The NoCode CTO
Technology Strategy

Where does your data actually live?

When you sign up to a SaaS tool, your data goes somewhere. Most UK businesses haven't decided where — and clients in legal, healthcare, and financial services will ask.


A UK founder signs up for a US project management tool on a free trial. It solves the immediate problem. Three months later it's running their entire operations — contacts, documents, client communications, the lot. Nobody asked where the data lives. The answer, it turns out, is Virginia.

That might be fine. But it should be a deliberate choice, not one that nobody got round to making.

What data residency actually means

When you sign up to a SaaS product, your data is stored somewhere — usually a data centre run by AWS, Google, or Microsoft. Where that data centre sits determines which legal jurisdiction applies to your data.

For UK businesses, the relevant framework is UK GDPR. It governs what personal data you can collect, how long you can keep it, and where you can transfer it. Sending personal data outside the UK is only lawful if adequate protections are in place.

The US is on the UK's approved list. The UK-US Data Bridge — the UK's equivalent of the EU-US Data Privacy Framework, ratified in 2023 — covers most major US SaaS providers. So most US tools are lawful to use. But "lawful" requires the vendor to actually be certified under the scheme, not just headquartered in America.

What to check before you commit

Three questions worth asking before any tool gets embedded in your business:

Where is the data stored? Most reputable vendors publish this — look for a Trust Centre or Security page. "We use AWS" is not an answer. "AWS eu-west-2 (London)" is.

Do they have a Data Processing Agreement? A DPA is the contract that sets out what a vendor can do with your data. UK GDPR requires one for any third party that processes personal data on your behalf. Most major SaaS vendors offer one — usually in the legal section of their website. No DPA is a flag.

Who are their sub-processors? Your vendor uses other vendors, and those third parties touch your data too. Reputable providers publish a sub-processor list. It tells you whether customer data is flowing through a US analytics tool, a support platform with servers in Singapore, or somewhere else you haven't considered.

One more consideration for some sectors

The UK-US Data Bridge covers commercial data protection standards. It doesn't override the US CLOUD Act.

The CLOUD Act allows US law enforcement to compel US-based cloud providers to produce data stored on their servers — anywhere in the world. A data centre in London running on AWS infrastructure doesn't put your data beyond the reach of a US court order.

For most businesses, this is background noise. For clients in defence, legal services, or regulated financial services, it's a procurement question. Some organisations work only with providers headquartered outside the US, or with sovereign cloud infrastructure, precisely because of it. If your clients ask, you need to know the answer.

The practical reality

The platforms most UK businesses rely on — Salesforce, HubSpot, Notion, Slack — generally have UK-friendly data residency options or compliant transfer mechanisms. Checking is not usually the hard part. Remembering to check is.

The commercial consequence is more immediate than the regulatory one: clients in healthcare, finance, and legal services regularly ask about data handling. Not having a clear answer costs deals.

One practical step: a data register. A spreadsheet — one row per SaaS tool — recording where data is stored and whether a DPA is in place. An afternoon to build the first version. Five minutes per new tool thereafter.


If data handling is a gap in how your technology is set up, book a conversation — we can help you map what you have and where the risks are.

Written by

Robin Carswell
