Skip to main content

Privacy

We respect your privacy and follow industry standards to protect your personal information. Learn more about how your data is processed, transferred, and stored.

HCP data location overview

While some local, country-specific data privacy laws may require you to store your own data, the leading industry standards for data privacy encourage you to understand what data is stored and the shared responsibility for protecting that data.

HashiCorp's products and services give you different options to manage data storage, including selecting the regions you want to store specific data in.

Organizations can choose their cloud providers and regions for HCP Consul and HCP Vault to optimize network latency between these services and their applications and infrastructure. While this data is stored within the selected region, some data will also be transferred back to the United States for processing and storage.

Supported cloud provider and regions

When you create an HCP Consul or HCP Vault cluster, you must specify the cloud provider and region to host the cluster. The following tables lists the geographical boundary where data that can be stored is hosted.

Refer to the Product-specific data section for which product-specific data is stored.

AWS regions

You can select from the following AWS regions to host your HCP Consul or HCP Vault clusters.

Region
Name
Available HCP Services
Oregon
us-west-2
Consul, Vault
Virginia
us-east-1
Consul, Vault
Ohio
us-east-2
Consul, Vault
Canada (Central)
ca-central-1
Consul, Vault
Ireland
eu-west-1
Consul, Vault
London
eu-west-2
Consul, Vault
Frankfurt
eu-central-1
Consul, Vault
Tokyo
ap-northeast-1
Consul, Vault
Singapore
ap-southeast-1
Consul, Vault
Sydney
ap-southeast-2
Consul, Vault

Azure Regions

You can select from the following Azure regions to host your HCP Consul or HCP Vault clusters.

Region
Name
Available HCP Services
West US 2
westus2
Consul, Vault
Central US
centralus
Consul, Vault
East US
eastus
Consul, Vault
East US 2
eastus2
Consul, Vault
Canada Central
canadacentral
Consul, Vault
Canada East
canadaeast
Vault
West Europe
westeurope
Consul, Vault
North Europe
northeurope
Consul, Vault
France Central
francecentral
Consul, Vault
UK South
uksouth
Consul, Vault
South East Asia
southeastasia
Consul, Vault
Japan East
japaneast
Consul, Vault
Australia SouthEast
australiasoutheast
Consul, Vault

Product-specific data

This section details the product-specific data that HashiCorp stores and where it resides.

HCP Boundary

All customer data, including audit logs and backup snapshots, is stored in the United States. Customers cannot choose a different hosting location.

HCP Consul Dedicated

The following data will be stored in the region you selected. However, there is no guarantee that the data will remain here. For example, processing of audit logs for download involves data moving across regions.

  • Product encrypted snapshots

  • Operational (platform) logging

  • Operational metrics

  • Configuration data

  • Audit logs

HCP Packer

All customer data, including audit logs and backup snapshots, is stored in the United States. Customers cannot choose a different hosting location.

HCP Vault Radar

All customer data, including audit logs and backup snapshots, is stored in the United States. Customers cannot choose a different hosting location.

HCP Vault Dedicated

The following data will be stored in the region you selected. However, there is no guarantee that the data will remain here. For example, processing of audit logs for download involves data moving across regions.

  • Product Analytics

  • Customer-driven analytics

  • KMS keys

  • Operational metrics

  • Configuration data

  • Audit logs

HCP Terraform

HCP Terraform is a multi-tenant service. Customer data is stored in the United States. Customers cannot choose a different hosting location.

Shared cloud services

User identity, billing, and operational information services that serve all products cannot be pinned to a region. We do not offer local storage of these services and the user account information in them. We only host this data within the United States to meet our customers' performance requirements. As such, we cannot support strict data residency to these services' data.

GDPR/CCPA compliance

HashiCorp is committed to protecting the privacy of individuals. We have built a global privacy program to adhere to the most stringent and applicable data protection requirements, such as the EU and UK General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA). A few of our key compliance activities include, but are not limited to:

  • Publishing a compliant and readily available Privacy Policy.

  • Establishing a data subject rights request process for individuals.

  • Requiring a duty of confidentiality of personnel with access to personal data.

  • Implementing and maintaining appropriate technical and organizational measures and providing an annual certification that evidences compliance with this obligation.

  • Performing a privacy risk review of all third parties with access to personal data, requiring execution of a Data Protection Addendum (DPA).

  • Complying with Standard Contractual Clauses concerning personal data transfers.

Data subprocessors

HashiCorp uses third parties or subprocessors to process personal HashiCorp customers' data in order to deliver and support our products or services. We perform privacy risk reviews on all subprocessors and require them to satisfy equivalent obligations as those that apply legally or contractually to HashiCorp as a data processor (within a DPA). For more details on our subprocessors and our due diligence process, refer to the subprocessors page.

HCP Europe Data Location, Transfer, Purpose, and Processing

The table below shows how categories of data are handled, from where it resides to its purpose and processing details.

Category

Examples

Data Location

Purpose & Processing Details

Terraform Application Data 

Terraform state, environment variables, Sentinel policies.

Stored in Europe

Primary data for your infrastructure as code. 

Authentication

User account data (ID, name, email), 2FA recovery codes, SSH keys, OAuth tokens.

Transferred to US

For consistent user experience, account administration, and billing.

Logs

Application logs, metrics, traces.

Stored in Europe

Service performance monitoring and troubleshooting


Logs may be transferred to the US or accessed by authorized personnel outside the Europe.

Only data attributes essential for operational purposes are transferred (see Note 1) 

Security Telemetry

Log entries & metadata from your Europe region.

Transferred to US 

For security threat detection and incident investigation. 

Only data attributes essential for operational purposes are transferred (see Note 1) 

Product Analytics Data 

Aggregated usage data, feature adoption metrics.

Transferred to US

For service performance and feature improvement. Data is aggregated/de-identified before processing.

Usage Metrics

Aggregated data on user actions, consumption for billing.

Transferred to US

For consistent billing and business operations.

Support Data

Information provided in a support 

ticket.

Transferred to US

For global support.

Only data attributes essential for operational purposes are transferred (see Note 1) 

Data Subject Rights Requests Data 

Data for complying with data subject rights requests under global data privacy laws.

Transferred to US 

For centralized facilitation of data subject rights requests

Note 1 HashiCorp may transfer customer data outside Europe for necessary operational or security monitoring. When we do, any customer data not strictly required for business purposes like security, support, or billing is automatically redacted. Authorized personnel outside Europe may access your data, but this access is limited to specific roles and is not used to store or save your data. To ensure full transparency and security, all access is tracked and auditable.