This page provides an overview of achieving compliance with data residency regulations by using regional secrets in Secret Manager.
Overview of data residency
Data residency is the concept of keeping data within specific geographical boundaries due to legal, regulatory, or organizational requirements. Data residency isn't just a preference for some businesses; it's a legal and operational necessity. Data residency is essential to comply with strict regulations like GDPR, HIPAA, or PIPEDA, and to mitigate the risk of hefty fines or legal action.
Enforce data residency using regional secrets
In Secret Manager, you can enforce data residency by creating regional secrets that ensure that your sensitive data is stored and processed within a specific location. With regional secrets, your secret data remains within the chosen location at all times, whether it's at rest, in use, or in transit.
Regional secrets work in the following manner:
- When you create a regional secret, you specify the location where you want it to be stored. The Secret Manager service ensures that the secret data stays within that location's infrastructure.
- Regional secrets can only be accessed by applications or services running within the same location. This adds an extra layer of security by limiting access to authorized entities within the designated location.
- Unlike global secrets, which are often replicated across multiple locations for high availability, regional secrets are not automatically replicated. This ensures strict data residency.
The following table explains the key differences between a regional secret and a global secret.
Feature | Global secret | Regional secret |
---|---|---|
Data residency | User-managed replication to specific locations or automatic replication without any restriction. | Single location. Complete data residency zone (DRZ) compliance with data at rest, in use, and in transit. |
Endpoints | Single, global endpoint | Regional endpoints |
Cross-location access | Possible with both user-managed replication and automatic replication. | Not possible. Secret data is tightly restricted to your location of choice and doesn't flow outside its boundaries. |
Use cases | | |
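
The following residency audit is an added example, not code from the original page or from Secret Manager. It classifies secret metadata against an approved set of locations, using the global/regional differences in the table above. It assumes the Secret Manager REST representation (a `locations/` segment in regional secret names, and `replication.automatic` or `replication.userManaged.replicas` on global secrets); the function names, project ID, and sample records are constructed for illustration.

```python
import re

# Regional secrets carry a location segment in the resource name; global ones do not.
REGIONAL = re.compile(r"^projects/[^/]+/locations/(?P<loc>[^/]+)/secrets/[^/]+$")
GLOBAL = re.compile(r"^projects/[^/]+/secrets/[^/]+$")

def classify(secret, allowed):
    """Return (status, reason) for one secret metadata dict (assumed REST JSON shape)."""
    name = secret.get("name", "")
    match = REGIONAL.match(name)
    if match:
        loc = match.group("loc")
        if loc in allowed:
            return "ok", f"regional secret in {loc}"
        return "violation", f"regional secret in non-approved location {loc}"
    if not GLOBAL.match(name):
        return "violation", "unrecognised resource name"
    replication = secret.get("replication", {})
    if "automatic" in replication:
        return "violation", "global secret with automatic replication"
    replicas = replication.get("userManaged", {}).get("replicas", [])
    if not replicas:
        return "violation", "global secret with no readable replication policy"
    outside = sorted({r.get("location", "<missing>") for r in replicas} - set(allowed))
    if outside:
        return "violation", f"global secret has replicas outside approved locations: {outside}"
    # Replicas are in-region, but the table's endpoint and cross-location rows still apply.
    return "review", "global secret pinned to approved locations; served by the global endpoint"

def audit(secrets, allowed):
    """Map each secret name to its (status, reason)."""
    return {s.get("name", "<unnamed>"): classify(s, allowed) for s in secrets}

# Constructed sample metadata (not real resources); project and secret IDs are placeholders.
SAMPLE = [
    {"name": "projects/example-project/locations/europe-west3/secrets/db-password"},
    {"name": "projects/example-project/locations/us-central1/secrets/api-key"},
    {"name": "projects/example-project/secrets/legacy-token", "replication": {"automatic": {}}},
    {"name": "projects/example-project/secrets/eu-cert", "replication": {
        "userManaged": {"replicas": [{"location": "europe-west3"}, {"location": "europe-west1"}]}}},
    {"name": "projects/example-project/secrets/mixed", "replication": {
        "userManaged": {"replicas": [{"location": "europe-west3"}, {"location": "us-east1"}]}}},
]

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE, {"europe-west3", "europe-west1"}).items():
        print(f"{status:9} {name}: {reason}")
```

Global secrets whose replicas all sit in approved locations are reported as `review` rather than `ok`, because the table lists only regional secrets as restricted to one location at rest, in use, and in transit.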