Data Residency — AI Systems, GDPR, and the EU AI Act

Key Takeaway: Data residency determines where your personal data physically sits and is processed. For enterprise AI systems, it is not an infrastructure preference — it is a legal requirement under GDPR, a procurement risk under the EU AI Act, and an increasingly explicit clause in enterprise vendor contracts.

What Is Data Residency?

Data residency refers to the geographic location where data is physically stored and processed. In enterprise technology, "data residency" typically means the country or region in which a cloud provider's servers hold and process an organization's data, including in-transit and at-rest states. For AI systems specifically, residency applies to: the input data fed into AI models (inference requests), the training and fine-tuning data used to develop models, model output logs and audit trails, and any intermediate representations created during AI processing.

Data residency is distinct from — but related to — data sovereignty (the principle that data is subject to the laws of the country where it is stored) and data localization (legal requirements in some jurisdictions to keep certain data within national or regional borders). In the EU context, the terms are often used interchangeably in B2B contracts.

Why It Matters

GDPR cross-border transfer restrictions. GDPR Chapter V prohibits the transfer of personal data to countries outside the EEA unless one of the Chapter V transfer mechanisms applies: adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or a derogation. When an AI vendor processes EU personal data on infrastructure outside the EEA — even for milliseconds during inference — a transfer has occurred and must be legally grounded.

The "Schrems II" judgment (CJEU, 2020) invalidated the EU-US Privacy Shield and imposed additional requirements on SCCs, particularly for transfers to the US where government surveillance laws (FISA Section 702, Executive Order 12333) may conflict with GDPR. Enterprise buyers must verify not just that SCCs are in place but that the vendor has conducted a Transfer Impact Assessment (TIA) for US-hosted AI processing.

AI Act jurisdiction. The EU AI Act applies to any AI system whose outputs affect persons in the EU, regardless of where the system is hosted. However, where a system is hosted determines which supervisory authority has primary jurisdiction and whether data transfer restrictions under GDPR apply concurrently. An AI system hosted entirely in the EEA faces a simpler compliance picture than one distributed across US and Asian data centers.

Sector-specific requirements. Financial services (under EBA guidelines), healthcare, and public sector organizations face sector-specific data residency requirements that may impose stricter obligations than GDPR alone. In Italy, CONSIP procurement frameworks for public sector AI tools increasingly include EU data residency as a mandatory qualification criterion.

Core Mechanism: The GDPR Transfer Rules for AI

The key legal instruments for governing data residency in AI vendor contracts are:

Standard Contractual Clauses (SCCs, 2021/914/EU). The European Commission's updated SCCs (effective September 2021) provide the primary legal basis for most EU-to-US and EU-third-country AI data transfers. Module 2 covers controller-to-processor transfers; Module 3 covers processor-to-sub-processor (relevant for the sub-processor chain). SCCs must be incorporated by reference into the Data Processing Agreement.

Transfer Impact Assessment (TIA). Supervisory authorities expect that where SCCs are used, the parties have assessed whether the legal regime of the destination country undermines the protection the SCCs provide. For AI systems with US-hosted infrastructure, the TIA must address FISA 702 and Executive Order surveillance exposure.

EU data residency commitment. The cleanest procurement outcome for EU-regulated enterprises is an AI vendor with EU-only infrastructure: data that never leaves the EEA requires no SCCs and no TIA, and transfer risk is eliminated entirely. This is now a differentiating factor in enterprise AI procurement and is reflected in vendor certification programs (e.g., BSI C5 for German cloud, ANSSI SecNumCloud for French public sector).

Edge Cases

Multi-region deployments. AI vendors that deploy across multiple AWS/GCP/Azure regions may process EU personal data in EU regions during normal operation but route it through US regions during failover, support escalations, or model inference. Residency commitments in contracts must cover all processing scenarios, not just the primary production path.

Model training vs. inference residency. Data may be processed in an EU data center at inference time but sent to US infrastructure for model retraining or fine-tuning. These are distinct processing activities and may carry different residency implications. Enterprise DPAs should specify residency requirements separately for inference and training.

Log and telemetry data. Audit logs, performance telemetry, and model output histories are often treated as infrastructure data rather than personal data — but if they contain personal identifiers or can be linked to individuals, they are personal data and subject to the same residency requirements.
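As an added illustration (not Knowlee's or any vendor's code) of the transfer rules in the Core Mechanism section and the three edge cases above, the following audit applies the Chapter V decision sequence to each processing path in a constructed vendor inventory and treats telemetry that carries identifiers as personal data. The region names, the adequacy set and the inventory entries are assumed sample values.

```python
# Residency audit over a vendor's processing inventory.
# Added illustration, not Knowlee's or any vendor's code; region names,
# the adequacy set and the inventory below are constructed sample values.
EEA_REGIONS = {"eu-central-1", "eu-west-1", "eu-north-1"}   # assumed EEA-hosted regions
ADEQUATE_COUNTRIES = {"CH", "JP", "UK"}                      # assumed adequacy-decision set
# Every processing path a residency commitment must cover, not just production.
REQUIRED_PATHS = {"inference", "training", "failover", "support", "logs"}

def audit_activity(act):
    """Findings for one processing activity; an empty list means the path is clean."""
    findings = []
    name = act["name"]
    # Telemetry with personal identifiers is personal data and inherits the same rules.
    personal = act["personal_data"] or act.get("contains_identifiers", False)
    if not personal:
        return findings                     # outside the scope of Chapter V
    if act["region"] in EEA_REGIONS:
        return findings                     # never leaves the EEA: no SCCs, no TIA needed
    if act["country"] in ADEQUATE_COUNTRIES:
        return findings                     # adequacy decision grounds the transfer
    mech = act.get("mechanism")
    if mech not in {"scc", "bcr", "derogation"}:
        findings.append(f"{name}: personal data in {act['region']} with no Chapter V mechanism")
    elif mech == "scc":
        if not act.get("tia_documented"):
            findings.append(f"{name}: SCCs in place but no Transfer Impact Assessment")
        if act.get("scc_module") not in {2, 3}:   # processor / sub-processor modules
            findings.append(f"{name}: SCC module {act.get('scc_module')} does not fit a processor transfer")
    return findings

def audit_inventory(inventory):
    """Flag uncovered paths first, then audit every recorded activity."""
    findings = []
    seen = {a["path"] for a in inventory}
    for missing in sorted(REQUIRED_PATHS - seen):
        findings.append(f"{missing}: no residency commitment recorded for this path")
    for act in inventory:
        findings.extend(audit_activity(act))
    return findings

# Constructed sample: the EU production path is clean; failover, training and logs are not.
SAMPLE_INVENTORY = [
    {"name": "prod inference", "path": "inference", "region": "eu-central-1", "country": "DE", "personal_data": True},
    {"name": "DR failover", "path": "failover", "region": "us-east-1", "country": "US", "personal_data": True, "mechanism": "scc", "scc_module": 2, "tia_documented": False},
    {"name": "fine-tuning", "path": "training", "region": "us-west-2", "country": "US", "personal_data": True},
    {"name": "model output logs", "path": "logs", "region": "us-east-1", "country": "US", "personal_data": False, "contains_identifiers": True, "mechanism": "scc", "scc_module": 3, "tia_documented": False},
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

Running it on the sample reports the missing support path, the failover SCCs without a TIA, the fine-tuning transfer with no mechanism, and the output logs that only look like infrastructure data.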

Knowlee and Data Residency

Knowlee processes EU customer data on EU-hosted infrastructure. Supabase per-tenant isolation ensures that each customer's personal data remains within its designated data environment. For customers with explicit data residency requirements (regulated industries, public sector), Knowlee provides contractual data residency commitments specifying the EU regions in which data is stored and processed.

Knowlee's Data Processing Agreement incorporates Standard Contractual Clauses (Module 2) for any transfers that are technically necessary and documents the associated Transfer Impact Assessments. The sub-processor list specifies the data residency profile of each sub-processor. Knowlee's GDPR-compliant and ISO 42001-aligned framework ensures that residency obligations are tracked at the AI management system level — not just as individual contract clauses — making audit and verification straightforward for enterprise procurement and legal teams.

Related Terms