AI Data Residency Checker

Check where your AI provider stores data by region and tier

Select your AI provider, subscription tier, and required data residency region to check whether the provider can meet your data sovereignty requirements — covering prompt storage, training use, and backup location. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Why does data residency depend on the subscription tier?

Regional data residency, zero-retention modes, and signed DPAs are almost always enterprise or platform features (for example Azure OpenAI or a provider's enterprise plan), not consumer-tier features. A free or individual plan typically processes data wherever the provider chooses, so the tier is decisive.

If your organization must keep data in a specific region, the AI provider’s logo tells you nothing — the tier is what matters. This checker tells you whether a given provider and plan can keep your prompts in your required region, and flags the gaps around training and backups.

How it works

You select a provider, a subscription tier, and your required region. The tool checks those against a knowledge base of how each provider handles residency by tier and returns a clear verdict — supported, conditionally supported, or not available — plus notes covering where prompts are stored, whether the tier excludes training, and what to confirm about backups and retention.

Why tier is decisive

Regional storage, zero data retention, and signed DPAs are platform/enterprise features. A consumer or individual plan generally processes data wherever the provider routes it, while enterprise plans (and cloud-hosted variants like Azure OpenAI or Vertex AI) let you pin a region and sign a DPA. Asking for EU residency on a consumer plan is usually a category error.

The three guarantees you actually need to verify separately

“Data residency” is often used loosely to mean several different things that are actually distinct commitments. When assessing an AI provider, you need to confirm each separately:

Storage region — where your prompts and any associated data are physically written to disk. This is what most people mean by data residency. Enterprise and platform tiers typically allow you to specify a region (EU, US, UK, for example); consumer tiers generally do not.

Training exclusion — whether the provider will use your prompts and outputs to train or improve its models. These are independent of storage region. A provider can store data in the EU and still use it for training unless you are on a tier (or have negotiated a contract) that excludes this. Enterprise tiers typically exclude training; free and individual tiers typically do not.

Zero data retention — whether the provider stores any copies of your prompts after the request completes, or discards them immediately. Some enterprise plans offer zero retention for inference — the request is processed and the input is not written to any persistent store. This is the strongest privacy guarantee and the one most relevant to regulated data.

What a DPA actually gives you

A Data Processing Agreement (DPA) is a signed contract between your organization and the provider that governs how the provider handles personal data you send it. Under GDPR, if your prompts contain personal data, a DPA is required — the provider is acting as a data processor. A DPA specifies:

  • What data the provider may process, for what purposes, and for how long
  • Sub-processors the provider may engage
  • The security measures the provider maintains
  • What happens to data on termination (deletion, return)

A marketing page saying “GDPR compliant” is not a DPA. Many providers make DPAs available for enterprise tiers on request; some require a specific plan tier to be eligible to sign one. The checker notes which tiers allow DPA execution.

Common mistakes when assessing AI data residency

  • Assuming the provider’s headquarters location determines where your data is stored (it does not — storage region depends on the service configuration).
  • Treating “GDPR compliant” on a marketing page as equivalent to a signed DPA with clear processing terms.
  • Checking storage region without checking training exclusion — these are separate settings that can independently apply.
  • Not asking about backup region, which can be a different geography from the primary storage region.

Tips and notes

  • Residency, training opt-out, and zero retention are three separate guarantees — confirm each one you need.
  • For a binding answer, the relevant artifact is your signed contract / DPA, not a marketing page.
  • Provider offerings in this area change regularly — verify against current documentation before finalising a procurement decision.
  • Pair this with the AI Provider Terms Comparison Tool to evaluate privacy holistically, and the Zero-Trust AI Access Policy to encode the result into governance.