An owner forwarded me a vendor questionnaire last month from one of her customers. The customer was asking, in plain language, whether the AI tool the firm uses processes data in the EU. The vendor’s marketing page said “European data residency” in green text near the top. The Data Processing Addendum, four pages in, mentioned that logs may be aggregated in the US for security analysis and that support staff have global access. She asked which document was telling the truth. Both were, partially.
That is the residency question in 2026. It looks like a yes-or-no on the vendor’s website. It is not, and the gap between the marketing badge and the contract is where every AI procurement headache lives.
What is data residency?
Data residency is a geographic commitment about where data sits and gets processed. For a normal SaaS app it is fairly simple. UK customer data on UK servers, processed by UK systems, not leaving UK jurisdiction. For AI it fractures, because an AI service is a stack of five separate components rather than one process in one place. Each of those components can sit in a different country under a different legal regime.
The five layers are: the prompt you send at the moment of use, the model weights themselves, the logs and conversation history the system keeps, the training data the model was built on, and the physical compute that runs the inference. A vendor can honestly say “prompts processed in the EU” while logs go to a US data lake, support staff in three time zones can read them, and model weights are mirrored to AWS regions worldwide. The badge is true. So is everything underneath it.
Why does it matter for your business?
It matters because your obligations sit one level up from the vendor’s. Under UK GDPR Chapter V you are responsible for the lawfulness of any international transfer of personal data, regardless of what the vendor’s landing page says. The Italian Garante’s temporary block of ChatGPT in March 2023 is the working example: regulators do act on AI residency when they think the answer is wrong.
It also matters because of the US CLOUD Act. AWS, Microsoft, Google, OpenAI and Anthropic are US companies. A US Department of Justice subpoena can in principle reach data sitting in their UK or EU data centres. Residency in London or Frankfurt reduces the exposure; it does not eliminate it. Mistral, headquartered in Paris, is the cleanest non-US option in 2026, with the trade-off that the model capabilities are roughly a generation behind the frontier.
Where will you actually meet it?
You will meet residency in three places. The first is a customer’s vendor questionnaire, where larger buyers in regulated sectors push residency clauses down to suppliers as part of their own compliance posture. The second is your own vendor due diligence when you bring an AI tool in. The third is procurement frameworks, particularly anything Crown Commercial Service, NHS, or a financial services customer.
You will also meet it inside contracts you have already signed. NHS DSP Toolkit clauses, MoD List X work, FCA-regulated outsourcing, and a growing share of B2B Data Processing Addendums all name UK or EU processing as a hard requirement. The pattern in 2026 is that residency has stopped being an enterprise-only concern. It is now a routine question on a five-person services firm’s vendor form, asked by a procurement officer at a mid-sized insurer.
The most useful place to meet the term is in the contract you are about to sign with an AI vendor. If they will not name where prompts are processed, where logs live, and whether their support staff can read them, that is the answer.
When to ask, when to ignore
Treat residency as mandatory when your customer or regulator says so. NHS contracts, MoD List X, FCA-regulated outsourcing in many configurations, and any customer Data Processing Addendum that names UK or EU only. In those cases there is no negotiation. The AI service either offers the required residency or you cannot use it for that workload.
Treat residency as preferred when you are competing on trust, when you handle Special Category Data under GDPR Article 9, or when public-sector revenue is material to the business. UK or EU residency simplifies your Transfer Risk Assessment paperwork, signals to procurement teams that you have done the work, and reduces CLOUD Act exposure for sensitive cases. The cost is sometimes a smaller feature set or a slightly older model.
Treat residency as largely immaterial when there is no personal data of UK or EU residents involved: internal-only marketing copy drafts, brainstorming the firm’s own product positioning, summarising your own non-personal business data. The vendor’s location and your own commercial preference still matter; the GDPR transfer rules do not.
There is one trap worth flagging. Sending five clean procurement questions to the vendor is not the same as a Transfer Risk Assessment. The TRA is an ICO-and-counsel exercise. The ICO publishes a Transfer Risk Assessment Tool that is the right starting point, and qualified legal advice is the right next step for anything that touches Special Category Data or a regulator-facing contract.
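As an added illustration that is not part of the original article, the Python below turns the five-layer decomposition and the mandatory/preferred/immaterial tiers into a questionnaire triage step: it lists every layer where the DPA disagrees with the marketing badge and says whether a workload can proceed to the TRA at all. The field names, the "review" catch-all tier and the sample vendor are assumptions constructed for the example.

```python
from dataclasses import dataclass
LAYERS = ("prompt", "weights", "logs", "training_data", "compute")  # the article's five layers
UK_EU = {"UK", "EU"}

@dataclass
class Vendor:
    badge_region: str            # what the marketing page claims, e.g. "EU"
    layers: dict                 # layer -> region the DPA actually names; absent = not disclosed
    provider_country: str        # country of incorporation; "US" means CLOUD Act reach
    global_support_access: bool  # can support staff outside the badge region read logs?
@dataclass
class Workload:
    uk_eu_personal_data: bool      # personal data of UK or EU residents involved at all
    trust_sensitive: bool          # Article 9 data, material public-sector revenue, or selling on trust
    contract_requires_uk_eu: bool  # customer DPA or regulator names UK/EU-only processing
def residency_tier(w: Workload) -> str:
    # Map the workload onto the article's mandatory / preferred / immaterial tiers.
    if w.contract_requires_uk_eu:
        return "mandatory"
    if not w.uk_eu_personal_data:
        return "immaterial"
    return "preferred" if w.trust_sensitive else "review"  # "review" is a hypothetical catch-all
def residency_gaps(v: Vendor) -> list:
    # Every place the badge and the DPA disagree, layer by layer, plus the jurisdiction point.
    gaps = []
    for layer in LAYERS:
        region = v.layers.get(layer)
        if region is None:
            gaps.append(f"{layer}: not disclosed")
        elif region != v.badge_region:
            gaps.append(f"{layer}: {region} (badge says {v.badge_region})")
    if v.global_support_access:
        gaps.append("support: staff outside the badge region can read logs")
    if v.provider_country == "US":
        gaps.append("jurisdiction: US provider, CLOUD Act reach regardless of data centre")
    return gaps
def assess(w: Workload, v: Vendor) -> dict:
    tier, gaps = residency_tier(w), residency_gaps(v)
    all_uk_eu = all(v.layers.get(layer) in UK_EU for layer in LAYERS)
    if tier == "mandatory":
        verdict = "usable pending TRA and counsel" if all_uk_eu else "cannot use for this workload"
    elif tier == "immaterial":
        verdict = "transfer rules do not apply; commercial preference only"
    else:
        verdict = "usable; negotiate the gaps and document the TRA"
    return {"tier": tier, "gaps": gaps, "verdict": verdict}

# Constructed sample mirroring the opening story: green EU badge, US logs, global support staff.
SAMPLE_VENDOR = Vendor("EU", {"prompt": "EU", "logs": "US", "compute": "EU"}, "US", True)
SAMPLE_WORKLOAD = Workload(uk_eu_personal_data=True, trust_sensitive=False, contract_requires_uk_eu=True)
```

Running `assess(SAMPLE_WORKLOAD, SAMPLE_VENDOR)` flags the undisclosed weights and training data, the US logs and the global support access, and returns "cannot use for this workload" because the customer DPA makes residency mandatory.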
Related concepts
Data sovereignty is the broader idea that data is governed by the laws of whichever country it sits in, and by extension whichever country can compel access to it. Residency is one mechanism for asserting sovereignty; the legal jurisdiction question is bigger and shows up in any conversation about US providers, UK regulators, and where a subpoena could in principle land.
Data localisation goes further than residency. It is the requirement, usually set by national law, that certain data must remain inside national borders without exception. Russia, China, and parts of the GCC enforce localisation. The UK does not, with sector-specific exceptions for defence and parts of the NHS estate.
Standard Contractual Clauses, or SCCs, are the contractual mechanism UK and EU exporters use to lawfully transfer personal data to a country without an adequacy decision. After the Schrems II judgment, SCCs alone are not enough for US transfers, which is why the Transfer Risk Assessment exists.
The CLOUD Act is the US statute that lets US authorities compel US companies to produce data stored anywhere in the world. It is the reason the ICO’s international transfers guidance treats US-based vendors as a separate category from UK or EU ones, even when the data centre badge says London.
The point of all this is to give you enough vocabulary that the next vendor who shows you a green “EU residency” tick cannot use the badge to end the conversation. You do not need to become a data protection officer. You do need to know which question to ask next.