Data Residency
Statement
ClaimGuard's primary data residency commitment today is the
European Union: every byte of customer data at rest — application
state, snapshots, GCS uploads, Secret Manager payloads, Cloud Logging
buckets — is stored in GCP's europe-west1 region (Belgium). The
two outbound flows that leave the EU boundary are documented on
Subprocessors and on
AI transparency.
The control sits at partial because the EU-residency commitment is real and verifiable today, but stronger residency guarantees that specific customers may ask for ("no inference outside the EU," "customer-selected region per tenant") would each require additional work. None has been engaged yet because no customer has asked.
Implementation
Where data at rest lives
| Storage primitive | Region |
|---|---|
| VM boot disk deepfakebench3 (claim-guard-app-1) | europe-west1-b |
| Daily snapshots (claim-guard-daily policy) | europe-west1 (multi-zonal within the region) |
| Postgres data files (on the VM boot disk) | europe-west1-b |
| GCS upload buckets | europe-west1 (verified via gcloud storage buckets describe) |
| GCP Secret Manager | Automatic replication; storage in EU GCP regions per the secret's replication policy |
| Cloud Logging _Required and _Default buckets | global per GCP defaults — log entries originate in europe-west1 and are aggregated in Google's globally-managed logging infrastructure |
Outbound flows that leave the EU
| Flow | Where it goes | Documentation |
|---|---|---|
| Google Gemini API (gemini-2.5-pro) inference calls | Google's globally-managed Generative AI infrastructure; inference may happen outside the EU per Google's published Generative AI residency behavior | AI transparency, Subprocessors |
| Cloud Logging aggregation | Google's globally-managed logging infrastructure; entries originate in europe-west1 | Audit logging (cloud) |
These are the only two flows that leave the EU boundary in normal operation.
What we can promise customers today
- Application data at rest in europe-west1 — verifiable by the resource state.
- Snapshots in the same regional geography — verifiable by gcloud compute snapshots list ... --filter=....
- EU-anchored support workflows — the operator pair is EU-personal-data accessible (i.e., we do not have a non-EU support team that touches production data).
- Subprocessors named — the Subprocessors page enumerates the two production-data-handling vendors (both Google entities) and notes the residency posture for each.
What we cannot promise today
- "No inference outside the EU." The Gemini API is globally managed by Google; a stronger commitment requires a Gemini API plan change.
- Per-tenant region selection. The application's storage is single-region; a multi-region offering with per-tenant residency would require a feature design (per-org storage routing, per-org cloud-resource placement).
- Region-locked logging. Cloud Logging is globally aggregated by default; pinning logging buckets to a specific region is possible but is not in place.
- Region-locked Secret Manager. Secrets currently use automatic replication; locking to specific regions is supported and would be a small change.
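
An added example (not ClaimGuard's own tooling) of checking resource state against the europe-west1 commitment: it evaluates records shaped like the JSON returned by gcloud with --format=json and reports the Secret Manager and Cloud Logging gaps listed above. The inventory, project ID and resource labels are constructed placeholders, and the field names are assumed to follow the GCP API resource shapes.

```python
# Added example: residency check over constructed resource records.
REGION = "europe-west1"

def locations(kind, res):
    """Return the set of locations a resource record declares (lower-cased)."""
    if kind == "disk":        # Compute disk: 'zone' is a URL ending in the zone name
        return {res["zone"].rsplit("/", 1)[-1].lower()}
    if kind == "snapshot":    # Compute snapshot: 'storageLocations' list
        return {loc.lower() for loc in res["storageLocations"]}
    if kind == "bucket":      # GCS bucket: 'location', upper-cased in API output
        return {res["location"].lower()}
    if kind == "secret":      # Secret Manager: automatic vs. userManaged replication
        rep = res["replication"]
        if "automatic" in rep:  # placement is left to Google, so it is not pinned
            return {"automatic"}
        return {r["location"].lower() for r in rep["userManaged"]["replicas"]}
    if kind == "log_bucket":  # Logging bucket: location is a path segment of 'name'
        parts = res["name"].split("/")
        return {parts[parts.index("locations") + 1].lower()}
    raise ValueError(f"unknown resource kind: {kind}")

def in_region(loc, region=REGION):
    """True for the region itself or one of its zones (e.g. europe-west1-b).
    A bare prefix match would wrongly accept europe-west10 or europe-west12."""
    return loc == region or (loc.startswith(region + "-") and len(loc) == len(region) + 2)

def audit(inventory, region=REGION):
    """Map each resource label to 'pinned' or a 'not pinned: ...' reason."""
    report = {}
    for kind, label, res in inventory:
        bad = sorted(l for l in locations(kind, res) if not in_region(l, region))
        report[label] = "pinned" if not bad else "not pinned: " + ", ".join(bad)
    return report

# Constructed inventory mirroring the tables on this page (placeholder names).
INVENTORY = [
    ("disk", "boot-disk", {"zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b"}),
    ("snapshot", "daily-snapshot", {"storageLocations": ["europe-west1"]}),
    ("bucket", "upload-bucket", {"location": "EUROPE-WEST1"}),
    ("secret", "app-secret", {"replication": {"automatic": {}}}),
    ("log_bucket", "_Default", {"name": "projects/example-project/locations/global/buckets/_Default"}),
]

if __name__ == "__main__":
    for label, verdict in audit(INVENTORY).items():
        print(f"{label:16} {verdict}")
```
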
Status
partial — verified 2026-04-29.
What's in place:
- A clean EU-region commitment for primary data at rest.
- A documented and short list of outbound flows that leave the EU boundary.
- Cross-references to the AI and subprocessors pages so the residency story is consistent across the portal.
Known gaps
- No "no inference outside the EU" commitment at the AI vendor level.
- No per-tenant region selection — single-region today.
- Cloud Logging is globally aggregated. Region-locked logging buckets are configurable but not configured today.
- Secret Manager uses automatic replication rather than region-locked.
- No formal data-residency clause in customer agreements yet — bilateral on request.
Roadmap
- Region-locked Secret Manager for the four claim-guard-* secrets — small change, low risk; deferred until a customer asks.
- Region-locked Cloud Logging buckets — same.
- Stronger AI-vendor residency commitment — pursued only when a customer demands it.
- Per-tenant region selection — full feature design; not on the near-term roadmap.
- Standard data-residency clause added to the DPA template once it is published. See DPA.