Ask most teams where their data physically sits and who is legally able to access it, and few can answer precisely. That is manageable — until a regulator, an enterprise customer, or a security incident makes it the only question that matters. Here is how to think about it clearly, without the jargon.
Three terms people use interchangeably, and shouldn’t
Most confusion in this area comes from blurring three distinct ideas. They are related, but they are not the same, and a provider can satisfy one while failing the others.
| Term | What it means | The question it answers |
|---|---|---|
| Residency | Where the data is physically stored | In which country do the disks sit? |
| Localisation | A legal requirement to keep certain data in-country | Are you allowed to store it elsewhere at all? |
| Sovereignty | Whose laws govern the data and who can compel access | Who can be forced to hand it over, and under which courts? |
Residency is a checkbox. Sovereignty is the thing your lawyers actually care about. A provider can store a copy in your country and still be a foreign company subject to foreign court orders, which means the data is resident but not sovereign.
Why “the cloud” gets uncomfortable
When your infrastructure runs offshore, three things tend to go wrong at the worst possible time. A “local” provider gets acquired and quietly changes its terms. A regulator refuses to accept a compliance certificate issued on another continent. Or an outage leaves you explaining to customers why their data was in a country they had never heard of. None of these are technical failures. They are sovereignty failures, and no amount of uptime fixes them.
Technical detail
Even with in-region storage, the control plane, the support staff, and the parent company may sit elsewhere — and that is what determines legal access. Encryption helps, but if the provider holds or can recover the keys, it does not remove the provider from the legal picture. What actually changes the answer is the contracting entity’s jurisdiction and who administers the systems day to day.
Four questions to ask any provider
You do not need to be a lawyer to pin this down. Put these four questions in writing and keep the answers:
- Contracting entity: which legal company, registered in which country, am I actually contracting with?
- Location: in which country does my data sit at rest, and through which countries does it transit?
- Administration: who can technically access the systems holding my data, and from where?
- Compulsion: under whose jurisdiction can access to my data be legally compelled, and have you ever received such a request?
The straightforward answer
Metal on Cloud runs dedicated servers and colocation from a partner Tier-III data center in Nairobi. Your data is stored and processed in Kenya, under Kenyan law, on hardware that is yours alone, administered by a team in-region. When someone asks where your data lives, you can point at a city and a jurisdiction, and name the entity on the contract.
Key takeaway
If you cannot name the country and the legal entity that hold your data, you do not yet control it. In-region infrastructure on hardware you control turns an uncertain answer into a precise one — the answer your regulator and your largest customer will eventually ask for.
Ready to talk specifics?
Get a Quote