All posts
June 22, 20264 min read

Data Residency for Non-Human Identities

Many assume that storing service‑account tokens in a central vault automatically satisfies data residency requirements, but the reality is more nuanced. In most organizations, non‑human identities, CI/CD runners, automation bots, and service accounts, use long‑lived keys that sit in repositories or on shared file shares. Those keys let the identity connect directly to databases, APIs, and internal services. Because the runner talks straight to the target, engineers cannot see where the data tra

Free White Paper

Non-Human Identity Management + Data Residency Requirements: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many assume that storing service‑account tokens in a central vault automatically satisfies data residency requirements, but the reality is more nuanced.

In most organizations, non‑human identities, CI/CD runners, automation bots, and service accounts, use long‑lived keys that sit in repositories or on shared file shares. Those keys let the identity connect directly to databases, APIs, and internal services. Because the runner talks straight to the target, engineers cannot see where the data travels, and they cannot guarantee that the request stays inside the approved jurisdiction.

Regulators now require that any personal or sensitive data processed by automated workloads remain within specific geographic boundaries. That requirement applies to the bots that move data as much as it applies to human users. If a CI job running in a cloud region outside the allowed zone writes logs to a database in another region, the organization may breach data residency rules, even though the credentials never left the vault.

Relying only on secret‑management tools answers the question “who can use the credential.” It does not answer “where the data flows.” The request still reaches the target directly, bypassing any checkpoint that could verify residency, mask region‑restricted fields, or demand an approval before crossing a border.

Why the data path matters for data residency

To enforce residency, the policy must sit where the traffic moves. Placing control in the data path lets the system inspect each request, compare the source and destination regions, and enforce rules before the payload leaves the trusted network. Without a gateway, a request can tunnel through any network the runner can reach, making it impossible to guarantee that the data never leaves the approved geography.

In practice, every call from a non‑human identity should be proxied through a component that can:

  • Identify the caller and read its residency constraints.
  • Validate the target’s location against those constraints.
  • Block or reroute the request if it would violate policy.
  • Record the interaction for audit and replay.
  • Apply inline masking to any fields that are not allowed to leave the jurisdiction.

Introducing hoop.dev as the residency‑enforcing gateway

hoop.dev provides the required data‑path enforcement. It sits between the non‑human identity and the infrastructure target, acting as a Layer 7 proxy that understands the wire protocol of databases, SSH, HTTP APIs, and Kubernetes. Because the gateway terminates the connection, it can enforce residency policies on every request.

Setup – Non‑human identities authenticate to hoop.dev with OIDC or SAML tokens that carry the identity’s group membership and residency attributes. The organization’s identity provider issues the token, so the gateway knows which geographic constraints apply to each service account.

The data path – After authentication, hoop.dev routes the request through its agent that runs inside the customer network. The gateway inspects the protocol payload, determines the target’s region, and applies the residency rule set. If the request would cross a forbidden border, hoop.dev blocks it and returns a clear error.

Continue reading? Get the full guide.

Non-Human Identity Management + Data Residency Requirements: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Enforcement outcomes – hoop.dev records each session, preserving an audit trail that shows which non‑human identity accessed which resource, from where, and what data was returned. It masks region‑restricted columns in database responses, ensuring that even an allowed query never leaks data outside the approved geography. For any cross‑region operation, hoop.dev can trigger a human approval workflow, turning a potential violation into a controlled exception.

Because enforcement lives in the gateway, the underlying service does not need to change. Existing CI pipelines, automation scripts, and bots keep using their familiar clients (psql, kubectl, curl) while hoop.dev silently enforces the residency policy.

Designing residency policies

Start by tagging each non‑human identity with the regions it may operate in. Most identity providers let you add custom attributes to service‑account tokens; use those attributes to encode allowed regions. Next, label each target resource with its actual hosting region. hoop.dev reads both tags at request time and compares them. If the allowed‑region list does not contain the target’s region, the gateway denies the request.

You can also create “soft” policies that allow cross‑region access only after a manual approval step. hoop.dev’s approval workflow integrates with common ticketing systems, so an engineer can grant a one‑time exception without granting permanent rights.

Operational workflow

  1. A CI job starts and obtains an OIDC token for its service account.
  2. The token includes a claim that lists the permitted regions, for example us-east-1 and eu-west-1.
  3. The job points its database client at the DNS name that resolves to the hoop.dev gateway.
  4. hoop.dev authenticates the token, reads the allowed regions, and looks up the target database’s region.
  5. If the regions match, hoop.dev forwards the query; otherwise it blocks or routes to an approval step.
  6. Every interaction is logged, and any masked fields are redacted before the response reaches the job.

This flow gives you visibility and control without rewriting automation code.

Benefits and trade‑offs

By moving enforcement to the data path, you gain:

  • Continuous evidence of residency compliance for auditors.
  • Real‑time blocking of illegal cross‑region traffic.
  • Fine‑grained masking that protects region‑restricted fields.
  • Just‑in‑time approvals that reduce the need for permanent privileged accounts.

The main trade‑off is the added hop in the network path. hoop.dev runs close to the target, so latency impact is minimal, and the security benefits usually outweigh the performance cost.

For a quick start, see the getting‑started guide. The learn section dives deeper into policy definition, masking, and audit‑trail configuration.

FAQ

Can hoop.dev enforce residency for cloud‑hosted databases?
Yes. The gateway knows the endpoint’s region from the connection metadata and compares it to the caller’s allowed regions before forwarding the query.

What happens to existing service‑account keys?
They remain the credential used to talk to the target, but hoop.dev stores them internally. The non‑human identity never sees the key, and every use is logged.

Do automation scripts need code changes?
No. Scripts continue to point at the original host address; you update the DNS entry to resolve to the hoop.dev gateway, which then proxies the traffic.

Explore the source code on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot