By Yair Knijn · September 15, 2025
Your data never left the EU, except for the file-transfer hop that did
The compliance lead signs off on data residency the usual way. The database lives in Frankfurt, the compute runs in an EU region, the backups stay in-zone. The attestation goes to the regulated buyer, the DPA gets countersigned, everyone moves on. The storage map was correct. The transfer map was never drawn.
That gap is where a regulated-EU commitment quietly breaks. Under the GDPR, a transfer to a third country is any movement of personal data outside the EEA, however brief, and it needs a legal basis: an adequacy decision, appropriate safeguards such as SCCs, Binding Corporate Rules, or a narrow derogation. A file that touches a US edge node for a fraction of a second during a relay hop is a transfer. Nobody mapped it, so nobody papered it.
Where residency promises actually break: relays, edge nodes, CDNs
Storage gets audited because it has a region label in a console. The transfer path has no such label, and that is exactly where the leak hides. A managed file transfer (MFT) flow can pass through a load balancer's anycast front door, a CDN configured for global acceleration, an SFTP gateway that resolves to whichever point of presence sits closest, or a partner relay whose routing you do not own. Any one of these can land a payload on infrastructure in us-east-1 while your storage sits in eu-central-1.
Anycast and CDN edge logic optimize for latency, not jurisdiction. A generic acceleration layer grabs the nearest healthy node, and nearest means network hops, not borders. Pin nothing and the platform makes the choice for you. It does not consult your DPA.
Why storage residency does not imply transit residency
The two run on different mechanics. Storage residency is a placement decision you make once and verify in a console. Transit residency is a routing property that shifts per connection, per partner, per failover event. The international internet runs over submarine cables, internet exchange points, and routing infrastructure owned across many jurisdictions, none of which a single organization controls.
This is not a theoretical exposure. DORA puts ICT third-party and data-flow oversight on regulated financial entities, and the EU Data Act tightens expectations around where data actually moves. Location-blind transit is becoming a finding an examiner writes up, not a footnote you wave away with a storage diagram.
Mapping the full file path against your contractual commitment
You cannot attest to what you have not traced end to end. Take one regulated flow and follow the bytes from the partner's first TCP handshake to the moment the file lands in durable EU storage. Note every hop that terminates TLS, buffers the payload, or makes a routing decision, and put a jurisdiction next to each one.
- The ingress endpoint the partner connects to, and whether its DNS resolves to an anycast or region-specific address.
- Any CDN, WAF, or acceleration layer that terminates TLS before the origin.
- Relay or proxy hops, including partner-operated ones outside your control plane.
- Failover and disaster-recovery routes, which often default to a different region than the primary.
- The audit and logging pipeline, since metadata about the file can itself cross a border.
If any row reads US or unknown and your commitment says EU-only, you have a violation regardless of where the file ultimately rests. The weakest hop sets your real residency posture, not the strongest one.
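The hop table described above can be checked mechanically. The following is an added example, not code from the original post or from xEvolve. The hop inventory, the prefix-to-jurisdiction table (RFC 5737 documentation ranges) and all function names are constructed, and it assumes that an unpinned anycast address is recorded as unknown because it proves no location.

```python
import ipaddress

# Constructed prefix-to-jurisdiction table: RFC 5737 documentation ranges standing
# in for address ranges you have confirmed in writing with each provider.
PREFIX_JURISDICTION = {
    "198.51.100.0/25": "DE",
    "198.51.100.128/25": "IE",
    "203.0.113.0/24": "US",
}
ALLOWED = {"DE", "IE"}  # assumption: the EU-only commitment, reduced to two countries

# Constructed hop inventory for one regulated flow, one row per item in the list.
HOPS = [
    {"hop": "ingress sftp endpoint", "addrs": ["198.51.100.10"], "anycast": False},
    {"hop": "CDN/WAF TLS termination", "addrs": ["198.51.100.20"], "anycast": True},
    {"hop": "partner relay", "addrs": ["192.0.2.77"], "anycast": False},
    {"hop": "DR failover ingress", "addrs": ["203.0.113.5"], "anycast": False},
    {"hop": "audit log pipeline", "addrs": ["198.51.100.200"], "anycast": False},
]

def jurisdictions(hop):
    """Return the set of jurisdictions a hop can land in; 'unknown' if unprovable."""
    if hop["anycast"] or not hop["addrs"]:
        return {"unknown"}  # assumption: unpinned anycast proves no location
    found = set()
    for addr in hop["addrs"]:
        ip = ipaddress.ip_address(addr)
        match = [j for p, j in PREFIX_JURISDICTION.items()
                 if ip in ipaddress.ip_network(p)]
        found.add(match[0] if match else "unknown")
    return found

def audit_path(hops, allowed=ALLOWED):
    """Return (hop name, offending jurisdictions) for each hop outside the commitment."""
    findings = []
    for hop in hops:
        bad = jurisdictions(hop) - allowed
        if bad:
            findings.append((hop["hop"], sorted(bad)))
    return findings

def path_is_compliant(hops, allowed=ALLOWED):
    # The weakest hop decides: a single finding fails the whole path.
    return not audit_path(hops, allowed)

if __name__ == "__main__":
    for name, bad in audit_path(HOPS):
        print(f"VIOLATION {name}: {', '.join(bad)}")
```

In this constructed inventory the storage-adjacent hops pass, while the anycast CDN layer, the partner relay and the failover route each fail the path on their own.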
Pinning transfer routing to the jurisdiction you promised
Mapping finds the leak. Pinning closes it. That means region-locked ingress endpoints, transfer routing constrained to EU points of presence, failover that stays in-jurisdiction, and TLS terminated only on infrastructure you can name and place. Policy-enforced geofencing makes residency a runtime property rather than a contract clause nobody can verify when the bytes are actually moving.
In xEvolve, each customer tenant runs as an isolated Environment with transfer routing pinned to a declared region and every hop captured in one audit trail, so the path you attest to is the path the bytes actually take. Start with the security model and trace one flow against your commitment before a regulator does it for you.