Data Sovereignty Glossary

Record of who accessed data, when, and from where.

Rules defining where access decisions are enforced.

Visibility into when and why cloud providers access customer data.

A ruling that a country provides equivalent data protection standards for cross-border transfers.

Physical location of administrators accessing sensitive data.

Control over where AI data, models, and outputs are stored and processed.

Isolated backups used for compliance and security.

Ensuring logs are stored in compliant regions.

Physically separate data centers within a single cloud region.

Control over where backup catalogs and indexes are stored.

Internal policies allowing multinational companies to transfer data lawfully.

Using externally generated encryption keys in cloud services.

Documented process to migrate data off a cloud provider compliantly.

Evaluation of how extra-territorial laws (such as the U.S. CLOUD Act) may impact data stored in foreign-owned or foreign-operated cloud infrastructure, even if data is hosted in-country.

Shared cloud for organizations with common compliance needs.

Formal validation of regulatory adherence.

Unintentional deviation from residency or sovereignty rules.

Storing audit proof within approved jurisdictions.

Hardware-based isolation protecting data during processing.

Sovereign cloud combined with confidential computing.

Ongoing verification of data location and access.

Ongoing checks ensuring data stays compliant.

Location where cloud management metadata and orchestration are processed.

Controls for energy, utilities, and transport data.

Movement of data across national or regulatory boundaries.

Restrictions preventing failover to foreign regions.

Rendering data unreadable by destroying encryption keys.

User-provided data stored in cloud services.

Hardware Security Module deployed and controlled by the customer in a specific jurisdiction to enforce local key residency and sovereignty requirements.

Encryption keys fully controlled by the customer.

Entity that determines how and why personal data is processed.

Difficulty of moving large regulated datasets across borders.

A strict form of residency where data must remain within national borders at all times.

Data unintentionally moving out of approved regions.

Location where actual customer data is stored and processed.

Contract between a data controller and data processor that defines how personal data will be processed, where it will reside, and which cross-border transfer mechanisms apply.

Entity that processes data on behalf of the controller, often a cloud provider.

National or regional laws defining rules for handling personal or sensitive data.

Residual data remaining after deletion.

A requirement that data must be physically stored in a specific geographic location.

Verification that data remains in approved locations.

The principle that data is governed by the laws of the country where it is stored or processed.

Processes and tooling that allow users to exercise rights (access, erase, rectify, restrict) in a way that respects residency constraints and local legal timelines.

Risk assessment required before transferring regulated data internationally.

Rules governing where stored data physically resides.

Controls on where data may travel during transmission.

Governs where data is processed in memory or compute.

Rules governing analytics or insights derived from regulated data.

Whether analytics outputs are considered regulated data.

Broader control over data, infrastructure, platforms, and governance.

Encryption model in which both the cloud provider and the customer hold separate keys, ensuring data cannot be decrypted unless both parties cooperate under agreed legal frameworks.

Protecting stored data using encryption.

Protecting data as it moves across networks.

Data transfer during extraction, transformation, and loading.

Strategic control over data, infrastructure, and digital services.

Automated gathering of audit and compliance proof.

Laws that apply to data even when it is stored outside the originating country.

Location control for ML feature data.

Regulations governing banking and financial records.

EU regulation governing personal data protection and international data transfers.

Technical controls that prevent data or traffic from traversing networks, regions, or jurisdictions that are not approved by residency or sovereignty policies.

Database design where data is sharded or partitioned by geography so that each shard stays in a specific region or country to satisfy residency requirements.

Backups stored only in approved geographic regions.

Laws allowing governments to request or compel access to stored data.

Risk that foreign governments may legally access cloud-hosted data.

Rules restricting public-sector data to national infrastructure.

Requirements for storing and accessing patient data.

Encryption model where cloud providers never access keys.

Requirement that cloud provider support personnel and SOC/NOC teams accessing regulated data or consoles operate from within specific approved geographies.

Ensuring identity data is governed under local jurisdiction.

Indian law mandating localization of certain personal data.

Restrictions on where ML inference workloads run.

Storing data exclusively within an approved cloud region.

Legal agreement between two or more data controllers who jointly determine the purposes and means of processing, clarifying residency and sovereignty responsibilities.

The legal authority that governs how data may be stored, accessed, or transferred.

Temporary, approved access for sensitive operations.

Requirement that encryption keys remain within specific jurisdictions.

Legally sanctioned access to data by authorities under defined conditions.

Residency rules applied to cold or archive storage tiers.

Limitations where managed services do not fully honor residency guarantees.

Restrictions on where metadata about data is stored or processed.

Rules governing where ML training data is processed.

Architecture spanning multiple regions, often constrained by residency rules.

Country-specific cloud designed to meet domestic regulatory requirements.

Preparing encryption for future regulatory and security needs.

Limiting admin access based on geography, role, or approval.

Capturing admin sessions for audit and compliance.

Registry of systems, locations, and purposes for which personal data is processed, including explicit fields for data location and transfer mechanisms.

Explicitly binding workloads and data to approved geographic regions.

Legal obligations governing how data is collected, stored, processed, and transferred.

Mandatory disclosure of data handling practices.

Governance over where backup or replicated copies may exist.

Automated system preventing non-compliant data placement.

Standardized use of tags/labels on datasets, buckets, and services to encode residency, jurisdiction, and classification requirements for automated enforcement.

Backup policy that ensures primary copies, replicas, and archives (including snapshots) are only written to storage locations compliant with residency constraints.

Deployment pipelines that enforce region, account, and configuration checks so that regulated workloads can only be deployed into compliant regions and tenants.

Global or regional load balancing that only routes sessions to regions and backends approved for the user’s or dataset’s jurisdiction.

Application or network logic that directs user traffic and API calls only to services and regions that comply with applicable data residency rules.

Recovery point objectives limited by residency rules.

Recovery time objectives impacted by geographic restrictions.

Controls governing where SaaS platforms store and process customer data.

EU court decision invalidating Privacy Shield and tightening cross-border data transfer rules.

Verifiable deletion of data within jurisdiction.

Operational data generated by cloud services about customer usage.

Architecture where all data and services reside in one region.

Governance ensuring snapshots do not violate residency rules.

Cloud infrastructure operated under local laws with restricted foreign access.

A defined geographic or legal boundary within which data must remain.

DR strategies compliant with data sovereignty laws.

Encryption key management operated entirely within national boundaries.

Network design ensuring that traffic between users, applications, and data stores remains on in-country or regulator-approved carriers and does not transit non-compliant jurisdictions.

Demonstrated controls proving data sovereignty compliance.

Real-time alerts for residency or sovereignty breaches.

Legal agreements enabling lawful international data transfers.

Residency controls for real-time data pipelines.

Third-party service used by a data processor to handle data.

Restrictions on where cloud provider support staff may access data from.

Mandates for storing subscriber data domestically.

Geographic control over logs, metrics, and monitoring data.

Temporary data movement during processing or routing.

Secure enclave protecting data-in-use.

Verifying every data access request regardless of network or location.