estøkad

Residency

Estokad runs per-country, not "EU region." Customers pick where their data lives at signup; provisioning happens only after the residency module is paid for. The chosen region binds every byte of data — Postgres rows, asset blobs, cache state, audit logs.

Available regions

| Region | Country | Provisioned in | |---|---|---| | eu-fra-1 | Germany | Default — included in the platform fee | | eu-bru-1 | Belgium | Belgium residency module (€499/mo) | | eu-par-1 | France | EU residency module (€199/mo, France-eligible) | | eu-ams-1 | Netherlands | EU residency module | | eu-lux-1 | Luxembourg | EU residency module | | ch-zrh-1 | Switzerland | Switzerland residency module (€699/mo) |

The Sovereign tier includes a customer-dedicated region (e.g. AWS Outpost, Scaleway sovereign cloud) at €1,299/mo on top of the platform fee.

How the binding works

Each region is a separate Postgres cluster + Object Storage bucket + Redis instance + Bunny.net pull zone. There is no cross-region replication and no fallback to a "primary" region. If a region is offline, the workspaces in it are offline — by design. We do not ship customer data to a different jurisdiction to keep an SLA.

DNS resolution is done at the edge: api.estokad.com resolves to the regional gateway nearest the workspace. A Belgian customer's request never crosses the border.

Daily residency proofs

Once a day, every region's workers run a residency check:

  • Inventory every active table, bucket, and queue
  • Read each entry's region tag
  • Sign a proof with the region's KMS key

The proofs land in /settings/compliance/residency-proofs as a list, each downloadable individually. The DORA pack bundles the last 90 days automatically.

The proof format is JSON with a JCS-canonicalised body and a JWS signature from the region's KMS key. Verification is a one-liner with any standard JWT library; the public key is published at https://api.estokad.com/.well-known/residency-keys.json.

What can move

Two things cross regions:

  • Control plane data — workspace metadata, billing, user accounts. Lives in eu-fra-1 for all tenants. The control plane has no customer content; it has only the routing information the data plane needs.
  • Aggregate logs sent to Grafana Cloud (EU instance) — request counts, latencies, error rates. Never includes content body. Grafana Cloud's EU instance is contractually committed to EU residency.

Both are documented in the sub-processor register so a regulator sees exactly what crosses what boundary.

Switching regions

Switching is a migration, not a config change. You request the move through /settings/compliance/residency; we provision the destination region, copy your data with end-to-end attestation, run a parallel period for verification, then cut over. The whole process takes 1-3 days for a typical workspace, longer for terabyte-scale ones.

The exit plan covers the same logistics in the other direction — getting your data out of Estokad entirely.