← Back to KB index
Residency

Data residency binding (per-tenant geo)

How DarkCoders enforces data location at the storage layer per tenant.

What this is

Every tenant carries a residency_region enum (fra1 | nyc1 | sgp1 | lon1). All

tenant-scoped data writes route via the corresponding regional droplet pool. Cross-region

data movement is blocked by Z.329 Data Residency Enforcement.

How it works

  1. Tenant signup wizard requests region preference
  2. Region is stored in ciso/data/tenants//residency_region
  3. Z.329 enforcer intercepts writes to Vault, MinIO, OpenSearch, Eramba MariaDB

4. Cross-region writes are rejected with HTTP 451

Audit trail

All residency decisions append to the Z.246 hash-chain at

/var/lib/ciso/audit-chain//chain.jsonl with event_type residency_enforced.

Verify your region

curl -H "X-API-Key: $KEY" https://api.darkcoders.io/api/v1/v26/auth/whoami | jq .tenant.region

Change region

Region changes require Enterprise plan + a 14-day data-mirror handover. Open a

support ticket via /api/v1/v25/support/tickets/create with subject "Region change".

GDPR + Data Privacy Framework alignment

Tenants on fra1 or lon1 automatically satisfy GDPR data localization.

Tenants on sgp1 satisfy Singapore PDPA. nyc1 satisfies New York DFS.