By Sean Falconer, Head of Marketing & Developer Relations – Skyflow
By Chintan Sanghavi, Sr. Partner Solution Architect – AWS
By Bill Tarr, Sr. Partner Solutions Architect – AWS SaaS Factory


As a modern business, you’re no longer confined to operating within the borders of a single country or region. Cloud conveniences and interconnectivity introduce the possibility of global expansion, but scaling globally comes with challenges and one of the most complex challenges centers on data residency.

Many countries and regions have their own laws restricting how companies handle customers’ sensitive data, and complying with data handling practices in one region does not guarantee compliance in another. When considering data residency requirements they must meet to expand into a new region, companies may think the only option is to replicate their entire infrastructure in that region.

Meeting data residency by replicating infrastructure poses several challenges:

  • Architectural: Data fragmentation impedes global analytics and adds overhead for securing a complex and duplicative architecture. Replicating infrastructure across regions leads to data fragmentation and challenges in maintaining a unified view of data.
  • Operational efficiency: As you duplicate cloud services, you impede your scalability because each service requires maintenance and monitoring while increasing the complexity of efforts to manage security and data governance.
  • Cost: Beyond the cost of duplicating cloud services, managing these additional services increases labor costs. These costs remain high ongoing and continue to add up, as you need to meet data residency requirements to launch in a new region.

What if there’s a better option to meet multiple data residency requirements without sacrificing scalability? Data privacy vaults simplify the complexity of meeting multiple sets of data residency and compliance requirements, enabling businesses to scale globally without the headaches that come with non-scalable infrastructure, or the hefty price tag.

In this post, we’ll break down what data residency is and why it’s often a barrier for businesses to scale globally. We’ll then look at how Skyflow Data Privacy Vault works, and how it helps businesses overcome this barrier.

To illustrate the practical application of this approach, we’ll also explore a customer story and real-world example of a company that successfully addressed its data residency needs with a scalable software-as-a-service (SaaS) solution based on Skyflow Data Privacy Vault.

Skyflow is an AWS Partner and AWS Marketplace Seller that’s a zero-trust data privacy vault built to simplify how companies isolate, protect, and govern their customers’ most sensitive data.

Barriers to Global Expansion

One of the largest advantages of being a cloud-first SaaS company is the absence of geographical boundaries, allowing you to sell to anyone, anywhere in the world. With a product-led growth strategy, you might not even be limited by the location of your sales team.

However, complying with the increasing number of global privacy regulations that restrict the physical storage location of customer data could completely derail your expansion plans; for example, if you have customers in the European Union (EU) but store your customer data in the AWS us-east-2 region.

Different countries and regions have specific laws that dictate how (and where) handle, process, store, and protect customer data. The EU has GDPR, Brazil has LGPD, and the United States has various state-specific laws (such as CCPA in California and CTDPA in Connecticut). These regulations differ in their requirements and penalties.

Today, companies are choosing to duplicate their entire infrastructure in different regions to comply with local regulations. For example, consider the following simple web application infrastructure.

Figure 1 – Simple web application architecture.

Now, if you want to expand your business to Europe and avoid transatlantic data transfers, you can replicate the original cloud services to a region in Europe, as shown below.

Figure 2 – Simple web application architecture, duplicated in two regions.

In this example, we face the overhead of operating the same services across two regions. If we need to comply with regulations in India, Australia, Singapore, and Brazil, it’s going to get complicated to manage services across regions.

Now that we’ve looked at this problem, let’s explore how Skyflow helps address it.

How Skyflow Works

Skyflow is a data privacy vault company, and a data privacy vault isolates, protects, and governs sensitive data while facilitating region-specific compliance through data localization.

With a vault architecture, you store sensitive data in your vault, isolated outside of your existing systems. Isolation helps ensure the integrity and security of sensitive data as well as simplifying regionalization of this data.

Skyflow uses opaque tokens that serve as references to sensitive data stored in traditional cloud storage and downstream services. A data privacy vault can store sensitive data in a specific geographic location and tightly control access to this data. Other systems only have access to non-sensitive tokenized data.

As an example workflow, in the image below we collect a phone number from our frontend application. We securely store this phone number, along with any other personally identifiable information (PII), in the vault which is isolated outside of your existing SaaS infrastructure. Any downstream services—application databases, data warehouse, analytics, any logs—store only a token representation of the data and are removed from the compliance scope.

Figure 3 – Reducing compliance and security scope with a data privacy vault.

The vault architecture vastly simplifies the complexities of data residency, data security, and compliance. With a vault, rapid, low-cost global expansion is now possible, even to small and highly regulated markets.

Global Expansion with Skyflow Data Privacy Vault

Skyflow Data Privacy Vault is ISO 27001 Certified, SOC 2 Type 2 Certified, PCI Level 1 Certified, HIPAA Assessed and Eligible, and GDPR Assessed and Compliant. Skyflow vaults run on AWS, and it takes advantage of AWS’s large number of regions and availability zones. This allows any Skyflow customer to deploy vault instances in various regions around the world. Currently, Skyflow supports the data residency requirements of over 150 countries.

Skyflow is a SaaS offering deployed via virtual private cloud (VPC) and supports a variety of deployment models, including Bring Your Own Encryption Keys (BYOK). Behind the scenes, Skyflow leverages AWS services such as AWS Key Management Service (AWS KMS), AWS Secrets Manager, AWS Nitro System, and Amazon Elastic Kubernetes Service (Amazon EKS).

As a managed service, using Skyflow means the complexity of running your AWS services across multiple regions is greatly reduced. You store and process only the regulated data in specific regions, and Skyflow manages the infrastructure for you.

This approach eliminates the need for infrastructure in multiple regions, substantially reducing cost and complexity. It performs all workflows involving sensitive data—including analytics, data sharing, data transformation, and computation—within the chosen region to help ensure data doesn’t get transferred outside the regulated area.

With polymorphic encryption and tokenization, Skyflow stores sensitive data in the geographically appropriate vault and de-identified as a token that you safely store in your downstream services. Unlike encrypted data, there’s no mathematical connection between the original plaintext sensitive data value and the de-identified tokenized value. With Skyflow, format-preserving and deterministically generated tokens are used to maintain data integrity and support analytics.

This approach simplifies effective data residency compliance while retaining the use of sensitive data for operational and analytics needs.

Skyflow Data Privacy Vault gives you complete control over how you access and use sensitive customer data. Your vault provides fine-grained access control so you control who sees what, when, how, and for how long, and it’s configurable through APIs and an intuitive SaaS graphical user interface (GUI).

Figure 4 – Centralized architecture with local data privacy vaults.

As shown above, Skyflow empowers companies to store their sensitive customer data in region so they can quickly scale up to ensure data residency compliance in any country or region where they want to expand.

Skyflow’s approach to data protection not only aligns with the diverse regulatory landscape but also simplifies the process. When a potential new market opens up, Skyflow Data Privacy Vault eliminates most of the friction of, and delays associated with, expanding your business into that market.

Customer Success Story

A SaaS payment automation platform based in Europe recently partnered with Skyflow and AWS to expand to new regions. The SaaS company enables merchants to set up and automate their payment infrastructure, seamlessly connecting merchants with payment service providers such as Stripe or Tamara.

The SaaS payment platform’s merchants operate across multiple geographies, so they needed a SaaS solution capable of meeting data residency requirements for markets across regions.

The payment platform also needed flexible payment orchestration and routing capabilities to give their merchant a PCI DSS-compliant payment processing SaaS platform. Finally, the payment platform needed to handle CVV codes to facilitate payment retries and re-routing without storing CVV codes, because PCI DSS Requirement 3.2 prohibits storing CVV codes.

The SaaS customer deployed its Skyflow vaults in multiple AWS regions to meet multiple data residency requirements. By routing its customer data to the geographically appropriate vault, the company was able to store and handle this data in a straightforward and compliant manner that solved data residency challenges.

Better yet, using Skyflow gave scalable SaaS solutions to meet new and evolving data residency requirements as the company expand into new regions. This means that as the payment platform provider continues to grow into new markets, it can quickly and easily deploy a new vault to make sure it maintains compliance with local regulations.

Each vault is configured to store credit card information for merchant customers. Because Skyflow vaults are PCI-DSS compliant, the payment platform enjoys the benefits of out-of-the-box PCI compliance whenever they deploy to a new region. They also simplify integrations with trusted third-party services because Skyflow vaults can securely share sensitive data with any third-party API, including payment processor APIs.

This lets merchant customers avoid the drawbacks of working with a single payment processor that may not suit their needs in all of the regions where they operate. Merchants can easily route their payments through multiple payment gateways.

Lastly, by using transient field tokenization through Skyflow to temporarily cache CVV codes with a time-to-live (TTL) setting, the SaaS payment platform is able to provide user-friendly authorization across multiple payment processors without violating PCI-DSS requirements. Merchant customers are able to provide a high-quality payment experience to their customers without additional implementation effort.

So, how did it work out? An overview of the integrated architecture is shown below.

Figure 5- SaaS payment platform architecture with Skyflow.


Data residency and compliance issues are substantial challenges, with data protection regulations varying from region to region and country to country. As a result, businesses wrongly believe their only recourse is to spin up a complex and costly local infrastructure replica, so they shy away from embracing new opportunities due to fear of architectural complexity, operational challenges, and increasing SaaS service costs.

Skyflow’s data privacy vaults provide companies with a SaaS service that offers a simpler and more cost-effective solution. With Skyflow, businesses host data privacy vaults around the world and offload the complexities of sensitive data de-identification, encryption, security, and governance—all while remaining compliant with local data regulations. The SaaS payment provider’s success story shows how Skyflow’s scalable, SaaS-based approach turns obstacles into opportunities.

Learn more about how your business can scale globally without compromising your data compliance posture and check out Skyflow in AWS Marketplace.

About AWS SaaS Factory

AWS SaaS Factory helps organizations at any stage of the SaaS journey. Whether looking to build new products, migrate existing applications, or optimize SaaS solutions on AWS, we can help. Visit the AWS SaaS Factory Insights Hub to discover more technical and business content and best practices.

SaaS builders are encouraged to reach out to their account representative to inquire about engagement models and to work with the AWS SaaS Factory team..

Skyflow – AWS Partner Spotlight

Skyflow is an AWS Partner that isolate, protects and governs sensitive information like PII, PHI, and PCI-regulated data. Skyflow customers can host data privacy vaults anywhere in the world simultaneously, with total control over data residency and access.

Contact Skyflow | Partner Overview