Compliance
Data Locality, Data Residency, and Data Sovereignty Are Not the Same Thing
These three terms get used interchangeably in Bangladeshi cloud RFPs. They are not interchangeable — and confusing them can sink a procurement.
Three terms, used as synonyms in almost every Bangladeshi cloud RFP. They are not. Confusing them produces clauses that look strict and protect very little.
Where
Locality is a hardware question
Bytes at rest, in flight, in cache
What
Residency is a contract question
What you must keep where
Whose
Sovereignty is a jurisdiction question
Whose laws govern access
Nested
Each one builds on the previous
Locality ⊂ Residency ⊂ Sovereignty
| Locality | Residency | Sovereignty | |
|---|---|---|---|
| Question answered | Where the bytes sit | What you must keep where | Whose laws govern access |
| Type of artefact | Topology diagram | Contract clause | Statute / incorporation |
| Stops physical exfiltration | Yes | Yes | Yes |
| Stops contract breach | Partial | Yes | Yes |
| Stops foreign legal process (e.g. CLOUD Act) | Weak | Partial | Yes |
| Provider must be in-jurisdiction | No | No | Yes |
Source: Cloud Digit risk-mapping framework, indicative.