The Data Sovereignty Questions Every Vendor Security Review Should Include
## The short answer
Most vendor security questionnaires ask one sovereignty question — "where is the data stored?" — and move on. That single question misses the majority of jurisdictional risk. A thorough review should also ask about **processing locations, administrative access, encryption key custody, sub-processor chains, government-request handling, and corporate control**. The presence or absence of clear answers to these reveals far more about your real exposure than a storage-region field ever will.
## Why one question isn't enough
A storage location tells you where the bytes rest. It tells you nothing about where they are processed, who can log in to administer them, who holds the keys, which other companies touch them, or who could be legally compelled to hand them over. Each of those is a separate avenue of exposure, and a vendor can have an impeccable storage answer while failing on all the others. A good questionnaire closes those gaps deliberately.
## The questions to add to your questionnaire
Group the questions so the vendor cannot answer one and imply they have answered all.
### Storage and processing
- In which countries is data stored at rest?
- In which countries is data processed, including analytics, search, and AI features?
- Can we pin or select a region, and is that commitment contractual?
- Do backups and disaster-recovery copies stay in the same region?
### Access and administration
- Who can technically access our data, and from which countries?
- Can administrative and support access be restricted to a named jurisdiction?
- How is privileged access logged, reviewed, and time-limited?
- Can support staff view our content, or only metadata?
### Encryption and key custody
- Is data encrypted at rest and in transit?
- Who holds the encryption keys — you or us?
- Can we use customer-managed keys, and what happens if we revoke them?
- Can you decrypt our data unilaterally?
### Corporate control and legal exposure
- Where are you and your parent company incorporated and headquartered?
- Could any foreign authority compel you to produce our data?
- What is your documented process for responding to government requests?
- Will you notify us of a request and challenge ones you consider overbroad?
### Sub-processors and the supply chain
- Can you provide a current sub-processor list with locations and data categories?
- How are sub-processors vetted and monitored?
- How and when are we notified of sub-processor changes?
- Do any sub-processors move data across borders?
## How to read the answers
The quality of the answers matters as much as their content. Look for:
- **Specificity** — named countries and entities, not "various" or "as needed."
- **Documentation** — answers backed by a DPA, sub-processor list, or audit report.
- **Contractual force** — commitments that appear in the contract, not just the questionnaire.
- **Consistency** — answers that align across the questionnaire, the contract, and the marketing.
Vague, inconsistent, or undocumented answers are a finding in themselves, regardless of how reassuring the words sound.
## Turning answers into a risk decision
A questionnaire is only useful if it feeds a decision. For each material gap:
- Decide whether it is acceptable given the sensitivity of the data involved.
- Determine whether a mitigation — customer-managed keys, restricted access, data minimisation — closes it.
- Record the residual risk and who has accepted it.
- Re-assess on a schedule, because sub-processors and architectures change.
This turns the review from a box-ticking exercise into an actual control.
## What good vendors make easy
Vendors that have taken sovereignty seriously can answer this whole questionnaire quickly and in writing, because they designed their systems with these boundaries in mind. neart.ai builds enterprise-grade products with regional controls, access boundaries, and key custody options designed precisely so that these questions have clear, documented, defensible answers rather than improvised ones.
## Practical takeaway
Expand your vendor security review beyond "where is the data stored?" to cover processing, access, key custody, corporate control, and sub-processors. Demand specific, documented, contractually backed answers, and treat vagueness as a finding. The questionnaire's real value is not the answers themselves but the risk decisions you make from them — so make sure every material gap is either mitigated or formally accepted by someone accountable.