Where does your AI security vendor
store prompt data?
AI security platforms capture the prompts employees send to AI tools, which means they hold your most sensitive content. This checklist gives CISOs and privacy teams the questions to ask before signing, and explains what vendor documentation typically does and does not disclose.
The short answer
If you cannot get a named storage region for prompt content in writing, you do not have a data residency answer. Most AI security vendors publish a hosting provider and a certification list, but few publicly commit to where prompt data lives, and fewer let the customer choose. The storage region for prompts belongs in your DPA and contract, verified before signature, because the prompts your vendor captures contain the sensitive data the tool exists to protect.
This guide covers why residency is a first-order question for prompt-level security tools, the practical GDPR and Schrems II context, a 10-question vendor checklist, and what public vendor documentation usually leaves out.
Last updated: 12 June 2026
Prompts are the payload
Most SaaS vendors hold metadata about your business. An AI security platform that monitors prompts holds the content itself: a concentrated archive of the riskiest material employees handle, collected precisely because it is sensitive.
The tool you buy to stop sensitive data leaking through AI becomes, by design, a store of that sensitive data. Where that store lives is not a footnote. It is part of the control.
When a security platform captures full prompt content for governance and DLP, every record it keeps inherits the sensitivity of the original data. A vendor that stores those records offshore turns your monitoring programme into a cross-border transfer of customer records, source code, and legal material, often without the privacy team realising it during procurement.
Customer and employee records
Names, contact details, account histories, HR matters, and health information get pasted into AI tools to draft emails, summarise cases, and answer questions. The monitoring layer captures all of it.
Source code and credentials
Developers paste proprietary code, configuration, connection strings, and occasionally live secrets into AI assistants. Prompt capture preserves them, wherever the vendor stores them.
Financial and deal data
Board papers, forecasts, pricing models, and M&A material are exactly the documents employees most want summarised. They are also the documents your regulators care most about.
Legal and privileged material
Contracts, advice, disputes, and investigation notes flow through prompts in legal and compliance teams. Storage location can affect privilege and disclosure analysis.
GDPR and Schrems II, practically
GDPR does not flatly prohibit storing personal data outside the EU. What it does, in Chapter V, is condition any transfer out of the European Economic Area on a valid legal mechanism: an adequacy decision for the destination country, standard contractual clauses, binding corporate rules, or a narrow derogation. Captured prompts routinely contain personal data, names in customer emails, HR matters, health details, so a security vendor storing them abroad puts that whole archive inside the transfer rules.
Schrems II, the 2020 ruling of the Court of Justice of the European Union, raised the bar. It invalidated the EU-US Privacy Shield and held that contractual clauses alone are not enough where the destination country's laws undermine them. In practice, organisations transferring EU personal data are expected to assess the destination jurisdiction and add supplementary measures where protections fall short. The EU-US Data Privacy Framework has since restored a lawful route for transfers to certified US companies, but it covers a single corridor and only certified companies, and it does not remove the assessment burden for transfers anywhere else.
The practical consequence for buyers is simple: every cross-border hop in a vendor's architecture is analysis you have to do, document, and defend. In-region storage and processing removes the question rather than answering it. That is why data residency has moved from a nice-to-have to a named requirement in security reviews run by EU, UK, and APAC regulated organisations.
This guide is general information for security and privacy teams, not legal advice. Confirm your obligations with qualified counsel.
10 questions to ask your AI security vendor
Put these to every vendor in the evaluation, in writing, and keep the answers with your procurement record. A vendor with real residency commitments will answer all ten quickly.
In which country or region is prompt content stored at rest?
The single most important question. Ask for a named country or region, not a hosting provider name or a phrase like secure cloud infrastructure.
Can we choose the region, and is the choice contractual?
Residency you cannot select, or cannot enforce in the contract, is a hosting detail rather than a commitment. Ask whether the region is fixed per customer and written into the agreement.
Is prompt content processed in-region, or only stored there?
Some architectures store data locally but route it elsewhere for analysis. Processing location matters as much as storage location for any transfer assessment.
Which sub-processors receive prompt content, and where do they run?
Model providers, analytics services, and support tooling can quietly move prompt content across borders. Ask for the sub-processor list with locations, scoped to prompt data specifically.
Is prompt content ever used to train or improve models?
If yes, ask where that training happens and whether you can opt out in writing. Training pipelines are a common path for data to leave its stated region.
What is the retention period for prompt content, and can we configure it?
Shorter retention shrinks the blast radius of any incident. Look for per-customer configurable retention rather than a fixed vendor-wide default.
Who at the vendor can access stored prompt content, and from which countries?
Support and engineering access from another jurisdiction can itself constitute a transfer. Ask how access is gated, logged, and reviewed.
What happens to prompt data when the contract ends?
Ask for deletion timelines, the treatment of backups, and whether the vendor will certify deletion. Exit terms are where residency promises often go quiet.
Is residency stated in the DPA and security documentation, or only on the website?
Marketing pages are not contracts. If the storage region does not appear in the DPA, treat the residency claim as unverified until it does.
Which certifications cover the controls around stored prompts?
SOC 2 Type II or an equivalent independent audit, with the systems that store prompt content in scope. Ask for the report, not just the badge.
What public vendor documentation typically discloses
Security pages and trust centers follow a pattern. Knowing what is usually published, and what is usually missing, tells you which answers you will need to chase in the DPA.
Usually published
- The primary cloud or hosting provider
- Broad certifications such as SOC 2 or ISO 27001
- A general sub-processor list
- Encryption in transit and at rest
- A privacy policy covering the vendor's own website
Usually missing
- The specific country or region where prompt content is stored at rest
- Whether the customer can choose the storage region
- Whether processing, not just storage, stays in-region
- Which sub-processors receive prompt content specifically
- Where support and engineering staff access stored prompts from
- Retention defaults and configurability for prompt content
None of this means a given vendor lacks good controls. It means public documentation rarely answers the residency question on its own, so the checklist above has to be worked through vendor by vendor, in writing.
Aona's answer to the checklist
Aona built data residency in as a product decision, so the checklist answers are short.
7 live regions, you choose
Australia (Sydney), France (Paris), the United Kingdom (London), Germany (Frankfurt), the United States (Central), Singapore, and Hong Kong. You select your region at the start of your deployment.
Prompts stay in-region
Prompts, AI interactions, file-upload content, audit logs, and policy data are processed and stored on dedicated regional infrastructure in your chosen region. They are not moved to another region.
Audited and configurable
Aona is SOC 2 Type II certified across the Security, Availability, and Confidentiality criteria, and data retention is configurable per customer, for example 30, 90, or 180 days.
Full region list and FAQ on the AI data residency page.
Frequently asked questions
Know where your prompt data lives
before you sign
Aona keeps prompts, file uploads, and audit logs in the region you choose, across 7 live regions. Bring the checklist to a demo and work through it with us.