Are you generally able to accommodate storing each institution's data within its geographic region?
Explanation
Data residency drives this question, which probes whether you can keep each institution's data stored within its own geographic region. This is important for several reasons:
1. Data Residency/Sovereignty: Many countries and regions have laws requiring certain types of data (especially personal data) to remain within their borders. For example, the EU's GDPR has implications for data storage locations.
2. Compliance Requirements: Educational institutions often must comply with regional regulations about where student, research, or administrative data can be stored.
3. Performance: Storing data closer to users can reduce latency and improve application performance.
4. Disaster Recovery: Some institutions may have policies requiring data to be stored in specific regions for business continuity purposes.
The question is being asked in a security assessment because data location affects legal jurisdiction, which determines which privacy laws and government access provisions apply to the data. This has direct security and compliance implications.
When answering this question, you should be specific about:
- Which geographic regions you can support
- Any limitations to this capability
- Whether there are additional costs for region-specific storage
- How you implement and verify regional data storage
- Any exceptions where data might temporarily leave the specified region (e.g., for backup or failover)
Example Responses
Example Response 1
Yes, our cloud infrastructure is designed with geographic data sovereignty in mind We maintain data centers in North America (US East, US West, Canada), Europe (Ireland, Frankfurt, London), Asia Pacific (Tokyo, Sydney, Singapore), and South America (São Paulo) Customers can specify their preferred data storage region during onboarding, and we enforce data residency through technical controls that prevent data migration between regions without explicit authorization All data, including backups and replicas, remains within the customer's selected geographic region We can provide documentation certifying data location upon request.
Example Response 2
Yes, we can accommodate storing data within specific geographic regions Our platform operates on AWS infrastructure, allowing us to leverage their global region structure We currently support data residency in the United States, European Union, United Kingdom, Canada, and Australia When an institution specifies their geographic requirement, we provision their tenant in the appropriate regional data center and implement logical controls to ensure data remains within that region Note that while primary data storage will be region-specific, certain metadata and authentication logs may be stored in our central US management infrastructure for operational purposes We clearly document these exceptions in our data handling policy.
Example Response 3
No, we currently cannot guarantee data storage within specific geographic regions Our platform operates on a globally distributed architecture where data may be automatically replicated across our data centers in the United States, Europe, and Asia for redundancy and performance optimization While we implement strong encryption and access controls to protect all customer data, our current infrastructure does not support strict geographic data residency requirements We understand this limitation may impact institutions with specific regulatory requirements, and we're evaluating the possibility of offering region-specific storage options in our product roadmap for next year.
Context
- Tab
- Infrastructure
- Category
- Datacenter
Related questions
- Select your hosting option.
- Is a SOC 2 Type 2 report available for the hosting environment?
- Are the data centers staffed 24 hours a day, seven days a week (i.e., 24 x 7 x 365)?
- Are your servers separated from other companies via a physical barrier, such as a cage or hard walls?
- Does a physical barrier fully enclose the physical space, preventing unauthorized physical contact with any of your devices?
- Are your primary and secondary data centers geographically diverse?

