Data residency for regulated Jira and Confluence buyers: UK, EU, Canada, APAC

Rewind | Last updated on May 1, 2026 | 7 minute read

One sentence ends enterprise backup evaluations on the first security review: “We require UK data residency for our Jira and Confluence backups.” Sometimes EU. Sometimes Canada. Sometimes Australia. A vendor that cannot answer in 48 hours loses the deal, and nobody says why.

Governance leads and procurement reviewers run the same three questions on every SaaS evaluation: Where does data live at rest? Where does processing happen? Where are the keys held? A clean answer advances the deal. A vague answer puts it on ice.

Gartner projects that by 2028, 75% of enterprises will prioritize SaaS backup as a critical requirement, up from 15% in 2024. Kaseya found 87% of IT professionals reported SaaS data loss in 2024, led by malicious deletions. Sophos reports that in 94% of ransomware attacks, criminals tried to compromise the victim’s backups. And 79% of technology leaders admit they are not completely prepared for regulations like DORA, per Cockroach Labs.

What data residency actually means

Residency is three things:

  • Storage location, where data sits at rest
  • Processing location, where compute runs against the data
  • Encryption key locality, where the keys that decrypt the data are held

A vendor that answers only the first has answered a third of the question. Rewind supports data residency with customer choice of storage region across five regions: EU, US, Canada, Australia, and UK. Supported regions vary by product integration; for Jira and Confluence, all five are supported options.

EU: GDPR, NIS2, DORA, and Schrems II

GDPR, the General Data Protection Regulation, is the anchor for any EU residency conversation. Article 32(1)(c) calls for “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” That is a backup obligation in plain language. GDPR Article 83 Tier 1 tops out at EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Tier 2 doubles to EUR 20 million or 4%.

NIS2, Directive (EU) 2022/2555, is the updated EU cybersecurity directive for essential and important entities. Article 34 pegs maximum fines for essential entities at “at least EUR 10 million or at least 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.” Important entities face at least EUR 7 million or 1.4%.

DORA, Regulation (EU) 2022/2554, has been applicable since January 17, 2025. It covers roughly 22 types of EU financial entities and critical ICT third-party service providers. Article 12 governs ICT continuity and backup policies.

Cross-border transfers carry their own test. Schrems II, Case C-311/18, decided by the CJEU Grand Chamber on 16 July 2020, invalidated the EU-US Privacy Shield. It confirmed that Standard Contractual Clauses, SCCs, remain valid but require transfer impact assessments and supplementary measures where third-country law does not afford “essentially equivalent” protection.

Enforcement is not theoretical. Deutsche Wohnen was fined EUR 14.5 million by the Berlin Data Protection Authority in October 2019 for retention and deletion failures. A Berlin court overturned the fine on procedural grounds in 2021, and the case remains legally unresolved. The evidence of retention and deletion is still what reviewers probe.

UK: the IDTA, the addendum, and the data bridge

UK buyers operate under a stack of overlapping instruments: UK GDPR, the UK Data Protection Act 2018, the UK IDTA, the UK Addendum to EU SCCs, and the UK Extension to the EU-US Data Privacy Framework. The UK IDTA, the International Data Transfer Agreement, has been mandatory for new restricted transfers since 21 March 2024. The UK-US Data Bridge entered force on 12 October 2023. The choice between IDTA, UK Addendum, and Data Bridge turns on where data flows and under which instrument. A vendor that cannot name both its residency regions and the contracting instrument it uses has not answered the question.

Canada: PIPEDA, Quebec Law 25, and the provinces

The Canadian regime operates at the federal level, with provincial layers. PIPEDA, the Personal Information Protection and Electronic Documents Act, is the federal baseline. Quebec Law 25, originally Bill 64, phased in from 2022 through 2024 and tightened Quebec’s private-sector rules substantially. Alberta PIPA and BC PIPA are the provincial laws deemed substantially similar to PIPEDA. Other provinces default to PIPEDA. A Canadian customer with operations in Quebec, Alberta, or BC will ask where backup data lives, whether it crosses the border, and how the vendor handles provincial notification obligations.

Australia and APAC: the Privacy Act, APPs, and APRA CPS 234

Australian buyers work from the Privacy Act 1988 (Cth). Two Australian Privacy Principles, APPs, carry most of the residency weight. APP 8 governs cross-border disclosure. APP 11 governs security.

The 2024-2025 Privacy reforms tightened the regime further. The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. A new statutory tort for serious invasions of privacy commenced on 10 June 2025. Regulated financial entities also operate under APRA CPS 234 Information Security, the prudential standard effective since 1 July 2019.

US regulated industries: HIPAA and SEC 17a-4

Healthcare buyers ask through the HIPAA lens. 45 CFR 164.316(b)(2)(i) requires six years of retention for policies, procedures, and compliance documentation, “from the date of its creation or the date when it last was in effect, whichever is later.” 45 CFR 164.308(a)(7) mandates Contingency Plan standards, including a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode Operation Plan. All three are required.

The 2026 HIPAA civil monetary penalty tiers took effect January 28, 2026. Tier 1 starts at a minimum of $145 per violation. Tier 4 caps at $2,190,294 annually.

Financial-services buyers ask through the SEC lens. SEC Rule 17a-4 applies to broker-dealers and security-based swap entities, and mandates preservation of specified business records for three to six years depending on record type. Post-2022 amendments, SEC Release No. 34-96034 effective May 3, 2023, permit audit-trail storage as an alternative to WORM.

The penalty precedent is concrete. JP Morgan paid $125 million to the SEC in 2021, announced December 17, 2021, for recordkeeping failures involving off-channel communications. A separate $75 million went to the CFTC. In August 2023, the SEC charged 11 firms, 10 broker-dealers plus one dually-registered investment adviser, with off-channel communications recordkeeping violations, imposing $289 million in combined civil money penalties.

Rewind’s residency and compliance posture

Rewind is a SaaS resilience platform built on independent architecture, not a plugin, which keeps data accessible even if the SaaS vendor is compromised. Rewind is an Atlassian Silver Marketplace Partner, Cloud Fortified for Jira and Confluence.

Rewind uses AES-256 encryption in transit and at rest. BYOK (Bring Your Own Key) runs through AWS KMS, so only your organization can encrypt and decrypt backup data. BYOS, Bring Your Own Storage, lets you store backup data in your own AWS S3 environment. Rewind follows the 3-2-1 backup rule for SaaS: three copies of your data, in two different places in the cloud, one of which is not your SaaS provider.
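The three-part definition of residency given earlier (storage, processing, keys) and the BYOK/BYOS arrangement in this paragraph can be checked against a real bucket rather than taken on trust. The script below is an added example written for this article, not Rewind's code and not an AWS API: it takes dictionaries shaped like the boto3 responses for `get_bucket_location`, `get_bucket_encryption` and `get_bucket_policy` (constructed inline here rather than fetched), and reports whether the backup data at rest and the KMS key that decrypts it both sit in the required region and in the customer's own account, and whether the bucket policy refuses any write that is not encrypted with that pinned key. The region `eu-west-2`, the account id `111122223333`, the bucket name and the key id are placeholders.

```python
"""Offline residency check for a BYOS/BYOK backup bucket (added example).

Inputs are dicts shaped like the boto3 S3 responses for get_bucket_location,
get_bucket_encryption and get_bucket_policy. The samples at the bottom are
constructed for this example; in practice they would come from boto3 calls.
"""
import json
from dataclasses import dataclass, field

REQUIRED_REGION = "eu-west-2"       # assumed requirement: UK (London)
CUSTOMER_ACCOUNT = "111122223333"   # placeholder account id, not a real account
KEY_CONDITION = "s3:x-amz-server-side-encryption-aws-kms-key-id"


@dataclass
class ResidencyReport:
    storage_ok: bool   # bucket region matches the required region
    key_ok: bool       # default KMS key is in that region and in the customer's account
    policy_ok: bool    # bucket policy denies writes that do not use the pinned key
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return self.storage_ok and self.key_ok and self.policy_ok


def parse_arn(arn: str) -> dict:
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return {"service": parts[2], "region": parts[3], "account": parts[4], "resource": parts[5]}


def bucket_region(location_resp: dict) -> str:
    # S3 reports LocationConstraint as None for buckets in us-east-1.
    return location_resp.get("LocationConstraint") or "us-east-1"


def default_kms_key(encryption_resp: dict):
    """Return the customer-managed KMS key ARN used for default encryption, or None."""
    rules = encryption_resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") == "aws:kms":
            return sse.get("KMSMasterKeyID")
    return None


def policy_pins_key(policy_resp: dict, key_arn: str) -> bool:
    """True if some Deny statement blocks s3:PutObject unless it uses key_arn."""
    policy = json.loads(policy_resp["Policy"])
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if cond.get(KEY_CONDITION) == key_arn:
            return True
    return False


def assess(location_resp, encryption_resp, policy_resp,
           required_region=REQUIRED_REGION, customer_account=CUSTOMER_ACCOUNT) -> ResidencyReport:
    """Evaluate storage location, key locality and key pinning for one bucket."""
    findings = []
    region = bucket_region(location_resp)
    storage_ok = region == required_region
    if not storage_ok:
        findings.append(f"storage: bucket is in {region}, required {required_region}")

    key_arn = default_kms_key(encryption_resp)
    key_ok = False
    if key_arn is None:
        findings.append("key: default encryption is not SSE-KMS with a customer-managed key")
    else:
        key = parse_arn(key_arn)
        key_ok = key["region"] == required_region and key["account"] == customer_account
        if key["region"] != required_region:
            findings.append(f"key: KMS key is in {key['region']}, required {required_region}")
        if key["account"] != customer_account:
            findings.append(f"key: KMS key is owned by account {key['account']}, not the customer")

    policy_ok = key_arn is not None and policy_pins_key(policy_resp, key_arn)
    if not policy_ok:
        findings.append("policy: no Deny on s3:PutObject for objects not encrypted with the pinned key")
    return ResidencyReport(storage_ok, key_ok, policy_ok, findings)


# Constructed sample responses (not real AWS output) for a UK-resident backup bucket.
UK_KEY = f"arn:aws:kms:eu-west-2:{CUSTOMER_ACCOUNT}:key/REPLACE-WITH-KEY-ID"
UK_LOCATION = {"LocationConstraint": "eu-west-2"}
UK_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": UK_KEY}}]}}
UK_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnpinnedKey", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-backups/*",
    "Condition": {"StringNotEquals": {KEY_CONDITION: UK_KEY}}}]})}
# Same bucket, but the default key lives in us-east-1: data is resident, the key is not.
US_KEY_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": UK_KEY.replace("eu-west-2", "us-east-1")}}]}}

if __name__ == "__main__":
    for label, enc in (("uk-key", UK_ENCRYPTION), ("us-key", US_KEY_ENCRYPTION)):
        report = assess(UK_LOCATION, enc, UK_POLICY)
        print(label, "compliant" if report.compliant else "NOT compliant", report.findings)
```

The second sample is the case the article warns about: a vendor that answers only the storage question passes the `storage_ok` check and fails `key_ok`, because the key that decrypts UK-resident data is held in another region. Processing location, the middle of the three parts, is not visible from bucket configuration at all; it has to come from the vendor's written answer.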

Rewind holds SOC 2 Type II and SOC 3, latest reports issued May 2025, and is certified to ISO/IEC 27001:2022, the international information security management standard, as of June 2025. A Business Associate Agreement is available for HIPAA, and Rewind supports HITECH compliance. Rewind also holds STAR Level 1 from the Cloud Security Alliance STAR program, is a CSA member, and is a CISA Secure by Design pledge signatory. Rewind supports compliance with SOC 2, ISO/IEC 27001:2022, GDPR, CCPA/CPRA, PIPEDA, DORA, HIPAA via BAA, and HITECH.

Rewind ships failover-ready capabilities, predefined options that keep humans in control while minimizing disruption. Hot Standby for Jira, scheduled for Q2 2026, is a pre-synced secondary Jira instance in a different region. Pilot Light for Jira is scheduled for Q3 2026. Both are publicly announced. Timelines are subject to change.

Seven questions to ask any SaaS backup vendor

Ask these in writing and compare answers side by side:

  1. In which regions is backup data stored?
  2. In which regions does processing occur?
  3. Where are the encryption keys held?
  4. Are the Data Processing Agreements aligned to my jurisdiction?
  5. What is the subprocessor register?
  6. How are cross-border transfers handled, and under which instrument?
  7. What is the breach notification posture?

GDPR Article 33 requires notification to the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware” of a personal data breach. That 72-hour window is the deadline a DPO is working against on day one.

The Atlassian Backup and Restore baseline

Atlassian’s Backup and Restore for Atlassian Cloud delivers a 24-hour RPO, a 12-hour RTO, and 30-day retention, with Jira sites covered up to 300 GB and Confluence sites up to 32 GB. On April 29, 2026, Atlassian Cloud Backup and Restore exited open beta and became a paid add-on. The v1 Backup Manager API was deprecated on March 30, 2026. Atlassian’s Backup and Restore follows Atlassian’s infrastructure choices for your site, which is a separate question from where your independent backup copy lives.

Jeremy Neyhart, Engineering Manager at Lutron, put it plainly: “We have a requirement to maintain daily data backups for everything we do in engineering. That is just not feasible with SaaS.” The residency version of that requirement sits on procurement desks across the UK, EU, Canada, and APAC.

Rewind is trusted by more than 25,000 organizations worldwide. Learn more about Rewind’s data residency and compliance documentation at rewind.com/trust.


Rewind
Rewind is a leading and trusted provider of cloud backup and data recovery solutions, helping businesses safeguard their critical SaaS data from loss, corruption, and cyber threats.