Data Residency
Qarion provides full control over where your data is stored. Both the database and attachment storage are independently configurable per instance, allowing you to meet data residency, sovereignty, and compliance requirements.
Architecture Overview
Each Qarion instance stores data in two distinct layers:
| Layer | What it stores | How residency is controlled |
|---|---|---|
| Database | Metadata catalog, configurations, audit logs, user data | Instance provisioned in a specific cloud region |
| Attachment Storage | Uploaded files, documents, meeting attachments | Region-specific storage bucket (S3, GCS, or Azure) |
These two layers are configured independently — you can, for example, run your database in EU-West and store attachments in a separate EU-compliant bucket.
Database Residency
Managed Instances
When Qarion provisions a new instance, the PostgreSQL database is created in the cloud region you select. All metadata, configuration, and audit data remain within that region.
Supported regions depend on your cloud provider — common options include:
- EU: `eu-west-1`, `eu-central-1`, `europe-west1`
- US: `us-east-1`, `us-west-2`, `us-central1`
- APAC: `ap-southeast-1`, `ap-northeast-1`
Bring Your Own Database (BYODB) — Enterprise
Enterprise customers can connect their own PostgreSQL database. This gives you:
- Full ownership of the database infrastructure
- Data never leaves your network perimeter
- Use of your existing backup, replication, and DR policies
- Custom encryption-at-rest configurations
To configure BYODB, provide your database connection details during instance setup. See Multi-Instance Administration for provisioning details.
BYODB requires PostgreSQL 14 or later. The database must be accessible from the Qarion application tier, and the provided credentials must have schema-creation privileges.
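A preflight for the BYODB requirements above, as an added example that is not part of Qarion's documentation or tooling: it uses `psql` to read the server version, the schema-creation privilege and the session's TLS protocol. The function names and the connection URI are assumptions, and the TLS check applies this page's TLS 1.2+ standard to the database connection. Run it from a host in the same network position as the application tier so that it also exercises reachability.

```bash
# Added example (not Qarion tooling): BYODB preflight using psql.
# Supply the password via PGPASSWORD or ~/.pgpass rather than in the URI.
# Constructed usage:
#   byodb_preflight "postgresql://qarion_setup@db.internal.example:5432/qarion?sslmode=require"

# Run one query against the URI in $1 and print its single scalar result.
pg_scalar() {
  psql "$1" -X -At -v ON_ERROR_STOP=1 -c "$2"
}

# Pure check over values already read from the server.
#   $1 server_version_num (e.g. 140011)
#   $2 't' if the role has CREATE on the database (needed to create schemas)
#   $3 TLS protocol of this session from pg_stat_ssl ('' if unencrypted)
byodb_evaluate() {
  local ver="$1" can_create="$2" tls="$3" rc=0
  case "$ver" in
    ''|*[!0-9]*) echo "FAIL: unreadable server_version_num '$ver'"; return 1 ;;
  esac
  if [ "$ver" -lt 140000 ]; then
    echo "FAIL: PostgreSQL 14 or later required (server_version_num=$ver)"; rc=1
  fi
  if [ "$can_create" != "t" ]; then
    echo "FAIL: role lacks CREATE on the database, so it cannot create schemas"; rc=1
  fi
  case "$tls" in
    TLSv1.2|TLSv1.3) ;;
    '') echo "FAIL: session is not TLS-encrypted"; rc=1 ;;
    *)  echo "FAIL: TLS protocol $tls is below 1.2"; rc=1 ;;
  esac
  if [ "$rc" -eq 0 ]; then
    echo "OK: version, privilege and transport checks passed"
  fi
  return "$rc"
}

# Connect, collect the three facts, then evaluate them.
byodb_preflight() {
  local uri="$1" ver can_create tls
  ver=$(pg_scalar "$uri" "SHOW server_version_num") \
    || { echo "FAIL: cannot connect or query the database"; return 1; }
  can_create=$(pg_scalar "$uri" \
    "SELECT has_database_privilege(current_user, current_database(), 'CREATE')")
  tls=$(pg_scalar "$uri" \
    "SELECT version FROM pg_stat_ssl WHERE pid = pg_backend_pid() AND ssl")
  byodb_evaluate "$ver" "$can_create" "$tls"
}
```

A non-zero exit status from `byodb_preflight` means at least one requirement failed; each failure is printed on its own `FAIL:` line.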
Attachment Residency
Qarion uses pluggable storage backends for file attachments. You select both the backend type and the region independently.
Supported Backends
| Backend | Description |
|---|---|
| Amazon S3 | S3 or any S3-compatible store (MinIO, DigitalOcean Spaces) |
| Google Cloud Storage | GCS buckets |
| Azure Blob Storage | Azure Blob containers |
Configuration is done through the Admin Panel: Administration → System Settings → Storage. For detailed backend settings, see Storage Configuration.
Bring Your Own Storage (BYOS) — Enterprise
Enterprise customers can point Qarion at a storage bucket they own and manage. This provides:
- Full control over the bucket location and replication
- Data stays within your cloud account
- Use of your existing IAM policies and encryption keys
- Compliance with internal data-handling procedures
Configure BYOS by providing your bucket credentials and region in the storage settings.
Combine BYODB and BYOS on the Enterprise tier to ensure that no Qarion data — metadata or files — ever leaves your infrastructure.
Encryption
Regardless of residency configuration, all data is protected by:
| Protection | Standard |
|---|---|
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.2+ |
| Credential storage | Encrypted vaults (never logged or exposed in UI) |
Tier Availability
| Capability | Community | Professional | Enterprise |
|---|---|---|---|
| Region selection (database) | — | ✓ | ✓ |
| Region selection (attachments) | — | ✓ | ✓ |
| Bring Your Own Database (BYODB) | — | — | ✓ |
| Bring Your Own Storage (BYOS) | — | — | ✓ |
| Dedicated instance isolation | — | — | ✓ |
Related Documentation
- Storage Configuration — backend settings for S3, GCS, and Azure
- Multi-Instance Administration — instance provisioning and lifecycle management
- Secrets Management — how credentials and API keys are stored