Bugcrowd has expanded its penetration-testing platform to meet growing European Union (EU) requirements and concerns in the private sector regarding data sovereignty and data residency.
The new Data Residency Option is aimed at Bugcrowd customers operating in or doing business with the EU, which has strict data residency and data sovereignty requirements. Data residency and sovereignty are about jurisdiction: the relevant laws call for EU data to be governed by EU laws and regulatory frameworks, no matter where it is stored and processed.
The requirements are increasing for organizations across Europe, says Bugcrowd CTO Braden Russell. And for many Bugcrowd customers, vulnerability findings, asset information, and security program data are among their most sensitive data sets, he adds.
Organizations around the world are reeling from an overwhelming — and growing — number of reported and exploited vulnerabilities. Bugcrowd offers bug-bounty programs and penetration testing to help researchers responsibly disclose vulnerabilities and to help organizations identify, address, and mitigate flaws.
By launching the new configuration, Bugcrowd looks to help customers use the platform while maintaining greater control and visibility over where their data resides. At issue is who controls the data and which nation’s regulations determine its handling.
“More broadly, we’re seeing data residency become a key factor in cybersecurity purchasing decisions,” Russell tells Dark Reading. “We view data residency as a critical component of data access and governance and an important part of building trust and supporting customers operating in highly regulated environments.”
Location, Location, Location
Data sovereignty is an increasingly important topic across Europe as organizations and governments seek to gain greater control over critical digital infrastructure and sensitive data, explains Russell. Privacy and regulatory compliance are important drivers, but the conversation has expanded to include operational resilience, geopolitical risks, and long-term control over digital assets, he adds.
“[Organizations] want to understand where their data is stored, which legal jurisdictions apply, and how they can maintain continuity and control in a rapidly evolving global environment,” Russell says.
Laws pertaining to data collection, access, and retention differ from one country to the next. Most apply across borders, says Ben Radcliff, vice president of cyber operations at Optiv.
For example, the EU’s General Data Protection Regulation (GDPR) applies to EU citizens’ personal data regardless of where data processing occurs and prohibits unlawful access to data by foreign governments. By comparison, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act authorizes the US government to require US companies to produce data they control if requested by authorities, regardless of where the data physically resides.
Discrepancies could lead to complicated legal arguments about where data is hosted, he explains.
“Data sovereignty is the premise that data is governed by the laws of the country in which the data was created, establishing clear lines of jurisdiction,” Radcliff tells Dark Reading. “Conflict arises when sovereign countries cannot come to an agreement on which jurisdiction takes precedence.”
Geopolitical Tensions Drive Data Sovereignty Issues
Bugcrowd believes data sovereignty and regional data residency will become increasingly important to both private- and public-sector organizations.
“What began as a concern primarily for government agencies and highly regulated industries is increasingly becoming a consideration across enterprise organizations more broadly,” Russell says.
Russell attributes that to growing cyber-risks, regulatory complexities, and geopolitical uncertainties. These tensions have made organizations pay closer attention to where critical data is stored and governed. Bugcrowd is seeing this influence purchasing decisions across cloud, security, and software platforms, reveals Russell.
“I expect the industry to move toward greater flexibility, giving customers more choice regarding where their data resides and how it is managed,” he says. “Much like security certifications became a standard expectation over time, regional data residency and sovereignty capabilities are increasingly becoming foundational requirements for organizations operating globally.”
Radcliff also notes that geopolitical tensions are heavily influencing the space. Historically, the companies hosting infrastructure and services provided legal pushback and tested legal frameworks to protect their clients and, by extension, their reputations, he says. But as geopolitical tensions increase globally, governments are taking advantage, and companies may have less ability to protect customer data.
For example, governments may force compliance through national data localization laws, which make it more challenging for companies to resist legal repercussions.
China and the US are two of the most prominent examples of governments asserting control over data by pressuring both tech companies and other world governments, Radcliff says. The CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act both directly challenge local data sovereignty, he adds.
“Some governments seek to assert their authority over corporate entities through economic and political pressure, making such pushback difficult to sustain,” he says.