerlandnorth','norwayeast'], location)].{Name:name,Type:type,Location:location}" \
  --output table
```

Metadata and Control Plane Data
Even when you restrict data storage to specific regions, be aware that metadata (resource names, configuration, audit logs) may be stored in the provider's control plane which could be in a different region. GCP's Assured Workloads addresses this with data residence for control plane metadata. Azure's EU Data Boundary commits to processing EU customer data within the EU. Verify each provider's commitments for metadata residency if your compliance requirements extend beyond primary data storage.
Key Takeaways
- Azure has the most cloud regions (60+) for broadest geographic coverage; OCI is second with 49+ and expanding rapidly.
- All providers offer region-restriction policies (SCPs, Azure Policy, Org Policies) to enforce data residency.
- GCP Assured Workloads provides the most comprehensive data boundary controls, including metadata residency and support location restrictions.
- OCI Dedicated Regions install a complete cloud region in your data center for maximum sovereignty control.
- Encryption key location matters: keys in a different jurisdiction from the data can undermine residency controls.
- The EU-US Data Privacy Framework and Standard Contractual Clauses are the primary mechanisms for GDPR-compliant cross-border transfers.
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.