Sign in Get started
Back to blog

Where your data actually lives

by Kaligon Team 3 min read

“It’s in the EU region” and “it stays in the EU” are two different sentences. Your provider’s marketing treats them as synonyms. Your auditor does not. And neither should you.

A region is a placement hint for your primary copy of the data. That’s it. It tells you where the VM boots and where the block volume sits. It says nothing about where the backups land, which continent the dashboard runs from, or where the support engineer is sitting when they open a session into your account. Picking eu-west from a dropdown is the start of the conversation, not the end of it.

Residency, sovereignty, and the GDPR floor

These three words get mashed together, so let’s separate them.

Residency is physical: which datacenter holds the bytes at rest. That’s the easy part, and the part most providers will actually honor.

Sovereignty is legal: whose laws can reach the data and the people who operate it. A US-headquartered provider can be compelled to hand over data sitting in Amsterdam. The disk never left the Netherlands; the jurisdiction followed the parent company home. Residency without sovereignty is a comforting half-measure.

GDPR transfer rules are the binding part for European data. Moving personal data outside the EEA needs a lawful basis: an adequacy decision, Standard Contractual Clauses, the right safeguards. “We replicate backups to us-east for durability” is a cross-border transfer, even if nobody decided it on purpose. The replication job doesn’t read the contract.

The sneaky leak points

The data plane is rarely where things go wrong. The leaks are in the plumbing nobody screenshots.

  • Control planes. Your VMs run in eu-west, but the panel, the API, and the orchestration brain often run from one home region. Every API call, every metric, every config change can route through there. The workload is local; the metadata about your workload is on a plane.
  • Backups and snapshots. Durability features love to copy across regions for safety. Sensible engineering, terrible compliance surprise. Always check where the second copy lives.
  • Support access. When you open a ticket and grant access, where is that engineer? Under whose jurisdiction? An offshore support tier can be a transfer that never shows up in your architecture diagram.
  • Logs and telemetry. Centralized logging is the classic accidental exfiltration channel. IPs, user IDs, request bodies — all personal data, all quietly shipped to wherever the log cluster happens to live.

Ask your provider these four questions in writing. The pauses tell you more than the answers.

How Kaligon handles it

We designed around these leak points instead of patching over them later.

Your data stays in the region you pick. Not the primary copy with asterisks — the data. Block volumes are replicated in-region, snapshots stay in-region, and there’s no surprise cross-region durability job shipping a copy somewhere “for safety.” No egress fees between resources in the same region means you’re never financially nudged into spreading data around, either. The 90-day audit log gives you who-did-what, in-region, so you can prove it rather than promise it.

GDPR is the floor, not the ceiling. We treat it as the minimum bar, not the marketing badge. And support speaks the language you file the ticket in — handled by people in jurisdictions that match the promise, not an offshore tier that quietly becomes a transfer.

Region should be a decision you make on purpose, with the whole picture visible — backups, control plane, support, the lot. Pick a region on the pricing page and what you pick is what you get. No fine print, no second continent you find out about during an audit.