Compliance and Data Residency
Some organizations do not just have to keep data safe — they have to prove it. Laws and industry standards require certain businesses to handle data in specific ways, document what they do, and submit to audits. Failing an audit is not just embarrassing; it can mean fines, lost contracts, or being barred from operating in a market entirely.
This territory is called compliance. Related but distinct is data residency: the legal requirement that certain data must stay within a specific country or region. Both topics sound dry and procedural, but they are real constraints that drive some of the most consequential cloud architecture decisions in regulated industries.
Think of a licensed restaurant kitchen. The building can be certified by the health department as meeting all the safety standards. But if the chef doesn't follow the food-handling rules — washing hands, storing ingredients at the right temperature — the certification doesn't protect against a health code violation. The certification shows the facility is capable of compliance; you still have to actually comply.
Compliance: Meeting the Written Rules
Compliance means satisfying the requirements of a specific law or standard. Three come up constantly in cloud conversations. GDPR (General Data Protection Regulation) is a European privacy law that governs how personal data of people in the EU is collected, stored, and used — it applies to any organization handling the data of people in the EU, regardless of where the organization is based. HIPAA (Health Insurance Portability and Accountability Act) is a US law requiring specific protections for patient health information. PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements for any organization that handles card payments. These are not the only compliance frameworks — there are dozens — but they are among the most widely encountered.
Cloud providers earn compliance certifications by having their infrastructure and services independently audited against these standards. Those certifications mean the provider is capable of supporting compliant workloads. They do not mean your workload automatically complies — that depends on how you configure and use the services.
Data Residency and Sovereignty
Data residency is the requirement that data must physically reside within a defined geographic boundary — a country, a union of countries, or a specific region. Germany's banking regulator may require customer records to stay within Germany. A French government agency may require data to remain within the European Union. An Australian healthcare organization may face requirements to keep patient data in Australia.
Data sovereignty is a related concept: the idea that data is subject to the laws of the country where it physically sits. Choosing to store data in one country rather than another means choosing which legal system governs that data. This is why cloud region selection is sometimes not a technical decision at all — it is a legal one.
Cloud providers address this by offering region choices. When you deploy to a specific region — say, eu-west-1 or australiaeast — data stays in the data centers for that region and does not move to other regions automatically. Meeting a data-residency requirement means choosing the right region and confirming the services you use do not replicate data outside it.
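The "choose the right region and confirm nothing replicates outside it" step can be turned into a repeatable check rather than a one-time review. The following is an added example, not code from the original article or from any provider; it models a residency boundary as a set of allowed countries (so the same check serves a Germany-only rule and an EU-wide rule from the section above), then walks an inventory of resources and flags any primary location or replication target that falls outside the boundary. The region-to-country table, the resource inventory, and the `unlisted-region-1` name are all constructed for the example; unknown regions are treated as violations so the check fails closed.

```python
"""Data-residency policy check (added example, not part of the original article)."""
from dataclasses import dataclass, field
from typing import Iterable

# Constructed lookup table for this example: only the regions the sample
# inventory uses. A real check would source this from the provider's
# published region list rather than a hand-written dict.
REGION_COUNTRY = {
    "eu-west-1": "IE",      # Ireland
    "eu-central-1": "DE",   # Germany
    "westeurope": "NL",     # Netherlands
    "us-east-1": "US",      # United States
    "australiaeast": "AU",  # Australia
}

# Two boundaries from the article's examples: EU-wide and Germany-only.
# The EU set is deliberately a small constructed subset, not the full member list.
EU_BOUNDARY = {"IE", "DE", "FR", "NL"}
GERMANY_BOUNDARY = {"DE"}


@dataclass
class Resource:
    """A storage resource: where its primary copy lives and where it replicates to."""
    name: str
    region: str
    replicates_to: list = field(default_factory=list)


# Constructed sample inventory. 'unlisted-region-1' is a made-up name that
# stands in for a region the lookup table does not know about.
SAMPLE_INVENTORY = [
    Resource("patient-records", "eu-central-1"),
    Resource("customer-backups", "eu-west-1", replicates_to=["us-east-1"]),
    Resource("analytics-export", "westeurope", replicates_to=["eu-central-1"]),
    Resource("cdn-cache", "unlisted-region-1"),
]


def residency_violations(resources: Iterable[Resource], allowed_countries: set):
    """Return (resource, region, reason) tuples for every copy outside the boundary.

    Both the primary region and every replication target are checked, because a
    compliant primary location is undone by a replica in the wrong jurisdiction.
    """
    violations = []
    for res in resources:
        copies = [("primary", res.region)] + [("replica", r) for r in res.replicates_to]
        for kind, region in copies:
            country = REGION_COUNTRY.get(region)
            if country is None:
                # Fail closed: a region we cannot place is a region we cannot prove.
                violations.append((res.name, region, f"unknown region; {kind} residency unproven"))
            elif country not in allowed_countries:
                violations.append((res.name, region, f"{kind} copy in {country}, outside boundary"))
    return violations


def check_eu_boundary():
    """Violations of an EU-wide residency rule for the sample inventory."""
    return residency_violations(SAMPLE_INVENTORY, EU_BOUNDARY)


def check_germany_boundary():
    """Violations of a Germany-only residency rule for the same inventory."""
    return residency_violations(SAMPLE_INVENTORY, GERMANY_BOUNDARY)


if __name__ == "__main__":
    for label, findings in (("EU", check_eu_boundary()), ("Germany", check_germany_boundary())):
        print(f"{label} boundary: {len(findings)} violation(s)")
        for name, region, reason in findings:
            print(f"  {name} @ {region}: {reason}")
```

The same inventory passes or fails depending on the boundary, which is the point: the `customer-backups` bucket is fine as a primary under an EU rule but its US replica is not, and a resource that is acceptable EU-wide (`analytics-export` in the Netherlands) becomes a violation the moment the rule narrows to Germany. Replication targets are the part most often missed in a manual region review, so the check treats them exactly like primary copies.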
Shared Responsibility, Again
The shared-responsibility model applies here too. The provider can achieve and publish compliance certifications for its infrastructure. That covers the provider's half. Your half — configuring the services correctly, training staff on data-handling procedures, maintaining audit logs, restricting access appropriately — is still yours to satisfy. A healthcare app built on a HIPAA-eligible service still has to be built correctly to actually be HIPAA-compliant.
Why Managers Care
Compliance and data residency shape real decisions at the organizational level. Which cloud provider to choose may depend on which regions they offer and which certifications they hold. Whether to expand a service to a new country may hinge on data-residency requirements that add cost and complexity. Procurement decisions often require evidence of compliance status before a vendor can be approved. These are not engineering concerns alone — they sit at the intersection of law, risk, and architecture, which is exactly where managers operate.
- "If the provider is compliant, I'm automatically compliant." The provider's certification covers their half. You must still configure and use the services correctly — your half of the shared responsibility. A certified kitchen does not cook the food for you.
- "Data residency is just about performance and latency." Storing data close to users does improve speed, but data residency requirements are legal obligations — not performance preferences. Violating them can carry fines and contractual penalties.
- "Compliance is only a big-company concern." Any organization handling regulated data — a small clinic, a startup processing card payments, a freelancer working with EU customer data — must meet the relevant rules. Regulatory reach does not scale by company size.
- Compliance and data residency drive cloud and region choices in healthcare, finance, government, and any business handling the data of people in the EU — which is a large fraction of the world economy. These constraints are part of almost every real cloud architecture conversation.
- For managers, fluency here means being able to ask the right questions: Does this provider hold the certifications we need? Are we storing data in the correct region? Who is responsible for what in our compliance posture?
- Understanding the shared-responsibility nuance — provider certifies, you configure — prevents a dangerous assumption that can lead to failed audits and serious legal exposure.
Knowledge Check
What is "data residency" in the context of cloud computing?
- Encrypting all stored data using the strongest available algorithm
- Making regular backups in at least two separate geographic locations
- Keeping data within a specific country or region as required by law
- Storing data on hardware owned by the organization rather than rented
A cloud provider holds a HIPAA compliance certification. What does that mean for a healthcare customer building on that platform?
- The customer's workload is automatically HIPAA-compliant with no further work needed
- The customer is exempt from all external audits going forward
- The customer can use certified services, but must still configure them correctly
- The customer has fully met their HIPAA obligations by choosing that provider
Why does data residency affect which cloud region a company picks?
- Regions closer to the company's office always offer lower storage prices
- Some laws require that certain data stay within specific national borders
- Data in a closer region always loads faster, improving application performance
- Providers only issue compliance certifications in their specific home regions