Skip To Content

ArcGIS Trust Center

  • Overview
  • Security
  • Privacy
  • Trusted AI
  • Compliance
  • Documents
Launch Security Adviser
Back to Top

Regional Hosting

In this topic

  1. Esri ISO Certification
  2. Data Residency, Sovereignty, & Localization
  3. Storage & Processing
  4. EU Services in Scope
  5. Deployment Options
  6. Resources

Regional hosting is the foundation in supporting ArcGIS Online customer data residency and data sovereignty objectives. This approach allows users to meet regulatory requirements while optimizing performance. Esri allows customers to select the geographic region-such as the United States, European Union (EU), or the Asia-Pacific (APAC), where their ArcGIS Online data will be stored. This decision is based on the customer's business needs, privacy requirements, and compliance obligations. This regional choice is made during the initial ArcGIS Online purchase or creation of a new organization. Once an organization is provisioned, its hosting region cannot be changed.

For customers with EU-specific security or compliance requirements, Esri's ISO/IEC 27001 certification for ArcGIS ISO Cloud applies to in-scope services in the European regional hosting location.

Esri ISO Certification

Esri's ISO/IEC 27001:2022 certification demonstrates our commitment to keeping your data safe and secure, helping you meet EU and local regulatory requirements with confidence. Our ArcGIS ISO Cloud certification covers ArcGIS Online and ArcGIS Location Platform hosted in the EU, meaning your sensitive data and personally identifiable information (PII) are protected with industry-leading security practices. With Esri Certified Services, you can focus on getting the most out of your location intelligence with a peace of mind.

Note:
While regional hosting includes APAC, Esri's ISO 27001 certification for ArcGIS ISO Cloud currently applies to in-scope services in the European regional hosting location and does not extend to APAC. Esri is actively working to expand ISO 27001 certification coverage to include APAC. AWS and Microsoft Azure maintain ISO 27001 certifications for in-scope cloud services, which support underlying infrastructure assurance but do not extend Esri's ISO scope.

Data Residency, Sovereignty, & Localization

Data sovereignty and data residency requirements are typically driven by jurisdictional laws, sector obligations, and organizational policy. In practice, these requirements can affect where data is stored, where it is processed, and how it is delivered to users.

  • Data residency (where): The geographic location where data is stored (data at rest).
  • Data sovereignty (whose laws): The concept that data is governed by the laws and regulations of the jurisdiction in which it is situated and used.
  • Data localization (where + how): Stricter requirements that data generated within a country's borders must be stored and processed within that same country.

Regional hosting is a primary control for residency of hosted geospatial data. For customers with stricter sovereignty or localization needs (for example, constraints on cross-border processing or country-specific requirements), Esri recommends combining regional hosting with governance and architecture choices described in the Deployment Options section below.

Replication

To support high availability, the solution hosts data in the customer selected region. These regions are designed to support geographic redundancy within the region (for example, across availability zones). To preserve regional data residency and support sovereignty expectations, hosted data is not replicated to other regions and does not fail over to other regions. In the unlikely event of a full regional outage, service for region-hosted resources is restored within the region when service is recovered.

Storage & Processing

Storage

When a customer uses an EU subscription, the following data sets are stored within the EU region only:

  • All customer uploads (shape files. .csv etc.)
  • All content is saved in a dedicated EU-based database
  • All customer configured caches are stored in the EU database

Processing

  • Authentication for ArcGIS Online/Platform is processed in the US, which is FedRAMP-authorized, rather than within the EU region.
  • If a customer prefers not to store user accounts in ArcGIS Online (hosted in the US), Esri recommends leveraging SAML authentication, allowing customers to manage accounts through their Identity Provider in alignment with organizational requirements.

Location

Depending on the origin of the request, processing of customer requests may occur in either the EU or the US. Specifically, for platform services who need to utilize the available designated EU endpoints, geoproximity is configured to ensure processing of their requests is handled in the EU.

  • If your request originates from the EU, it will be processed within the EU region, as long as the requested service or capability is hosted there. Otherwise, the request will be routed to the US.
  • If your request originates from the US, then processing will occur in the US.

Note:

URL alone regardless of EU-only URL does not guarantee EU-only routing. Physical location +geoproximity + CloudFront edge locations affect where the customer request is first handled.

EU Services in Scope

There are several services hosted in the EU which are part of the ISO 27001. Customers who need to ensure that they are leveraging strict EU endpoints can ensure their requests are processed within EU-based infrastructure (subject to the routing considerations noted in the location section). Please refer to the Esri Certified Services from the ArcGIS Trust Center for a list of services with respective endpoints.

Deployment Options

There are 3 common deployments patterns for addressing sovereignty and localization concerns.

  1. SaaS Only - ArcGIS Online Region
  2. Hybrid - ArcGIS Enterprise & ArcGIS Online
  3. Customer Hosted - ArcGIS Enterprise

SaaS Only - ArcGIS Online Region

Use when your primary need is to keep hosted geospatial data stored in one of the regions provided by ArcGIS Online (Currently US, EU, and APAC).

Recommended controls:

  • Specify your region at organization purchase time (region is selected at purchase and cannot be changed).
  • Classify data and decide what can safely use global services (see Customer Hosted pattern below if you need strict limitations).
  • Review workflows that call location-based services that operate from the United States if regional specific processing is required.

Hybrid ArcGIS Enterprise & ArcGIS Online

Use when you need tighter control of where sensitive data is stored and processed while still using ArcGIS Online for discovery, collaboration, or less-sensitive content.

Recommended controls:

  • Host sensitive datasets and analytics in ArcGIS Enterprise (self-managed or managed in a location you approve).
  • Publish or register only the necessary services/metadata into ArcGIS Online for discovery and collaboration.
  • Use ArcGIS Online regional hosting for non-sensitive hosted content where appropriate.
  • A related hybrid pattern is to keep sensitive datasets in Enterprise while storing non-sensitive datasets in specific ArcGIS Online regions (commonly used for SDI/Open Data scenarios).

Customer Hosted - ArcGIS Enterprise

Use when you require constraints beyond SaaS regional storage (for example: Country-specific localization, or strict rules for cross-border data access).

Recommended controls:

  • Keep sensitive enrichment, geocoding, routing, and analytics within environments you control where possible.
  • Minimize or avoid workflows that send sensitive inputs to services documented as operating from outside the required jurisdiction.

  • Define governance controls for sharing, access, logging, and incident response aligned to your regulatory obligations.

Resources

  • Understanding Data Sovereignty & ArcGIS (Presentation)
  • ISO Trust Center Page
  • Esri ISO 27001 Certificate
  • Listing of Esri Certified Services

Feedback on this topic?

In this topic
  1. Esri ISO Certification
  2. Data Residency, Sovereignty, & Localization
  3. Storage & Processing
  4. EU Services in Scope
  5. Deployment Options
  6. Resources