Data residency and regional secrets

This page provides an overview of achieving compliance with data residency regulations by using regional secrets in Secret Manager.

Overview of data residency

Data residency is the concept of keeping data within specific geographical boundaries due to legal, regulatory, or organizational requirements. Data residency isn't just a preference for some businesses; it's a legal and operational necessity. Data residency is essential to comply with strict regulations like GDPR, HIPAA, or PIPEDA, and to mitigate the risk of hefty fines or legal action.

Enforce data residency using regional secrets

In Secret Manager, you can enforce data residency by creating regional secrets that ensure that your sensitive data is stored and processed within a specific location. With regional secrets, your secret data remains within the chosen location at all times, whether it's at rest, in use, or in transit.

Regional secrets work in the following manner:

  • When you create a regional secret, you specify the location where you want it to be stored. The Secret Manager service ensures that the secret data stays within that location's infrastructure.
  • Regional secrets can only be accessed by applications or services running within the same location. This adds an extra layer of security by limiting access to authorized entities within the designated location.
  • Unlike global secrets, which are often replicated across multiple locations for high availability, regional secrets are not automatically replicated. This ensures strict data residency.

The following table explains the key differences between a regional secret and a global secret.

| Feature | Global secret | Regional secret |
|---|---|---|
| Data residency | User managed replication to specific locations or automatic replication without any restriction. | Single location. Complete data residency zone (DRZ) compliance with data at-rest, in-use, and in-transit. |
| Endpoints | Single, global endpoint | Regional endpoints |
| Cross-location access | Possible with both user managed replication and automatic replication. | Not possible. Secret data is tightly restricted to your location of choice and doesn't flow outside its boundaries. |
| Use cases | General secret management; No specific location where the data is to be stored; You are only concerned with availability and latency of data, and not regulatory requirements. | Strict data residency requirements; Data is to be stored in a specific location; You want to restrict movement of your sensitive data within that specific boundary |
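The differences in the table can be turned into a residency audit over a secret inventory. The following Python sketch is an added example, not code from this page or from Secret Manager. It assumes each inventory entry is a dict with the secret's resource name and, for global secrets, a replication field shaped like the API's JSON; the verdict labels and the sample inventory are constructed for illustration.

```python
import re

# Resource-name shapes: regional secrets carry a location segment, global ones do not.
REGIONAL = re.compile(r"^projects/[^/]+/locations/([^/]+)/secrets/[^/]+$")
GLOBAL = re.compile(r"^projects/[^/]+/secrets/[^/]+$")

def classify(secret, allowed):
    """Return (verdict, detail) for one secret against the allowed locations."""
    name = secret["name"]
    m = REGIONAL.match(name)
    if m:
        loc = m.group(1)
        if loc in allowed:
            return ("compliant", f"regional secret in {loc}")
        return ("violation", f"regional secret in disallowed location {loc}")
    if not GLOBAL.match(name):
        return ("unknown", "unrecognized resource name")
    replicas = secret.get("replication", {}).get("userManaged", {}).get("replicas")
    if not replicas:
        # Automatic replication (or no policy recorded): no location restriction.
        return ("violation", "global secret with automatic replication")
    outside = sorted({r["location"] for r in replicas} - set(allowed))
    if outside:
        return ("violation", "replicas outside allowed locations: " + ", ".join(outside))
    # Stored in allowed locations, but still served through the global endpoint.
    return ("at-rest-only", "global secret, user managed replication within allowed locations")

def audit(secrets, allowed):
    """Map each secret name to its verdict."""
    return {s["name"]: classify(s, allowed)[0] for s in secrets}

# Constructed sample inventory (not real project data).
SAMPLE = [
    {"name": "projects/example-proj/locations/europe-west3/secrets/db-password"},
    {"name": "projects/example-proj/locations/us-central1/secrets/api-key"},
    {"name": "projects/example-proj/secrets/signing-key", "replication": {"automatic": {}}},
    {"name": "projects/example-proj/secrets/smtp-token",
     "replication": {"userManaged": {"replicas": [{"location": "europe-west3"},
                                                  {"location": "us-east1"}]}}},
    {"name": "projects/example-proj/secrets/ldap-bind",
     "replication": {"userManaged": {"replicas": [{"location": "europe-west3"}]}}},
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, {"europe-west3"}).items():
        print(f"{verdict:13} {name}")
```

The "at-rest-only" verdict marks global secrets whose replicas all sit in allowed locations: per the table, only regional secrets also cover data in use and in transit.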
