“We’re SOC 2 compliant” is not an answer to “where does my patient data live.”
Regulated industries need per-category control. Healthcare can’t send patient records to the cloud. Finance can’t let audit logs live outside tamper-proof systems. A single compliance badge doesn’t tell your CISO which data categories are stored where, who has access, or whether PII is being stripped before it crosses a network boundary.
JieGou’s data residency controls give you granular, per-category rules for every type of data the platform handles — with automatic PII detection, compliance presets for 8 frameworks, and a validation engine that catches misconfigurations before they become audit findings.
Four residency modes
Every data category in JieGou is assigned one of four residency modes:
Local Only — Data stays in your VPC. It never leaves your network. The JieGou control plane receives execution status and timing metadata, but never the content itself.
Cloud Only — Data stored in JieGou’s cloud infrastructure. Required for platform features that depend on the data being accessible to the control plane (workflow orchestration, user authentication).
Cloud Sync — Data stored locally in your VPC, with a full copy synced to the cloud. This enables dashboards, collaboration, and version history while keeping the primary copy in your infrastructure.
Cloud (Redacted) — Data synced to the cloud with PII and sensitive fields automatically removed before transmission. You get cloud-based visibility and collaboration without exposing regulated data.
9 data categories
Each data category has a default residency mode and a set of allowed modes. Some categories are locked to a single mode because the platform requires it.
| Category | Default | Allowed Modes | Notes |
|---|---|---|---|
| Execution Results | Cloud Sync | Local Only, Cloud Sync, Cloud Redacted | Step outputs, generated content |
| Execution Metadata | Cloud Sync | Local Only, Cloud Sync, Cloud Only | Duration, token counts, performance metrics |
| Audit Logs | Cloud Sync | Local Only, Cloud Sync, Cloud Only | Who ran what, when, from where |
| Workflow Definitions | Cloud Only | Cloud Only (locked) | Required for orchestration engine |
| Recipe Definitions | Cloud Only | Cloud Only (locked) | Required for orchestration engine |
| Knowledge Base Documents | Local Only | Local Only, Cloud Sync, Cloud Redacted | Uploaded PDFs, processed content, embeddings |
| LLM Conversations | Local Only | Local Only, Cloud Sync, Cloud Redacted | Chat history, reasoning traces |
| User Data | Cloud Only | Cloud Only (locked) | Required for authentication and RBAC |
| Credentials | Local Only | Local Only (locked) | API keys never leave your VPC |
Three categories are locked: workflow definitions and recipe definitions must live in the cloud for the orchestration engine to function, and credentials are permanently local — your API keys never transit through JieGou’s infrastructure.
Automatic PII detection
JieGou detects 10 categories of personally identifiable information:
- Email addresses
- Phone numbers
- Social Security numbers
- Credit card numbers
- Physical addresses
- Dates of birth
- Medical record numbers
- Financial account numbers
- IP addresses
- Personal names
For each PII category, you choose one of three actions:
| Action | Behavior | Use case |
|---|---|---|
| Redact | Replace with [REDACTED] | Default for most compliance frameworks |
| Hash | One-way SHA-256 hash, preserves referential integrity | Analytics that need to correlate records without exposing values |
| Flag Only | Mark the field as containing PII but keep the value | Internal workflows where the data is needed downstream |
You can also add custom regex patterns for domain-specific data types — internal patient IDs, proprietary account formats, custom reference numbers. These patterns run alongside the built-in detectors.
8 compliance frameworks with one-click presets
JieGou supports preset configurations for 8 regulatory frameworks:
- HIPAA
- SOX
- GDPR
- CCPA
- PCI-DSS
- FedRAMP
- ISO 27001
- SOC 2
Each preset auto-configures data residency rules and PII detection settings based on the framework’s requirements. Select the frameworks you’re subject to, and the system applies the appropriate configuration.
HIPAA preset
The strictest healthcare configuration. Execution results, LLM conversations, and knowledge base documents are all set to Local Only — no patient data leaves your VPC. PII detection enables 7 categories: medical_record, name, date_of_birth, ssn, phone, email, and address. End-to-end encryption is required for all agent communication.
GDPR preset
Designed for EU data protection. Execution results and knowledge base documents are set to Cloud Redacted — data syncs to the cloud with all PII stripped, so you get platform features without exposing personal data. PII categories include ip_address (which GDPR explicitly classifies as personal data). Redaction is the default action for all detected PII.
PCI-DSS preset
Focused on cardholder data protection. Enables credit_card and financial_account PII categories with redaction. Narrower scope than HIPAA or GDPR — PCI-DSS doesn’t require medical records or IP addresses to be treated as sensitive. Execution results containing payment data are set to Local Only.
FedRAMP preset
The most restrictive configuration. All data-bearing categories — execution results, execution metadata, audit logs, knowledge base documents, and LLM conversations — are set to Local Only. End-to-end encryption is required. This preset assumes a zero-trust posture where no substantive data leaves the government enclave.
Compliance validation engine
Selecting a compliance framework doesn’t just set defaults — it activates ongoing validation. The system checks your configuration against framework-specific rules and returns two types of findings:
Errors — Configuration violations that must be fixed. Example: HIPAA is selected but execution results are set to Cloud Sync without redaction. This is a blocking finding.
Warnings — Recommended changes that aren’t strictly required. Example: SOX is selected but audit log retention is set to 180 days instead of the recommended 365.
Validation works across multiple frameworks simultaneously. Selecting HIPAA + GDPR + PCI-DSS validates your configuration against all three rule sets. The most restrictive rule wins for any given category. If HIPAA requires Local Only and GDPR allows Cloud Redacted, the validation engine flags anything less restrictive than Local Only as an error.
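As an added illustration of how a validation engine like the one described here can be built (this is example code written for this article, not JieGou's own implementation), the Python below encodes the defaults and allowed modes from the category table, applies a per-framework ceiling for each category, and merges several frameworks with the most restrictive rule winning. The framework rule tables are reconstructed from the preset descriptions above, the ranking of the four modes from most to least restrictive, and the SOX retention warning rule are all assumptions.

```python
"""Residency validation engine, written for this article as an illustration.
It is not JieGou's code. Defaults and allowed modes come from the category
table on the page; the per-framework rules, the restrictiveness ranking and
the retention recommendation are reconstructed from the prose (assumptions)."""

# Modes ranked from most to least restrictive. The page states Local Only is
# stricter than Cloud Redacted; ordering Cloud Sync ahead of Cloud Only (both
# transmit full content) is an assumption.
RESTRICTIVENESS = {"Local Only": 0, "Cloud Redacted": 1, "Cloud Sync": 2, "Cloud Only": 3}

# Defaults and allowed modes per category (from the table). A category whose
# allowed set has a single member is locked.
DEFAULTS = {
    "Execution Results": "Cloud Sync", "Execution Metadata": "Cloud Sync",
    "Audit Logs": "Cloud Sync", "Workflow Definitions": "Cloud Only",
    "Recipe Definitions": "Cloud Only", "Knowledge Base Documents": "Local Only",
    "LLM Conversations": "Local Only", "User Data": "Cloud Only", "Credentials": "Local Only",
}
ALLOWED = {
    "Execution Results": {"Local Only", "Cloud Sync", "Cloud Redacted"},
    "Execution Metadata": {"Local Only", "Cloud Sync", "Cloud Only"},
    "Audit Logs": {"Local Only", "Cloud Sync", "Cloud Only"},
    "Workflow Definitions": {"Cloud Only"},
    "Recipe Definitions": {"Cloud Only"},
    "Knowledge Base Documents": {"Local Only", "Cloud Sync", "Cloud Redacted"},
    "LLM Conversations": {"Local Only", "Cloud Sync", "Cloud Redacted"},
    "User Data": {"Cloud Only"},
    "Credentials": {"Local Only"},
}

# Most permissive mode each framework tolerates per category, reconstructed
# from the preset descriptions (assumption, not the product's rule table).
FRAMEWORK_CEILING = {
    "HIPAA": {"Execution Results": "Local Only", "LLM Conversations": "Local Only",
              "Knowledge Base Documents": "Local Only"},
    "GDPR": {"Execution Results": "Cloud Redacted", "Knowledge Base Documents": "Cloud Redacted"},
    "PCI-DSS": {"Execution Results": "Local Only"},
    "FedRAMP": {c: "Local Only" for c in ("Execution Results", "Execution Metadata", "Audit Logs",
                                          "Knowledge Base Documents", "LLM Conversations")},
}
# Non-blocking recommendation, taken from the SOX warning example in the text.
RECOMMENDED_RETENTION_DAYS = {"SOX": 365}


def effective_requirements(frameworks):
    """Merge the selected frameworks: the most restrictive ceiling wins per
    category. Returns {category: (ceiling_mode, framework_that_set_it)}."""
    required = {}
    for fw in frameworks:
        for category, ceiling in FRAMEWORK_CEILING.get(fw, {}).items():
            current = required.get(category)
            if current is None or RESTRICTIVENESS[ceiling] < RESTRICTIVENESS[current[0]]:
                required[category] = (ceiling, fw)
    return required


def validate(overrides, frameworks, retention_days):
    """Return (errors, warnings) for the defaults plus `overrides`
    ({category: mode}). Errors are blocking; warnings are recommendations."""
    errors, warnings = [], []
    config = dict(DEFAULTS)
    for category, mode in overrides.items():
        if category not in ALLOWED:
            errors.append(f"unknown category {category!r}")
            continue
        config[category] = mode
    # Per-category constraints; this is also what rejects changes to a locked category.
    for category, mode in config.items():
        if mode not in RESTRICTIVENESS:
            errors.append(f"{category}: unknown mode {mode!r}")
        elif mode not in ALLOWED[category]:
            locked = " (locked)" if len(ALLOWED[category]) == 1 else ""
            errors.append(f"{category}{locked}: {mode} not allowed; allowed: {sorted(ALLOWED[category])}")
    # Framework constraints: anything less restrictive than the merged ceiling is an error.
    for category, (ceiling, fw) in effective_requirements(frameworks).items():
        mode = config[category]
        if mode in RESTRICTIVENESS and RESTRICTIVENESS[mode] > RESTRICTIVENESS[ceiling]:
            errors.append(f"{fw}: {category} must be {ceiling} or stricter, got {mode}")
    for fw in frameworks:
        recommended = RECOMMENDED_RETENTION_DAYS.get(fw)
        if recommended is not None and retention_days < recommended:
            warnings.append(f"{fw}: audit log retention is {retention_days} days; recommended {recommended}")
    return errors, warnings


if __name__ == "__main__":
    # The two findings used as examples in the text: a HIPAA error and a SOX warning.
    print(validate({}, ["HIPAA"], 365))
    print(validate({}, ["SOX"], 180))
    print(validate({"Execution Results": "Cloud Redacted"}, ["HIPAA", "GDPR"], 365))
```

With the defaults unchanged, selecting HIPAA produces exactly the blocking finding the text uses as its example (execution results at Cloud Sync), and selecting HIPAA together with GDPR rejects Cloud Redacted for execution results because HIPAA's Local Only ceiling is the stricter of the two.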
Data residency reports
Every VPC agent execution response includes a data residency report. This report documents:
- Which fields were retained locally
- Whether PII was detected and what action was taken (redacted, hashed, or flagged)
- A SHA-256 hash of the output for audit purposes
The output hash is generated even when content stays entirely local. This enables integrity verification — your audit team can confirm that an execution produced a specific output without the output ever leaving your VPC. The hash travels to the control plane; the content does not.
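The following Python is added here as an illustration, not JieGou's own code, and ties together two parts of this page: the per-category PII actions (redact, hash, flag) with a custom regex pattern from the detection section, and the data residency report described just above. The three detector patterns are simplified stand-ins for three of the ten built-in categories, the sample output and the internal ID format are constructed, and the report's field names are assumed (the page lists what the report contains, not its schema).

```python
"""PII policy enforcement plus a data residency report, written for this
article as an illustration; not JieGou's code. Detector patterns are simplified
stand-ins, the sample data is constructed, and the report schema is assumed."""
import hashlib
import json
import re

# Simplified stand-ins for three of the built-in detectors (constructed patterns).
BUILTIN_DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def apply_pii_policy(text, actions, custom_patterns=None):
    """Run every enabled detector over `text` and apply that category's action.

    actions: {category: "redact" | "hash" | "flag"}; categories with no entry
    are not scanned. custom_patterns: {category: regex} run alongside the
    built-ins. Returns (processed_text, findings)."""
    detectors = dict(BUILTIN_DETECTORS)
    for name, pattern in (custom_patterns or {}).items():
        detectors[name] = re.compile(pattern)
    findings = []
    out = text
    for category, regex in detectors.items():
        action = actions.get(category)
        if action is None:
            continue

        def substitute(match, category=category, action=action):
            value = match.group(0)
            findings.append({"category": category, "action": action})
            if action == "redact":
                return "[REDACTED]"
            if action == "hash":
                # Same input gives the same token, so records can still be joined.
                return f"[{category}:{sha256_hex(value)}]"
            return value  # "flag": keep the value, only record the finding
        out = regex.sub(substitute, out)
    return out, findings


def build_residency_report(fields, actions, mode, custom_patterns=None):
    """Decide per field what leaves the VPC under `mode` and build the report
    that accompanies the execution response. The primary copy always stays
    local, and the hash is taken over the full local output, so it is the same
    whichever mode is in force. (Cloud Only is not an allowed mode for
    execution results, so it is not handled here.)"""
    local = dict(fields)
    transmitted = {}
    pii_actions = {}
    for name, value in fields.items():
        processed, findings = apply_pii_policy(value, actions, custom_patterns)
        if findings:
            pii_actions[name] = sorted({f"{f['category']}:{f['action']}" for f in findings})
        if mode == "Cloud Redacted":
            transmitted[name] = processed
        elif mode == "Cloud Sync":
            transmitted[name] = value
        # Local Only: nothing is transmitted
    report = {
        "residency_mode": mode,
        "retained_locally": sorted(local),
        "transmitted_fields": sorted(transmitted),
        "pii_detected": bool(pii_actions),
        "pii_actions": pii_actions,
        "output_sha256": sha256_hex(json.dumps(local, sort_keys=True)),
    }
    return transmitted, report


# Constructed sample execution output and policy (not real data).
SAMPLE_OUTPUT = {
    "summary": "Patient Jane Doe (MRN-00042) can be reached at jane.doe@example.com or 555-123-4567.",
    "notes": "SSN on file: 123-45-6789.",
}
CUSTOM_PATTERNS = {"medical_record": r"\bMRN-\d{5}\b"}  # constructed internal ID format
ACTIONS = {"email": "hash", "ssn": "redact", "phone": "redact", "medical_record": "flag"}

if __name__ == "__main__":
    for mode in ("Local Only", "Cloud Redacted"):
        payload, report = build_residency_report(SAMPLE_OUTPUT, ACTIONS, mode, CUSTOM_PATTERNS)
        print(mode, json.dumps({"payload": payload, "report": report}, indent=2))
```

Running it with Local Only yields an empty payload and a report whose hash equals the one produced under Cloud Redacted, which is the property the text relies on for integrity verification. One practitioner caveat on the Hash action as shown: an unkeyed SHA-256 over a low-entropy value such as an SSN or phone number can be matched by enumerating the possible inputs, so when hashed tokens must leave the boundary, a keyed hash (HMAC) with the key kept inside the VPC preserves the same referential integrity without that exposure.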
Audit settings
Three configuration options support ongoing compliance operations:
Decision logging — Records every data residency decision: what was redacted, what was kept local, what was synced. Required for SOX compliance where auditors need to trace the handling of every data element.
SIEM webhook — Sends audit events to your external SIEM system (Splunk, Sumo Logic, Datadog, or any webhook-compatible endpoint) in real time. Your security operations team sees JieGou data handling events alongside your other infrastructure events.
Retention period — Configurable audit log retention, default 365 days. Set per your framework requirements — SOX typically requires 7 years for financial data, HIPAA requires 6 years for certain records. The retention setting applies to JieGou’s audit logs; your local VPC data follows your own retention policies.
Availability
Data residency controls are available on Enterprise plans, which include all 9 data categories, PII auto-detection with 10 categories, compliance presets for 8 frameworks, the validation engine, and SIEM webhook integration. Learn more about enterprise features or start a trial.