Survey reveals that data sovereignty is becoming the default for organizations, not the exception

We asked over 500 respondents where the organizations they worked for stored their data and why. Our research reveals that data residency and data sovereignty are key considerations for businesses and that some countries are ahead of the trend.

A quick definition:

• Data residency refers to the physical or geographical location where an organization stores its digital data.
• Data sovereignty is the principle that any organization's data is subject to the laws and regulations of the country, continent, or region where it is collected, stored, and/or processed.

Data residency and data sovereignty are becoming more important considerations for businesses globally, as regulations like GDPR and PIPEDA define what organizations can and can't do with their data, and why they're liable for what happens to it.

For many organizations, especially those in highly regulated industries like healthcare and legal, this scrutiny on data storage means that it makes sense to store data locally to maintain security and comply with the law.

Our poll suggests that data residency and sovereignty are on the minds of many leaders. In fact, only 11.7% of respondents across the EU, Canada, and Australia say they're comfortable storing organizational data outside their country or continent. Meanwhile, 80.1% already store it locally, and another 8.2% have moved in the last 12 months or are actively evaluating a move.

This tallies with data from other sources: Cisco's 2025 Data Privacy Benchmark Study found that 90% of organizations believe data stored locally is inherently safer.

Also, for the first time since Cisco began tracking this in 2019, more than half of global consumers (53%) said they're aware of their country's privacy laws in 2025.

Organizations want compliance, control, and, increasingly, governance

Among the 435 respondents who ranked the reasons behind their approach, the strongest drivers were regulatory requirements and internal security and compliance policies.

Each appeared in the top three reasons for roughly two-thirds of respondents. Regulatory requirements were in the top three for 67.6% of respondents, while internal security and compliance appeared in the top three for 68.3%.

By comparison, reducing costs was selected in the top three by 32.4% of respondents. That gap suggests that organizations are not treating data residency as a simple hosting preference or a budget exercise; they are treating it as a governance issue tied to compliance, oversight, and internal risk controls.

When it came to what was ranked top, regulatory requirements came first by some margin at 40%, more than twice the number of respondents who ranked internal security and compliance: 19.5%.

‍

One of the clearest patterns in the survey appears when you isolate the organizations that are in motion or have moved their data recently.

Among respondents who had moved their data locally in the last 12 months or were actively evaluating a move, improving data sovereignty and control became much more prominent. In the full ranking sample, 11.0% chose data sovereignty and control as their number one reason. Among organizations that had moved or were evaluating a move, that rose to 23.1%.

The same pattern appears with foreign jurisdiction concerns. Overall, 2.5% of ranked respondents selected limiting foreign jurisdiction access as their number one reason. Among organizations that had moved or were considering a move, that rose to 5.1%.

A comparison of the top three reasons shows the same difference in perspective:

• Data sovereignty and control rose from 46.4% overall to 53.8% among organizations in motion
• Limiting foreign jurisdiction access rose from 20.0% overall to 33.3%

Australian and Canadian organizations most invested in data sovereignty

Australian (92.6%) and Canadian (92.3%) organizations were the most likely to say that they stored their data within their respective countries. 83% of organizations in the EU store their data within the EU, while 68.8% of organizations in the rest of the world host their data in their country or continent.

In some ways, Canada was an outlier.

Among Canadian respondents who store data locally or are considering moving data locally, 33.3% placed limiting foreign jurisdiction access in their top three. Across the full ranking sample, the average was 20.0%.

"Although Canada's PIPEDA doesn't explicitly require personal data to remain in Canada, the U.S. CLOUD Act has caused a growing concern among Canadian organizations about U.S. authorities accessing Canadian data held by U.S.-linked cloud providers, even when that data is stored in Canada."
‍
– Elliot Kim, CEO, Checkbox

What this means for software vendors and users

There is a practical takeaway running through all of this.

Organizations are not simply buying data management platforms, survey software, or research tooling based on features alone. They are also evaluating the conditions around deployment.

• Can cloud platforms be hosted in-region?
• Can they support stricter governance requirements?
• Can the organization retain tighter control over its data environment if it needs to?
• Could an on-premises deployment be a better alternative to cloud platforms?

For teams running sensitive studies, collecting regulated data, or operating inside large enterprise and public sector environments, it's especially relevant. In those settings, deployment flexibility is not a nice-to-have; it becomes part of the buying criteria.

"We're seeing some interesting trends when it comes to data sovereignty and data residency. In some regions, like Canada, even small, sometimes one-person, teams are asking for solutions to repatriate their data and systems back to their countries – a concern we usually only heard from enterprise-level businesses."
‍
– Elliot Kim, CEO, Checkbox

It's no surprise, then, that according to data from Mordor Intelligence, the data residency and data sovereignty tool market is expected to grow 25% between 2025 and 2030.

Our poll results point to a market that is already moving in that direction. For many teams, data residency and data sovereignty are now part of their infrastructure strategy. For a smaller but important group, data sovereignty and foreign jurisdiction concerns are significant reasons they are changing direction right now.

Respondent statistics

• There were a total of 554 respondents.
• All respondents were in full- or part-time employment and worked either in the office or in a hybrid work environment.
• 435 respondents completed the reason ranking question.