Data residency and GDPR for agencies: how BYOC helps
A BYOC (Bring Your Own Cloud) model helps GDPR and data residency by writing client CRM data to a database on your own Cloudflare account, in a region you choose, instead of a shared database the vendor controls. That shortens the sub-processor chain and gives you an inspectable answer to 'where does this record live' — but it doesn't remove your own DPA obligations; confirm those with counsel.
A BYOC (Bring Your Own Cloud) model helps GDPR compliance by moving your client CRM data into a database on your own cloud account, in a region you choose, instead of a shared database the software vendor controls. That turns “where does this client’s data live, and who else can reach it” from a policy statement you take on trust into a resource you can point to in your own Cloudflare dashboard. It does not make your DPA obligations disappear — you’re still the data controller, and you should still confirm your own sub-processor documentation with counsel — but it genuinely shortens the chain of custody for the data that matters most.
This post is about the mechanism, not a compliance guarantee. If you run an agency handling EU client data, here’s what actually changes.
Why agencies feel the GDPR sub-processor question more than most businesses
If you run an agency, your client’s personal data — contact details, deal notes, calendar entries, sometimes billing information — is not incidental to your business. It is the business. And it usually passes through several layers before it’s “yours”:
- Your CRM vendor’s database.
- That vendor’s own sub-processors (hosting, email delivery, AI features).
- Your project management tool, often a separate vendor with its own list.
- Your invoicing tool, often a third.
Every one of those is a sub-processor you have to document, and every one of them can ask you to update your Article 30 records or your clients’ Article 28 disclosures when their infrastructure changes. Consolidating tools helps (fewer vendors to track), but it doesn’t answer the harder question clients and auditors increasingly ask directly: where, physically and jurisdictionally, does this specific record live, and who besides you can read it?
For a conventional multi-tenant SaaS, the honest answer is “in our shared database, alongside every other customer’s data, in whatever region we picked.” That’s not a violation of anything by itself — plenty of compliant SaaS products work exactly this way, with proper DPAs and sub-processor lists. But it means residency is a policy choice made by the vendor, and you’re trusting that policy rather than pointing at a resource you control.
What “sub-processor chain” means in practice
A sub-processor, under GDPR, is any third party your vendor uses to process personal data on your behalf — their cloud host, their email provider, their AI vendor if they’re piping data through one. Article 28 requires you (the controller) to know who they are, and requires your vendor (the processor) to flow the same obligations down to each of them.
The chain gets longer, not shorter, as software gets more “all-in-one” in the conventional sense: one central vendor now touches your CRM, projects, and billing at once, and every downstream infrastructure decision they make (a new hosting region, a new AI provider) is a sub-processor change you have to track on their behalf. Consolidation without ownership just centralises the risk in one vendor instead of three.
How does sSystm’s BYOC model change this?
sSystm is built around a different default for the CRM layer: there’s no central database the vendor owns for your contacts, companies, deals, tasks and calendar. When your organisation connects its own Cloudflare account, a dedicated D1 database is provisioned there, and a BYOC-aware data layer in the API routes reads and writes for that org to that database instead of sSystm’s shared one.
Concretely, in the API this is a routing decision made per request: if your organisation has a working Cloudflare connection, the CRM scope resolves your Cloudflare API token (stored encrypted, decrypted only per-request) and talks to your own D1 instance; if not, it falls back to the central database the same way any non-BYOC customer’s data would be handled. Crucially, this is fail-closed, not fail-open: if your organisation is connected but the stored token can no longer reach your account (revoked, expired, misconfig), the request errors out and asks you to reconnect — it does not silently write your CRM data into the shared central database as a fallback. A broken connection degrades to “you have to fix the connection,” not “your residency guarantee quietly breaks.”
That single design decision means the sub-processor picture for your CRM records looks different: instead of “sSystm, plus sSystm’s infrastructure providers,” the database itself sits on infrastructure you already have a direct relationship with (Cloudflare, on your own account), in the region you picked when you connected it.
What data actually moves under BYOC, and what stays central — be precise about it
It’s worth being exact here, because “BYOC” can be marketed loosely elsewhere and we’d rather you know precisely what today’s split covers before you rely on it for a compliance conversation:
| Data | Where it lives today |
|---|---|
| CRM contacts, companies, deals | Your own Cloudflare D1 if connected, otherwise central |
| Tasks, calendar entries | Your own Cloudflare D1 if connected, otherwise central |
| Projects, documents | sSystm’s central platform database |
| Invoices, quotes, billing line items | sSystm’s central platform database |
| Design systems, brand assets, routines | sSystm’s central platform database |
| Org metadata, entitlements, AI-credit ledger | sSystm’s central platform database (always) |
| Workers/code you build in the Build module | Deployed to your own Cloudflare account |
The CRM layer is where the bulk of client personal data concentrates — the names, emails and deal notes that GDPR is squarely about — and that’s the layer BYOC covers today. Project titles, document contents and invoice line items currently live centrally alongside genuine platform metadata (your org’s plan, entitlements, usage ledger). If your compliance review needs the whole workspace on your own infrastructure, ask about the current state of that split before you rely on it — architecture evolves, and this is exactly the kind of claim worth re-verifying rather than taking from a blog post.
Does this mean sSystm isn’t a sub-processor at all?
No, and we won’t claim otherwise. sSystm still operates the software that reads and writes to your database, still runs the platform’s central metadata store, and still counts as a processor under GDPR for the data it touches. What BYOC changes is the custody of your CRM records specifically — they sit in a database you provisioned, under your account, not in a database sSystm operates for every customer at once. That’s a real reduction in blast radius and in the number of parties who have technical access to that data, but it is not a substitute for your own DPA, your own Article 30 records, or your own legal review of what “processor” means for your specific regulatory exposure. If GDPR compliance is a live question for your agency, talk to counsel about what documentation you need regardless of which vendor you choose.
How do you prove where your data lives — to a client, or an auditor?
Two concrete things, beyond a policy statement:
- The database is a resource in your own Cloudflare dashboard, not an abstraction. You can show a client or an auditor the actual account and region it lives in, the same way you’d show them any other piece of your own infrastructure.
- An on-demand export. sSystm exposes an owner-only data export endpoint that produces a full JSON snapshot of your workspace — CRM records, projects, documents, billing history — in one request. That’s useful both as your own backup and as evidence you can hand to a client who asks “can you show me what you hold on us.”
Neither of these is a certification. They’re the kind of concrete artefact that makes a residency conversation go from “we trust the vendor’s policy” to “here’s the resource, here’s the export” — which is generally what clients and auditors actually want to see.
A checklist for evaluating agency software on data residency
Before you tell a client (or write into a DPA) where their data lives, confirm the following about any tool you use — sSystm included:
- Is the database dedicated to my organisation, or shared with every tenant? Dedicated-but-vendor-owned is isolation; it’s not the same as data being on your own account.
- Whose cloud account does it sit on — the vendor’s, or mine?
- Can I choose the region, and is that a real provisioning choice or a marketing claim?
- What happens if the connection to my account breaks — does the vendor fail closed, or silently fall back to a shared store?
- Which specific data categories are covered — all of it, or a subset? (Get the honest answer, not the marketing one.)
- Do I still need my own DPA and sub-processor documentation? Yes, always — no architecture removes that requirement, it only changes what goes into it.
Where this leaves you
BYOC doesn’t turn GDPR compliance into someone else’s problem — it never can, because you remain the controller of your clients’ data regardless of where the bytes sit. What it does is shorten the chain for the layer of data that matters most (client CRM records), give you a concrete resource to point to instead of a policy to trust, and fail closed instead of silently breaking your residency guarantee if a connection drops. Read more about the underlying architecture in what a BYOC agency OS is and the security and data model, see how the connection itself works in how sSystm works, and check the module catalogue for what runs on your own account today.
Frequently asked questions
Does BYOC remove the need for a DPA with sSystm?
No. sSystm still processes data as part of operating the software, so a Data Processing Agreement still applies. What changes is what the DPA covers: the CRM records that move to your own Cloudflare account under BYOC are no longer sitting in sSystm's central database, which shortens the sub-processor chain for that specific data. Confirm your exact DPA and sub-processor documentation needs with your own counsel.
What client data actually moves to our own Cloudflare account under BYOC?
Today that is the CRM layer — contacts, companies, deals, tasks and calendar entries — which is routed through a BYOC-aware data layer that reads and writes to your own D1 database when one is connected. Projects, documents, billing/invoice records, design systems and routines currently live in sSystm's central platform database regardless of BYOC status, alongside org metadata, entitlements and the AI-credit ledger.
Can we pin our data to an EU region?
Yes — because the database is provisioned on your own Cloudflare account at connection time, you choose the region Cloudflare creates it in, the same way you'd choose a region for any resource on your own cloud account.
What happens if our Cloudflare connection breaks — does data silently fall back to a shared database?
No. sSystm is built to fail closed on a broken BYOC connection: if a Cloudflare token can't be used to reach your database, the request fails with an error asking you to reconnect, rather than silently writing to a central database and breaking your residency guarantee.
How do we prove where our data lives, for our own clients or auditors?
You can point to the database in your own Cloudflare dashboard — it's not an abstract promise, it's a resource under your account. sSystm also provides an owner-only data export endpoint that produces a full JSON snapshot of your workspace data on demand, which is useful evidence for your own records or a client's due-diligence request.
sSystm is the first BYOC agency OS — your clients, your code and your cloud on your own Cloudflare account, with your AI working the whole workspace over MCP.
Join the waitlist