Data residency requirements
Organizations in regulated industries, or those covered by data protection legislation, often have requirements about where their data is stored and processed. This page explains how to evaluate those requirements and choose the right Timefold Platform deployment option.
Common data residency scenarios include:
- GDPR (EU General Data Protection Regulation): personal data of EU residents must be processed in accordance with GDPR. For many organizations, this means keeping data within the EU or in countries with an adequacy decision.
- US data sovereignty: some US government, defense, or financial sector organizations require data to remain within the United States.
- Country-specific laws: organizations in countries such as Germany, France, Australia, Canada, or India may be subject to data localization laws requiring data to remain within national borders.
- HIPAA (US Health Insurance Portability and Accountability Act): healthcare organizations handling Protected Health Information (PHI) have specific requirements around where and how that data is stored and who can access it.
- Internal policy: some organizations have self-imposed policies requiring all data to remain on company-controlled infrastructure.
What data Timefold handles
It’s important to clarify what data is sent to the Timefold Platform, because the data is often less sensitive than it first appears.
The Timefold Platform receives planning problem data: a description of resources, tasks, constraints, and objectives to be optimized. Examples include delivery locations, shift schedules, or job assignments. This data:
- Isn’t inherently personal: a delivery address or a shift slot isn’t PII in isolation.
- Is submitted by your own application via the REST API using an API key.
- Is stored by Timefold for a configurable retention period (plan-dependent) and then deleted.
- Is encrypted at rest (AES-256) and in transit (TLS).
You’re responsible for ensuring that any data you send to the platform doesn’t contain unobfuscated personally identifiable information (PII) unless this is explicitly addressed in your data processing agreement with Timefold.
In practice, the best approach is to anonymize or pseudonymize identifiers before sending data to the platform, and map results back to real identifiers in your own application.
See Data security for details on how Timefold stores, encrypts, and retains your data.
GDPR
Recommended approach: Timefold Cloud EU
app.timefold.ai is hosted on Google Cloud Platform in europe-west1 (Belgium).
All customer data is stored and processed within the EU.
This deployment satisfies the most common GDPR data residency requirement.
Timefold provides a Data Processing Agreement (DPA) as part of its Terms of Use (available at timefold.ai/terms). The DPA defines how Timefold processes customer data, sub-processor relationships, and data subject rights. This is the contractual instrument for GDPR compliance.
Practical guidance
- Use app.timefold.ai, not app-us1.timefold.ai, for EU data.
- Sign the DPA; it’s included in the Terms of Use.
- Pseudonymize planning data before submission where possible. For example, replace employee names with internal IDs and map back on receipt of the solution.
- Review Timefold’s Data security and the Timefold Trust Center for audit evidence, including the ISO 27001 certificate and sub-processor list.
US data residency
Recommended approach: Timefold Cloud US
app-us1.timefold.ai is hosted in the United States.
Use this endpoint if your data must remain within the US.
The same DPA and security controls apply as for the EU deployment.
Other geographic regions
If you require data to remain in a region not covered by either Timefold Cloud endpoint, for example, Australia, Canada, Japan, or a specific country, there are two options:
Option 1: Managed service
A Managed service is a private dedicated cluster that Timefold sets up and operates in a specific region. It may be an option if you can’t use Timefold Cloud due to regional data residency requirements. This is a premium offering. Contact Timefold to discuss whether it’s available for the required region and to understand the cost and timelines involved.
Option 2: Self-hosted
You install and operate the Timefold Platform on your own infrastructure in your own region. Data never leaves your environment.
This option is only recommended when the Managed service can’t meet your needs, because it carries significant operational overhead. See Air-gapped environments for detailed self-hosting guidance.
HIPAA
Important limitation
The Timefold Cloud Platform is not designed to handle Protected Health Information (PHI). Timefold’s Terms of Service state this explicitly. Timefold doesn’t currently offer a HIPAA Business Associate Agreement (BAA) for Timefold Cloud.
Practical guidance
In most planning optimization scenarios, PHI isn’t actually required. A hospital scheduling problem, for example, can be modeled entirely with anonymized resource IDs: no patient names, diagnoses, or health records need to be sent to the optimizer. Your application maps those IDs back to real data after receiving the optimized schedule.
Before concluding that HIPAA blocks Timefold Cloud, validate the following:
- Does the planning problem data you intend to send actually contain PHI? Often it doesn’t.
- Can the data be anonymized or pseudonymized before submission? This is almost always possible and is the recommended approach.
- If, after both checks, PHI is unavoidable, then Timefold Cloud isn’t appropriate for that data.
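The pseudonymize-then-map-back approach recommended in "What data Timefold handles" and in the GDPR and HIPAA guidance above, as an added example (not Timefold code): identifiers are replaced with keyed HMAC tokens, the reverse map stays in your application, and a leak check catches real values left in free-text fields. The field names and payload shape are assumptions and do not reflect the Timefold API schema.

```python
import hashlib
import hmac
import json

# Hypothetical field names; the real ones depend on your planning model.
SENSITIVE_KEYS = {"employeeName", "patientName"}


class Pseudonymizer:
    """Replaces sensitive values with keyed tokens; the reverse map stays local."""

    def __init__(self, key: bytes, sensitive_keys=SENSITIVE_KEYS):
        self._key = key              # stays in your environment, never sent
        self._keys = set(sensitive_keys)
        self._reverse = {}           # token -> real value, kept in your application

    def _token(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "id-" + digest[:16]
        self._reverse[token] = value
        return token

    def outbound(self, node):
        """Return a copy of the payload with sensitive fields tokenized."""
        if isinstance(node, dict):
            return {k: self._token(v) if k in self._keys and isinstance(v, str)
                    else self.outbound(v) for k, v in node.items()}
        if isinstance(node, list):
            return [self.outbound(v) for v in node]
        return node

    def leaks(self, payload) -> list:
        """Real values still present anywhere in the payload, e.g. in free text."""
        text = json.dumps(payload, ensure_ascii=False)
        return sorted(v for v in set(self._reverse.values()) if v in text)

    def inbound(self, node):
        """Map tokens in a returned solution back to real values."""
        if isinstance(node, dict):
            return {k: self.inbound(v) for k, v in node.items()}
        if isinstance(node, list):
            return [self.inbound(v) for v in node]
        return self._reverse.get(node, node) if isinstance(node, str) else node


# Constructed sample payload, not the Timefold API schema.
PROBLEM = {"shifts": [{"id": "s1", "employeeName": "Ann Lee", "note": "cover for Ann Lee"},
                      {"id": "s2", "employeeName": "Raj Patel", "note": ""}]}
```

Treat a non-empty `leaks()` result as a hard stop before submission; in the sample, the free-text `note` field still carries a real name after the named fields are tokenized.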
If PHI can’t be avoided
If you genuinely can’t avoid sending PHI to the optimizer:
- A Managed service with a negotiated BAA may be possible in specific cases. Contact Timefold to discuss availability and cost.
- Self-hosting keeps all data within your own environment, where you’re responsible for HIPAA compliance. Timefold doesn’t provide a BAA for self-hosted deployments; your own HIPAA compliance program covers your infrastructure.
Summary
| Requirement | Recommended option | Notes |
|---|---|---|
| GDPR, data in the EU | Timefold Cloud ( | DPA available; ISO 27001 certified |
| Data in the United States | Timefold Cloud ( | DPA available |
| Data in a specific non-EU/US country | Contact Timefold | Managed service may be available; premium pricing applies |
| Data must not leave your network | Self-hosted | Significant operational overhead |
| HIPAA, PHI can be anonymized | Timefold Cloud | Anonymize before submission |
| HIPAA, PHI can’t be anonymized | Contact Timefold, or self-hosted | Managed service BAA may be possible; premium pricing applies |
| Internal policy: no third-party data processing | Self-hosted | Only if policy can’t be waived |