Standard, Premium, and Enterpriseservice tiers (requiresorganization-level activation)

Data residency gives you more control over where your Security Command Center data islocated. This document provides essential information about howSecurity Command Center supports data residency.

The following definitions apply to this document:

• Alocation is a Google Cloudregion or multi-regionthat corresponds to the location in which your data resides.
• The meaning of the termyour data is equivalent to the meaning of the term"Customer Data" in theData Location item in the Google CloudGeneral Service Terms.

To learn how to work with Security Command Center resources when data residency isenabled, seeSecurity Command Center regional endpoints.

Supported data locations

This section describes the data locations that you can use forSecurity Command Center and related services.

Security Command Center data locations

When you enable data residency, the Security Command Center API supports the followingGoogle Cloud multi-regions as data locations:

European Union (eu)

Data resides in any Google Cloud region within member states of theEuropean Union.

Kingdom of Saudi Arabia (KSA) (sa)

Data resides in any Google Cloud region in KSA.

United States (us)

Data resides in any Google Cloud region in the United States.

If you use the Standard or Premium service tier, then upgrading to the Enterprise tier does notchange the location of your Security Command Center data. If you did not enable Security Command Center dataresidency for the Standard or Premium tier, then you cannot enable it when you upgrade to theEnterprise tier.

For more information about Security Command Center locations, seeProducts available by location.

If you need to specify a default location for data residency thatSecurity Command Center doesn't support, then contact your account representative oraGoogle Cloud sales specialist.

Google SecOps data locations

For Google Security Operations, data residency is always enabled. To find out whereGoogle SecOps data resides, see thelist of Google SecOps locations.

Note: By default, data residency controls for Google SecOps are enforced when data is atrest. If you need these controls to be enforced when data is in use or in transit, then contact youraccount representative.

Supported features and launch stages

For the Enterprise service tier of Security Command Center, if you enable dataresidency, then the following features are not available:

• AI Security findings framework
• Cloud Infrastructure Entitlement Management (CIEM) for external cloud providers
• Mandiant Attack Surface Management

Also, as stated in thePre-GA Offerings Terms item in theGeneral Service Terms,theData Location terms do not apply topre-General Availability(GA) features and services.

Requirements for data residency

This section explains the requirements for using data residency inSecurity Command Center and related services.

Requirements for Security Command Center

You can enable data residency for Security Command Center only when youactivate Security Command Center for an organization for the first time. After dataresidency is enabled, you can't disable it.

Important: For the Enterprise service tier, before you activate Security Command Center with data residencycontrols, you must contact your Google Cloud account representative and schedule a date andtime when you will activate Security Command Center. After activation, your account representative willhelp ensure that your Google SecOps instance is configured to fully support dataresidency controls.

Data residency requires you to use the Security Command Center v2 API. If dataresidency is enabled, then you can't use earlier versions of theSecurity Command Center API.

If you don't enable data residency when you activate Security Command Center, thenSecurity Command Center does not restrict your data to any particular location, andit's stored in accordance with theGoogle Cloud Platform Terms of Service.

Requirements for Google SecOps

For Google SecOps, data residency is enabled by default. Youcan't disable data residency for Google SecOps.

Note: By default, data residency controls for Google SecOps are enforced when data is atrest. If you need these controls to be enforced when data is in use or in transit, then contact youraccount representative.

How and when data residency is enforced

When you enable data residency for Security Command Center, some Security Command Centerdata is kept within a specified location when it's in one of the followingstates:

• At rest
• In use
• In transit

Note: By default, data residency controls for Google SecOps are enforced when data is atrest. If you need these controls to be enforced when data is in use or in transit, then contact youraccount representative.

After you enable data residency and select a data location, Security Command Centerdoes the following:

• When a finding is created for a resource that resides in the specifiedlocation, the finding always resides in your data location.
• When a finding is created for a resource that resides in another location, thefinding eventually resides in your data location. However, the finding mighttemporarily reside in a different region.
• When you create specific types ofconfiguration resources in your datalocation, they reside in that location.
• In cases where Security Command Center stores data that is notCustomer Data, asdefined in theData Location item in the Google CloudGeneral Service Terms, Security Command Center stores thedata in accordance with theGoogle Cloud Platform Terms of Service.

Data residency at rest

Data isat rest when all of the following criteria are met:

• The data is for a resource type that issubject to data residency controls.
• You have not requested an operation that requires the data to be accessed.
• The data is not being accessed in a way that producesaudit logs orAccess Transparency logs.

Data residency in use

Data isin use when all of the following criteria are met:

• The data is for a resource type that issubject to data residency controls.
• Google Cloud is completing an operation that was initiated at yourrequest—for example, because your application called theSecurity Command Center API—or an operation that producesaudit logs orAccess Transparency logs.
• It's possible for Google Cloud to operate on the data in a way thatrequires knowledge of the data's meaning—for example, by updatingspecific fields in a configuration resource. This includes any case where datais unencrypted in memory.

Data residency in transit

Data isin transit when all of the following criteria are met:

• The data is for a resource type that issubject to data residency controls.
• The data is being transmitted, with encryption, within Google's network,or the data is in memory, with encryption, for the purpose of transmittingit within Google's network.

Security Command Center resources and data residency

The following list explains how Security Command Center applies data residencycontrols to Security Command Center resources. If a resource isn't listed here,then it's not subject to data residency controls and is stored in accordancewith theGoogle Cloud Platform Terms of Service.

BigQuery exports

BigQuery export configurations are subject to data residency controls. Use theregional endpoints to create and managethese configuration resources.

The Security Command Center API represents BigQuery exportconfigurations asBiqQueryExportresources.

Continuous exports

Continuous export configurations are subject to data residency controls. Use theregional endpoints to create and managethese configuration resources.

The Security Command Center API represents continuous export configurations asNotificationConfigresources.

Findings

Findings are subject to data residency controls.

When a finding is created for a resource that resides in the data locationthat you selected, the finding always resides in the same location.

When a finding is created for a resource that resides in anotherlocation, the finding eventually resides in the data location that youselected. However, the finding might reside in a different region at thetime that it's created.

To keep all findings in your data location, always create all of yourGoogle Cloud resources in that location.

Google SecOps resources

All Google SecOps resources are subject to data residency controls. Use theregional endpoints to create and managethese configuration resources.

Note: By default, data residency controls for Google SecOps are enforced when data is atrest. If you need these controls to be enforced when data is in use or in transit, then contact youraccount representative.

Mute rules

Mute rule configurations are subject to data residency controls. Use theregional endpoints to create and managethese configuration resources.

The Security Command Center API represents mute rule configurations asMuteConfigresources.

Other Security Command Center resources and settings

Security Command Center resources and settings that aren't listed here, such asthose that define which services are enabled or which tier is active, are notsubject to data residency controls. This data is stored in accordance with theGoogle Cloud Platform Terms of Service.

Create or view data in a location

When data residency is enabled, you must specify a location when you create orview any data that'ssubject to data residency controls.Security Command Center automatically chooses a location for findings that itcreates.

You can create or view data in only one location at a time. For example, if youlist findings in the United States (us) location, then you won't see findingsin the European Union (eu) location.

To learn how to create or view data that's subject to data residency controls,seeAbout the jurisdictional Google Cloud consoleandTools for regional endpoints.

What's next

• Learn how toactivate Security Command Center for an organization.
• Find out how to useSecurity Command Center regional endpoints.
• Enable Security Command Center tostream findings to BigQuery.
• Set upcontinuous exportsfrom Security Command Center to Pub/Sub.
• Create amute rulefor findings.