EAAPL-CMP007 — Data Residency for AI Architecture
Status: Proven
Tags: privacy-act gdpr apra-cps234 data-isolation medium-complexity
Version: 1.1
Last Updated: 2026-06-12
Author: Enterprise AI Architecture Pattern Library
1. Executive Summary
AI systems introduce new vectors for cross-border data transfer that existing data residency controls were not designed to address. When a user query is sent to a cloud LLM API, it crosses borders. When documents are indexed into a vector store for RAG, embeddings are computed and stored somewhere. When a model is fine-tuned on enterprise data, training data is processed in a cloud provider's data centre. Each of these AI-specific flows must be assessed against applicable data residency obligations: GDPR Article 46 (cross-border transfers from the EU), Australian Privacy Act APP 8 (cross-border disclosure from Australia), and APRA CPS234 offshore risk notification requirements.
This pattern provides a reference architecture that ensures AI training, inference, and storage remain within required geographic boundaries. It covers: regional model deployment strategy; data sovereignty controls for RAG pipelines; technical controls preventing prohibited cross-border data transfer; audit evidence generation for regulators; APRA offshore risk notification obligations; GDPR Article 46 transfer mechanisms; and APP 8 accountability mechanisms. Cloud provider-specific architectures for AWS, Azure, and GCP regional isolation are included, along with on-premises sovereign deployment guidance.
2. Problem Statement
Business Problem
Organisations operating in Australia and/or the EU face legal obligations to keep personal data within jurisdiction or to ensure equivalent protection for cross-border transfers. Cloud AI services—especially managed LLM APIs—are predominantly operated from US data centres. The business pressure to use the most capable AI models conflicts directly with data sovereignty obligations, and many organisations are unaware of the extent to which AI operations transfer personal data across borders.
Technical Problem
Cloud LLM API calls, by default, route to the provider's nearest or lowest-latency endpoint—which is often not in the user's jurisdiction. RAG pipelines embed documents in vector representations and store them in managed vector stores that may be located in any region the provider offers. Fine-tuning jobs are submitted to cloud compute that may span multiple regions. Network traffic inspection is insufficient to detect these flows because they appear as HTTPS calls to legitimate cloud provider APIs.
Symptoms
- No documented mapping of which AI inference calls send data to which geographic regions
- Cloud LLM API contracts do not specify Australian or EU data processing locations
- Vector stores are created in default provider regions (us-east-1, eastus) regardless of data classification
- No audit evidence exists demonstrating that personal data remained in-jurisdiction during AI processing
- APRA or privacy regulator enquiry reveals organisation cannot confirm where regulated data was processed
Cost of Inaction
| Dimension |
Consequence |
| Regulatory |
GDPR Article 46 breach — fines up to EUR 20M or 4% global turnover; OAIC investigation; APRA supervisory action |
| Legal |
Contracts with EU/Australian customers may include data residency commitments that are being violated |
| Operational |
Regulator-ordered cessation of AI processing until compliant architecture deployed |
| Commercial |
Loss of government contracts, healthcare contracts, and financial services contracts requiring data sovereignty |
3. Context
When to Apply
- AI systems processing personal data subject to GDPR, Privacy Act, or other data residency regulation
- APRA-regulated entities using cloud AI services to process customer financial data
- Government agencies with Australian Signals Directorate (ASD) data classification requirements
- Healthcare organisations processing patient data with contractual or regulatory in-country requirements
- Any organisation with contractual data residency commitments to customers
When NOT to Apply
- AI systems processing exclusively synthetic or fully anonymised data with no re-identification risk
- AI systems processing publicly available, non-personal data only
- Research AI systems with explicit data sovereignty exemptions
Prerequisites
| Prerequisite |
Description |
| Data Classification |
Data classification taxonomy that identifies personal data and its jurisdiction of origin |
| Cloud Provider Region Mapping |
Knowledge of which cloud provider regions are within required jurisdictions |
| Legal Counsel |
Review of applicable cross-border transfer obligations and available mechanisms |
| Network Architecture |
Ability to configure VPC/VNet endpoints to restrict data egress |
| Vendor Contracts |
Data Processing Agreements with AI vendors specifying processing locations |
Industry Applicability
| Industry |
Residency Requirement |
Primary Regulation |
| Australian Banking / Finance |
Australia |
APRA CPS234 ¶20; Privacy Act APP 8 |
| Healthcare (Australia) |
Australia |
Privacy Act; State health privacy legislation |
| EU Operations |
EU/EEA |
GDPR Article 46 |
| Australian Government |
Australia (Protected/Highly Protected) |
ISM; ASD Cloud Security Guidance |
| EU Government |
EU |
GDPR; NIS2; national sovereignty requirements |
| Global Multi-National |
Jurisdiction-specific |
Multiple simultaneous residency requirements |
4. Architecture Overview
The Data Residency for AI Architecture implements geographic isolation at four layers: compute, storage, network, and audit.
Layer 1 — Regional Inference Endpoint Strategy
Instead of sending AI inference requests to globally routed LLM API endpoints, the architecture deploys dedicated regional inference endpoints for each required jurisdiction. For Australian data: inference is routed to AWS Sydney (ap-southeast-2), Azure Australia East, or GCP Australia Southeast 1—regions that offer both the cloud provider's contractual commitment to keep data within Australia and the physical infrastructure to fulfil that commitment. For EU data: inference is routed to EU-region endpoints (AWS eu-central-1 Frankfurt, Azure West Europe Amsterdam, GCP europe-west1 Belgium) with GDPR-compliant Data Processing Agreements in place. The inference routing layer inspects each request's data residency tag and routes to the appropriate regional endpoint. Requests tagged as Australian personal data are never routed to US or EU endpoints; EU personal data is never routed to non-adequate-country endpoints.
Layer 2 — Data Sovereignty Controls for RAG Pipelines
RAG pipelines introduce residency risk at three points: document embedding (compute); vector storage (storage); and retrieval (read access from inference context). The architecture addresses each: embedding computation runs in regional AI compute resources (the embedding model runs in-region, not as an API call to a cross-border endpoint); vector storage is created in a regionally isolated managed service (AWS OpenSearch in Sydney, Azure AI Search in Australia East, or a self-hosted pgvector instance on Australian infrastructure); and retrieval queries are routed only to the in-region vector store. Documents tagged as Australian personal data never leave the Australian region during the embed-store-retrieve cycle.
Layer 3 — Technical Controls Preventing Cross-Border Transfer
Technical controls enforce residency at the network level, not just through application-level routing (which can be misconfigured). Controls include: VPC/VNet Service Endpoints that prevent traffic from leaving the regional cloud environment; egress firewall rules blocking outbound HTTPS to non-permitted AI API endpoints; Service Control Policies (AWS) or Azure Policy / GCP Organisation Policies that prohibit resource creation outside permitted regions; data loss prevention (DLP) policies that inspect outbound API calls and block calls containing personal data to non-permitted endpoints; and cloud-native geo-restriction on storage buckets and databases.
Layer 4 — Audit Evidence Generation
Regulators require evidence, not assertions. The audit layer generates continuous audit evidence: cloud-native flow logs (AWS VPC Flow Logs, Azure Network Watcher, GCP VPC Flow Logs) recording all outbound traffic with destination IPs and geolocation tags; API Gateway access logs recording which AI endpoint each inference request was routed to; a Data Residency Compliance Report generated monthly that summarises: total inference requests by source jurisdiction and destination region, number of DLP blocks (cross-border attempts prevented), and any exceptions (requests requiring manual review). This report is retained as regulatory evidence.
APRA Offshore Risk Notification
Where APRA-regulated entities use cloud AI services that process regulated data offshore (e.g., using an EU-region Azure OpenAI endpoint for non-Australian data), CPS234 ¶20 requires the entity to assess and manage the offshore risk. Where the processing is material, the entity must notify APRA under the offshore outsourcing notification regime. The architecture includes a materiality assessment workflow that evaluates whether planned offshore AI processing meets APRA notification thresholds, and a notification record if the threshold is met.
5. Architecture Diagram
flowchart TD
subgraph Input["Data Sources"]
A[AU Personal Data]
B[EU Personal Data]
C[Non-Personal Data]
end
subgraph Core["Residency Control Core"]
D[Residency Tagger]
E{Regional Router}
F[DLP Enforcement]
end
subgraph Regions["Regional Inference Stacks"]
G[AU Region Stack]
H[EU Region Stack]
I[Global Endpoint]
end
A --> D
B --> D
C --> D
D --> F
F --> E
E -->|AU tagged| G
E -->|EU tagged| H
E -->|non-personal| I
G -->|flow logs| D
H -->|flow logs| D
style A fill:#dbeafe,stroke:#3b82f6
style B fill:#dbeafe,stroke:#3b82f6
style C fill:#dbeafe,stroke:#3b82f6
style D fill:#f0fdf4,stroke:#22c55e
style E fill:#f3e8ff,stroke:#a855f7
style F fill:#fee2e2,stroke:#ef4444
style G fill:#d1fae5,stroke:#10b981
style H fill:#d1fae5,stroke:#10b981
style I fill:#fef9c3,stroke:#eab308
6. Components
| Component |
Type |
Responsibility |
Technology Options |
Criticality |
| Residency Tagger |
Processing |
Classify each request's data by jurisdiction; attach residency tag |
Custom middleware; AWS Lambda; Azure Function; metadata from upstream systems |
Critical |
| Regional Inference Router |
Routing |
Route inference requests to permitted regional endpoints based on residency tag |
API Gateway with routing rules; service mesh (Istio); custom |
Critical |
| AU-Region Embedding Service |
Processing |
Compute text embeddings using AU-region resources only |
Amazon Bedrock Titan (Sydney); Azure OpenAI (AU East); sentence-transformers on EC2 |
High |
| AU-Region Vector Store |
Storage |
Store embeddings with no replication outside AU |
AWS OpenSearch (Sydney); Azure AI Search (AU East); pgvector on RDS (Sydney) |
Critical |
| AU-Region LLM Inference |
Processing |
Execute LLM inference within Australian geographic boundaries |
Amazon Bedrock (Sydney); Azure OpenAI (AU East); vLLM on EC2 Sydney |
Critical |
| EU-Region Inference Stack |
Processing + Storage |
Equivalent AU-region stack for EU personal data |
AWS eu-central-1; Azure West Europe; GCP europe-west1 |
Critical |
| VPC/VNet Service Endpoints |
Network |
Prevent AI API traffic from leaving regional network boundary |
AWS VPC Endpoints; Azure Private Endpoints; GCP Private Service Connect |
Critical |
| DLP Enforcement |
Network |
Inspect outbound calls; block personal data to non-permitted endpoints |
AWS Macie + Lambda; Azure Purview + Policy; custom Cloud Function |
High |
| Service Control Policies |
Policy |
Prevent resource creation in non-permitted regions at cloud account level |
AWS SCPs; Azure Policy; GCP Organisation Policies |
High |
| VPC Flow Logs |
Audit |
Record all outbound network traffic with destination and data volume |
AWS VPC Flow Logs; Azure Network Watcher; GCP VPC Flow Logs |
High |
| Residency Compliance Reporter |
Audit |
Generate monthly compliance summary for regulatory evidence |
Custom Lambda/Function + S3 report; scheduled query on flow logs |
High |
| APRA Notification Workflow |
Governance |
Assess materiality of offshore AI processing; generate APRA notification |
Custom workflow; ServiceNow; manual for now |
High |
7. Data Flow
Primary Flow
| Step |
Actor |
Action |
Output |
| 1 |
Upstream System |
Submit inference request with data subject context |
Request with data attributes |
| 2 |
Residency Tagger |
Identify data's jurisdiction based on classification metadata or content detection |
Residency tag: AU / EU / unrestricted |
| 3 |
Regional Inference Router |
Route request to permitted regional endpoint based on residency tag |
Routed request to correct region |
| 4 |
Regional Embedding Service |
Compute embeddings in-region |
Embeddings computed within jurisdiction |
| 5 |
Regional Vector Store |
Store/retrieve embeddings; all operations in-region |
Context retrieved from in-region store |
| 6 |
Regional LLM Inference |
Execute inference in-region using in-region model or regionally locked API |
AI response generated in-region |
| 7 |
VPC Flow Log |
Record outbound connection: source, destination IP, destination region, bytes transferred |
Flow log entry for audit |
| 8 |
Residency Compliance Reporter |
Aggregate monthly flow logs; verify all AI traffic stayed within permitted regions |
Monthly compliance report |
Error Flow
| Step |
Failure |
Detection |
Recovery |
| Residency Tag Missing |
Request lacks residency tag; router cannot determine correct endpoint |
Router policy: fail-closed to most restrictive region (AU or EU) |
Apply most restrictive residency control; alert data engineering; add classification |
| Regional Endpoint Unavailable |
AU-region or EU-region AI endpoint down |
Health check; router fails |
Fail closed (do not route to non-permitted region); graceful degradation to offline process; alert |
| DLP Policy Miss |
Personal data sent to non-permitted endpoint without block |
Retrospective flow log analysis; audit |
Incident response; assess data exposure; notify regulator if GDPR/APP threshold met |
| SCP Removal |
Service Control Policy accidentally removed; resources created in wrong region |
AWS Config / Azure Policy / GCP Org Policy alert |
Immediately restore SCP; move or delete out-of-region resources; assess data exposure |
8. Security Considerations
Security and Residency Controls
| Domain |
Control |
Implementation |
Regulation |
| Authentication |
AI endpoint access requires service identity; prevents misconfigured applications from calling wrong region |
IAM policies restricting endpoint access by service identity |
APP 11; GDPR 32; CPS234 ¶17 |
| Authorisation |
Only authorised services can invoke regional AI endpoints; deny all by default |
IAM deny policies on non-region endpoints; VPC endpoint policies |
APP 11; GDPR 32 |
| Secrets |
Regional API keys stored in regional secrets managers; no cross-region secret replication |
AWS Secrets Manager (region-specific); Azure Key Vault (region-specific) |
CPS234 ¶17 |
| Encryption |
Data in transit encrypted TLS 1.3; data at rest CMEK with region-specific keys |
Regional KMS keys; no cross-region key replication |
GDPR Article 32; APP 11 |
| Auditability |
Flow logs and API access logs retained in-region; cannot be deleted during retention period |
Immutable regional log storage; retention 7 years |
GDPR Article 5(2); APP 11 |
OWASP LLM Top 10 — Residency Controls
| OWASP LLM Risk |
Residency Implication |
Control |
| LLM01 Prompt Injection |
Injection may force inference to a different endpoint; bypass residency routing |
Enforce residency at network layer (VPC endpoint), not just application routing |
| LLM02 Insecure Output Handling |
AI output containing personal data routed to non-permitted downstream system |
Output residency check; DLP on responses |
| LLM03 Training Data Poisoning |
Malicious training data injection may occur via non-permitted data channel |
Training data source controls; in-region data pipelines |
| LLM04 Model Denial of Service |
DoS may force failover to non-permitted regions |
Failover policy: fail-closed to in-region only; no cross-region DR if residency-restricted |
| LLM05 Supply Chain Vulnerabilities |
Third-party AI component may process data outside jurisdiction |
Supply chain residency assessment; DPA specifying processing location |
| LLM06 Sensitive Information Disclosure |
AI model in non-permitted region receives personal data |
Router + DLP as primary controls; model never receives data if in wrong region |
| LLM07 Insecure Plugin Design |
Tool calls may exfiltrate data to non-permitted systems |
Tool call whitelist; egress DLP on tool calls |
| LLM08 Excessive Agency |
Autonomous agent may initiate data transfers to non-permitted destinations |
Agent action scope limits; egress DLP |
| LLM09 Overreliance |
N/A — overreliance is not a residency risk |
N/A |
| LLM10 Model Theft |
Stolen model weights from in-region deployment may be moved offshore |
Model weight access control; DLP on model artefact egress |
9. Governance Considerations
Residency Governance
| Domain |
Requirement |
Owner |
Cadence |
| AI Data Flow Mapping |
Document all AI data flows by data type and destination region |
Data Governance / Architecture |
At design; updated on change |
| DPA Inventory |
Data Processing Agreements with all AI vendors specifying processing locations |
Legal / Procurement |
At vendor onboarding; annual review |
| APRA Offshore Notification |
Assess whether offshore AI processing meets APRA notification threshold |
CRO / CISO |
At design of offshore AI capability; annual review |
| Residency Compliance Reports |
Monthly evidence of residency compliance for regulatory archives |
Cloud Engineering |
Monthly |
| Incident Investigation |
Any residency breach triggers investigation and potential regulator notification |
Privacy Officer / CISO |
Event-driven |
Governance Artefacts
| Artefact |
Description |
Retention |
| AI Data Flow Maps |
Jurisdiction-annotated data flow diagrams for all AI pipelines |
Lifetime of system + 7 years |
| DPA Register |
All data processing agreements with AI vendors, specifying processing locations |
Duration of vendor relationship + 7 years |
| APRA Offshore Notification Records |
Evidence of APRA notifications or materiality assessments concluding no notification required |
7 years |
| Monthly Residency Compliance Reports |
Monthly summary of AI traffic by jurisdiction; DLP blocks; exceptions |
7 years |
| Residency Breach Incident Reports |
Investigation and outcome for any residency breach |
10 years |
10. Operational Considerations
Monitoring and SLOs
| SLO |
Target |
Measurement |
Breach Action |
| Cross-Jurisdiction Inference Rate |
0% — no personal data routed outside permitted region |
Monthly flow log analysis; DLP block rate |
Immediate investigation; residency breach incident |
| Regional Endpoint Availability |
99.9% per region per month |
Synthetic probes every 60 seconds |
P2 incident; no cross-region failover if restricted; offline process activated |
| DLP Policy Effectiveness |
>99.9% of attempted cross-border transfers blocked |
DLP block rate; penetration test |
Review and update DLP policy; retrain classifier |
| Residency Compliance Report Generation |
100% generated monthly within 5 business days of month end |
Report generation log |
Alert cloud engineering; generate manually if automated fails |
Disaster Recovery
| Scenario |
Residency Implication |
Recovery |
| Regional Cloud Provider Outage |
AU-region or EU-region AI unavailable |
Fail closed: activate manual offline process; do not route to non-permitted region; restore in-region when available |
| Regional Vector Store Corruption |
RAG pipeline unavailable for jurisdiction |
Restore from in-region backup; do not fall back to cross-region replica if data is residency-restricted |
| Routing Logic Failure |
Router sends AU personal data to US endpoint |
DLP should block; if not blocked: incident response; assess exposure |
11. Cost Considerations
Cost Drivers
| Cost Driver |
Indicative Cost |
Notes |
| Regional LLM API Premium |
10–30% cost premium over US-region pricing |
Most cloud providers charge same; check regional pricing for specific models |
| Regional Vector Store |
USD 500–5,000/month per region |
Scales with embedding volume and query rate |
| DLP Enforcement |
USD 1,000–10,000/month |
Scales with outbound API call volume |
| VPC Flow Logs Storage |
USD 200–2,000/month |
Scales with log volume; can be expensive at high throughput |
| Engineering Overhead |
USD 100,000–300,000 (initial) |
One-time for residency architecture design and deployment |
Indicative Cost Range
| Organisation |
Annual Residency Control Cost |
Notes |
| Small (AU only, <1M inferences/month) |
USD 100,000–300,000 |
Mostly engineering + regional API; minimal tooling overhead |
| Mid-size (AU + EU, 1M–100M inferences/month) |
USD 300,000–1,000,000 |
Dual-region stack; DLP; monitoring |
| Large (multi-jurisdiction, >100M inferences/month) |
USD 1,000,000–5,000,000 |
Multi-region stacks; enterprise DLP; dedicated team |
12. Trade-Off Analysis
Architecture Options
| Option |
Description |
Pros |
Cons |
Recommended For |
| Option A: Cloud-Native Regional Deployment |
Use cloud provider's regional AI services with contractual residency commitments |
Lowest operational overhead; managed infrastructure |
Dependent on cloud provider's regional AI service availability; may not cover all required regions |
Most organisations with major cloud provider relationships |
| Option B: Sovereign On-Premises AI |
Self-hosted models on infrastructure within jurisdiction |
Maximum data control; no third-party residency dependency |
Highest cost; highest operational burden; limited model capability |
Government and defence with highest sovereignty requirements |
| Option C: Hybrid Regional + On-Premises |
Cloud for low-sensitivity, on-premises for high-sensitivity |
Balances capability and control |
Complexity of dual architecture; data classification must be precise |
Regulated enterprises with tiered data sensitivity |
Architectural Tensions
| Tension |
Trade-Off |
Resolution |
| Model Capability vs Sovereignty |
Best LLM models (GPT-4o, Claude Opus) may not be available in AU/EU regions |
Use regional models for restricted data; best models for non-restricted data; track regional availability as it expands |
| Latency vs Residency |
AU/EU region endpoints may have higher latency than US endpoints for global users |
Accept latency trade-off for restricted data; use closest permitted region |
| Cost vs Compliance |
Dual-region architecture doubles infrastructure cost for AI workloads |
Cost is non-negotiable where residency is a legal obligation; optimise within permitted regions |
| Granularity vs Complexity |
Fine-grained residency tagging (field-level) vs document-level residency |
Start with document-level; add field-level only where genuine mixed-jurisdiction documents exist |
13. Failure Modes
| Failure |
Likelihood |
Impact |
Detection |
Recovery |
| Residency Tag Misconfiguration |
Medium |
Critical — AU personal data routed to US endpoint |
DLP block; monthly report anomaly |
Incident response; data exposure assessment; regulator notification if GDPR/APP threshold |
| Regional Model Not Equivalent |
Medium |
Medium — regional model has lower quality; business bypasses restriction |
User feedback; model quality monitoring |
Accept quality trade-off; escalate to vendor roadmap; never bypass residency for quality reasons |
| Cloud Provider Moves Region |
Very Low |
High — contracted "AU region" data centre moves outside Australia |
Legal review of provider's data centre disclosures |
Review DPA; negotiate updated commitments; assess whether processing continued to meet obligation |
| DLP Misconfiguration Blocks Non-Personal Data |
Medium |
Low — legitimate cross-border calls blocked; operational disruption |
Operations alert; false positive rate monitoring |
Tune DLP policy; review blocked calls; whitelist non-personal data patterns |
Cascading Failure Scenario
An organisation's AI inference routing system is refactored for performance. A change is made to the routing logic that removes the residency tag check, routing all inferences to the global endpoint (us-east-1) for lower latency. The DLP policy was not tested on the new routing path. Over three weeks, all AU personal data inference requests are routed through the US endpoint. A monthly compliance report (the only detective control) identifies the anomaly at week four. The privacy officer investigates and finds AU customer data—including health information—was processed in the US by a provider without Australian-jurisdiction contractual commitments. The organisation must notify the OAIC and conduct a data exposure assessment. APRA is notified under CPS234 ¶24 of a material information security incident. The root cause: no automated, real-time residency verification control—only monthly batch reporting.
14. Regulatory Considerations
| Regulation |
Specific Obligation |
Architectural Control |
Reference |
| Privacy Act 1988 APP 8.1 |
Cross-border disclosure: must ensure equivalent privacy protection or have accountability mechanism |
DPA with AI vendor; SCC equivalent; or fail-closed to in-region |
APP 8.1 |
| GDPR Article 46 |
Transfers to third countries require appropriate safeguards |
Standard Contractual Clauses; adequacy decision for destination country |
GDPR Article 46(2) |
| GDPR Article 44 |
General principle: personal data not transferred to third countries without Chapter V compliance |
Residency router ensures no transfer without mechanism |
GDPR Article 44 |
| APRA CPS234 ¶20 |
Third-party providers used by regulated entities; offshore risk management |
APRA offshore notification if material; DPA; right to audit |
CPS234 Paragraph 20 |
| Australian Government ISM |
Protected and Highly Protected data must be stored and processed in Australia |
On-premises or ASD-certified Australian cloud for government data |
ISM Control 0113, 0114 |
| EU AI Act Article 10 |
Training data governance may impose residency requirements for AI training data |
Training data pipeline in-region for restricted data |
EU AI Act Article 10 |
| GDPR Article 32 |
Technical measures to ensure security appropriate to the risk |
Regional encryption with region-specific keys |
GDPR Article 32(1)(a) |
15. Reference Implementations
AWS
| Component |
AWS Service |
Region |
| AU-Region LLM Inference |
Amazon Bedrock (Claude 3, Titan) |
ap-southeast-2 (Sydney) |
| AU-Region Embedding |
Amazon Bedrock Titan Embeddings |
ap-southeast-2 |
| AU-Region Vector Store |
Amazon OpenSearch Service |
ap-southeast-2 |
| Residency Router |
Amazon API Gateway + Lambda routing logic |
ap-southeast-2 |
| VPC Enforcement |
VPC Endpoints for Bedrock; no public NAT for AI APIs |
ap-southeast-2 |
| DLP |
Amazon Macie + Lambda egress inspection |
Per-region |
| SCP |
AWS Organisation SCP: deny AI service calls from non-permitted regions |
Organisation level |
| Flow Logs |
VPC Flow Logs → S3 (ap-southeast-2, Object Lock) |
ap-southeast-2 |
Azure
| Component |
Azure Service |
Region |
| AU-Region LLM Inference |
Azure OpenAI Service |
Australia East |
| AU-Region Embedding |
Azure OpenAI Embeddings |
Australia East |
| AU-Region Vector Store |
Azure AI Search |
Australia East |
| Residency Router |
Azure API Management with routing policy |
Australia East |
| VPC Enforcement |
Azure Private Endpoint for Azure OpenAI |
Australia East |
| DLP |
Azure Purview DLP + Policy |
Per-region |
| SCP Equivalent |
Azure Policy — deny resource creation outside permitted regions |
Management Group |
| Flow Logs |
Azure Network Watcher → Storage Account (Australia East, Immutable) |
Australia East |
GCP
| Component |
GCP Service |
Region |
| AU-Region LLM Inference |
Vertex AI (Gemini) |
australia-southeast1 |
| AU-Region Embedding |
Vertex AI Embeddings |
australia-southeast1 |
| AU-Region Vector Store |
Vertex AI Vector Search |
australia-southeast1 |
| Residency Router |
Cloud Endpoints + Cloud Run |
australia-southeast1 |
| VPC Enforcement |
VPC Service Controls with access policy |
australia-southeast1 |
| DLP |
Cloud DLP + Cloud Functions inspection |
Per-region |
| SCP Equivalent |
Organisation Policy — resource locations constraint |
Organisation |
| Flow Logs |
VPC Flow Logs → Cloud Storage (australia-southeast1, Bucket Lock) |
australia-southeast1 |
On-Premises / Sovereign Cloud
| Component |
Technology |
Notes |
| LLM Inference |
vLLM or Ollama on bare-metal GPU |
Located in Australian data centre |
| Embedding Service |
Sentence-transformers on CPU/GPU |
Local inference; no external API call |
| Vector Store |
pgvector on PostgreSQL |
On-premises; no cloud replication |
| Network Enforcement |
Firewall egress rules blocking known AI API endpoints |
Hardware firewall; regularly updated |
| Flow Logs |
NetFlow / sFlow → on-premises SIEM |
Retained on-premises for 7 years |
| Pattern ID |
Pattern Name |
Relationship |
Notes |
| EAAPL-CMP004 |
Privacy-Preserving AI |
PREREQUISITE |
PII detection and classification is required before residency tagging can be applied |
| EAAPL-CMP002 |
APRA CPS234 AI Security |
COMPLEMENTARY |
CPS234 ¶20 offshore risk obligations are directly addressed by this pattern |
| EAAPL-CMP008 |
GDPR-Compliant AI |
COMPLEMENTARY |
GDPR Article 46 cross-border transfer obligations require residency controls from this pattern |
| EAAPL-CMP003 |
EU AI Act Compliance |
COMPLEMENTARY |
EU AI Act Article 10 training data governance may require in-EU training data processing |
| EAAPL-PLT005 |
AI Data Governance |
PREREQUISITE |
Data classification and jurisdiction tagging must be operational before residency routing works |
| EAAPL-SEC001 |
Zero-Trust Architecture |
COMPLEMENTARY |
Zero-trust network controls reinforce VPC/VNet endpoint residency enforcement |
17. Maturity Assessment
Overall Maturity Label: Proven
| Dimension |
Level 1 |
Level 2 |
Level 3 |
Level 4 |
Level 5 |
Current Level |
| Data Flow Mapping |
No AI flow mapping |
Ad-hoc flow documentation |
Comprehensive jurisdiction-annotated AI data flow maps |
Real-time data flow monitoring |
Automated continuous flow discovery |
Level 3 |
| Residency Enforcement |
No controls |
Manual review |
Automated routing + VPC enforcement + DLP |
Real-time violation detection + auto-remediation |
Zero-touch residency enforcement with continuous audit |
Level 3 |
| Audit Evidence |
No evidence |
Screenshot-level evidence |
Monthly compliance reports from flow logs |
Automated regulatory report generation |
Immutable continuous audit trail with regulatory portal access |
Level 3 |
| Vendor Management |
No DPA |
DPA exists but no location commitment |
DPA specifies processing location; verified annually |
Continuous vendor compliance monitoring |
Real-time vendor location verification API |
Level 3 |
18. Revision History
| Version |
Date |
Author |
Changes |
| 1.0 |
2025-06-01 |
EAAPL Working Group |
Initial draft |
| 1.1 |
2026-06-12 |
EAAPL Working Group |
Added APRA notification workflow; updated GCP reference implementation; added cascading failure scenario |