Deep-dive · Design 2.5
Region choice is one of the first decisions you make and one you cannot reverse without a migration. Personal data leaves the EEA only with a valid mechanism, and since Schrems II that often means extra homework. Scroll through the decision.
Pick an EU region as the primary home for any EU-personal-data system, even if your company's centre of
gravity is elsewhere. Defaulting to us-east-1 is the most common avoidable mistake, and it is
nearly irreversible.
Data may go outside the EEA only with (a) an adequacy decision, (b) appropriate safeguards such as SCCs or BCRs, or (c) a narrow Art. 49 derogation. No mechanism, no transfer.
For an adequacy country (Art. 45) the transfer needs no extra safeguard. The list includes the UK, Switzerland, Japan, and the US for organisations self-certified to the Data Privacy Framework. Treat the DPF as "valid today, verify before relying on it": a CJEU appeal is pending.
Standard Contractual Clauses (Art. 46) are the usual route. Since Schrems II they are not enough on their own: run a Transfer Impact Assessment, and where the destination's surveillance law is problematic, add supplementary measures.
Art. 49 derogations (explicit consent, contract necessity, legal claims) are for one-off situations. "Explicit consent" for routine transfers is fragile; "necessary for the contract" is narrow. Do not build on them.
"Encrypted with keys we control in the EU" is the strongest supplementary measure. Use customer-managed keys in an EU KMS for anything that touches non-EU infrastructure, even ancillary services like CDN, observability and support tooling. Keep a transfer register parallel to the RoPA.
Control plane operations, IAM, billing metadata, support data and some global services involve US processing regardless of the data-plane region. And residency is not sovereignty: under the CLOUD Act a US-headquartered provider can be compelled to produce data even when it sits in the EU. Document those flows; consider sovereign-cloud options where it matters.