RegulusDataResidencyPlugin¶
In one sentence¶
Validates that every wired SessionService / MemoryService /
ArtifactService + model endpoint sits in an allowed region — at startup,
fail-closed — and re-checks at runtime.
Who does it apply to?¶
Anyone covered by GDPR, UK GDPR, DORA, FCA SYSC 13, PRA SS2/21 §6, NHS DSPT 8.x, EHDS Chapter III. Effectively, every regulated AI agent.
The two-minute explainer¶
The plugin runs two checks:
- Startup. Triggered by the Regulus Spring starter (or by your own
bootstrap if you wire plugins by hand). Inspects each wired service's
configured region and refuses to activate the
Appif any sits outside the allowlist. - Per call. A
BeforeAgentCallbackre-validates the wired services' current configuration. Defensive — catches the (rare) case of runtime rewiring.
The allowlist comes from two sources, with the YAML overriding the profile default:
ResidencyPolicy.allowedRegions()on the active composite profile.regulus.adk.residency.allowed-regionsin YAML.
If both are empty, the plugin is permissive — useful for non-personal-data internal agents. Most deployments populate one or the other.
What it actually requires of an engineer¶
- Configure the regions your tenant is allowed to operate in.
- Ensure the Firestore / GCS / Vertex AI region matches before deploy.
- If CMEK is required by the profile (
dora,nhs-dspt,fca-sysc,pra-*), supply a key name.
What Regulus does for you¶
- Fail-closed startup. No "we'll warn in the logs" mode.
- Per-call re-check.
- Audit event on any blocked invocation.
Saves you ~¶
- ~2 engineer-weeks for the allowlist + startup hook + evidence export.
Code: minimal¶
Code: production¶
regulus:
adk:
residency:
allowed-regions: [europe-west2]
require-cmek: true
session-service:
kind: vertex-ai
project-id: ${GOOGLE_CLOUD_PROJECT}
location: europe-west2
cmek-key-name: projects/.../cryptoKeys/regulus-sessions
The plugin and RegulusVertexAiSessionService will each refuse to start
if location is outside [europe-west2].
How to verify¶
$ ./gradlew bootRun -Dregulus.adk.session-service.location=us-central1
RegulusVertexAiSessionService refused to start: location 'us-central1'
is not in the residency allowlist [europe-west2]
What an auditor will ask¶
- "Show me the allowlist." YAML /
ResidencyPolicy. - "Show me what happens when something is misconfigured." Force a misconfiguration; show the startup refusal.
- "What about model endpoints?" The Vertex AI client uses the same region; show its config.
What this doesn't cover¶
- Outbound network egress. That's a network-layer control (VPC-SC, firewall rules) — orthogonal.
- Cross-region replication of your data outside Regulus-aware services. Audit your data flows separately.
- The transfer-paperwork side (SCCs / IDTA). Paper, not code.
Citations¶
See Concepts → Data residency, plus the compliance pages for GDPR, UK GDPR, PRA SS2/21.