Data Residency in Webex Overview

The overall goal of data residency (formerly called data locality) in Webex is to keep user data in regional data centers that correspond with the organization's location. This offering is available for new organizations and provides the following high-level functionality:

  • Your users have a single identity stored in your organization's geographic region. The identity service in your organization's geographic region handles client authentication requests.

    Your users can continue to meet with, message, and call users in other organizations across the globe without the need for separate accounts in foreign clusters. This means that Webex does not proliferate extra personally identifiable information.

  • Encryption keys for your users are created and stored in your organization's geographic region, and the key management service (KMS) in your region handles requests for the keys to encrypt and decrypt spaces, messages, and content in Webex.

  • Encrypted user-generated content (messages, whiteboards, files and related metadata) is stored in the organization's geographic region. This feature is available to new Europe, Middle East, Africa, Russia (EMEAR) organizations created after February 28, 2020.

  • We store data about your organization, such as verified domains, preferences, and security settings, in your geographic region.

  • Partners in one region can create customer organizations in any region.

  • Hybrid Data Security is now supported for organizations in the European region.

    Hybrid Data Security allows organizations to bring encryption key management and other security-related functions into their own premises data centers.

  • Hybrid Calling for Webex Devices is now supported for organizations in the European region.

    Hybrid Calling for Webex Devices provides on-premises Unified CM calling capabilities to Cisco Webex Room, Desk and Webex Board devices that are registered to the cloud.

  • Webex Video Mesh is now supported for organizations in the European region.

For data residency, we added a European geography (GEO) with data centers in London, Frankfurt, and Amsterdam. The existing data centers in the United States of America continue to serve North America and the "Rest of World" (RoW).

How We Determine the Data Residency Region

Messaging Data Residency

During provisioning, the administrator who sets up an organization sees a Country Selector drop-down menu in Control Hub. We determine the geographic region in which the organization's data resides based on the selected country. When you create a trial and select a country that maps to the European region, the organization's user-generated content is stored in that region, along with the user identities and encryption keys.

To determine which region a country maps to, you can download the following Microsoft Excel file and select the country name from the drop-down menu: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/wbxt/datalocality/CountryCodeGEOmapping.xlsx (The file begins to download immediately when you access the link.)

Meetings Data Residency

Meetings data is stored in a data center based on the time zone that you select for a Webex Meetings site during provisioning. If you select a time zone from one of the European Union cities, then the Meetings data will reside in the data center in Frankfurt. Meetings data for other time zones outside of the European Union will reside in whichever data center is closest to the selected city.


At Cisco, we're committed to the protection and privacy of our customers’ data and personal information. The new data center in Frankfurt, Germany is part of this effort and complements existing data centers in the region, providing additional opportunities to host data in the EU. Starting July 2021, new Webex customers from Europe will be provisioned to the data center in the EU. We also have a migration plan in place to provide existing customers with more flexibility, and to manage your meetings data migration from the data center in London to the one in Frankfurt through Control Hub.

Data Sharing, Processing, and Storage

The following tables describe how data is shared, processed, and stored in various scenarios. Because Webex enables collaboration amongst users in multiple organizations, the rules for storage and processing depend in some cases on the type of collaboration, and whether you enable communication with other organizations.

In each table, the following designations are used for data residency:

Global—Data may be handled at a Cisco data center in any location.

Limited—Data resides in the organization's geographic region, but copies may be created or processed in other regions as needed.

Restricted—Data resides in the organization's geographic region.

In addition to sharing, processing, and storage, for each of these activities we use certain data for the purposes of logging and auditing. This data is handled as global and includes some service and user information to help generate business metrics and usage metrics. The data stored and managed in these centralized components is governed by the Cisco Corporate Information Security guidelines, which require strict adherence related to sharing with third parties, retention, and documentation of this data.

Table 1. Control Hub Administration Activities

| Scenario | Data Involved | Shared With | Processing | Storage |
|---|---|---|---|---|
| Create a new customer organization. | Data collected or generated to manage a customer account, including administrative email addresses, organization ID, claimed domains, associated billing information | Cisco, partner | Global | Global |
| Use and manage a customer organization; add licensed services. | Operational data such as organization settings, subscription history, product catalog, usage data, analytics, stored CSV files | Cisco, partner, administrators | Global | Global |
| Create a new user. | Universally unique identifier (UUID) | | Global | Global |

Table 2. Webex User Sign-in and App Configuration

| Scenario | Data Involved | Shared With | Processing | Storage |
|---|---|---|---|---|
| Sign in to user account. | OAuth token | Identity service | Limited | Restricted |
| | Password | Identity service | Restricted | Restricted |
| Configure and use the Webex app. | Data such as mobile device ID, device name, IP address; settings such as time zone and locale; personal directory data such as first name, last name, avatar, phone number | Organization and partner administrators | Global | Restricted |
| | Personal directory data such as first name, last name, avatar, phone number | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Restricted |

* Use Control Hub to block communication with external organizations to prevent this scenario. This blocks communication with all external organizations.

Table 3. Webex User Content Generation

| Scenario | Data Involved | Shared With | Processing | Storage |
|---|---|---|---|---|
| Send a message or file, create a space, flag messages. | User-generated content | Compliance officers | Restricted | Restricted (based on space owner's region—see Space Ownership and Content Storage Region) |
| | | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Limited |
| | Encryption keys | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Restricted (keys are not stored outside the region) |
| | Search indexes and derived metadata required to operate the service without "leaking" user-generated content or personally identifiable information outside of the region. | | Limited | Limited |
| Share real-time media. | Voice, video, content share | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region | Limited | Limited |
| Record a meeting. | Meeting recordings stored in Webex Meetings | | Restricted (meeting host's region) | Restricted (meeting host's region) |
| Create a whiteboard. | Whiteboard content (whiteboards between organizations are co-owned) | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Limited |

* Use Control Hub to block communication with external organizations to prevent this scenario. This blocks communication with all external organizations.

Table 4. Service Integrations

| Entity | Data Involved | Shared With | Processing | Storage |
|---|---|---|---|---|
| Calendar environment integration | Calendar meetings and events, some personally identifiable information | Membership of all spaces (within the user's organization) | Limited | Limited |
| Developer APIs | API services for developers – transparent look-up and re-direct to the appropriate region's services; Global look-up; In-region processing | | Depends on the rules of the content (as listed in previous tables) and the APIs supporting it | Depends on the rules of the content (as listed in previous tables) and the APIs supporting it |

Space Ownership and Content Storage Region

We store content in the region of the organization that owns the space where the content appears. Ownership depends on the type of space:

  • Group space—The owner is generally the organization of the person who created the space. We store content in the region of the owner organization.

  • Space within a team—The organization of the person who created the team owns spaces created within the team. Spaces created outside of the team and then moved into the team retain their original ownership. We store content in the region of the space owner organization.

  • Conversation between two people (nongroup space)—If the people are in different organizations, each organization owns the content that its user posts. If the conversation includes a user from the North America/RoW GEO, we store the conversation content in the North America/RoW GEO.

  • Space created by a bot—We assign ownership to the organization of the first nonbot participant, and store the content in the region of the owner organization.


    Bots aren’t currently expected to work for spaces that are owned by or have members from EMEAR organizations. We expect to deliver this feature later.
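The ownership rules above lend themselves to an audit of which spaces keep an organization's content outside its own GEO. The following Python is an added example, not Cisco code or a Webex API. Assumptions: the `Space` record, the organization names and the inventory are hypothetical; group-space ownership is taken to be the creator's organization (the page says "generally"); a two-person conversation with no North America/RoW participant is assumed to stay in Europe under the general owner-region rule.

```python
from collections import namedtuple
from dataclasses import dataclass, field

EU, NA_ROW = "Europe", "North America/RoW"      # the two GEOs the page names
Member = namedtuple("Member", ["org", "is_bot"], defaults=[False])

@dataclass
class Space:                     # hypothetical inventory record, not a Webex API object
    kind: str                    # "group" | "team" | "direct" | "bot"
    members: list = field(default_factory=list)   # Member tuples, in join order
    creator_org: str = ""        # org of the person who created the space
    team_org: str = ""           # org of the person who created the team
    moved_in: bool = False       # True: created outside the team, moved in later

def owner_org(space):
    """Owning organization under the page's four rules; None when ownership is per post."""
    if space.kind == "group":
        return space.creator_org
    if space.kind == "team":     # spaces moved into a team keep their original owner
        return space.creator_org if space.moved_in else space.team_org
    if space.kind == "bot":      # organization of the first non-bot participant
        return next((m.org for m in space.members if not m.is_bot), None)
    if space.kind != "direct":
        raise ValueError(f"unknown space kind: {space.kind}")
    return None                  # direct: each org owns what its own user posts

def storage_region(space, org_geo):
    """GEO that stores the space's content, given an org -> GEO mapping."""
    if space.kind == "direct":   # any NA/RoW participant puts the conversation there
        geos = {org_geo[m.org] for m in space.members}
        return NA_ROW if NA_ROW in geos else EU
    return org_geo.get(owner_org(space))   # None when the owner is unknown

def stored_outside_home(spaces, org_geo, home_org):
    """Spaces with a home_org member whose content is stored in another GEO."""
    return [name for name, s in spaces.items()
            if any(m.org == home_org for m in s.members)
            and storage_region(s, org_geo) != org_geo[home_org]]

# Constructed sample inventory: organization and space names are invented.
ORG_GEO = {"acme-eu": EU, "initech-eu": EU, "globex-us": NA_ROW, "umbrella-us": NA_ROW}
eu, us = Member("acme-eu"), Member("globex-us")
SPACES = {
    "project-x":    Space("group", [us, eu], creator_org="globex-us"),
    "team-general": Space("team", [eu, us], team_org="acme-eu"),
    "moved-in":     Space("team", [eu, us], creator_org="globex-us", team_org="acme-eu", moved_in=True),
    "dm-us":        Space("direct", [eu, us]),
    "dm-eu":        Space("direct", [eu, Member("initech-eu")]),
    "helpdesk":     Space("bot", [Member("botco", True), us, Member("umbrella-us")]),
}
```

Calling `stored_outside_home(SPACES, ORG_GEO, "acme-eu")` lists the spaces a European organization's users belong to whose content is held in the North America/RoW GEO, which is the set to review when deciding whether to block external communication in Control Hub.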

Frequently Asked Questions for Data Residency

Why am I seeing a Country Selector during the organization provisioning process?

Cisco Webex is excited to provide customers the ability to localize certain Webex data within “geo-based” data centers. During provisioning, the Country Selector determines which region will store a new customer organization's data. This includes organization identity, users' personal identities, encryption keys, and user-generated content (encrypted messages, boards, files and related metadata).

Note that Webex Meetings sites can be managed through any such organization and recordings are still associated with the meetings site cluster.

Which GEO locations are currently supported?

We introduced the following locations, with the intention of expanding to more later:

  1. Europe—Hosted in the data centers in London (United Kingdom), Amsterdam and Frankfurt. This region is mapped to countries in Europe, the Middle East, Africa and Russia (EMEAR).

  2. North America and Rest of the World (RoW)—Hosted in data centers in the United States.

What is the recommendation when selecting a country for the GEO location?

A customer’s organization data is created and maintained in the GEO location where the Webex service is provisioned. During provisioning, the administrator will see a new option for selecting a country from a drop-down menu. This action permanently sets the GEO location for the organization’s users and encryption keys.

When selecting the country for an organization, consider the following recommendations:

  • If the organization's users are primarily based in one country, select that country, even if it doesn't match the business address of the organization. This will improve the user experience and minimize latency by utilizing storage in the data centers closest to the users.

  • If the users are spread across multiple countries, select the country that has the highest user count. Keep in mind that all of the organization's users will have their data stored in the associated GEO location, even those who are not located in that country or GEO.

  • Ideally, the ship-to country and country of data residency are the same.


We do not currently support migrating between GEO locations. When you create an organization in a GEO, it stays in that GEO.

To check the GEO location that a particular country maps to, download the CountryCodeGEOMapping.xlsx file, open the file in Microsoft Excel, and select the country from the drop-down menu.

Can my organization's users continue to collaborate with users in other regions?

Yes. Data residency strengthens the security and compliance features of Webex without compromising the simplicity of the user experience. All users on our platform can communicate globally while retaining a single user identity.

How does data residency impact compliance and visibility across GEOs?

Compliance officers continue to have 100% visibility to user content regardless of where the data is stored (based on the Webex ownership model). This means that compliance capabilities like eDiscovery and cloud access security broker (CASB) integrations will continue to allow you to monitor and take action on data loss prevention events, even if your users collaborate with those from other regions. The administrator controls that are already available allow you to disable external communication as needed.