Splat Labs Enterprise customers can now choose where their geospatial data lives. Every 3D scan, Gaussian Splat, point cloud, and associated asset can be stored and processed in a specific AWS S3 region — keeping data within a chosen country or jurisdiction to meet data sovereignty, compliance, and latency requirements.
This is not a minor configuration option. It is a fundamental shift in how 3D cloud platforms handle geospatial data. Most competing platforms offer storage in a single region or at best a few fixed locations. Splat Labs Enterprise gives customers granular control over data residency — backed by AWS's global infrastructure spanning 39 regions across every inhabited continent.
Why Data Sovereignty Matters
Before we get into the technical details, it helps to clarify three concepts that are closely related but legally distinct.
- Data Residency is where data is physically stored — the geographic address of the servers. When you choose AWS
eu-central-1(Frankfurt), that is a data residency decision. - Data Sovereignty is the legal principle that data is subject to the laws of the country where it physically resides. If data sits on a server in Germany, German law governs it — regardless of where the company is headquartered.
- Data Localization refers to regulatory requirements that mandate data generated within a country be stored and processed there before — or instead of — being transferred internationally.
These distinctions matter because violating any of them can carry severe consequences.
A C-Suite Problem
Data sovereignty has shifted from a niche IT concern to a strategic business priority. The numbers tell the story.
- 137 countries have data protection laws, with many more under consideration.
- 62+ countries have explicit data localization controls — a number that doubled in just four years.
- GDPR fines can reach €20 million or 4% of global annual turnover, whichever is greater.
- In 2023, Meta was fined €1.2 billion for data localization violations — the largest GDPR fine on record.
- In 2025, TikTok was fined €530 million for unlawfully transferring EU user data to China.
- 46% of organizations now identify regulatory compliance as the most important factor when choosing a cloud provider.
Cloud strategies are shifting toward regional or in-country hosting. Vendor selection is increasingly driven by where data is stored, how it is encrypted, and what sovereignty controls are in place. This is not hypothetical — it is happening now, and it is affecting purchasing decisions at every level of enterprise procurement.
Why Geospatial Data Is Especially Sensitive
Here is the part that matters most to our customers. Geospatial data is not just another data type — it is intelligence.
The World Economic Forum has classified spatial data as one of the most impactful emerging technologies. Gartner ranked spatial computing among the most transformative technology categories. Unlike other data types, geospatial data does not just reveal "where" things are — it answers tangential questions including "when," "how," "who," and "why." It illuminates hidden patterns, forecasts events, and discloses relationships.
The Sensitivity Spectrum
Not all geospatial data carries the same risk level. Understanding where your data falls on this spectrum determines the compliance requirements you face.
- Low sensitivity: Location of a retail store, public park survey, tourist attractions. Minimal risk to privacy or national security if shared or stored outside the region.
- Moderate sensitivity: Construction site documentation, utility mapping, commercial building interiors. Subject to data residency requirements and may have specific cross-border restrictions. Partial local legal compliance required.
- Critical sensitivity: Critical infrastructure coordinates (power plants, water treatment), military installations, government facilities. Strict data localization and legal sovereignty. Data is subject to full national laws and restricted to origin country.
Specific Risks of Geospatial Data Exposure
The consequences of geospatial data falling into the wrong hands are uniquely severe:
- GPS spoofing: Attackers broadcasting false satellite signals can mislead aircraft, ships, and autonomous vehicles.
- Infrastructure vulnerability: Detailed 3D scans of critical infrastructure — bridges, power plants, pipelines — could be exploited for physical attacks.
- Corporate espionage: Travel patterns of executives, locations of critical assets, and supply chain routes become visible through geospatial data.
- Data manipulation: Malicious alteration of geospatial data can deceive critical navigation and mapping systems — arguably a greater threat than data theft.
- National security: Detailed geospatial mapping of government facilities has obvious security implications.
Industries Where This Matters Most
| Industry | Why Sovereignty Matters |
|---|---|
| Government / Defense | National security data must stay within sovereign borders. The DHS Geospatial Information Infrastructure operates as a "Sensitive But Unclassified" platform. |
| Utilities | Critical infrastructure mapping is explicitly regulated in many jurisdictions. China's Cybersecurity Law requires critical infrastructure operators to store data domestically. |
| Construction / Engineering | Large public works projects often have government data residency requirements tied to procurement contracts. |
| Transportation | Highway and transit infrastructure scans contain vulnerability data. Agencies like Caltrans often have data handling requirements. |
| Real Estate / Smart Cities | Detailed 3D models of urban environments are increasingly regulated as cities adopt digital twin programs. |
| Mining / Natural Resources | South Africa explicitly requires mirroring of data generated from national natural resources within the country. |
The Global Regulatory Landscape
The regulatory picture is complex and varies dramatically by jurisdiction. Here is what Enterprise customers need to understand.
European Union — GDPR and Beyond
The GDPR does not explicitly mandate data localization, but it imposes strict requirements on data transfers outside the EEA that create de facto localization pressure. Any transfer to a non-adequate country requires Standard Contractual Clauses, Transfer Impact Assessments, and potentially supplementary technical measures. The 2020 Schrems II ruling invalidated the EU-US Privacy Shield, forcing companies to reconsider data storage strategies. Fines reach up to €20M or 4% of global turnover.
The EU Data Act (effective September 2025) requires cloud providers to implement safeguards preventing third-country access to non-personal data stored in the EU. The EU Cloud Sovereignty Framework (October 2025) published eight sovereignty objectives for EU institutions. The NIS2 Directive tightens cybersecurity requirements across industries. DORA applies to financial services with stringent requirements for knowing exactly where data is located.
AWS has invested €7.8 billion in a new European Sovereign Cloud, with its first region in Brandenburg, Germany — operated exclusively by EU residents, with strict residency for customer data and metadata.
China
China's Cybersecurity Law (Article 37) requires critical information infrastructure operators to store data within China. The Personal Information Protection Law (PIPL) imposes strict localization and mandatory security assessments for cross-border transfers, with penalties up to 5% of global turnover. The Data Security Law classifies data by importance to national security with strict export controls on "important data."
India
The Digital Personal Data Protection Act (DPDPA) restricts cross-border data flows and supports storage localization for "critical personal data," which may only be processed within India. Penalties for violations can reach INR 2.5 billion (~€27.5 million).
United States
The US has no comprehensive federal data localization law, but a patchwork of sector-specific regulations creates significant requirements:
- Executive Order 14117 restricts transfer of Americans' bulk sensitive data to countries of concern. Precise geolocation data has a bulk threshold of just 1,000 US persons. Government-related location data has no bulk threshold at all.
- The Geospatial Data Act of 2018 codified federal geospatial data governance and the National Spatial Data Infrastructure.
- FedRAMP / GovCloud requires government data to be processed in authorized, US-only environments.
- The CLOUD Act allows US law enforcement to compel US-based companies to provide data stored overseas — a major driver of localization pressure in other jurisdictions.
This means that geospatial data companies handling US government-related location data face some of the strictest data handling requirements in the world.
Other Key Jurisdictions
| Country/Region | Key Regulation | Requirement |
|---|---|---|
| Russia | Federal Law No. 242-FZ | Personal data of Russian citizens must be stored on servers within Russia |
| Japan | APPI | Strict cross-border transfer rules; mutual adequacy with EU/EEA and UK |
| Brazil | LGPD | Requires adequate protections for cross-border transfers |
| South Korea | PIPA | Sector-specific localization for financial and health data |
| Vietnam | Cybersecurity Law | Vietnamese data must be stored locally |
| Indonesia | GR 71/2019 | Certain data categories must be stored domestically |
| Australia | Privacy Act (APPs) | Sector-specific restrictions for health and financial data |
| South Africa | POPIA | Critical infrastructure data must be stored within the country |
Data at Rest vs. Data in Motion
Both states of data matter for compliance, and a proper sovereignty architecture must address each.
Data at Rest
Data stored in databases, file systems, or object storage like S3 buckets must comply with the sovereignty laws of the jurisdiction where it physically resides. AES-256 encryption at rest is a baseline requirement. AWS S3 provides server-side encryption by default on all new objects.
Data in Motion
Data being transmitted between systems, users, or regions must be encrypted in transit with TLS 1.2+. Cross-border transfer of data in motion is where most regulatory friction occurs. Even temporary caching or processing in a foreign jurisdiction can trigger compliance obligations.
For Splat Labs customers, this distinction is practical: when a user in Germany views a Gaussian Splat, the data streaming to their browser constitutes data in motion. The storage location determines sovereignty, but the transit path also matters.
How Federation Addresses Both
By deploying storage in the same region as the customer, Splat Labs minimizes cross-border data transit. Data at rest stays in-jurisdiction. Most data in motion stays within the same region or at least within the same legal framework. This is a fundamentally cleaner architecture for compliance than a single-region global platform.
How It Works: Federation Across AWS S3 Regions
Splat Labs Enterprise leverages AWS's global infrastructure to offer customer-selected storage regions. As of early 2026, Amazon S3 is available in 39 regions worldwide.
Recommended Enterprise Regions
For most compliance scenarios, these regions cover the majority of Enterprise customer requirements:
| Region | AWS Code | Primary Use Case |
|---|---|---|
| US East (N. Virginia) | us-east-1 | Default for US customers, broadest service availability |
| Europe (Frankfurt) | eu-central-1 | GDPR compliance for EU customers |
| Europe (London) | eu-west-2 | UK data residency post-Brexit |
| Asia Pacific (Tokyo) | ap-northeast-1 | Japan market, APPI compliance |
| Asia Pacific (Sydney) | ap-southeast-2 | Australia / New Zealand market |
| Asia Pacific (Singapore) | ap-southeast-1 | Southeast Asia hub |
| Canada (Central) | ca-central-1 | Canadian data residency |
| South America (São Paulo) | sa-east-1 | LGPD compliance for Brazilian customers |
| AWS GovCloud (US) | us-gov-west-1 | US Government / FedRAMP workloads |
| Middle East (UAE) | me-central-1 | Growing GCC market |
Additional regions — including the new AWS European Sovereign Cloud in Germany, Mexico (Central), Asia Pacific (Thailand), Asia Pacific (New Zealand), and Asia Pacific (Taipei) — are available on request.
AWS Sovereignty Features We Leverage
Splat Labs Enterprise is built on AWS's sovereignty capabilities:
- AWS Digital Sovereignty Pledge: Control over data location, verifiable data access controls, encryption everywhere, and cloud resilience.
- AWS Nitro System: Hardware-enforced security boundary — nobody, including AWS employees, can access customer data running on EC2.
- S3 Server-Side Encryption: All objects encrypted at rest by default with SSE-S3, SSE-KMS, or SSE-C options.
- AWS KMS: Customer-managed encryption keys that never leave the selected region.
- VPC Endpoints for S3: Data can be accessed without traversing the public internet, keeping data in motion within AWS's private network.
- AWS CloudTrail: Audit logging of all API activity for compliance documentation.
- S3 Object Lock: Immutable storage for compliance retention requirements.
What Makes Splat Labs Different
Most competing platforms in the reality capture and 3D cloud space do not offer per-customer regional storage selection. This is a clear differentiator.
Splat Labs is the first Gaussian Splatting and 3D model hosting platform to offer:
- Customer-selected AWS S3 region for all asset storage
- Data at rest encryption within the chosen jurisdiction
- Compliance with local sovereignty requirements by design
- No cross-border data transfer unless explicitly configured
- Enterprise-grade access controls tied to regional deployments
Other platforms in this space — including Trimble Connect, Autodesk ReCap, Cintoo, and others — may offer secure storage, but none prominently feature customer-selectable multi-region sovereignty as a core capability. In a market where 46% of organizations say compliance is the number one factor in choosing a cloud provider, this matters.
Who This Is For
Splat Labs Enterprise with federated regional storage is built for organizations that:
- Operate across multiple jurisdictions and need data to stay where regulations require it
- Work with government agencies that mandate in-country data residency
- Handle critical infrastructure scans that fall under sector-specific data localization rules
- Need to demonstrate compliance to clients, auditors, or regulatory bodies
- Want to reduce latency by storing data closer to end users
If your team is scanning bridges in Germany, government buildings in Japan, or mining operations in South Africa — your data should stay where your projects are. Now it can.
Get Started
Splat Labs offers plans for teams of every size. Create a free account to explore the platform with two projects. For Enterprise pricing with federated regional storage, contact our sales team.
