EU/US Data Residency — Choose where events are processed

TrackLayer

Start free

Language

EN DE FR ES PT JA

Theme

Currency

Start free

← /security overview

TRACKLAYER · PRIVACY

Choose where your
events are processed.

Pro+ plans select a processing region at account setup. EU merchants route through Dublin (eu-west-1). US merchants route through Virginia (us-east-1). Events stay in-region from edge to delivery.

Start free trial →READ THE DOCS

WHY RESIDENCY MATTERS

▸ GDPR Article 45 requires adequacy decisions before transferring EU personal data to US servers
▸ Customer contracts increasingly demand explicit residency clauses for PII processing
▸ German health and French finance merchants cannot legally route events through US infrastructure
▸ Enterprise security teams audit data flow diagrams for cross-border exposure

Most server-side tracking tools either (a) process everything in us-east-1 or (b) require separate deployments per region. TrackLayer routes per merchant at the queue layer — one account, regional isolation.

$ tracklayer account residency

// merchant residency configuration

merchant_id: m_abc123

region: eu-west-1 (Dublin)

ingest_queue: tracklayer-events-eu

delivery_queue: tracklayer-delivery-eu

processing_region: locked

─── event flow ───

→ browser → edge-eu-1 → ingest-worker-eu → consumer-worker-eu → meta-eu-api

▸ suggestion: All event processing happens within eu-west-1. No US hop. No cross-region database reads. Delivery fan-out respects platform API region when available (Meta CAPI EU endpoint).

// THE PROBLEM

Server-side tracking concentrates residency risk.

Client-side pixels defer to browser jurisdiction.When a user in Frankfurt clicks a Meta ad, the pixel fires from their local browser. Meta receives the event via its EU edge. The EU merchant doesn't need to think about residency — the browser handled it.

Server-side tracking changes that. Events now flow through your infrastructure before reaching the platform. If your queue is in us-east-1, you've just created a GDPR Article 45 transfer without an adequacy decision.

Enterprise procurement checks flow diagrams.Security teams scan architecture docs for data crossing borders. 'Does this SaaS process EU PII in the EU?' is a standard questionnaire line item.

When the answer is 'no', the deal stalls. The fix isn't explaining the adequacy decision. The fix is offering regional processing as a first-class feature.

§ 01

Regional queues and workers.

Pro+ merchants are assigned to a processing region at account creation. All queues, workers, and consumer processes live in that region.

§ 01

Ingest routing at edge

Edge worker inspects merchant residency config. EU merchants → tracklayer-events-eu (D1). US merchants → tracklayer-events-us.

§ 02

Regional queue isolation

tracklayer-events-eu and tracklayer-events-us are separate Cloudflare queues. Workers only poll their assigned queue.

§ 03

Worker colocation

Ingest workers and consumer workers run in the same region as their queue. No cross-region worker dispatch.

§ 04

Database residency enforcement

D1 database has region metadata. Queries are scoped by merchant_id → region mapping. Cross-region queries rejected.

// queues · regional isolation

queue_id                  | region    | merchant_count | last_processed | events_backlogged
--------------------------+-----------+----------------+----------------+------------------
tracklayer-events-eu      | eu-west-1 | 12,847         | 14:02:11 UTC  | 0
tracklayer-events-us      | us-east-1 | 8,432          | 14:02:08 UTC  | 0
tracklayer-delivery-eu     | eu-west-1 | 12,847         | 14:02:10 UTC  | 142
tracklayer-delivery-us     | us-east-1 | 8,432          | 14:02:07 UTC  | 89

§ 02

Cross-region drop enforcement at consumer.

Consumer worker validates region before platform delivery. If an EU merchant's event somehow routes to us-east-1, the worker drops it before sending.

// consumer · region validation

// Consumer worker region check (Phase 6.6)
async function validateRegion(event: Event): Promise&lt;ValidatedEvent | null&gt; {
  const merchant = await getMerchant(event.merchant_id);
  const queueRegion = await getQueueRegion(event.queue_id);

  // Drop cross-region events before platform send
  if (merchant.residency_region !== queueRegion) {
    await logDrop({
      event_id: event.event_id,
      reason: 'cross_region_enforcement',
      merchant_region: merchant.residency_region,
      queue_region: queueRegion,
    });
    return null; // Drop without sending to platform
  }

  return { ...event, validated_region: queueRegion };
}

This enforcement happens after queue polling but before any platform API call. Even if a misconfiguration routes an EU merchant's event to a US worker, the platform never receives the event outside its compliance boundary.

§ 03

Limitations and roadmap.

Current implementation is best-effort residency. Full multi-region database partition is planned for Q3 2026.

current

Best-effort signal routing

Events route to regional queues at edge. Workers colocate with queues. Consumer enforces region before delivery. Platform API region is used when available (Meta CAPI EU endpoint).

roadmap

Full DB partition per region

Planned for Q3 2026. merchants table will be sharded by region. All queries will physically stay within regional database partitions. No cross-region reads even for admin operations.

roadmap

Region migration

Allow merchants to migrate from EU to US (or vice versa) without account re-creation. Planned for Q4 2026.

current

AP-south-1 support

Enterprise can select AP-south-1 (Mumbai) as processing region. Follows same queue/worker isolation model.

// HOW IT COMPARES

Other tools vs TrackLayer Data Residency.

CAPABILITYTRACKLAYERStapeElevar

Regional queue isolation•——

Worker colocation with queues•——

Cross-region drop enforcement•——

Platform API region routing (Meta EU)•~~

Per-merchant region assignment•——

AP-south-1 support•——

Separate deployment per region required—••

TRACKLAYER

Regional queue isolation: •
Worker colocation with queues: •
Cross-region drop enforcement: •
Platform API region routing (Meta EU): •
Per-merchant region assignment: •
AP-south-1 support: •
Separate deployment per region required: —

Stape

Regional queue isolation: —
Worker colocation with queues: —
Cross-region drop enforcement: —
Platform API region routing (Meta EU): ~
Per-merchant region assignment: —
AP-south-1 support: —
Separate deployment per region required: •

Elevar

Regional queue isolation: —
Worker colocation with queues: —
Cross-region drop enforcement: —
Platform API region routing (Meta EU): ~
Per-merchant region assignment: —
AP-south-1 support: —
Separate deployment per region required: •

// AVAILABLE ON

Pro+ and Enterprise.

EU/US data residency is part of the Pro+ tier ($599/mo). Enterprise adds AP-south-1 and dedicated regional infrastructure.

PRO+ · $599/moENTERPRISE · custom

§ A

Regional queues

tracklayer-events-eu / tracklayer-events-us with worker colocation.

§ B

Cross-region drop

Consumer enforces region before any platform API call.

§ C

Edge routing

Ingest routes to regional queue based on merchant config.

§ D

Platform endpoint routing

Meta CAPI EU endpoint used for EU merchants.

FAQ

Common questions about data residency.

Can I change region after signup?

Region is locked at account creation for compliance reasons. Region migration without re-creation is planned for Q4 2026. Contact support for edge cases.

What about Meta CAPI regional endpoints?

EU merchants use Meta's eu-west-1 CAPI endpoint. US merchants use us-east-1. Platform-specific regional routing is handled automatically.

Is PII hashed before regional routing?

Yes. PII hashing (email, phone) happens at ingest worker, which is collocated with the regional queue. No raw PII crosses regions.

Do you support AP-south-1?

Yes. Enterprise can select AP-south-1 (Mumbai) as processing region. Follows the same queue/worker isolation model as EU/US.

What's the difference between best-effort and full partition?

Best-effort (current) isolates queues and workers but admin operations may query across regions. Full partition (Q3 2026) shards the database by region so all queries physically stay within regional partitions.