Data Residency in Cisco Webex Teams Overview

The overall goal of data residency (formerly called data locality) in Cisco Webex Teams is to keep user data in regional data centers that correspond with the organization's location. Phase 2 of the offering is available for new organizations and provides the following high-level functionality:

  • Your users have a single identity stored in your organization's geographic region. The identity service in your organization's geographic region handles client authentication requests.

    Your users can continue to meet with, message, and call users in other organizations across the globe without the need for separate accounts in foreign clusters. This means that Webex Teams does not proliferate extra personally identifiable information.

  • Encryption keys for your users are created and stored in your organization's geographic region, and the key management service (KMS) in your region handles requests for the keys to encrypt and decrypt spaces, messages, and content in Webex Teams.

  • New in Phase 2: Encrypted user-generated content (messages, whiteboards, files and related metadata) is stored in the organization's geographic region. This feature is available to new Europe, Middle East, Africa, Russia (EMEAR) organizations created after February 28, 2020.

  • We store data about your organization, such as verified domains, preferences, and security settings, in your geographic region.

  • Partners in one region can create customer organizations in any region.

  • New in Phase 2: Hybrid Data Security is now supported for organizations in the European region. This support includes both newly created phase 2 EMEAR organizations and existing phase 1 EMEAR organizations.

    Hybrid Data Security allows organizations to bring encryption key management and other security-related functions into their own premises data centers.

  • New in Phase 2: Hybrid Calling for Webex Devices is now supported for organizations in the European region. This support includes both newly created phase 2 EMEAR organizations and existing phase 1 EMEAR organizations.

    Hybrid Calling for Webex Devices provides on-premises Unified CM calling capabilities to Cisco Webex Room, Desk and Webex Board devices that are registered to the cloud.

  • New in Phase 2: Webex Video Mesh is now supported for organizations in the European region. This support includes both newly created phase 2 EMEAR organizations and existing phase 1 EMEAR organizations.

For data residency, we added a European geography (GEO) with data centers in London, Frankfurt, and Amsterdam. The existing data centers in the United States of America continue to serve North America and the "Rest of World" (RoW).

We currently don't support migrating an organization between GEOs or migrating a phase 1 organization to phase 2.

How We Determine the Data Residency Region

During provisioning, the administrator who sets up an organization sees a Country Selector drop-down menu in Control Hub. We determine the GEO region in which the organization's data resides based on the selected country.

If you have users in different countries, select the country where the majority of your users are located. To maximize user experience and minimize latency, data should be stored in the data centers closest to most users.

To determine which region a country maps to, you can download the following Microsoft Excel file and select the country name from the drop-down menu: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/wbxt/datalocality/CountryCodeGEOmapping.xlsx (The file begins to download immediately when you access the link.)

Limitations in Data Residency Phase 2

The following are limitations that exist in this phase of the data residency program, which we expect to address in a future phase of the program:

  • The following features are not available in Phase 2 for organizations that are provisioned in the European GEO:

    • Cisco Webex Calling (formerly Spark Call) (only available in North America)

    • Context Service

  • We do not support migrating an organization between GEO locations at this time. Organization data stays in the GEO in which it was created.

    We also do not support migrating a phase 1 organization to phase 2 at this time.

  • You can manage Cisco Webex Meetings sites for an EMEAR organization in Control Hub. However, data residency does not apply to Webex meeting recordings, which are stored in the cluster to which your Webex meeting site belongs.

Temporary Limitations

The following are current limitations that we expect to remove within the next three to six months.

  • Support for these additional clients is expected later:

    • Cisco Jabber (team messaging mode, Cisco Jabber Softphone for VDI, Hybrid Message Service)

  • You cannot currently enable People Insights for phase 2 EMEAR organizations.

Data Sharing, Processing, and Storage in Phase 2

The following tables describe how data is shared, processed, and stored in various scenarios for organizations created after Phase 2 release. Because Webex Teams enables collaboration amongst users in multiple organizations, the rules for storage and processing depend in some cases on the type of collaboration, and whether you enable communication with other organizations.

In each table, the following designations are used for data residency:

Global—Data may be handled at a Cisco data center in any location.

Limited—Data resides in the organization's geographic region, but copies may be created or processed in other regions as needed.

Restricted—Data resides in the organization's geographic region.

In addition to sharing, processing, and storage, for each of these activities we use certain data for the purposes of logging and auditing. This data is handled as global and includes some service and user information to help generate business metrics and usage metrics. The data stored and managed in these centralized components is governed by the Cisco Corporate Information Security guidelines, which require strict adherence related to sharing with third parties, retention, and documentation of this data.

Table 1. Control Hub Administration Activities

| Scenario | Data Involved | Shared With | Processing | Storage |
| --- | --- | --- | --- | --- |
| Create a new customer organization. | Data collected or generated to manage a customer account, including administrative email addresses, organization ID, claimed domains, associated billing information | Cisco, partner | Global | Global |
| Use and manage a customer organization; add licensed services. | Operational data such as organization settings, subscription history, product catalog, usage data, analytics, stored CSV files | Cisco, partner, administrators | Global | Global |
| Create a new user. | Universally unique identifier (UUID) | | Global | Global |

Table 2. Webex Teams User Sign-in and App Configuration

| Scenario | Data Involved | Shared With | Processing | Storage |
| --- | --- | --- | --- | --- |
| Sign in to user account. | OAuth token | Identity service | Limited | Restricted |
| | Password | Identity service | Restricted | Restricted |
| Configure and use the Webex Teams app. | Data such as mobile device ID, device name, IP address; settings such as time zone and locale; personal directory data such as first name, last name, avatar, phone number | Organization and partner administrators | Global | Restricted |
| | Personal directory data such as first name, last name, avatar, phone number | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Restricted |

* Use Control Hub to block communication with external organizations to prevent this scenario. This blocks communication with all external organizations.

Table 3. Webex Teams User Content Generation

| Scenario | Data Involved | Shared With | Processing | Storage |
| --- | --- | --- | --- | --- |
| Send a message or file, create a space, flag messages. | User-generated content | Compliance officers | Restricted | Restricted (based on space owner's region—see Space Ownership and Content Storage Region in Phase 2) |
| | | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Limited |
| | Encryption keys | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Restricted (keys are not stored outside the region) |
| | Search indexes and derived metadata required to operate the service without "leaking" user-generated content or personally identifiable information outside of the region. | | Limited | Limited |
| Share real-time media. | Voice, video, content share | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region | Limited | Limited |
| Record a meeting. | Meeting recordings stored in Webex Meetings | | Restricted (meeting host's region) | Restricted (meeting host's region) |
| Create a whiteboard. | Whiteboard content (whiteboards between organizations are co-owned) | Other users in the organization, or an external organization in the same region | Restricted | Restricted |
| | | Users from an external organization in a different region* | Limited | Limited |

* Use Control Hub to block communication with external organizations to prevent this scenario. This blocks communication with all external organizations.

Table 4. Service Integrations

| Entity | Data Involved | Shared With | Processing | Storage |
| --- | --- | --- | --- | --- |
| Calendar environment integration | Calendar meetings and events, some personally identifiable information | Membership of all spaces (within the user's organization) | Limited | Limited |
| Developer APIs | API services for developers – transparent look-up and re-direct to the appropriate region's services. | Global look-up; In-region processing | Depends on the rules of the content (as listed in previous tables) and the APIs supporting it | Depends on the rules of the content (as listed in previous tables) and the APIs supporting it |

Space Ownership and Content Storage Region in Phase 2

We store content in the region of the organization that owns the space where the content appears. Ownership depends on the type of space:

  • Group space—The owner is generally the organization of the person who created the space. We store content in the region of the owner organization.

  • Space within a team—The organization of the person who created the team owns spaces created within the team. Spaces created outside of the team and then moved into the team retain their original ownership. We store content in the region of the space owner organization.

  • Conversation between two people (nongroup space)—If the people are in different organizations, each organization owns the content that its user posts. If the conversation includes a user from the North America/RoW GEO, we store the conversation content in the North America/RoW GEO.

  • Space created by a bot—We assign ownership to the organization of the first nonbot participant, and store the content in the region of the owner organization.


    Bots aren’t currently expected to work for spaces that are owned by or have members from phase 2 EMEAR organizations. We expect to deliver this feature later.
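
The ownership rules above, modeled as a small audit helper that lists the spaces an organization's users take part in but whose content is stored in another GEO. This is an added example, not Cisco code or a Webex API: the Person and Space records, their field names and the sample data are hypothetical, and it assumes every organization involved stores user-generated content in its own GEO.

```python
from dataclasses import dataclass
from typing import List, Optional
EU, NA_ROW = "Europe", "North America/RoW"   # the two GEOs named on this page

@dataclass(frozen=True)
class Person:                 # hypothetical record, not a Webex API object
    name: str
    org: str
    geo: str                  # GEO of the person's organization
    is_bot: bool = False

@dataclass
class Space:                  # hypothetical record
    title: str
    creator: Person
    participants: List[Person]             # in join order
    direct: bool = False                   # conversation between two people
    team_creator: Optional[Person] = None  # set only if created within a team

def owner(space: Space) -> Optional[Person]:
    if space.direct:
        return None           # no single owner: each org owns what its user posts
    if space.creator.is_bot:  # bot-created: org of the first nonbot participant
        return next(p for p in space.participants if not p.is_bot)
    # A space moved into a team keeps its original owner (team_creator unset).
    return space.team_creator or space.creator

def storage_geo(space: Space) -> str:
    if not space.direct:
        return owner(space).geo
    geos = {p.geo for p in space.participants}
    return NA_ROW if NA_ROW in geos else geos.pop()  # any NA/RoW user wins

def stored_outside(spaces: List[Space], org: str, home_geo: str) -> List[str]:
    # Titles of spaces that include users of `org` but store content elsewhere.
    return [s.title for s in spaces
            if any(p.org == org for p in s.participants)
            and storage_geo(s) != home_geo]

# Constructed sample data.
alice, erik = Person("alice", "acme-eu", EU), Person("erik", "nordic-eu", EU)
bob, bot = Person("bob", "initech-us", NA_ROW), Person("helper", "botco", NA_ROW, True)
SPACES = [
    Space("moved-in", bob, [bob, alice]),       # created outside Alice's team
    Space("team-general", bob, [bob, alice], team_creator=alice),
    Space("alice-bob", alice, [alice, bob], direct=True),
    Space("alice-erik", alice, [alice, erik], direct=True),
    Space("alerts", bot, [bot, bob]),           # bot-created
]
```

For the European organization in the sample, `stored_outside(SPACES, "acme-eu", EU)` flags the space that was moved into the team and the two-person conversation with a North America/RoW user.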

Frequently Asked Questions for Data Residency

Why am I seeing a Country Selector during the organization provisioning process?

Cisco Webex is excited to provide customers the ability to localize certain Cisco Webex Teams data within “geo-based” data centers. During provisioning, the Country Selector determines which region will store a new customer organization's data. This includes organization identity, users' personal identities, encryption keys, and—for phase 2 organizations (those newly created after February 28, 2020)—user-generated content (encrypted messages, boards, files and related metadata).

Note that Webex Meetings sites can be managed through any such organization and recordings are still associated with the meetings site cluster.

Which GEO locations are currently supported?

In Phase 1, we introduced the following locations, with the intention of expanding to more later:

  1. Europe—Hosted in the data centers in London (United Kingdom), Amsterdam and Frankfurt. This region is mapped to countries in Europe, the Middle East, Africa and Russia (EMEAR).

  2. North America and Rest of the World (RoW)—Hosted in data centers in the United States.

Phase 2 is now available for organizations created after February 28, 2020. Phase 2 supports the same GEOs as phase 1 but additionally includes in-region storage of user-generated content. Currently, it is not possible to migrate an existing organization between GEOs or from phase 1 to phase 2.

What is the recommendation when selecting a country for the GEO location?

A customer’s organization data is created and maintained in the GEO location where the Webex Teams service is provisioned. During provisioning, the administrator will see a new option for selecting a country from a drop-down menu. This action permanently sets the GEO location for the organization’s users and encryption keys.

When selecting the country for an organization, consider the following recommendations:

  • If the organization's users are primarily based in one country, select that country, even if it doesn't match the business address of the organization. This will improve the user experience and minimize latency by utilizing storage in the data centers closest to the users.

  • If the users are spread across multiple countries, select the country that has the highest user count. Keep in mind that all of the organization's users will have their data stored in the associated GEO location, even those who are not located in that country or GEO.

  • Ideally, the ship-to country and country of data residency are the same.


We do not currently support migrating between GEO locations. When you create an organization in a GEO, it stays in that GEO.

We also do not support migrating a phase 1 organization to phase 2 at this time.

To check the GEO location that a particular country maps to, download the CountryCodeGEOMapping.xlsx file, open the file in Microsoft Excel, and select the country from the drop-down menu.

Can my organization's users continue to collaborate with users in other regions?

Yes. Data residency strengthens the security and compliance features of Webex Teams without compromising the simplicity of the user experience. All users on our platform can communicate globally while retaining a single user identity.

How does data residency impact compliance and visibility across GEOs?

Compliance officers continue to have 100% visibility to user content regardless of where the data is stored (based on the Webex Teams ownership model). This means that compliance capabilities like eDiscovery and cloud access security broker (CASB) integrations will continue to allow you to monitor and take action on data loss prevention events, even if your users collaborate with those from other regions. The administrator controls that are already available allow you to disable external communication as needed.