af agentic-first

Directory ยท data residency

Know where agent data can live.

The directory's data-location labels are practical field notes for agent tools. They help you spot whether a tool is EU/UK friendly, US/global, local-first, self-hosted, or still needs a vendor check before sensitive use.

Back to the directory -> Source note

Field notes, not legal advice

Agent tools can touch prompts, source code, shells, email, CRM records, analytics, payments, customer tickets, browser sessions, and logs. The useful question is not just where the company is based, but where your data can be stored, processed, logged, supported, exported, and accessed.

A region chip only counts when it applies to this exact agent surface and can be selected, enforced, or controlled for the actual workload. Do not infer residency from headquarters, marketing copy, CDN location, or a different product from the same vendor.

How to read the chips

EU

EU or EEA

Public sources indicate an EU, EEA, or Europe-region option for the exact product or workload surface.

UK

UK

Public sources indicate a UK-region option for the exact product or workload surface.

US

US

Public sources indicate US hosting, US residency, or a US/global default for the exact product or workload surface.

Local

Local or controlled

The tool runs locally or the operator controls the repository, site, or deployment.

Self-host

Self-hosted

You can choose the hosting location, and you own the operational controls.

Verify

Verify vendor

No clear public residency claim was confirmed, or the claim applies only to an adjacent surface.

EU or EEA

EU/EEA residency is usually the cleanest starting point for EU organisations because it reduces cross-border transfer questions and keeps more of the operational stack under familiar data-protection rules. It still does not mean everything is automatically safe. Check support access, subprocessors, model inference, telemetry, backups, analytics, abuse review, and whether the EU region is enabled on your exact plan.

UK

UK residency is often a good fit for UK organisations and UK-regulated workflows. It can reduce transfer complexity under UK GDPR, but the same checks apply: contract, DPA, subprocessor list, support access, logs, backups, and feature-specific data flows.

US or global

US/global tools are not automatically unsafe. Many are excellent products with serious security teams. The practical issue is leverage and recourse. If a critical workflow depends on a US vendor, US-hosted infrastructure, or a global platform default, availability and access can be affected by vendor policy, account enforcement, export controls, sanctions, lawful access processes, cloud-provider decisions, and outages.

For UK/EU sensitive workflows, treat that as an operational dependency to understand before you connect production data. Keep exports, backups, documented contracts, and a credible exit path.

Local, self-hosted, or customer controlled

Local and self-hosted tools usually give the strongest operational control over where data lives. They also move more responsibility to you: patching, secrets, backups, logs, network exposure, retention, monitoring, and incident response.

When the chip says Verify

Verify means the tool may be useful, but the directory did not confirm a clear public data-residency claim. Before sensitive use, ask where data is stored and processed, which features leave the chosen region, what model providers are used, how long logs are retained, and whether support staff or subprocessors can access your content.

The simple checklist

Official references