This document explains when data residency is enforced in each location where Model Armor is available. Data residency lets you specify a geographic region where your data is stored and processed, which helps ensure that your data remains in that location. Model Armor helps provide control over where your data is handled, supporting compliance with various regulations.
Model Armor processes the following types of data:
- Core data: The primary data that Model Armor processes, most relevant to data residency, which includes prompts, responses, and input files. Model Armor processes core data but doesn't store it at rest. For more information, see Data handling and storage.
- Configuration data: Template and floor setting configurations such as rules, filters, and thresholds that Model Armor uses to scan prompts and responses. Model Armor processes and stores configuration data at rest.
How and when data residency is enforced
The following table indicates the data residency controls enforced by
Model Armor for each supported Google Cloud location.
Model Armor provides data residency guarantees at the
jurisdiction level, for example, a specific country like India, or a multi-region
like eu.
| Region/multi-region | Jurisdiction | At rest | In use | In transit | Feature support |
|---|---|---|---|---|---|
| asia-northeast1 | Japan | Yes | No | No | Full support |
| asia-northeast3 | South Korea | Yes | No | No | Full support |
| asia-south1 | India | Yes | Yes | Yes | Limited support |
| asia-southeast1 | Singapore | Yes | No | No | Full support |
| australia-southeast2 | Australia | Yes | No | No | Full support |
| eu | European Union | Yes | Yes | Yes | Full support |
| europe-southwest1 | European Union | Yes | Yes | Yes | Full support |
| europe-west1 | European Union | Yes | Yes | Yes | Full support |
| europe-west2 | United Kingdom | Yes | No | No | Full support |
| europe-west3 | European Union | Yes | Yes | Yes | Full support |
| europe-west4 | European Union | Yes | Yes | Yes | Full support |
| europe-west9 | European Union | Yes | Yes | Yes | Full support |
| northamerica-northeast2 | Toronto | Yes | Yes | Yes | Limited support |
| us | United States | Yes | Yes | Yes | Full support |
| us-central1 | United States | Yes | Yes | Yes | Full support |
| us-east1 | United States | Yes | Yes | Yes | Full support |
| us-east4 | United States | Yes | Yes | Yes | Full support |
| us-west1 | United States | Yes | Yes | Yes | Full support |
The Jurisdiction column indicates the geographical boundary (for example, a
country or a multi-region like eu or us) within which Model Armor ensures
data residency compliance for the In use and In transit data states.
The Region/multi-region column lists the specific Google Cloud region or multi-region identifier.
When data residency is enforced for a region in Model Armor, it helps ensure that data remains within a specified jurisdiction while in at least one of the following states:
- At rest: Data remains within the specific Google Cloud region listed.
- In use and In transit: Data residency enforcement for these states within the specified jurisdiction depends on the values in the In use and In transit columns:
  - Yes: Data residency is enforced for the In use and In transit states within the listed jurisdiction. This means that the data remains within the boundaries of the listed jurisdiction while being processed or transmitted (not necessarily within that single region).
  - No: Data residency is not enforced for the In use and In transit states within the listed jurisdiction. This means that the data might be processed or transmitted outside of the jurisdiction.
Regional endpoints
Regional endpoints provide access to resources in a specific location. When you use a regional endpoint, your request is routed directly to the endpoint's location. You can't use a regional endpoint to access resources in other locations.
Using a regional endpoint helps you enforce data residency controls for your resources when they're at rest, in use, and in transit. Each regional endpoint uses the following format:
modelarmor.LOCATION.rep.googleapis.com
Replace LOCATION with a supported location. For
supported locations, see Locations.
To access Model Armor regional endpoints from within a VPC network, you must create a Private Service Connect endpoint to the Model Armor APIs. This is required to prevent certificate errors when regional endpoints are accessed using Private Google Access or VPC Service Controls. For more information, see Troubleshoot Model Armor issues and About accessing regional endpoints through Private Service Connect endpoints.
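The following added example (not part of the Model Armor documentation) checks configured hosts against the regional endpoint format and the In use and In transit columns of the table on this page. The function names, the sample hosts, and the required-jurisdiction inputs are assumptions made for illustration.

```python
import re

# In use / In transit residency per the table on this page:
# jurisdiction -> locations. At rest is "Yes" for every listed location.
ENFORCED = {
    "India": ["asia-south1"],
    "European Union": ["eu", "europe-southwest1", "europe-west1",
                       "europe-west3", "europe-west4", "europe-west9"],
    "Toronto": ["northamerica-northeast2"],
    "United States": ["us", "us-central1", "us-east1", "us-east4", "us-west1"],
}
AT_REST_ONLY = {
    "Japan": ["asia-northeast1"], "South Korea": ["asia-northeast3"],
    "Singapore": ["asia-southeast1"], "Australia": ["australia-southeast2"],
    "United Kingdom": ["europe-west2"],
}
# location -> (jurisdiction, enforced in use and in transit)
LOCATIONS = {loc: (j, ok) for table, ok in ((ENFORCED, True), (AT_REST_ONLY, False))
             for j, locs in table.items() for loc in locs}

# Regional endpoint format from this page: modelarmor.LOCATION.rep.googleapis.com
ENDPOINT_RE = re.compile(r"^modelarmor\.([a-z0-9-]+)\.rep\.googleapis\.com$")

def check_endpoint(host, required_jurisdiction):
    """Return a list of findings for one configured host; empty means it passes."""
    m = ENDPOINT_RE.match(host.strip().lower().rstrip("."))
    if not m:
        return ["not a regional endpoint"]
    loc = m.group(1)
    if loc not in LOCATIONS:
        return [f"location {loc} is not in the residency table"]
    jurisdiction, enforced = LOCATIONS[loc]
    findings = []
    if jurisdiction != required_jurisdiction:
        findings.append(f"{loc} is in {jurisdiction}, not {required_jurisdiction}")
    if not enforced:
        findings.append(f"{loc} enforces residency at rest only")
    return findings

# Constructed sample: (configured host, jurisdiction the workload requires)
SAMPLE = [
    ("modelarmor.europe-west3.rep.googleapis.com", "European Union"),
    ("modelarmor.europe-west2.rep.googleapis.com", "United Kingdom"),
    ("modelarmor.us-east1.rep.googleapis.com", "European Union"),
    ("modelarmor.googleapis.com", "United States"),  # no LOCATION.rep component
]

def audit(entries):
    """Map each configured host to its findings."""
    return {host: check_endpoint(host, j) for host, j in entries}
```

A check like this fits in a CI step over deployment configuration, so that a host outside the regional format or a location with at-rest-only enforcement is caught before traffic is sent.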