CASE 43 · ASPEN · 2024
EU customer data that stays in the EU, demonstrably.
A B2B SaaS expanding into Germany hit a Data Processing Addendum requirement: EU customer data must be stored, processed, and backed up exclusively in EU regions, with cryptographic enforcement and verifiable evidence. We re-architected the data plane for verifiable residency.
B2B SaaS
SECURITY
2024
RESULTS
What changed, by the numbers.
DATA-RESIDENCY CONFIDENCE
100%
CONTRACT VALUES UNBLOCKED
€4.2M
REGION VIOLATIONS
0
AUDIT EVIDENCE TIME
AUTO
HOW IT WENT
The legal team had drafted a DPA assertion the engineering team couldn't actually back up: "all EU customer data is stored, processed, and backed up in EU regions." Some of the team's backup jobs ran in us-east-1. Nobody had connected the two.
We rebuilt the data plane around eu-central-1 (primary) and eu-west-1 (DR) for EU-tenant traffic. KMS keys for EU tenants were created in EU regions and pinned by key policy. SCPs at the organization level deny `s3:*`, `rds:*` and `kms:*` in any region outside the approved EU list for the EU production OU. (SCPs never restrict the organization's management account, so nothing EU-scoped should run there.)
AWS Config rules continuously evaluated cross-region replication paths and flagged any destination outside the approved list; AWS Audit Manager assembled the quarterly evidence. The €4.2M in pending German enterprise deals closed within two months of the architecture passing legal review. The DPA assertion is now provable.
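The region-pinning SCP described above, written out as an added example. This is not the client's actual policy: the two region identifiers mirror the primary/DR pair named in this case, the `Sid` is illustrative, and attachment to the EU production OU is assumed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEuDataServicesOutsideApprovedRegions",
      "Effect": "Deny",
      "Action": [
        "s3:*",
        "rds:*",
        "kms:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

Attach it to the EU production OU, not to individual accounts, so new member accounts inherit it. Before rolling it out, exercise the calls your EU workloads legitimately make through global endpoints (for example `s3:ListAllMyBuckets` against the global S3 endpoint, which resolves to us-east-1) and confirm they still succeed; if any do not, carve those specific actions out with a `NotAction` element rather than widening the region list. Verify enforcement the same way an auditor would: make one deliberate `CreateBucket` or `CreateKey` call against a non-EU region from an EU production account and keep the resulting `AccessDenied` CloudTrail event as evidence.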
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.