Data residency
- Enterprise only
- Private preview
This feature is in Private preview and subject to change. It is available only to Enterprise users on multi-tenant SaaS.
You can choose the geographic region where your security assessment data is stored and processed. Your organization gets the same XBOW platform as other users with all the security-sensitive data kept in your selected region.
Available regions
The standard XBOW platform at console.xbow.com is hosted in the United States and is available to all customers. This is not a data residency region — it is the default platform.
Each data residency region is a separate deployment in a specific Amazon Web Services (AWS) location.
| Region | AWS location | Console URL | API URL | Status |
|---|---|---|---|---|
| European Union | EU (Frankfurt) | console.eu.xbow.com | console.eu.xbow.com/api | Private preview |
| Singapore | Asia Pacific (Singapore) | console.sg.xbow.com | console.sg.xbow.com/api | Private preview |
Additional regions will be added based on customer demand. Contact the XBOW sales team to discuss region requirements.
Note: API keys and webhooks are region-specific. An API key created in the EU region only works against console.eu.xbow.com/api. Keys and webhooks are not interchangeable between the standard platform and data residency regions.
Data storage and processing
All security-sensitive data is stored and processed in your chosen data region. Operational data is stored centrally.
Security-sensitive data
All security-sensitive data you share with XBOW or that XBOW generates is stored and processed in your chosen region:
- Application inventory — asset names, target URLs, discovered endpoints, boundary rules, headers, authentication configuration
- Credentials and secrets — application credentials stored for assessments, API tokens, webhook signing keys
- Assessment guidance — uploaded source code, OpenAPI specs, documents, endpoint extraction results, focus, and exclusion configurations
- Assessment results and reports — scan summaries, assessment traces, endpoint coverage data, and exported reports
- Security findings and vulnerabilities — vulnerability details, severity scores, CVSS vectors, exploit payloads, proof of concepts, remediation guidance, finding states, and history
- Audit logs — user actions, configuration changes, assessment triggers, finding state changes
- User identities — email addresses, authentication configuration, login history, user roles, and permissions
Data processed by AI models
During assessments, XBOW sends prompts to an AI model through providers that support your chosen data region. These prompts may contain structural information about your application (endpoint paths, parameter names), as well as previously observed behavior and conclusions obtained by the AI model itself.
Operational data
Operational data that does not contain information about your users, vulnerabilities, application code, or security posture is managed globally:
- Account and billing — company name, subscription plan, payment information, invoice history
- Support communications — support tickets and customer service conversations
- Platform telemetry — system health metrics, error rates, performance monitoring
Note: Do not include sensitive security details in support tickets. Instead, add links to the identifiers for findings. This ensures that details of the actual finding stay in your region.
Frequently asked questions
Do I need data residency?
You need data residency if your organization has policies, contractual commitments, or governance requirements that mean security assessment data should remain within a specific geographic region. If you have no such requirements, the standard platform at console.xbow.com is sufficient.
Does data residency affect features or performance?
No. You get the same XBOW features regardless of region. Performance may improve if you are geographically closer to your selected region, as console and API requests are served from regional infrastructure.
Can I use multiple regions for one organization?
Not currently. Each organization is associated with one region. If you need multiple regions, contact the XBOW sales team.
How does data residency interact with SSO?
User identity data is stored in your regional instance. If you use SAML or OIDC Single Sign-On, your identity provider handles authentication. XBOW stores the user profile and role assignment in-region.