Data residency

Last updated: 2026-04-11 • ← Privacy

Backbuild runs on a globally distributed infrastructure that allows customer traffic to be served close to the end user. Where customers have specific residency requirements, data processing and storage can be pinned to defined geographic regions.

Primary processing locations

• Edge compute: the Cloudflare global network serves customer traffic from the edge location nearest the user. This network includes hundreds of points of presence worldwide.
• Core data store: customer data is stored in a managed Citus PostgreSQL cluster. The primary region is selected at contract time.
• Object storage: files and binary artifacts are stored in Cloudflare R2 in a region consistent with the customer's selected residency.
• Backups: backups are stored encrypted in object storage in a region consistent with the customer's selected residency, with geographically separated copies for disaster recovery where configured.

Default behavior

By default, request traffic is served at the edge location nearest the user for performance and availability. The core data store is located in a primary region that is chosen at contract time and is documented in the customer's order form. Cross-region replicas are used for resilience and are encrypted at rest.

EU data residency

Customers with EU residency requirements can use Cloudflare's Data Localization Suite (DLS) to keep personal data within the EU for processing and storage. When DLS is configured, request traffic is terminated and processed within EU data centers, and the core data store is pinned to an EU region. Contact the team during onboarding to configure DLS for your tenant.

US data residency

All processing and storage can be pinned to US regions on request. This is typically selected by customers with US-only operations or where customer contracts require US residency.

International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, Backbuild relies on the appropriate transfer mechanism:

• Standard Contractual Clauses (SCCs): the current EU Commission SCCs (2021/914) are included in the Data Processing Agreement for transfers subject to GDPR.
• UK International Data Transfer Addendum (UK IDTA): included for transfers subject to UK data protection law.
• Swiss addenda: additional clauses address transfers subject to the Swiss Federal Act on Data Protection.

A Transfer Impact Assessment methodology is followed for transfers that require one. Results are made available to customers under NDA on request.

Specific residency requirements

Customers with specific residency requirements — for example, a requirement to restrict processing to a single region, to exclude particular jurisdictions, or to use dedicated infrastructure — should contact the team to discuss options. Not all combinations are available on all subscription plans.