Data residency is the geographic location where personal data is stored and processed. It is not the same as company headquarters: a US-headquartered SaaS may host its EU customers' data entirely in the EU, and an EU-headquartered SaaS may run its servers in the United States. What matters is where the data physically lives and gets processed.
For EU buyers, EU residency simplifies a lot. It avoids the cross-border transfer requirements that came out of the Schrems II ruling and removes the question "what happens if a US authority subpoenas this data?"
Why residency is not just a checkbox
Data does not naturally stay in one place. Modern SaaS systems have a primary database, backup replicas, log aggregators, email senders, analytics pipelines, and AI inference endpoints. Each one is a place data can travel to. "Hosted in the EU" should mean all of those, not just the primary database.
Some vendors advertise EU hosting but rely on a US-based AI provider for inference. The customer message is sent across the Atlantic, the reply comes back, the conversation gets stored in the EU. From a residency perspective, that round trip matters. The data was processed outside the EU, even briefly.
A complete residency commitment names every component and where it runs. Most vendors that take EU residency seriously will list this on their security or sub-processor page.
EU residency and AI
AI inference used to be the hardest residency problem. The strongest models were hosted only in the US. That has changed. EU regions exist for major frontier model APIs, and EU-hosted open-weight models perform well enough for nearly all support and sales tasks. A vendor running AI entirely in the EU is now a realistic option, not a compromise.
Look for explicit language: "AI inference takes place in the EU" beats "we use EU-based providers" because the second leaves room for fallback to non-EU regions.
Residency versus encryption
Some vendors argue encryption makes residency unnecessary. The data is encrypted, the argument goes, so the physical location does not matter. Under GDPR, this is wrong. Encryption is a control inside processing. Residency is about where processing happens. Both are required for different reasons.
In Keloa
In Keloa, every system component runs in EU regions: storage, application servers, AI inference, search, backups. We list each in our sub-processor list and commit to EU residency in the DPA. See security for the full picture.