Data residency, answered properly

“Where is our data, and who can reach it?” Every regulated customer eventually asks. Most vendors answer with a region name and hope. There’s a better answer — and it’s architectural.

What it is

Not one law but a family of overlapping demands: residency requirements (data must be stored in a jurisdiction), sovereignty concerns (which governments can compel access — the US CLOUD Act reaches US-headquartered cloud providers regardless of region), and transfer rules (GDPR’s mechanisms for moving EU data). Customers compress all three into one question, and a credible vendor answers all three distinctly: where data is stored, where it’s processed, who can access it, and under what legal exposure.

Who actually needs it

Any vendor selling to Canadian public sector and health (provincial rules and procurement preferences on residency), EU customers (transfer mechanisms post-Schrems), financial institutions (outsourcing rules), or defence (CPCSC’s expectation that specified information stays under Canadian jurisdictional control). In practice: everyone reading this site, eventually.

What it takes

Architecture decisions, not paragraphs: deployment regions chosen deliberately, encryption with key custody you can explain (who holds the keys matters more than where the disks are), access controls that limit which staff and support paths can reach customer data, and documentation that states the CLOUD Act position honestly rather than pretending a Canadian region makes it go away. Retrofitting residency later is expensive — the cheap moment is when you design.

How it maps to what you may already have

This is the cross-cutting layer: the same architecture answers GDPR transfer questions, CPCSC sovereignty expectations, provincial health procurement, and the “data location” rows of every SOC 2-adjacent security questionnaire you’ll ever receive. One deliberate design, reused everywhere — the opposite of answering each questionnaire from scratch.

The Canadian angle

Canada is a genuinely good place to answer this from: major cloud providers run Canadian regions, Canada’s EU adequacy status helps with European customers, and “Canadian company, Canadian region, documented key custody” is a strong position against US competitors — provided the CLOUD Act analysis is done honestly (a Canadian region on a US-headquartered cloud is not, by itself, jurisdictional immunity, and sophisticated customers know it).

How I help

I help you make the residency architecture deliberate — regions, keys, access, and the written position — then reuse it in every questionnaire and customer call. It’s part of the fractional CISO engagement and compliance readiness work; when a specific deal hangs on a residency answer, enterprise deal support is the fast path.

Customers asking where their data lives?

The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.