What is data residency?

Cloud computing has undoubtedly been one of the most impactful and challenging changes organizations have made since 2000. Not only did it provide a new way to build and consume applications at greater agility and lower cost, but it also changed the way people communicate and collaborate, both at home and at work.

Cloud computing has significantly impacted how an organization thinks about and handles data in many ways — such as data residency. When IT teams hosted their own infrastructure on premises, there was no question where data resided. But with the distributed nature of the cloud, IT teams have to be aware of which region groups and availability zones data is stored in so they’re staying compliant with data residency laws like GDPR and not accruing unexpected costs.

Let’s dive deeper into data residency, how it is affected by data locality and sovereignty, and the impact on application developers.

Data residency is used to identify where an organization’s data is stored geographically and is often aligned to a country or region’s’ policy regulations. It is an essential part of several critical privacy and security compliance frameworks. As a result, organizations who leverage collaboration tools — in particular who develop applications — should be mindful of where their data is hosted geographically and any potential regulatory implications for that region.

For example, a Canadian organization that wants to leverage a US cloud provider needs to ensure that their data stays in Canada and is not stored at a US data center location. This is not only required for tax reasons but also to prove that the business is wholly operated within Canada. This regulation requires organizations to ensure data processing and storage is within Canada to meet compliance and regulatory requirements such as the Personal Information Protection and Electronic Documents Act, or PIPEDA.

An organization, therefore, needs to impose data residency policies and ensure that infrastructure and data management workflows are properly implemented to meet these requirements.

When you consider data residency, it isn’t just tax and local regulatory decisions that you must worry about. National laws and policies governing where data is and is not allowed to travel are also relevant. This is where data sovereignty and localization come into play. Let’s dive a bit more in-depth into those topics to understand their relationship to data residency.

As mentioned previously, the concept of data residency refers to where data is geographically stored and may be based upon regulatory, taxation, and policy decisions.

An organization that operates in different geographic locations should ensure that any basic data residency regulations are met and that any cloud services that are adopted meet the requirements. This can often be designated during the initial configuration of cloud workloads and applications and should be reviewed per compliance requirements.

Data sovereignty takes the concept of data residency one step further and includes any national laws applicable in the geographic area in which the data is stored. Governments typically implement it to prevent their citizen’s data from falling into the wrong hands. For example, organizations whose data is stored and/or processed within the European Union must follow GDPR regulations that dictate how data can be stored and handled. GDPR, or the General Data Protection Regulation, focuses on key tenets around transparency, storage, security, and accountability. This framework also applies to foreign companies who may be based in other geographic locations but who have customers or any type of data related to EU nationals or entities.

Data localization is the strictest of data management regulations, requiring that all data created within certain borders stay within the boundary. These regulations are often focused on protecting personal data by ensuring data stays within the nation’s boundaries, and they have the strictest compliance requirements. Data localization requirements are also key when adopting cloud workloads or building applications that may leverage services located in other geographic locations. It is therefore critical to look at both applications and data to ensure that they are contained within the borders of where the organization is operating.

Some notable examples of these types of regulations include Russia’s On Personal Data (OPD) Law, which requires the storage, update, and retrieval of data on its citizens to be restricted to approved data center resources within the Russian Federation. India is also working on a draft of its own Personal Data Protection Bill, which specifies data localization requirements to allow the government to audit data on its citizens without the need for additional government involvement.

As organizations define which data residency or other data regulations need to be adopted, ensuring that application developers understand the requirements will help align them with meeting the requirements. If developers are not aware of the implications of data residency from a geographic perspective, it can affect taxation and the regulations the organization is subject to.

For applications that are built leveraging public cloud providers, understanding which data center locations are being utilized and how this impacts data is key, both from a processing and a storage perspective. Customers should also verify that their service-level agreements with their cloud providers include strict guidelines for where their data is allowed and not allowed to reside.

Data residency is an important concept for a few noteworthy reasons. First, It is important to be aware of the taxation laws of the region where your data is stored in order to know what it will cost your organization. Second, you want to ensure you’re compliant with regional policies and national regulations for data storage, processing, and transfers. Finally, it is all about keeping your organization — and your data — safe.

Fauna is a flexible, developer-friendly 100% ACID transactional database delivered as a secure and scalable cloud API. In addition, Fauna has a rich security model that combines attribute-based access control with SSL and third-party authentication to offer strong security, which can be invoked directly from the browser. If you are building an application that has stringent data residency requirements, Fauna's Region Group architecture ensures your databases are geographically located based on the region you choose without compromising on performance or reliability. With Fauna, users will now have access to distinct Region Groups where users can keep their data resident to a specific, major region of the globe.

The data API for modern applications is here. Sign-up for free without a credit card and get started instantly. Sign-up now

Try our quick start guide to get up and running with your first Fauna database, in only 5 minutes! Read more