follow up to my BAA thread — first UK customer asking about data residency. our infra is all US AWS. they want assurance data stays in EU/UK. is that an actual UK GDPR requirement or just preference?
UK GDPR doesn't strictly require UK residency. but cross-border transfers from UK to US require either (a) adequacy decision (US doesn't fully have one), (b) standard contractual clauses, or (c) binding corporate rules. SCCs are most common — sign with the UK customer, document the transfer mechanism.
EU/UK customers OFTEN ask for residency as a preference even when not legally required. evaluate cost — AWS Ireland or London regions are easy to spin up. if it's a strategic customer, just give them the option.
I'm Sergei Tokmakov, California attorney (Bar #279869). UK GDPR (the post-Brexit equivalent of EU GDPR) generally permits transfers to "third countries" with appropriate safeguards. Standard Contractual Clauses (UK SCCs / IDTA) are the most common mechanism for US recipients.
For healthcare SaaS specifically, layer the data residency analysis on top of HIPAA — your US BAA flow doesn't cleanly map to UK Data Processor obligations, so you'll need separate UK-compliant DPA documents. Most US healthcare SaaS founders find that running a UK/EU AWS region for European customers is operationally simpler than navigating cross-border transfer compliance, even if not strictly required. Informational only.