Letsdial
All posts·Security

Why we ship region pinning instead of just region cookies

The difference between 'EU region' and 'EU data residency' costs healthcare buyers their next audit. Here's how we drew the line.

AP
Aisha Patel
Security Engineer
Apr 11, 20267 min read
Security

Essay · letsdial · Apr 11, 2026

Introduction

Almost every cloud phone vendor now offers an "EU region" option. Most of them mean the same thing: your traffic is routed through a European data centre by default, but there is no enforcement that prevents data from crossing a border if a failover, a backup job, or a support escalation routes it elsewhere. For a buyer in Germany or France checking a box on a procurement form, that distinction is invisible right up until the DPA audit.

Region preference versus data residency

A region preference is a default. When everything is working normally, your data stays where you chose. The problem is the exception paths: automated backups, cross-region disaster recovery, global support tooling, and log aggregation pipelines can all transfer data to jurisdictions outside the preference without triggering an alert or a log entry that an auditor would ever see.

Data residency is a constraint. It means the system is architected so that certain data classes cannot leave the nominated region, regardless of operational state. The constraint is enforced at the infrastructure layer — not by configuration, not by policy, not by training — so it holds during an outage as well as during normal operation.

What region pinning means in practice

Region pinning means a tenant's data — call recordings, voicemail audio, transcripts, call detail records, contact data — is stored and processed only within the nominated region. The pin is enforced at the data layer, not the application layer. When a recording is written, it goes to a bucket in the specified region and only that region. When a transcript job runs, the compute that processes it is provisioned in-region. Cross-region replication of that data class is disabled, not just discouraged.

The operational implication is that some failover scenarios that would be transparent in a global architecture become visible in a pinned one. If the pinned region goes down, the choice is to fail closed (service is unavailable until the region recovers) or to fail open (data crosses the border and the residency guarantee is broken). We fail closed. We document this clearly so buyers can make an informed decision and plan accordingly — most find that a transparent service interruption is a better outcome than a silent residency breach.

What we pin and what we don't

Not every data class carries the same residency risk. We distinguish between three classes:

  • Pinned data — call recordings, voicemail audio, transcripts, CDRs, contact records. These are pinned to the tenant's nominated region and never replicated outside it.
  • Control plane data — authentication tokens, feature flags, billing records. These live in a global control plane. They don't contain communication content and are outside the scope of most data residency requirements.
  • Telemetry and logs — anonymised performance metrics. Aggregated before leaving the region, so no individual record crosses a border.

The boundary between pinned and unpinned data is documented in the Data Processing Addendum and available to any customer on request before they sign.

Why this matters for healthcare buyers

Healthcare procurement in the EU increasingly requires explicit data residency commitments, not just a region selection in a portal. GDPR's Chapter V restrictions on international transfers apply to any personal data that includes communication content — which call recordings and voicemails almost always do. A vendor that offers region preference but cannot document where data goes during a support escalation or a backup run cannot sign a Data Processing Agreement that accurately describes their architecture.

We can sign one. The DPA maps to actual infrastructure constraints, not aspirational configurations. When an EU healthcare buyer asks which data classes are pinned, we can answer with specifics rather than telling them to review the SLA.

The audit question to ask every vendor

The single most useful question to ask a vendor's sales team: 'If your EU region experiences an outage, where does my call recording data go?' A vendor with genuine data residency will say 'the service fails until the region recovers.' A vendor with region preference will say something about seamless failover and global redundancy. The second answer is operationally friendlier and legally riskier. Know which one you need before you sign.

End

Written by Aisha Patel · Apr 11, 2026

Reply to the author
Security & Compliance

Data residency you can document, not just select.

EU region pinning with a DPA that maps to actual infrastructure constraints — not a preference flag. Available on all plans.

AP

About the author

Aisha Patel · Security Engineer

Aisha runs the security programme at letsdial, SOC 2, HIPAA, and the boring half of the audit calls.

Read next

All posts

Newsletter

Get the next post in your inbox.

One thoughtful post every other week. No spam, easy unsubscribe.