Dossira
Create
Menu
← Back to Articles

Defining Data Residency and Operational Scope

Published
By Hannah K.
Procurement Data residency Security reviews GDPR

Precision in Location Claims

Procurement teams ask a simple question: “Where is our data?”

The answer is rarely simple. Modern SaaS applications rely on distributed infrastructure. A single “server” does not exist. Instead, we have storage buckets, databases, caches, and delivery networks.

To satisfy a security review, we must move beyond country codes. We must define the scope of the claim.

The Three Layers of Data Location

When we discuss “data,” we are discussing three distinct categories. A precise answer addresses each one.

1. Customer Content

This is the core value. It includes the files, documents, and decision records you upload to a workspace.

For European operators, this data should reside on infrastructure physically located within the EEA. This is the baseline requirement for many regulated industries.

  • Scope: File storage (blobs) and database records containing user-generated text.
  • Mechanism: Regional selection in the cloud provider configuration (e.g., AWS Frankfurt or Stockholm).
  • Verification: The sub-processor list identifies the primary cloud provider and their region.

2. Service Metadata

Metadata describes the content. It includes file names, file sizes, user email addresses, and timestamps.

Metadata is essential for the application to function. It allows the system to list files without downloading them. Often, metadata lives in the same region as the content. However, global routing services may process transient metadata to direct traffic.

  • Scope: User logs, directory structures, access lists.
  • Mechanism: Application databases and identity provider logs.

3. Operational Access

This is the most critical and overlooked layer. Data may sit in Frankfurt, but if an administrator in a third country can read it, the “hosting” claim is weak.

True sovereignty involves “eyes-on” access control. It asks where the support and engineering teams are located.

  • Scope: Maintenance access, support tickets, and system recovery.
  • Mechanism: Operational policy and contract restrictions (Standard Contractual Clauses).
  • Verification: The vendor’s organizational measures and transparency reports.

The Verification Path

Trust requires evidence. A procurement officer should not accept a marketing claim. They should look for the Proof Stack.

Statement: “We host and operate in Europe.”

Scope: Applies to all workspace content and persistent metadata.

Mechanism:

  1. Hosting: Primary infrastructure is located in [Specific Region, e.g., Germany].
  2. Operations: Personnel with production access are employed by European entities or bound by EU-standard data protection agreements.

Verification:

  1. Sub-processor List: Confirms the infrastructure provider and location.
  2. Data Processing Agreement (DPA): Legally binds the vendor to specific transfer mechanisms and locations.
  3. Audit Logs: Show no unauthorized access from outside the defined boundary.

Why This Matters

Risk is a function of exposure.

If data stays in Europe, but support teams in another jurisdiction access it, the legal protection of the GDPR may be diluted. Foreign law enforcement could theoretically compel access through the support team.

We recommend defining the “Data Boundary.” This boundary includes the hard drives, the network cables, and the people who hold the keys. When all three remain within the jurisdiction, the risk profile is stable.

Ask for the boundary. Verify the sub-processors. Accept nothing less than clear scope.