Compliance Matrix · Regime - data protection

EU data residency

Where customer data physically lives. EU-hosted platforms simplify the GDPR transfer story; US-hosted or hybrid platforms rely on Standard Contractual Clauses and transfer impact assessments, which an Irish data controller has to stand over.

last checked 2026-06-03 accounting / invoicing / ERP category

Why this regime matters

Data residency is the one regime where vendors publish enough to verify cell by cell. We read each platform’s own trust or privacy page, mark EU-resident where the vendor states it, and mark the gap honestly where the default hosting is outside the EU.

Where each platform stands

Xero
Default hosting is outside the EU per the vendor’s own data page; EU residency is not offered as a region. Transfers rely on an adequacy decision or Standard Contractual Clauses.
Source →
Not started
Sage
The vendor has not published a data-centre location we could cite. GDPR compliance is claimed; the physical hosting region is not stated. Confirm directly before treating as EU-resident.
No public source confirmed yet.
?
QuickBooks Online
The vendor has not published a data-centre location we could cite. GDPR compliance is claimed; the physical hosting region is not stated. Confirm directly before treating as EU-resident.
No public source confirmed yet.
?
BrightBooks
Irish vendor; customer data hosted in EU/Ireland data centres per the vendor’s published security page.
Source →
Ready
Big Red Cloud
The vendor has not published a data-centre location we could cite. GDPR compliance is claimed; the physical hosting region is not stated. Confirm directly before treating as EU-resident.
No public source confirmed yet.
?
Invoice Ninja
The vendor has not published a data-centre location we could cite. GDPR compliance is claimed; the physical hosting region is not stated. Confirm directly before treating as EU-resident.
No public source confirmed yet.
?
Oracle NetSuite
EU data residency available and documented on the vendor’s own privacy or data-centre page.
Source →
Ready
Odoo
EU data residency available and documented on the vendor’s own privacy or data-centre page.
Source →
Ready
Priority Software
The vendor has not published a data-centre location we could cite. GDPR compliance is claimed; the physical hosting region is not stated. Confirm directly before treating as EU-resident.
No public source confirmed yet.
?

How we read each cell

A cell is Ready only when the vendor’s own trust, security, or privacy page states that customer data is hosted in the EU (or Ireland). NetSuite documents EMEA data centres in Amsterdam, Frankfurt, London, and Newport; Odoo documents EU-region hosting in France and Belgium with EU-only backups for newer versions; Bright (BrightBooks) states EU/Ireland-hosted ISO 27001 infrastructure.

A cell is Not started when the vendor’s own documentation puts default hosting outside the EU. Xero hosts on AWS infrastructure with processing in New Zealand under the EU adequacy decision, and does not offer an EU data region - so for an Irish controller the GDPR story runs on an adequacy decision, not EU residency.

Where a vendor claims GDPR compliance but does not publish a hosting location we can cite, we render ?. "GDPR compliant" is not the same claim as "EU-resident", and we will not infer one from the other.

4 of 9 cells carry a cited vendor or regulator source; the rest read ? until evidence is published. Back to the full Compliance Matrix.