Practical AI and SaaS for Business

AI Data Residency Comparison: What Six Major Vendors Actually Offer

AI tools can store prompts, files, transcripts and outputs in different countries, even when the vendor advertises regional hosting. This guide compares the controls offered by major business AI platforms and shows what to verify before relying on a residency claim.

Last verified: 14 July 2026. References checked against current legislation.

Editorial Perspective

You are Alex, an operations manager at a 30-person consulting firm preparing to sign an EU client contract that says business data must stay within the EU. Your writing and meeting tools are useful, but nobody has documented where their prompts, files and transcripts actually go. This comparison helps you identify the regional controls each vendor offers, the gaps those controls leave, and the questions to record. No technical background is needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

If your business uses AI to draft documents, summarise meetings or analyse files, it is normal not to know where every copy of that information is stored or processed. Vendor pages often use similar phrases for controls that cover very different data. This guide explains the differences in plain English, compares six widely used business platforms, and gives you a practical way to document the choice.

In short: Data residency usually controls where selected customer content is stored at rest. It does not automatically mean every prompt is processed in that region, every log stays there, or every connected service follows the same rule. Check storage, processing, metadata, integrations, plan eligibility and contractual wording separately.

What data residency means for an AI tool

Data residency describes the geographic location where defined data is kept, usually while it is stored. For an AI service, that can include prompts, responses, uploaded files, meeting transcripts, chat history and generated documents. The important word is defined, because each vendor decides which data types are covered by its residency commitment.

Residency is not the same as data sovereignty. Sovereignty is the broader question of which country's laws and authorities may apply to the data. It is also not the same as processing residency, sometimes called inference residency, which concerns where the AI model runs while generating an answer.

Think of an AI request as a journey. Your prompt may leave a laptop, pass through identity and security systems, reach an AI model, call a search or connector service, generate an answer, create logs and then be saved in a chat history. A vendor may keep the saved prompt in Europe while handling authentication, routing, diagnostics or a third-party web search elsewhere.

The business use case: Alex and the EU client contract

Alex's task is not to find a vendor with the word Europe on its website. It is to show what happens to the firm's actual data. Before checking, the consulting firm assumed its AI writing and meeting-transcription tools stored information wherever the default servers happened to be, usually in the United States.

Alex lists the tools, identifies the account plan and administrator, then checks whether prompts, responses, uploaded documents, recordings and transcripts are covered. The firm finds that some products offer EU storage and processing controls, another stores data in the United States, and one allows regional recording storage while retaining account and operational data in the United States. Alex changes the available settings vendor by vendor and saves the evidence in the client contract file.

Data and privacy flag: A regional setting is not a blanket guarantee. Features such as web search, external connectors, plug-ins, support access and third-party meeting bots can send information outside the selected region under separate terms.

AI data residency comparison

The strongest controls in this comparison are attached to business or enterprise plans and must be configured deliberately. The table summarises vendor documentation reviewed in July 2026. It is a starting point, not a substitute for checking the current order form, data processing agreement and administrator settings for your exact subscription.

Major business AI tools and their published residency controls

ChatGPT EnterpriseMicrosoft 365 CopilotGoogle Workspace with GeminiClaude EnterpriseZoom Workplace AI featuresOtter
Published regional option Storage in multiple regions; inference residency in selected regionsInteraction content follows Microsoft 365 geography, with ADR and Multi-Geo optionsUnited States or Europe through Workspace data regionsTraffic routing choices may be available, but stored data remains in the United StatesSelected recordings, transcripts and content can use supported storage regionsVendor states storage uses AWS US West
Content clearly covered Eligible conversations, files, memory, custom GPT content and generated artefactsPrompts, responses and related interaction historyGemini prompts and responses, plus covered Workspace contentCommercial customer data under Anthropic's service termsSelected recordings, transcripts, chats tied to recorded meetings and other listed contentTranscripts and service data stored through the vendor's AWS environment
Important limitation Metadata, some non-GPU processing and external integrations may remain outside the regionLocation depends on tenant setup, licences and preferred data location configurationOnly listed services and data types are covered; logs and cached content can be outside scopeRegional traffic routing is not EU storage residencyAccount and operational data continue to be stored in the United StatesNo published customer-selectable EU residency option in the cited policy
Best fit when residency matters Organisations able to buy an eligible Enterprise workspace and define allowed featuresBusinesses already governed through Microsoft 365 tenant and data-location controlsWorkspace customers on an edition that includes the required data-region featuresBusinesses that can accept US storage or negotiate separate termsTeams needing regional control over recordings and transcripts, with documented exceptionsLower-risk use where US storage is acceptable

ChatGPT Enterprise

OpenAI offers one of the clearest separations between storage residency and model-processing residency. Its documentation says eligible new ChatGPT Enterprise and Education workspaces can store in-scope customer content at rest in supported regions, including Europe, the United Kingdom, the United States, Canada, Japan and several Asia-Pacific and Middle East locations. Inference residency, which keeps supported GPU execution in-region, is available in a smaller set of locations.

The covered content includes conversations, uploaded files, memory, custom GPT content and certain generated artefacts. OpenAI also states that workspace metadata, billing information, user logins, some transient processing and data sent to external integrations may fall outside the chosen region. Review the current ChatGPT residency documentation before treating the setting as an all-data guarantee.

Microsoft 365 Copilot

Microsoft 365 Copilot is attractive when the business already manages data locations through Microsoft 365. Microsoft says the content of Copilot interactions and the related semantic index are stored at rest in the relevant geography. Advanced Data Residency and Multi-Geo options can provide more specific location commitments when the tenant, licences and user settings meet the stated conditions.

The detail that catches smaller businesses is configuration. A user's prompt and response location can depend on the tenant's primary geography or the user's Preferred Data Location, while the source document can remain in a different geography. The Microsoft 365 Copilot data residency page explains these dependencies and should be read alongside the organisation's actual data-location report.

Google Workspace with Gemini

Google Workspace can apply United States or European data-region policies to Gemini prompts and responses on supported editions. Google's current coverage table includes the Gemini app and Gemini features in Workspace, with prompts and responses covered at rest and during processing. It also covers selected content in Gmail, Drive, Docs, Meet and other core services.

The limitation is scope rather than a lack of regional controls. Google says data types not specifically listed, such as some logs or cached content, are not covered by the policy. Availability also depends on the Workspace edition and data-region feature level, so check the official data-regions coverage table rather than assuming every Business plan has identical processing controls.

Claude Enterprise

Claude's published commercial-product position is a useful example of why routing and storage must be separated. Anthropic says it uses multiple cloud providers and may route customer traffic through selected countries in the United States, Europe, Asia and Australia, depending on the service and agreement. The same documentation states that data is stored in the United States.

A European traffic-routing option can reduce where requests are processed in transit, but it does not by itself provide European storage residency. A business with a contract that requires EU storage should not treat regional routing as equivalent evidence. Anthropic's server-location statement is the primary starting point, followed by any negotiated enterprise terms.

Zoom Workplace AI features

Zoom allows paid customers to choose storage locations for specific content, but not for every category of Zoom data. Its administrator documentation lists regional storage options for items such as cloud recordings, recording transcripts, selected meeting content, phone recordings and contact-centre transcripts. Administrators can also choose a live-transcript processing location in supported configurations.

Zoom explicitly says account data and operational data continue to be stored in the United States. Other categories remain tied to the region where the account was provisioned. This makes Zoom workable when the requirement is narrowly about recordings or transcripts, but the exception list must be documented. See Zoom's data and storage location guidance.

Otter

Otter's published help material states that it uses AWS services in the US West region for data storage. The policy describes encryption controls, but it does not present a customer-selectable European residency option. For a business contract that requires transcripts and uploaded meeting information to remain in the EU, that published position is likely to remove Otter from the shortlist unless the vendor offers different written terms for the account.

This does not make the tool inherently unsafe. It means its stated location may not match a particular contractual requirement. The relevant evidence is Otter's data security and privacy policy, plus the current subprocessor list and contract.

Why the legal and governance context matters

Regulators generally focus on accountability, transparency, security and lawful handling, not on a universal rule that all AI data must stay in one country. A client contract, professional rule, public-sector condition or internal policy can still impose a stricter location requirement. That is why the business needs to identify the source of the requirement before selecting a setting.

For personal data connected with people in the European Economic Area, the European Commission's guidance on international data transfers explains the mechanisms used when information moves outside the region. The European Data Protection Board publishes guidance that can help organisations understand the regulator's approach.

In the United States, the Federal Trade Commission's privacy and security guidance emphasises that businesses should honour the promises they make about information handling and maintain appropriate safeguards. For a structured management approach, ISO/IEC 42001 provides an AI management-system standard, although purchasing or certifying against a standard is different from meeting a particular contract clause.

What to check before choosing a region

Start with the data and the requirement, not the vendor's marketing label. Use the following sequence for every AI tool that receives client, employee or commercially sensitive information.

  1. Write down the source of the requirement. Record whether it comes from a client contract, an internal policy, a sector rule or a regulator's guidance.
  2. List the data types. Include prompts, outputs, files, recordings, transcripts, chat history, user details, logs and support tickets.
  3. Separate storage from processing. Ask where information is stored at rest, where model inference occurs and which supporting processes can happen elsewhere.
  4. Confirm the plan and workspace. Regional controls may be limited to new enterprise tenants, add-ons or specific editions.
  5. Check exclusions. Look for metadata, billing data, abuse monitoring, backups, previews, beta features, search and third-party connectors.
  6. Save evidence. Keep the vendor page, contract wording, administrator screenshot, date checked and name of the person who approved the setting.
💡

Practical record: A simple vendor register can include tool, business purpose, data entered, plan, storage region, processing region, exclusions, contract link, setting owner, verification date and next review date.

Industry-specific implications

Professional and regulated sectors often need a more detailed record because the AI tool receives information that is already controlled elsewhere. A location setting does not replace access control, confidentiality rules, retention limits or a review of whether the information should enter the tool at all.

  • Legal services: check client confidentiality terms, matter restrictions and whether connected search or plug-in services receive the prompt.
  • Accounting and finance: separate public drafting tasks from work involving tax records, payroll, banking details or non-public financial information.
  • Health and care: verify whether the selected product and contract are intended for the relevant health information, rather than relying on a general business subscription.
  • Education: distinguish staff productivity use from tools that process student records, recordings or assessment material.
  • Consulting and agencies: record client-by-client restrictions because one customer's contract may be stricter than the firm's default policy.

Common mistakes

The most common mistake is documenting the vendor rather than the configured service. A statement such as “Microsoft stores data in Europe” is too broad. A useful record names the tenant, licence, preferred data location, covered interaction data, exceptions and verification date.

Other mistakes include assuming the user's physical location controls storage, confusing encryption with residency, ignoring transcripts created by a meeting bot, and enabling web search after the original assessment. Businesses also forget that a new feature may not inherit an existing residency commitment automatically.

AI data residency checklist

  • Identify the contractual, policy or regulatory reason for the location requirement.
  • Confirm the exact product, plan, tenant and feature.
  • Record where prompts, responses, files, recordings and transcripts are stored.
  • Record where model inference and other processing occur.
  • List metadata, logs, account data and support data that are outside scope.
  • Review web search, plug-ins, connectors, agents and subprocessors separately.
  • Apply and lock the administrator setting where available.
  • Save vendor documentation and contractual evidence with the date reviewed.
  • Set a review date after major product changes or contract renewal.
  • Use a regional authority or qualified adviser for requirements specific to your situation.

Frequently asked questions

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Tool Selector to get a personalised AI tool recommendation for your business.

Does EU data residency mean all data stays in the EU?

No. It usually applies only to the customer content and features named in the vendor's commitment. Metadata, billing data, security logs, support processes, external searches and connected applications may be handled elsewhere.

Is data residency the same as GDPR compliance?

No. Residency is one control concerning location. GDPR considerations can also include lawful processing, transparency, purpose limitation, security, individual rights, retention and international transfer mechanisms. A regional setting alone does not establish compliance.

Can a VPN force an AI tool to store data in a chosen country?

No. A VPN can change the apparent network location of a user, but storage residency is controlled by the vendor's architecture, account provisioning, contract and administrator settings. It does not rewrite the service's data-location terms.

Which AI tool has the best EU data residency?

There is no universal winner because the tools cover different work. ChatGPT Enterprise, Microsoft 365 Copilot and Google Workspace with Gemini publish meaningful regional controls, but eligibility and exclusions differ. The best fit is the product whose written scope matches the data and contract you need to manage.

Should a small business avoid every tool that stores data in the United States?

Not automatically. The decision depends on the type of information, customer promises, applicable framework, transfer arrangements and risk controls. A US-hosted service may be suitable for low-risk drafting but unsuitable for a client project with an explicit EU-only storage clause.

How often should data residency settings be reviewed?

Review them at least when the contract renews, the vendor changes terms, a new AI feature is enabled, a connector is added or the business begins handling a new category of sensitive information. A dated annual review is a practical baseline for stable tools.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Turn this comparison into a repeatable vendor review by creating a simple AI register for the tools your staff use.

Get the Free AI Register Template