Data residency / sovereignty

Provable data sovereignty — region-locked, regulator-ready.

A residency-zone architecture with an isolated database per region and hostname-authoritative routing. EU-resident data stays on EU compute and EU transit — something you can point an auditor at, not a clause you hope holds. Built for EU finance and critical infrastructure under DORA and NIS2.

1 / zone
Isolated Postgres per residency zone
Host
Authoritative routing — boundary at the edge
In-region
Streaming replication, single writer
0
Service-held decryption keys

Residency you can prove, not assert

Most “EU data residency” is a contractual promise sitting on top of a single global database. When a regulator asks where a critical function runs, or a court asks what a provider could disclose, a promise is not evidence. Sovereignty has to be a property of the architecture: a physically separate store per region, a routing boundary that code cannot cross by accident, and encryption the provider cannot reverse. Anything less is residency theatre.

How the zone model works

Each card pairs the sovereignty pressure with the concrete mechanism. The underlying topology is documented under distributed architecture and resilience.

Residency-zone architecture

The pressure

A vendor that promises EU residency but runs a single global database has nowhere to point a regulator. Sovereignty has to be a property of the topology, not a clause in the contract.

Glassbreak supplies

Glassbreak is organised as a tree of residency zones. Each zone is a self-contained estate with its own isolated Postgres — there is no shared global table that a zone’s data quietly lands in. A zone is the unit of sovereignty.

Per-region database isolation

The pressure

Logical row-level tenancy in one database still means one physical place where all data lives — and one subpoena, one outage, or one mis-scoped query that crosses borders.

Glassbreak supplies

Each residency zone owns a physically separate database. EU-resident records live in the EU zone’s Postgres; they are never written to another zone’s storage. Isolation is at the database boundary, not a WHERE clause.

Hostname-authoritative routing

The pressure

If routing decisions depend on a header, a cookie, or application logic, a bug can send EU data to a US box. The boundary has to be impossible to cross by accident.

Glassbreak supplies

The hostname is authoritative: glassbreak.cloud terminates and is served entirely within the EU stack — EU compute, EU transit, EU storage. The zone a request lands in is determined at the edge by which domain it hit, not by mutable request state.

Single-writer streaming replication

The pressure

Resilience within a region cannot come at the cost of sovereignty. Replicating to a far cloud for availability would defeat the residency guarantee.

Glassbreak supplies

Within a zone, native Postgres streaming replication (managed by repmgr) keeps a primary writer and a hot standby consistent — one writer, no split-brain. Replication stays inside the zone’s residency boundary, so failover never moves data out of region.

Sovereign key control

The pressure

Even region-locked storage is hollow if the provider can read the contents or a foreign key-holder can compel disclosure.

Glassbreak supplies

Content is encrypted on-device with zero service-held decryption keys, and enterprises can bring their own key material. Glassbreak cannot read zone content; lawful-access demands to the provider return ciphertext only.

Residency evidence on demand

The pressure

For an audit, “trust us” is not residency evidence. You need to show where data physically lives and who can reach it.

Glassbreak supplies

The zone model plus the immutable audit log produce the artefacts a DORA or NIS2 reviewer asks for: where the zone runs, which providers are in scope, and a per-action access trail exportable as PDF or JSON.

Mapped to DORA and NIS2

The two regimes that drive sovereignty requirements for EU finance and critical infrastructure — and what the residency architecture supplies for each.

DORA

Required

In force since January 2025. Financial entities and their critical ICT providers must evidence operational resilience, manage ICT third-party concentration risk, and keep documented recovery procedures — with a clear view of where critical functions run.

Glassbreak supplies

Per-zone isolation and the multi-cloud topology directly address concentration risk and continuity; the residency zone shows exactly where a critical function executes; the audit trail supplies the recovery and incident evidence DORA reviewers request.

See the DORA mapping

NIS2

Required

Cybersecurity and incident-handling obligations on operators of essential services and important entities. Multi-cloud redundancy, continuity of operations, and auditable incident handling are explicit themes; supply-chain security is in scope.

Glassbreak supplies

State distributed across independent providers with no shared failure domains, plus an exportable incident timeline for the competent authority. A single cloud or CDN outage does not interrupt access within a zone.

See the NIS2 mapping

Sovereignty without sacrificing resilience

Region-locked does not mean fragile. Within a zone, multi-cloud streaming replication keeps the estate available through a single-provider failure, all without moving data across the residency boundary. Encryption and key control are covered on the security page.

Frequently asked questions

What is a residency zone?

A residency zone is a self-contained Glassbreak estate with its own isolated Postgres database, served from infrastructure inside a defined jurisdiction. Data written to a zone stays in that zone’s storage. The zone is the unit of data sovereignty — there is no shared global table that a zone’s records also land in.

How is this different from a vendor that just claims EU data residency?

Many vendors run a single global database and assert residency contractually. Glassbreak makes residency a property of the topology: a physically separate database per zone, hostname-authoritative routing so the boundary cannot be crossed by a code path, and replication that stays within the zone. You can point an auditor at where data lives rather than at a clause.

Does Glassbreak support DORA and NIS2 evidence?

Yes. The zone model and multi-cloud topology address operational-resilience and concentration-risk expectations, and the immutable audit log produces the incident and recovery artefacts these regimes ask for. See the DORA and NIS2 mappings for the control-level detail. Glassbreak does not provide legal advice; confirm applicability with your compliance function.

Can resilience and sovereignty coexist?

Yes. Within a zone, native Postgres streaming replication keeps a primary and a hot standby consistent under a single-writer model, so failover is fast and split-brain is prevented — and replication never crosses the zone’s residency boundary. You get in-region high availability without exporting data.

Who can read data in a zone?

No one but the authorised key-holders. Content is encrypted on-device before it reaches the zone, Glassbreak holds zero decryption keys, and enterprises can bring their own key material. A lawful-access demand served on the provider returns ciphertext.

Pin your data to a region you can prove

Book a demo to map the residency-zone model and the audit evidence against your DORA and NIS2 scope, or start free and see where a zone runs for yourself.

Glassbreak does not provide legal advice. The descriptions above cover the technical and operational artefacts the platform produces; customers should consult qualified counsel and their compliance functions to confirm how data-residency and operational-resilience obligations apply to their specific circumstances.

This page is provided for transparency and does not constitute legal advice.

Stay Updated

Get product updates and security insights. No spam, unsubscribe anytime.

We respect your privacy. See our privacy policy.