Planning for data residency

Data residency gives you more control over where your Security Command Center data is located. This document provides essential information about how Security Command Center supports data residency.

The following definitions apply to this document:

  • A location is a Google Cloud region or multi-region that corresponds to the location in which your data resides.
  • The meaning of the term your data is equivalent to the meaning of the term "Customer Data" in the Data Location item in the Google Cloud General Service Terms.

To learn how to work with Security Command Center resources when data residency is enabled, see Security Command Center regional endpoints.

Supported data locations

This section describes the data locations that you can use for Security Command Center and related services.

Security Command Center data locations

When you enable data residency, the Security Command Center API supports the following Google Cloud multi-regions as data locations:

European Union (eu)
Data resides in any Google Cloud region within member states of the European Union.
Kingdom of Saudi Arabia (KSA) (sa)
Data resides in any Google Cloud region in KSA.
United States (us)
Data resides in any Google Cloud region in the United States.

For more information about Security Command Center locations, see Products available by location.

If you need to specify a default location for data residency that Security Command Center doesn't support, then contact your account representative or a Google Cloud sales specialist.

Model Armor data locations

For Model Armor, data residency is always enabled.

The Model Armor API provides regional endpoints in the following locations:

European Union
  • europe-west4: Netherlands (Low CO2)
United States
  • us-central1: Iowa (Low CO2)
  • us-east1: South Carolina
  • us-east4: Northern Virginia
  • us-west1: Oregon (Low CO2)

The Model Armor API provides multi-region endpoints in the following locations:

European Union
  • eu
United States
  • us

Requirements for data residency

This section explains the requirements for using data residency in Security Command Center and related services.

Requirements for Security Command Center

You can enable data residency for Security Command Center only when you activate the Standard or Premium service tier for an organization for the first time. The Enterprise tier doesn't support data residency.

After data residency is enabled, you can't disable it.

Data residency requires you to use the Security Command Center v2 API. If data residency is enabled, then you can't use earlier versions of the Security Command Center API.

If you don't enable data residency when you activate Security Command Center, then Security Command Center does not restrict your data to any particular location, and it's stored in accordance with the Google Cloud Platform Terms of Service.

Requirements for Model Armor

For Model Armor, data residency is enabled by default. You can't disable data residency for Model Armor.

How and when data residency is enforced

When you enable data residency for Security Command Center, some Security Command Center data is kept within a specified location when it's in one of the following states: at rest, in use, or in transit. Each state is defined later in this section.

After you enable data residency and select a data location, Security Command Center does the following:

  • When a finding is created for a resource that resides in the specified location, the finding always resides in your data location.
  • When a finding is created for a resource that resides in another location, the finding eventually resides in your data location. However, the finding might temporarily reside in a different region.
  • When you create specific types of configuration resources in your data location, they reside in that location.
  • In cases where Security Command Center stores data that is not Customer Data, as defined in the Data Location item in the Google Cloud General Service Terms, Security Command Center stores the data in accordance with the Google Cloud Platform Terms of Service.

Data residency at rest

Data is at rest when all of the following criteria are met:

Data residency in use

Data is in use when all of the following criteria are met:

  • The data is for a resource type that is subject to data residency controls.
  • Google Cloud is completing an operation that was initiated at your request—for example, because your application called the Security Command Center API—or an operation that produces audit logs or Access Transparency logs.
  • It's possible for Google Cloud to operate on the data in a way that requires knowledge of the data's meaning—for example, by updating specific fields in a configuration resource. This includes any case where data is unencrypted in memory.

Data residency in transit

Data is in transit when all of the following criteria are met:

  • The data is for a resource type that is subject to data residency controls.
  • The data is being transmitted, with encryption, within Google's network, or the data is in memory, with encryption, for the purpose of transmitting it within Google's network.

Security Command Center resources and data residency

The following list explains how Security Command Center applies data residency controls to Security Command Center resources. If a resource isn't listed here, then it's not subject to data residency controls and is stored in accordance with the Google Cloud Platform Terms of Service.

BigQuery exports

BigQuery export configurations are subject to data residency controls. Use the regional endpoints to create and manage these configuration resources.

The Security Command Center API represents BigQuery export configurations as BigQueryExport resources.

Continuous exports

Continuous export configurations are subject to data residency controls. Use the regional endpoints to create and manage these configuration resources.

The Security Command Center API represents continuous export configurations as NotificationConfig resources.

Findings

Findings are subject to data residency controls.

When a finding is created for a resource that resides in the data location that you selected, the finding always resides in the same location.

When a finding is created for a resource that resides in another location, the finding eventually resides in the data location that you selected. However, the finding might reside in a different region at the time that it's created.

To help ensure that findings always reside in your data location, create all of your Google Cloud resources in that location.

Model Armor resources

All Model Armor resources are subject to data residency controls. Use the regional endpoints to create and manage these configuration resources.

Mute rules

Mute rule configurations are subject to data residency controls. Use the regional endpoints to create and manage these configuration resources.

The Security Command Center API represents mute rule configurations as MuteConfig resources.

Other Security Command Center resources and settings

Security Command Center resources and settings that aren't listed here, such as those that define which services are enabled or which tier is active, are not subject to data residency controls. This data is stored in accordance with the Google Cloud Platform Terms of Service.

Create or view data in a location

When data residency is enabled, you must specify a location when you create or view any data that's subject to data residency controls. Security Command Center automatically chooses a location for findings that it creates.

You can create or view data in only one location at a time. For example, if you list findings in the United States (us) location, then you won't see findings in the European Union (eu) location.

To learn how to create or view data that's subject to data residency controls, see About the jurisdictional Google Cloud console and Tools for regional endpoints.
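The following is an added example, not code from Google Cloud or from this page. It models the rules stated above in a small offline helper: the three supported data locations, the v2-only regional endpoint for the configuration resources described earlier (BigQuery exports, continuous exports, mute rules), one-location-at-a-time listing of findings, and an audit check for resources created outside the chosen data location, whose findings may only eventually reside there. The regional endpoint host pattern, the `-` source wildcard in the v2 findings parent, and the region-prefix table are assumptions and should be confirmed against the regional endpoints and locations pages before use.

```python
"""Offline model of the Security Command Center data residency rules on this page.

Added example; this is not Google Cloud's code. It encodes the supported data
locations, v2-only regional endpoints, one-location-at-a-time listing, and a
check that a resource's region lies inside the chosen data location (so its
findings reside there from creation rather than only eventually).
"""
from dataclasses import dataclass

# Multi-regions this page lists as supported data locations for the API.
SUPPORTED_LOCATIONS = frozenset({"eu", "sa", "us"})

# Assumption: region-name prefixes that fall inside each multi-region. The eu
# and us prefixes follow Google Cloud's region naming; the KSA (sa) entry is
# left empty because this page does not name its regions. Look them up on
# "Products available by location" before using this for a real audit.
REGION_PREFIXES = {"eu": ("europe-",), "us": ("us-",), "sa": ()}


def validate_location(location: str) -> str:
    """Return the location unchanged if it is a supported data location."""
    if location not in SUPPORTED_LOCATIONS:
        raise ValueError(
            f"unsupported data location {location!r}; "
            f"expected one of {sorted(SUPPORTED_LOCATIONS)}"
        )
    return location


def regional_endpoint(location: str) -> str:
    """Host of the regional endpoint for a data location.

    Assumption: the host follows the securitycenter.LOCATION.rep.googleapis.com
    pattern used by Security Command Center regional endpoints.
    """
    return f"https://securitycenter.{validate_location(location)}.rep.googleapis.com"


def findings_list_url(org_id: str, location: str) -> str:
    """Full v2 list-findings URL scoped to one location across all sources.

    Assumption: the '-' wildcard for the source id is accepted by the v2 API.
    Earlier API versions are never emitted, since data residency requires v2.
    """
    parent = f"organizations/{org_id}/sources/-/locations/{validate_location(location)}"
    return f"{regional_endpoint(location)}/v2/{parent}/findings"


def region_in_location(region: str, location: str) -> bool:
    """True if a region lies inside the multi-region used as the data location."""
    prefixes = REGION_PREFIXES[validate_location(location)]
    return any(region.startswith(p) for p in prefixes)


@dataclass(frozen=True)
class Finding:
    name: str
    resource_region: str  # region of the affected resource
    data_location: str    # multi-region where the finding currently resides


# Constructed sample findings (not real data); names follow the v2 pattern.
SAMPLE_FINDINGS = [
    Finding("organizations/123/sources/-/locations/us/findings/f1", "us-central1", "us"),
    Finding("organizations/123/sources/-/locations/us/findings/f2", "us-east1", "us"),
    Finding("organizations/123/sources/-/locations/eu/findings/f3", "europe-west4", "eu"),
]


def list_findings(findings, location: str):
    """Model a one-location listing: only findings residing in `location`."""
    loc = validate_location(location)
    return [f for f in findings if f.data_location == loc]


def resources_outside_location(resource_regions, location: str):
    """Audit helper: regions whose findings may temporarily reside elsewhere."""
    return [r for r in resource_regions if not region_in_location(r, location)]


if __name__ == "__main__":
    print(findings_list_url("123", "us"))
    print([f.name for f in list_findings(SAMPLE_FINDINGS, "us")])
    print(resources_outside_location(["us-central1", "europe-west4", "asia-east1"], "us"))
```

The audit helper is the practical piece: run it over the regions of the Google Cloud resources an organization actually creates, and every region it returns is a place where a finding can be created outside the data location before it is moved, which is exactly the case the Findings section says to avoid by creating resources in the data location.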
