Compliance

Data residency

Where your data physically lives. A procurement question that often decides whether a UK lender can sign a vendor at all.

Definition

Data residency is the geographic location where personal or sensitive data is stored and processed. It is distinct from data sovereignty (whose laws govern the data) and data localisation (a legal requirement to store data in-country).

UK GDPR position

UK GDPR does not require all personal data to be hosted in the UK. Articles 44–49 permit transfers outside the UK if a valid mechanism is in place:

  • Adequacy decision — automatic for transfers to EEA, Switzerland, Andorra, Argentina, Canada (commercial sector), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Uruguay, UK (from EU perspective)
  • UK International Data Transfer Agreement (IDTA) — for transfers to non-adequate countries; the UK successor to the EU SCCs
  • UK Addendum to the EU SCCs — alternative wrapper for the same purpose
  • UK extension to the EU-US Data Privacy Framework — for transfers to certified US recipients

Why UK lenders care anyway

Even though UK GDPR allows outside transfers under a valid mechanism, UK alt-lenders often contractually require UK or EEA residency from vendors. Reasons:

  1. Customer trust. UK SME borrowers consistently prefer UK residency in vendor RFP scoring. "Where will my data live?" is asked in nearly every enterprise sales cycle.
  2. Regulatory alignment. The PRA's outsourcing supervisory statement (SS2/21) and FCA Consumer Duty both favour UK or EEA residency for customer records as part of a documented risk assessment.
  3. Simplified compliance. UK-only residency removes the operational overhead of maintaining IDTAs, SCCs, DPF certifications, and transfer-impact assessments for every onward transfer.

What "UK data residency" usually means in vendor marketing

Three patterns, varying strength:

Strong residency

All customer personal data stored in a UK data centre (typically London). No replication outside the UK. Backups also in the UK (e.g. Manchester). Note that Dublin sometimes appears as part of a "UK + Ireland" claim, which is UK plus EEA rather than UK-only.

Mixed residency

Primary storage in the UK; backup in the EEA; control-plane / admin tooling sometimes in the US. Common for SaaS vendors on AWS / GCP: the London region holds storage, but admin, monitoring and control-plane services run elsewhere.

Weak residency ("UK presence")

Vendor has a UK CDN node or point-of-presence for caching, but actual customer data storage is US. Marketing claims "UK presence" or "global with UK edge". Usually inadequate for lender procurement teams.

What to ask a vendor

Standard questions in any procurement / DPA review:

  1. Where is customer data stored at rest?
  2. Where are backups stored?
  3. Full sub-processor list, with location of each.
  4. Which transfer mechanism (IDTA / DPF / Addendum) covers any non-UK transfer?
  5. Is the vendor signed up to the EU-US DPF if data flows through a US recipient?
  6. What happens to data on contract termination — destroyed in X days, kept for legal-hold reasons, exportable, etc.?

Refusal to answer any of these is a red flag.
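The three residency patterns and the transfer-mechanism rule above can be turned into a repeatable check over a vendor's written data-flow and sub-processor list. The script below is an added illustration for this entry, not Borrowsignal's own tooling or a regulator's method: it assumes a simple declaration format (one row per component with a role, a location given as "UK", "EEA" or an ISO country code, and any declared transfer mechanism), and the three vendor declarations are constructed for the example.

```python
"""Rule-based residency review of a vendor's declared data flows.

Added illustration for this glossary entry; not Borrowsignal's own tooling.
It encodes the strong / mixed / weak residency patterns and the UK GDPR
transfer-mechanism rule described above, and runs them over constructed
sub-processor declarations.
"""
from dataclasses import dataclass

# Territories the entry lists as covered by a UK adequacy decision
# (EEA plus the named countries, as ISO 3166 alpha-2 codes).
ADEQUATE = {"EEA", "CH", "AD", "AR", "CA", "FO", "GG", "IM", "IL",
            "JP", "JE", "NZ", "KR", "UY"}

# Transfer mechanisms the entry names for non-adequate destinations.
UK_MECHANISMS = {"IDTA", "UK Addendum", "EU-US DPF"}


@dataclass
class Flow:
    component: str        # e.g. "primary database"
    role: str             # "storage", "backup", "control-plane", "cdn", "sub-processor"
    location: str         # "UK", "EEA", or an ISO country code such as "US"
    mechanism: str = ""   # transfer mechanism declared for this flow, if any


def transfer_gaps(flows):
    """Components that leave UK/adequate territory without a valid mechanism."""
    gaps = []
    for f in flows:
        if f.location == "UK" or f.location in ADEQUATE:
            continue  # adequacy applies; no transfer mechanism needed
        if f.mechanism not in UK_MECHANISMS:
            gaps.append(f.component)
        elif f.mechanism == "EU-US DPF" and f.location != "US":
            gaps.append(f.component)  # DPF only covers certified US recipients
    return gaps


def classify(flows):
    """Map a declaration onto the entry's strong / mixed / weak patterns."""
    storage = [f for f in flows if f.role == "storage"]
    if not storage:
        raise ValueError("declaration lists no storage at rest")
    # Weak: customer data at rest sits outside UK/EEA (a UK CDN node does not help).
    if any(f.location not in ("UK", "EEA") for f in storage):
        return "weak"
    # Strong: every component, including backups and control-plane, is in the UK.
    if all(f.location == "UK" for f in flows):
        return "strong"
    # Mixed: UK/EEA storage but backups or control-plane elsewhere.
    return "mixed"


def review(flows):
    """Combine the pattern with any transfer-mechanism gaps for a DPA review."""
    return {"pattern": classify(flows), "transfer_gaps": transfer_gaps(flows)}


# Constructed declarations for three hypothetical vendors (not real suppliers).
VENDOR_A = [
    Flow("primary database", "storage", "UK"),
    Flow("backups", "backup", "UK"),
    Flow("admin console", "control-plane", "UK"),
]
VENDOR_B = [
    Flow("primary database", "storage", "UK"),
    Flow("backups", "backup", "EEA"),
    Flow("admin console", "control-plane", "US", mechanism="EU-US DPF"),
]
VENDOR_C = [
    Flow("edge cache", "cdn", "UK"),
    Flow("primary database", "storage", "US"),
    Flow("analytics", "sub-processor", "US"),
]

if __name__ == "__main__":
    for name, flows in (("A", VENDOR_A), ("B", VENDOR_B), ("C", VENDOR_C)):
        print(name, review(flows))
```

Vendor A comes out as strong with no gaps, vendor B as mixed (a US control-plane covered by the DPF is lawful but is not UK residency), and vendor C as weak with two components transferring to the US under no declared mechanism, which is the "UK presence" pattern the entry warns about. The two checks are deliberately separate: a declaration can be transfer-compliant yet still fail a UK-only residency requirement, and the review should report both.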

Borrowsignal's data residency

Customer account data and webhook payloads: UK (London / lhr region on Fly.io). Database: EU (Frankfurt, Neon). Email delivery: EU (Resend, EU-US DPF certified). CDN + DNS: UK edge (Cloudflare). No data leaves UK / EEA except via EU-US DPF for the email-delivery sub-processor. Full list in our DPA Annex B.

Frequently asked

Is UK data residency legally required?

No general UK law requires all personal data to be hosted in the UK. UK GDPR permits transfers under valid mechanisms (adequacy decision, IDTA, UK SCC Addendum, EU-US DPF). Sector-specific rules can be tighter — financial-services prudential regulators sometimes require UK or EEA residency for specific records.

What does "UK data residency" mean in a vendor's marketing?

Three patterns: strong (all storage in the UK), mixed (UK primary + EEA backup + US control-plane), weak (US storage with a UK CDN/PoP). Always ask for a written data-flow description and a sub-processor list.

Does UK data residency cover sub-processors?

It must, to be meaningful. UK storage + US sub-processor for analytics = broken residency. Full sub-processor list with locations is a standard procurement/DPA ask.

Why do UK lenders care about data residency?

Customer trust, regulatory alignment (FCA Consumer Duty + PRA SS2/21 favour UK/EEA), and simplified compliance overhead.