Data residency is about where your data is stored and processed, and for a security platform the honest answer depends on which deployment you pick. In the cloud you choose a region and your tenant's data stays there; in a dedicated VPC everything pins to one region and account; on-prem and air-gapped keep data entirely inside your own infrastructure. Across all of them, the scanner works on dependency metadata and SBOMs rather than hoarding your source, and customer-managed keys are available so you control access. This FAQ clarifies what lives where, what crosses the boundary, and how residency differs from full sovereignty.
Frequently Asked Questions
What is the difference between data residency and data sovereignty? Residency is about geography, meaning which region your data is stored and processed in. Sovereignty adds legal and operational control, meaning who can lawfully access it and operate the system. You can have residency without sovereignty, for example EU data storage under a foreign-controlled operator. Sovereignty requires you to also hold the keys and operational access, which is the on-prem and air-gapped territory.
Where is my data stored in the cloud deployment? You select a region at onboarding and your tenant's data stays in that region, so an EU customer keeps data in the EU and a US customer in the US. Region selection covers your projects, SBOMs, and findings. For a hard single-region guarantee, a dedicated VPC pins all compute and storage to one region and account.
What data actually leaves my boundary? In on-prem and air-gapped deployments, nothing does; the only inbound flow is signed advisory data. In the cloud, scanning operates on dependency manifests, SBOMs, and metadata within your regional tenant rather than exporting your repository. The design principle is that your dependency graph is what gets analyzed through software composition analysis, not a retained copy of your source.
Does the AI engine move my data to another region? No. Griffin AI runs within your deployment boundary on infrastructure Safeguard controls in-region, or on your own infrastructure in the self-hosted tiers, so analysis does not cross into another jurisdiction. There is no external model API that would ship your code elsewhere. This keeps residency intact through the triage step, which is where many tools quietly break it.
Who holds the encryption keys, and does that affect residency? Data is encrypted in transit and at rest, and customer-managed keys let you control the key lifecycle through your own KMS. Keys do not change where data is stored, but they change who can unlock it, which is the bridge from residency toward sovereignty. In self-hosted tiers you hold the keys outright and we hold none.
How does residency support GDPR and similar regimes? Region pinning keeps personal and project data within the required jurisdiction, and customer-managed keys plus documented retention and deletion support the control mappings those regimes expect. To be precise, residency is one input to compliance rather than the whole of it; your DPA and processing terms complete the picture. The compliance overview states what is certified versus in progress.
Can I keep vulnerability data current without breaking residency? Yes. Advisory bundles flow inbound to your region or your infrastructure, and no code or finding flows outbound to fetch them, so keeping current does not move your data anywhere. Air-gapped installs import the same signed bundles from media. Freshness is a matter of cadence, not of exporting your data.
Is residency guaranteed in the multi-tenant cloud? Your tenant's data stays in the region you choose, though the infrastructure is shared with logical isolation rather than physically dedicated to you. If you need a single-region, single-tenant guarantee, the dedicated VPC provides it. Choose based on whether logical isolation in-region is sufficient for your policy.
What about metadata, logs, and telemetry? In self-hosted deployments, logs and telemetry stay entirely within your boundary because there is no outbound path for them. In the cloud, operational logging is scoped to your regional tenant and governed by the retention terms. There is no separate analytics pipeline shipping your project details to another region.
How does residency differ across the deployment tiers? In the multi-tenant cloud you get regional pinning with logical isolation; in a dedicated VPC you get single-region, single-tenant pinning; on-prem and air-gapped put all data inside infrastructure you own. Control tightens as you move down that list, and so does your operational responsibility. The deployment comparison lays out the trade-offs directly.
Does residency change how the platform meets government control sets? Residency helps with control mappings, and the architecture is built toward FedRAMP HIGH and DoD Impact Level requirements with SOC 2 Type II in progress. Honestly: those are architectural targets and an in-progress certification, and formal authorization also depends on operational and jurisdictional factors beyond where data sits. Highly regulated workloads usually pair residency with a dedicated, on-prem, or air-gapped deployment.
What can I do if my region is not offered in the cloud? Choose a dedicated VPC in the region you need, or self-host on-prem in that jurisdiction, which removes the dependency on our regional footprint entirely. Because the engine is identical across deployments, you do not sacrifice capability by self-hosting for residency. See pricing for how dedicated and self-hosted tiers are quoted.
How do I verify residency claims rather than take them on faith? Ask for the region configuration in writing, confirm the key-ownership model for your tier, and in self-hosted deployments observe directly that nothing egresses except the advisory pull. Verification is easiest in on-prem and air-gapped because the boundary is yours to inspect. Contact our team for the residency documentation specific to your chosen deployment.
To evaluate residency, review the software composition analysis and Griffin AI capability pages, check what is certified on the compliance page, compare tiers on the deployment comparison, and reach out with your jurisdiction requirements. Full documentation is at https://docs.safeguard.sh.