Data residency
Where AxioRank stores your data, exactly which sub-processor holds what, and the controls EU and UK teams use to keep data under their governance.
AxioRank stores customer data in the United States. We state that plainly because residency questions deserve a direct answer, not an implied one. This page documents the storage posture, the data each sub-processor touches, and the concrete controls that let teams with EU or UK obligations adopt AxioRank with their counsel's blessing.
Where data lives
| System | Region | What it holds |
|---|---|---|
| Supabase (Postgres + auth) | United States | Accounts, workspaces, policies, audit logs, all application data |
| Vercel (hosting + edge) | United States (global edge for static assets) | Request logs, connection data, IP addresses |
| Stripe (billing) | United States | Billing contact and payment metadata |
| Resend (email) | United States / EU | Recipient addresses and message content |
| Inngest (background jobs) | United States | Event payloads (already redacted before they enter the queue) |
| Modal (ML threat scoring, opt-in) | United States, or the EU for workspaces set to the EU region | Redacted tool-call payloads, secrets masked |
| Pinecone (behavioral baselines, opt-in) | United States | PII-masked, redacted call text |
| PostHog (analytics, opt-in) | United States | Usage and device data |
The authoritative list, including purposes and opt-in status, is the public sub-processor register. Changes are announced before new sub-processors receive personal data, per the DPA.
What never reaches us in the first place
Residency exposure is a function of what data exists, not only where it sits. AxioRank is designed to minimize the first variable:
- Write-time redaction: secrets are masked by the gateway before an audit row is written. The stored payload contains fingerprints, not values.
- IP minimization: workspaces can hash or truncate visitor IPs at collection (Settings → Data retention).
- Opt-in ML lanes: nothing leaves the core path to Modal, Pinecone, or PostHog unless a workspace explicitly enables those features.
Controls for EU and UK teams
- Transfer terms: our DPA incorporates Standard Contractual Clauses (and the UK addendum) for international transfers, with GDPR Article 28 processor obligations.
- Retention you control: per-workspace audit and inbound retention windows, enforced by a daily purge (Settings → Data retention).
- Your own regional copy: stream every audit event to SIEM infrastructure you run in your own region (Splunk, Datadog EU sites, OTLP, or NDJSON over HTTPS). Your copy is complete and verifiable against our signed checkpoints, so analysis can happen entirely inside your boundary. See Audit export.
- Self-service data rights: export and erasure for accounts and whole workspaces, with jurisdiction-aware deadlines. See Privacy.
AxioRank runs an EU-pinned deployment of the optional ML assessment service. A workspace set to the EU region (Settings → Workspace → Inference region, on the Team plan or higher) has its opt-in ML assessment lane processed on compute in the European Economic Area. This pins ML inference only; primary storage stays in the United States for every workspace, as the table above shows.
What we will not claim
We do not offer EU data storage today, and we will not imply otherwise with vague "global infrastructure" language. If your requirement is hard EU storage of the primary database, AxioRank does not meet it yet; the streaming and minimization controls above are how current EU customers reduce what the US copy contains to redacted, minimized governance metadata.