Data residency
Also: data location, where your data is stored
Data residency is where an AI vendor actually stores and processes your data, meaning which country or region and under which legal jurisdiction, as distinct from where the vendor is headquartered.
Data residency describes the physical and legal location of the servers and data centers where your inputs, outputs and account data are stored and processed. It matters because data stored in a given jurisdiction is generally subject to that jurisdiction's laws, including government access requests, regardless of where your company or your users are based.
Why AI makes residency harder
For AI tools specifically, residency questions get more complicated than for plain SaaS storage, because a prompt often gets processed by more than one system: the vendor's own infrastructure, a cloud provider underneath it, and sometimes a separate model provider entirely (a chat product built on someone else's foundation model, for instance). Each of those legs can sit in a different region unless the vendor explicitly commits otherwise.
US by default, EU or UK by upgrade
Most AI vendors default to US-based processing, since that is where the major cloud and model infrastructure is concentrated. EU and UK data residency, when offered, is typically an enterprise-tier feature, an explicit commitment that data stays within EU data centers, not the out-of-the-box behaviour of the free or standard plan.
Confirm it in writing
If residency is a hard requirement (common in finance, public sector and some healthcare contexts), don't infer it from a vendor being 'GDPR compliant' generally: GDPR compliance and EU data residency are different guarantees. Residency is also not the same as data sovereignty, which adds the question of which country's laws ultimately govern access even when the data is stored abroad. Confirm residency specifically, in writing, for the plan tier you will actually be on; the AI Tool Risk Directory notes residency options where vendors publish them.