AG-328: Data Localisation and Transfer Logging Governance

2. Summary

Data Localisation and Transfer Logging Governance requires that AI agent systems maintain a complete, auditable record of where personal data is stored, processed, and transferred across borders — and enforce data localisation requirements where applicable law mandates that certain categories of personal data remain within specific jurisdictions. The system must implement transfer detection that identifies when an agent action would cause personal data to cross a jurisdictional boundary, apply the appropriate transfer mechanism (adequacy decision, SCCs, BCRs, or derogation), log the transfer with full provenance, and block transfers that lack a valid legal mechanism. This dimension addresses the reality that AI agents operating on cloud infrastructure can inadvertently transfer personal data across borders through API calls, model inference requests, data replication, and backup operations — creating regulatory exposure at machine speed.

3. Example

Scenario A — Undetected Transfer Through Cloud API: A European healthcare AI agent processes patient data in an EU-hosted environment. The agent calls a third-party NLP API for medical text analysis. The API endpoint is hosted in the United States. Each API call transmits patient symptom descriptions, medication lists, and clinical notes to the US-hosted service. Over 8 months, 340,000 patient records are transferred to the US without a valid transfer mechanism (no SCCs, no adequacy decision, no BCRs). An investigation triggered by a patient complaint discovers the transfers. Result: CNIL enforcement action: EUR 3.2 million fine for unauthorised transfer under Chapter V GDPR, mandatory suspension of the API integration, and notification to 340,000 affected patients.

What went wrong: The AI agent's API call triggered a cross-border transfer that was invisible to the compliance team. No transfer detection mechanism existed. The agent's infrastructure was EU-hosted, but the third-party API was not. No check verified the geographic location of downstream services before transmitting personal data.

Scenario B — Data Residency Violation Through Backup: A financial AI agent operating in Russia processes customer data in compliance with Russia's data localisation law (Federal Law No. 242-FZ), which requires personal data of Russian citizens to be stored on servers physically located in Russia. The agent's primary database is Russia-hosted. However, the cloud provider's automated backup system replicates data to a disaster recovery site in Finland. The backup configuration was set at the infrastructure level, below the application team's visibility. A Roskomnadzor audit discovers the cross-border replication. Result: Regulatory enforcement, mandatory infrastructure reconfiguration, and suspension of the AI service until data residency is confirmed.

What went wrong: The application-level data localisation was compliant, but the infrastructure-level backup violated localisation requirements. No monitoring existed to detect data replication across borders. The compliance team was unaware that backup replication was occurring to a foreign jurisdiction.

Scenario C — Transfer Governance Correctly Implemented: A cross-border AI agent platform serves customers in the EU, UK, and Brazil. The transfer governance system: (1) maintains a data residency registry mapping each data category to its required storage jurisdiction, (2) monitors all agent network traffic for cross-border data flows, (3) verifies that a valid transfer mechanism exists for every detected cross-border flow (EU-UK: adequacy decision; EU-Brazil: SCCs with supplementary measures), (4) blocks flows to jurisdictions without valid transfer mechanisms, (5) logs every cross-border transfer with source jurisdiction, destination jurisdiction, transfer mechanism, data categories, volume, and timestamp. A quarterly audit confirms 47,000 transfers logged, all with valid mechanisms, and 23 blocked transfers where the mechanism was expired or missing. Result: Transfer compliance confirmed across all jurisdictions. Regulatory review finds exemplary governance.

4. Requirement Statement

Scope: This dimension applies to all AI agents that process personal data and operate on infrastructure that spans or could span multiple jurisdictions. This includes: agents hosted on cloud infrastructure (where data may be processed in any region where the provider operates), agents that call third-party APIs (where the API may be hosted in a different jurisdiction), agents with data replication or backup configurations that may involve cross-border transfer, and agents that serve data subjects in multiple jurisdictions. The scope extends to every mechanism by which personal data may cross a jurisdictional boundary: direct transfer (sending data to a foreign system), indirect transfer (calling an API hosted abroad), replication transfer (backup or disaster recovery to a foreign location), and inference transfer (sending personal data to a model hosted in a different jurisdiction). Agents that process only anonymised data verified as non-reversible and operate on single-jurisdiction infrastructure verified by the cloud provider are excluded.

4.1. A conforming system MUST maintain a data residency registry documenting, for each data category and data subject jurisdiction, where the data is stored and where it may be processed, including backup and disaster recovery locations.

4.2. A conforming system MUST detect when an agent action — including API calls, data transmissions, model inference requests, and data replication — would cause personal data to cross a jurisdictional boundary.

4.3. A conforming system MUST verify that a valid transfer mechanism exists for every detected cross-border transfer before the transfer proceeds (adequacy decision, SCCs, BCRs, binding data processing agreement, or applicable derogation under GDPR Article 49).

4.4. A conforming system MUST block cross-border transfers for which no valid transfer mechanism exists, returning a structured rejection identifying the missing mechanism.

4.5. A conforming system MUST log every cross-border data transfer with: source jurisdiction, destination jurisdiction, transfer mechanism reference, data categories transferred, data volume, timestamp, and the agent or process that initiated the transfer.

4.6. A conforming system MUST enforce data localisation requirements where applicable law mandates that specific data categories remain within a specific jurisdiction, blocking any transfer that would violate the localisation requirement.

4.7. A conforming system SHOULD monitor cloud infrastructure configurations (including backup, replication, and disaster recovery settings) for configurations that could cause inadvertent cross-border data transfer.

4.8. A conforming system SHOULD maintain an expiry tracker for transfer mechanisms (SCCs, BCRs, adequacy decisions) and alert when mechanisms are approaching expiry, with sufficient lead time for renewal.

4.9. A conforming system MAY implement real-time geographic routing that directs data processing requests to the nearest compliant jurisdiction, minimising unnecessary cross-border transfers.

5. Rationale

GDPR Chapter V (Articles 44-49) restricts the transfer of personal data to third countries that do not ensure an adequate level of data protection unless appropriate safeguards are in place. The Schrems II ruling (CJEU Case C-311/18) invalidated the EU-US Privacy Shield and imposed additional requirements on SCCs, making transfer compliance more complex and enforcement more rigorous. National data localisation laws (Russia's Federal Law 242-FZ, China's PIPL Article 40, India's proposed data localisation requirements, Brazil's LGPD Article 33) add jurisdiction-specific storage mandates.

AI agents create unique transfer risks because they interact with distributed cloud services, third-party APIs, and model hosting infrastructure in ways that may not be visible at the application layer. A single agent API call to a cloud-hosted NLP service may route through multiple jurisdictions depending on load balancing, failover, and CDN configuration. An agent using a vector database hosted on a multi-region cloud may have embeddings replicated to regions in jurisdictions without adequate protection. An agent calling an external model API may transmit personal data to a jurisdiction where the model is hosted.

The Schrems II supplementary measures requirement means that organisations must assess the legal regime in the destination country for each transfer. For AI agents making thousands of API calls per day, manual assessment of each call is impossible. The transfer must be assessed at the configuration level (which services does the agent call, where are they hosted?) and monitored at the operational level (are transfers occurring to expected destinations?).

Data localisation requirements add a further layer. Russia requires personal data of Russian citizens to be stored in Russia. China requires critical information infrastructure operators to store personal data in China. India has proposed sector-specific localisation requirements for financial data. For AI agents serving data subjects in multiple jurisdictions, the data localisation map determines where data can reside, and the transfer mechanism map determines how data can move between locations.

6. Implementation Guidance

The core architecture for AG-328 is a transfer detection and enforcement layer that monitors all agent data flows for cross-border transfers, validates transfer mechanisms, and logs all transfers.

Recommended patterns:

Network-layer transfer detection. Implement monitoring at the network layer that inspects the destination of all outbound data flows from agent infrastructure. Map destination IP addresses and service endpoints to geographic locations using a regularly updated geo-IP database and service endpoint registry. When a data flow's destination resolves to a jurisdiction different from the source, flag the flow as a cross-border transfer. The transfer enforcement engine then checks: (1) does a valid transfer mechanism exist for this source-destination pair? (2) do the data categories being transferred have any localisation restrictions? If both checks pass, the transfer proceeds and is logged. If either check fails, the transfer is blocked.
API endpoint jurisdiction registry. Maintain a registry of all external APIs and services called by agents, with their hosting jurisdictions verified through contractual documentation (not just DNS resolution). Each registry entry includes: service name, hosting jurisdiction(s), data processing agreement reference, applicable transfer mechanism (adequacy, SCCs, BCRs), and mechanism expiry date. Before an agent can be configured to call an external service, the service must be registered with a valid transfer mechanism. Unregistered services are blocked.
Infrastructure configuration auditor. Implement automated scanning of cloud infrastructure configurations to detect cross-border data exposure. Check: storage bucket replication settings (is data replicated to foreign regions?), database backup locations (are backups stored abroad?), CDN configurations (are cached responses served from foreign PoPs?), message queue configurations (are messages routed through foreign regions?), and compute instance locations (are processing workloads running in foreign regions?). Any configuration that could cause cross-border data transfer is flagged for transfer mechanism validation.

Anti-patterns to avoid:

Assuming cloud region selection prevents all transfers. Selecting an EU region for a cloud service does not guarantee that all data processing occurs in the EU. Backup replication, CDN caching, management plane operations, and sub-processor services may involve data leaving the selected region. Infrastructure configuration must be verified beyond region selection.
Relying on third-party API providers' privacy claims without contractual verification. A third-party API provider may claim EU hosting but process data in the US for model training. Contractual verification of data processing locations and restrictions is essential.
Treating transfer mechanisms as perpetual. SCCs have validity periods. Adequacy decisions can be invalidated (as with Privacy Shield). BCRs have review cycles. Transfer mechanism expiry tracking is essential to prevent lapses.
Monitoring only primary data stores. Cross-border exposure often occurs through secondary data flows: backup replication, log aggregation, monitoring data, error reporting, and analytics. These secondary flows must be in scope.
Applying transfer governance only to structured data. Unstructured data in agent conversation logs, embeddings in vector databases, and model weights in training pipelines can all contain personal data that is subject to transfer restrictions. All data types must be in scope.

Industry Considerations

Financial Services. Financial data localisation requirements vary by jurisdiction. India's RBI requires certain payment data to be stored in India. PCI DSS requires cardholder data to be stored in compliant environments. Financial AI agents must map localisation requirements by data category and jurisdiction.

Healthcare. Health data transfers face additional restrictions. The EU's Clinical Trials Regulation requires certain clinical data to remain in the EU. National health data regulations may impose storage requirements. Healthcare AI agents must comply with both general transfer rules and sector-specific requirements.

Public Sector. Government data frequently has strict localisation requirements. Many jurisdictions require government data to be stored on sovereign infrastructure. Cloud service classifications (e.g., FedRAMP in the US, SecNumCloud in France) may be required.

Maturity Model

Basic Implementation — The organisation has documented which jurisdictions its AI agents process data in. Transfer mechanisms are identified for known cross-border flows. External API hosting jurisdictions are documented. Transfer logging is manual or semi-automated. This level addresses known transfers but may miss inadvertent transfers through infrastructure configuration.

Intermediate Implementation — Network-layer transfer detection monitors all outbound data flows for cross-border transfers. An API endpoint jurisdiction registry validates all external services. Transfer mechanisms are validated before transfers proceed. Blocked transfers are logged. Infrastructure configuration auditing runs monthly. Transfer mechanism expiry tracking alerts 90 days before expiry.

Advanced Implementation — All intermediate capabilities plus: real-time transfer monitoring with automated blocking of unauthorised transfers. Infrastructure configuration scanning runs continuously. Geographic routing optimises data flows to minimise unnecessary transfers. Transfer impact assessments are automated per Schrems II supplementary measures requirements. Independent testing confirms that no personal data leaves authorised jurisdictions under any tested condition. Cross-border transfer dashboards show real-time flows by jurisdiction pair, data category, and volume.

7. Evidence Requirements

Required artefacts:

Data residency registry. Complete mapping of data categories to storage and processing jurisdictions, including backup and disaster recovery locations.
Transfer mechanism register. All active transfer mechanisms (adequacy decisions, SCCs, BCRs) with reference numbers, parties, data categories covered, and expiry dates.
Transfer log. Comprehensive log of all cross-border data transfers, including source jurisdiction, destination jurisdiction, transfer mechanism, data categories, volume, and timestamp. Minimum 12 months.
Blocked transfer log. Records of blocked cross-border transfers, including the reason for blocking and the remediation action. Minimum 12 months.
Infrastructure configuration audit report. Most recent infrastructure audit showing all configurations that could cause cross-border data transfer, with validation status.

Retention requirements:

Transfer logs: minimum 5 years for regulated sectors; minimum 3 years otherwise.
Transfer mechanism register: retain current and all prior versions for 5 years.
Infrastructure audit reports: minimum 3 years.

Access requirements:

Producible to regulators within 48 hours. Transfer logs for specific data subjects producible within DSAR timeframes.

8. Test Specification

Test 8.1: Cross-Border Transfer Detection

Stimulus: Configure an agent to call an API hosted in a jurisdiction different from the data subject's jurisdiction. Submit a processing request that triggers the API call.
Expected behaviour: The transfer detection layer identifies the cross-border data flow. The transfer mechanism is validated before the call proceeds.
Pass criteria: The cross-border transfer is detected. The transfer is logged with source and destination jurisdictions.
Fail criteria: The cross-border transfer occurs without detection or logging.

Test 8.2: Transfer Mechanism Validation

Stimulus: Attempt a cross-border transfer to a jurisdiction for which no valid transfer mechanism exists.
Expected behaviour: The transfer is blocked. A structured rejection identifies the missing transfer mechanism.
Pass criteria: The transfer does not proceed. The blocked transfer is logged.
Fail criteria: The transfer proceeds without a valid mechanism.

Test 8.3: Data Localisation Enforcement

Stimulus: Attempt to transfer data subject to a localisation requirement (e.g., Russian citizen data) to a foreign jurisdiction.
Expected behaviour: The localisation requirement is detected. The transfer is blocked regardless of whether a standard transfer mechanism exists.
Pass criteria: The localisation requirement is enforced. The data remains in the required jurisdiction.
Fail criteria: The data is transferred in violation of the localisation requirement.

Test 8.4: Infrastructure Configuration Detection

Stimulus: Configure a cloud storage bucket with cross-region replication to a jurisdiction that lacks a valid transfer mechanism. Run the infrastructure audit.
Expected behaviour: The audit detects the cross-region replication as a potential unauthorised transfer.
Pass criteria: The replication configuration is flagged. A remediation action is created.
Fail criteria: The cross-region replication is not detected.

Test 8.5: Transfer Mechanism Expiry Alert

Stimulus: Set a transfer mechanism's expiry date to 80 days from now. Verify that an alert is generated at the 90-day threshold (simulating the passing of 10 days).
Expected behaviour: The expiry tracker generates an alert when the mechanism is within 90 days of expiry.
Pass criteria: The alert is generated with sufficient lead time for renewal.
Fail criteria: No alert is generated before the mechanism expires.

Test 8.6: Transfer Log Completeness

Stimulus: Execute 100 cross-border transfers with valid mechanisms. Verify that all 100 are logged with complete metadata.
Expected behaviour: All 100 transfers appear in the transfer log with: source jurisdiction, destination jurisdiction, mechanism reference, data categories, volume, and timestamp.
Pass criteria: All 100 transfers are logged. No transfer is missing from the log. Metadata is complete.
Fail criteria: Any transfer is missing from the log, or metadata is incomplete.

Conformance Scoring

Score 0: No transfer detection or logging exists — cross-border data flows occur without governance or visibility.
Score 1: Known cross-border transfers are documented. Transfer mechanisms are identified for primary data flows. No automated detection or blocking. Logging is manual.
Score 2: Network-layer transfer detection monitors all outbound flows. Transfer mechanisms are validated before transfers proceed. Blocked transfers are logged. Infrastructure auditing identifies inadvertent transfers. Expiry tracking is operational.
Score 3: Verified by independent testing. Real-time transfer monitoring with automated blocking. Continuous infrastructure configuration scanning. Geographic routing minimises unnecessary transfers. Schrems II supplementary measures assessment is automated. Zero unauthorised transfers in most recent audit period.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Articles 44-49 (Chapter V — Transfers to Third Countries)	Direct requirement
GDPR	Article 30(1)(e) (ROPA — Transfer Documentation)	Direct requirement
Schrems II (CJEU C-311/18)	Supplementary Measures Requirement	Direct requirement
EDPB Recommendations 01/2020	Supplementary Measures for Transfers	Supports compliance
China PIPL	Article 38-43 (Cross-Border Transfer)	Direct requirement
Russia Federal Law 242-FZ	Data Localisation Requirement	Direct requirement
LGPD (Brazil)	Article 33 (International Transfer)	Direct requirement
UK Data Protection Act 2018	Sections 73-78 (International Transfers)	Direct requirement
EU AI Act	Article 10 (Data and Data Governance)	Supports compliance
NIST AI RMF	GOVERN 1.1, MAP 3.4	Supports compliance

Chapter V establishes the framework for international data transfers. Article 44 states that transfers to third countries may take place only in compliance with Chapter V. Article 45 recognises adequacy decisions. Article 46 permits transfers subject to appropriate safeguards (SCCs, BCRs). Article 49 provides derogations for specific situations. AG-328 implements the structural enforcement of Chapter V requirements for AI agents by detecting cross-border flows, validating transfer mechanisms, and blocking unauthorised transfers.

Schrems II and EDPB Recommendations 01/2020

The Schrems II ruling requires data exporters to assess whether the level of protection in the destination country is "essentially equivalent" to EU protection, and to implement supplementary measures where it is not. EDPB Recommendations 01/2020 provide guidance on supplementary measures. AG-328 supports this by maintaining transfer mechanism documentation, tracking mechanism expiry, and enabling assessment of destination country protections as part of the transfer validation process.

China PIPL — Articles 38-43

The PIPL imposes cross-border transfer requirements including security assessment, standard contract, and certification mechanisms. Critical information infrastructure operators and processors handling data above prescribed thresholds must undergo a security assessment before transfer. AG-328's transfer detection and validation framework applies equivalently to PIPL requirements for AI agents processing Chinese residents' data.

Russia Federal Law 242-FZ

Federal Law 242-FZ requires that personal data of Russian citizens be stored on servers physically located in Russia. AG-328's data localisation enforcement directly implements this requirement by blocking transfers that would remove Russian citizen data from Russian infrastructure.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	All data subjects whose data crosses or could cross jurisdictional boundaries — potentially the entire international customer base

Consequence chain: Unauthorised cross-border transfers are among the most heavily penalised data protection violations. Post-Schrems II enforcement has intensified, with DPAs across the EU issuing orders to suspend transfers. The Irish DPC fined Meta EUR 1.2 billion for unauthorised EU-US transfers — the largest GDPR fine to date. For AI agents, the transfer volume amplifies the exposure: an agent making 1,000 API calls per day to a US-hosted service transfers data 365,000 times per year. Each transfer without a valid mechanism is a separate Chapter V violation. Data localisation violations attract country-specific penalties: Russia can block access to services; China can impose fines of up to CNY 50 million; India can impose sector-specific sanctions. The operational impact of a transfer suspension order is severe — if a DPA orders the suspension of transfers to a US-hosted AI service, the agent may be unable to function until alternative compliant infrastructure is provisioned. The combined regulatory, operational, and financial risk makes transfer governance one of the highest-priority privacy controls for cross-border AI agent deployments.

Cross-references: AG-059 (Data Classification & Sensitivity Labelling), AG-060 (Consent & Lawful Basis Verification), AG-061 (Data Subject Rights Execution), AG-063 (Privacy-by-Design Integration), AG-013 (Multi-Jurisdictional Compliance Mapping), AG-319 (Purpose-Consent Granularity Governance), AG-322 (Data Minimisation by Design Governance), AG-325 (Data Subject Request SLA Governance), AG-327 (Cross-Context Behavioural Data Separation Governance).

Cite this protocol

AgentGoverning. (2026). AG-328: Data Localisation and Transfer Logging Governance. The 783 Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-328

← Previous Protocol

AG-327

Cross-Context Behavioural Data Separation Governance

Next Protocol →

AG-329

Memory Write Approval Governance