← Back to blog

July 7, 2026 · 8 min read

GDPR Data Residency and International Transfers for SaaS

Moving EU personal data to a country without an EU adequacy decision — which includes the US, Singapore, and Australia — requires a transfer safeguard, most often the Standard Contractual Clauses (SCCs). For a SaaS the catch is subtle: a single non-EU sub-processor, a support login from outside the EU, or a backup replicated to another region can each be a "transfer". So compliance is less about where your servers sit and more about mapping where the data actually flows and covering every hop.

Data residency vs. an international transfer

The two get conflated, but they are different. Data residency is where personal data physically lives — a hosting region. An international transfer under Chapter V of the GDPR is any time personal data is sent to, stored in, or even accessed from a country outside the EU/EEA. Remote access counts: an engineer in Singapore querying an EU-hosted database is a transfer, even though the data never "moved". Crucially, the GDPR itself does not mandate that EU data stay in the EU — it requires that any transfer out of it carry an appropriate safeguard. Residency mandates (for example "our data must stay in Frankfurt") usually come from a customer contract or a sectoral rule, not from the GDPR text.

When a transfer is happening — often invisibly

Most SaaS businesses transfer far more than they realise. The usual sources:

SourceExample
Hosting regionYour servers or databases run in a non-EU region
Sub-processorsA US or APAC provider for email, analytics, error tracking, or payments
Remote accessSupport or engineering logging in from outside the EU
Backups & DRBackups replicated to a different, non-EU region
CDN / edgeRequests and logs terminating at non-EU edge nodes

The transfer mechanisms (Articles 44–49)

If a transfer is happening, one of these has to cover it:

  • Adequacy decision — the EU has ruled the destination country offers equivalent protection (for example the UK, Switzerland, and, under the Data Privacy Framework, certified US organisations). No further safeguard needed.
  • Standard Contractual Clauses (SCCs) — the EU-approved contract template, and by far the most common mechanism for a SaaS. You sign the current (2021) modular SCCs with each importer.
  • Binding Corporate Rules (BCRs) — internal rules for transfers inside a corporate group; heavyweight, mostly for large multinationals.
  • Derogations (Article 49) — narrow, occasional exceptions such as explicit consent or contractual necessity. Not a basis for routine, systematic transfers.

After Schrems II: the transfer impact assessment

Since the Schrems II ruling, signing SCCs is not the end of the job. You must assess whether the destination country's laws — particularly government-access regimes — would undermine the protection the SCCs promise, and where there is a gap, add supplementary measures: strong encryption in transit and at rest, pseudonymisation, tight access controls, and transparency about government-access requests. Document this transfer impact assessment; it is the artefact that shows you did more than paste a template.

What to actually do

  • Map your data flows. List every place EU personal data lands or is accessed from — hosting, each sub-processor, backups, support access.
  • Match a mechanism to each destination. Adequacy where it exists, SCCs plus a transfer impact assessment otherwise.
  • Keep a current sub-processor list and make sure a DPA plus the right transfer terms are in place with each one.
  • Offer transfer terms to your own customers. As their processor, you will be asked to sign SCCs and disclose where their data goes.
  • Consider EU-region hosting only when a customer contractually requires residency — it reduces transfers but does not, by itself, discharge the mapping work.

A worked example: how ValidonX handles its own transfers

We practise what this guide describes. ValidonX is a non-EU SaaS, so every EU customer relationship involves a transfer we have to map and cover — the same position most of our readers are in. Licensing data lives in isolated per-tenant databases hosted in Singapore; our billing and tax records sit with an accounting provider in Australia. Neither country has an EU adequacy decision, so both are international transfers rather than something we can wave away. We keep the data map current, the per-tenant isolation limits how far any single destination reaches, and Enterprise customers receive a DPA that documents our sub-processors and data flows. The takeaway is not that we host in a magic compliant region — it is that we know exactly where every piece of personal data goes and can show it.

This is engineering and process guidance, not legal advice — the right transfer mechanism for your data depends on your destinations and should be confirmed with a DPO or privacy counsel. For the surrounding obligations, see the practical GDPR guide for SaaS, the right-to-erasure guide, and the startup GDPR checklist.

Frequently asked questions

Does GDPR require me to store EU data in the EU?

No. The GDPR does not mandate data residency — it does not say EU personal data has to stay in the EU. It requires that any transfer out of the EU/EEA to a country without an adequacy decision carry an appropriate safeguard, such as the Standard Contractual Clauses. Requirements to keep data in a specific region usually come from a customer contract or a sectoral rule, not from the GDPR itself.

What are Standard Contractual Clauses (SCCs)?

SCCs are an EU-approved contract template that a data exporter and a non-EU importer sign to provide a lawful safeguard for an international transfer. They are the most common transfer mechanism for SaaS businesses. Since the Schrems II ruling you also have to run a transfer impact assessment and, where needed, add supplementary measures such as strong encryption.

Is using a US or non-EU cloud provider a GDPR transfer?

Generally yes. Hosting or processing EU personal data with a provider in the US, Singapore, Australia, or any other non-adequate country is an international transfer, and so is remote access to EU-hosted data from those countries. Each such transfer needs an adequacy decision or a safeguard like SCCs. Certified US organisations may be covered by the EU-US Data Privacy Framework adequacy decision.

Do I need a transfer impact assessment?

If you rely on SCCs (or another Article 46 safeguard), yes. Since Schrems II you must assess whether the destination country’s laws would undermine the protection the SCCs promise and, where there is a gap, document the supplementary measures you have added. Transfers under an adequacy decision do not need one.

Want licensing data with documented isolation and data flows? Start free — issue and validate your first license in minutes, with per-tenant isolation and GDPR controls built in, no credit card.

We use essential cookies for authentication and session management. Privacy Policy