Most organizations will tell you their data is “in the cloud.” But ask exactly where and the answer is often far less clear. That uncertainty may seem harmless, but it obscures a dangerous reality: the cloud isn’t locationless and hasn’t removed regulatory, legal and operational risk from managing data.
Data doesn’t float around a jurisdictionless environment. It lives on actual servers, somewhere very real, with legal, technical and operational consequences. When organizations do not know where that is, they lose time, increase costs and introduce risk at the exact moment they need clarity and control.
This is especially important when it comes to disputes, investigations, eDiscovery and regulatory response. Uncertainty about data location slows response, increases exposure and undermines decision-making. What appears to be an infrastructure detail quickly becomes a board-level risk, with serious operational and legal implications.
The Misconception of the Locationless Cloud
Cloud platforms are designed to feel seamless. Users can access data from anywhere, collaborate across regions and scale quickly without thinking about infrastructure. But that simplicity masks a physical reality: data is stored in centers located in specific countries, governed by laws and regulations.
Whether your organization uses Google Workspace, Microsoft 365, Slack or other cloud platforms, your data is always tied to a physical location, even if you have never explicitly chosen one. That distinction matters more than most teams realize.
Why Data Location Matters
When legal, compliance and investigation teams need to act quickly, data location is a critical factor, often in ways that are not obvious until something goes wrong.
Data stored in different regions is subject to different regulatory frameworks, from the GDPR in the European Union to U.S. federal and state laws to stricter data localization requirements in jurisdictions like China. If an organization does not know where its data resides, it may not fully understand which laws apply or whether it is already at risk of noncompliance. What seems like a technical detail can quickly become legal exposure.
At the same time, moving data across borders is rarely straightforward. Certain jurisdictions impose restrictions on exporting data, and transfers may require approvals, safeguards or additional legal review. In time-sensitive situations, such as an internal investigation or regulatory inquiry, these constraints can introduce delays that materially impact outcomes.
For eDiscovery and investigative teams, data location directly affects how and where data can be collected, processed and reviewed. Without clarity, teams may find themselves unable to proceed with standard workflows, leading to delays, duplication of effort and increased costs. What should be a routine process can become unnecessarily complex when location is not well understood.
Even when organizations believe they understand where their data is stored, complications can arise from the distinction between hosting and processing. Data may be hosted in one region but processed in another, creating additional layers of regulatory and operational complexity. These nuances can create friction between legal, IT and external partners, particularly when there is no shared understanding of how data moves through the environment.
The Hidden Operational Risk
In practice, the biggest issue is not just legal; it is operational.
When organizations do not understand where their data lives, collections slow down because IT teams need to investigate architecture in real time. Legal teams lose confidence in how and where data can be handled. External partners such as law firms and services providers cannot proceed without clarity.
The breakdown of these workflows across teams often surfaces at the worst possible moment: during an active investigation or regulatory request when speed and precision matter most.
The Questions Every Organization Should Be Able to Answer
To avoid these challenges, organizations should be able to clearly answer:
- Where is our data hosted?
- Where is it processed?
- Do we control region or data residency settings?
- Are we using SaaS platforms, hybrid environments or private cloud infrastructure?
- Is our data replicated across regions?
- Do we understand how our vendors handle data storage and transfer?
If these answers are unclear or undocumented, the organization is operating with avoidable risk.
How to Find the Answers
This doesn’t require a full infrastructure overhaul, but it does require coordination.
Start with a practical approach
Review System Settings
Microsoft 365
- Start in the Microsoft 365 Admin Center (admin.microsoft.com). Navigate to Settings, then Org Settings, then Organization Profile. There you will find a “Data Location” entry that shows where core data, including Exchange Online, SharePoint, OneDrive and Teams, is stored at rest.
- A few things to understand about what you are seeing. Microsoft distinguishes between your “default geography,” which is where your tenant was originally provisioned, and any “expanded data residency” or “Multi-Geo” configurations your organization may have enabled. A standard tenant will show a single region. Organizations that have purchased Multi-Geo licensing may have data distributed across multiple regions with different users or groups pinned to different geographies.
- If your organization uses Microsoft Purview (formerly Compliance Center), additional detail is available there around data handling, retention policies and information governance, all of which are relevant in an investigation context.
- Key things to document are your tenant’s default data location, whether Multi-Geo is enabled, which workloads are covered and whether any data residency add-ons have been purchased.
- In the Google Admin Console (admin.google.com), navigate to Account, then Account Settings, then Legal and Compliance, where you will find Data Regions. Google refers to this as a “data region policy,” and it controls where data for covered services, including Gmail, Drive, Docs, Meet and Chat, is stored at rest.
- Google offers three options: no preference (Google determines storage location), United States or Europe. If no policy has been explicitly set, your data may be distributed globally across Google’s infrastructure with no regional constraint.
- It is worth noting that Google’s data region policy applies to primary data storage, but metadata and certain operational data may still be processed outside the selected region. This distinction matters in regulatory contexts, particularly under the GDPR, where the line between storage and processing has legal significance.
- Key things to document are whether a data region policy exists, which region is selected, which organizational units or groups the policy applies to and which services are covered.
- Slack’s data residency settings are managed at the workspace or Enterprise Grid level. For Enterprise Grid customers, navigate to the Admin Dashboard, then Settings, then Data Residency. Slack currently offers residency options in the United States and Europe (via AWS infrastructure in those regions).
- It is important to understand that Slack’s data residency feature is not available on all plan tiers. Organizations on free or standard plans do not have residency controls, meaning Slack determines where data is stored. Only Enterprise Grid customers have access to explicit data residency configuration.
- Additionally, Slack stores different types of data, including messages, files and metadata, and not all of it may be covered equally under residency settings. If your organization uses Slack for sensitive communications and is subject to regulatory requirements, this is a gap worth investigating before it surfaces in a matter.
- Key things to document are your Slack plan tier, whether data residency is enabled, which region is selected and whether your usage involves Enterprise Grid or individual workspace configurations.
- Vendor documentation
- Contracts and data processing agreements (DPAs)
- Internal architecture diagrams
- IT and security
- Data governance
- External vendors and service providers
Document It Before You Need It
The goal is not just to find the answer, but also to make it repeatable. Document:
- Where data resides.
- How it flows.
- What constraints apply.
This way, when an investigation arises, you’re not starting from scratch.
The Operational Fix: Build Repeatable Workflows
Organizations that handle this well do not treat data management as a one-time exercise. They build repeatable, cross-functional workflows that align legal, IT, compliance and external partners. This includes standardized processes for data collection, processing and review along with clear ownership across teams and predefined approaches based on data location scenarios.
These teams know that compliance is a basic requirement. Speed, consistency and confidence define effective execution. Taking control of data starts with knowing where it is located. And without control, no effective response when it matters most.