Why data residency moved up the CISO checklist
Retail analytics used to sit between marketing and operations. In the last five years it has moved firmly onto the desk of the Chief Information Security Officer. Two things drove that. First, supervisory authorities across the EU sharpened their expectations on international transfers after the Court of Justice's 2020 ruling in Schrems II. Second, retailers running multi-country portfolios discovered the analytics vendor they signed in one region was, in practice, processing data in another, often without a clear written record. A CISO who finds out the storage region after a breach has a procurement failure, not a technical one.

This article walks through what a CISO will actually ask a retail analytics vendor about residency, processor agreements, sub-processors, and compliance gates. It is written from the buyer's side: the questions, what a good answer looks like, and what to do when the answer is unclear. The vendor side, including how Ariadne Analytics is set up to answer cleanly, is covered in the closing sections.
This article is informational and is not legal advice. Engage your Data Protection Officer and legal counsel for review before relying on any framing here for a procurement decision.
What data residency actually means
Data residency is the regulatory or contractual requirement that personal data, and sometimes operational data more broadly, is stored and processed within a defined geography, usually a country or an economic area. Residency commitments typically cover the primary database, backups, log storage, and any analytics workloads that touch the data. The term overlaps with two related concepts a CISO should keep distinct.
- Data residency. Where data sits at rest and where it is processed in the ordinary course. This is a commercial commitment a vendor can make in a contract.
- Data sovereignty. Which legal regime applies to the data, including foreign government access. A US-headquartered vendor processing in Europe may still be reachable under US law for some categories of disclosure request; the CLOUD Act, which lets US authorities compel US providers to produce data they hold abroad, is the usual example.
- Data localisation. A regulatory requirement that certain data may not leave a jurisdiction at all. China, India, and parts of the Gulf have introduced rules that go further than European residency expectations.
For most retail analytics deployments in Europe, the practical question is residency plus sovereignty: the data sits in the EU, and the entity operating the processing is not subject to a non-EU legal regime that could compel disclosure outside the GDPR's safeguards.
The EU, US, and APAC picture in 2026
The three regions a multi-country retailer is most likely to touch have moved in different directions since 2020.
European Union
Inside the EU, the GDPR sets a single baseline. Personal data moves freely between Member States. Transfers outside the European Economic Area are restricted under Chapter V and need a transfer tool: an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or a derogation. The simplest CISO position for an EU retailer is to keep the analytics workload inside the EU and avoid the transfer apparatus entirely.
United States
The EU-US Data Privacy Framework came into force in 2023 and provides an adequacy basis for transfers to participating US organisations. Many CISOs still treat the framework cautiously, on the view that adequacy decisions have already been struck down twice (Safe Harbour in 2015, Privacy Shield in 2020) and that a third challenge is plausible. A common procurement position is to accept the framework where convenient but prefer an EU-resident processor for any new workload.
Asia-Pacific
APAC is not a single regime. Japan's APPI has held an adequacy decision from the European Commission since 2019. Singapore's PDPA has no adequacy decision, so transfers from the EU to Singapore still need a Chapter V tool even though the two regimes are broadly compatible in practice. Australia is mid-reform. China's PIPL imposes localisation duties on specific operators and data categories; India's DPDP Act lets the central government restrict transfers to notified countries, and sectoral rules such as the RBI's payment data localisation requirement go further. For a retailer operating across the region, the practical CISO ask is a per-country processing record: which sites' data sits in which region, and which sub-processors touch it.
GDPR Article 28: the processor agreement
If a retail analytics vendor processes personal data on behalf of the retailer, it is a processor under the GDPR and the retailer is the controller. Article 28 of the GDPR specifies what the written contract between them has to include. A CISO reviewing a vendor's draft DPA (Data Processing Agreement) is checking that each of those requirements is present and not softened.
The core elements Article 28(3) requires the contract to set out, paraphrased, are the subject matter and duration of processing, the nature and purpose, the types of personal data and categories of data subjects, and the obligations and rights of the controller. The processor must commit, among other things, to process only on documented instructions (including for transfers outside the EU), to ensure that the people it authorises to process the data are bound by confidentiality, to take the security measures Article 32 requires, to engage sub-processors only with prior authorisation, to assist the controller with data subject rights and DPIA obligations, to delete or return data at the end of the engagement, and to make available the information needed to demonstrate compliance and to allow audits and inspections.
The shortest practical CISO checklist for a vendor DPA is:
- Is the scope of processing tightly defined, with no open-ended language?
- Is the list of sub-processors current, named, and accessible?
- Is there a prior notice mechanism before a new sub-processor is added, with a right to object?
- Is the security commitment specific, with named standards (ISO 27001, SOC 2 Type II) rather than 'industry-standard measures'?
- Are audit rights real, or limited to a vendor-produced report?
- Are deletion and return obligations explicit at contract end?
If any of those is hedged in the draft, the procurement conversation should start there, not at the price page.
Sub-processors and the chain of custody
A retail analytics platform almost never runs entirely on its own metal. The vendor uses a cloud provider, possibly a database-as-a-service, a notification provider, an error tracking service, and one or more analytics-on-analytics tools. Each is a sub-processor. Under Article 28(2), the vendor needs the controller's authorisation to add or replace one, either specifically or with a general written authorisation plus prior notice.
The CISO ask is a public, versioned sub-processor list, with each entry showing the entity, the service, the region of processing, and the date added. A vendor that cannot produce that list on request has a chain-of-custody problem worth raising before contract.
Schrems II and US transfers
The Court of Justice's ruling in Schrems II (C-311/18, 16 July 2020) invalidated the Privacy Shield adequacy decision. It upheld the Standard Contractual Clauses as a transfer tool but held that a controller using them must verify, case by case, that the law of the destination country does not undermine the protection the clauses promise. For the United States the court found that surveillance law, in particular section 702 of FISA and Executive Order 12333, did not offer a level of protection essentially equivalent to EU law. The practical result: controllers relying on SCCs for US transfers had to perform a transfer impact assessment and, where the assessment found protection was not essentially equivalent, apply supplementary measures or suspend the transfer.
The 2023 EU-US Data Privacy Framework restored adequacy for participating US organisations. A CISO procuring a retail analytics platform in 2026 therefore has three options for a US-touching workload: rely on the framework (with the residual risk of a future legal challenge), apply SCCs plus a transfer impact assessment, or remove the US leg by selecting an EU-resident processor. The third option does not depend on the future path of the framework.
SOC 2 and ISO 27001: the security gates
Residency and Article 28 cover the legal posture. Two certifications are the standard procurement gates for the security posture itself.
- ISO/IEC 27001. The international standard for an information security management system. A current certificate from an accredited body shows the vendor has a documented, audited security programme covering risk assessment, controls, incident response, and continuous improvement. ISO/IEC 27017 (cloud security controls) and ISO/IEC 27018 (personal data in the cloud) are codes of practice that extend 27001; vendors commonly have them audited alongside the 27001 certificate, and the scope statement should say so explicitly.
- SOC 2 Type II. An attestation from an independent auditor against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). The Type II report covers operation of controls over a period of typically six to twelve months, not just their design.
Neither standard is a residency commitment, and neither is sufficient on its own. A vendor with both certifications that processes everything in a non-EU region is still a transfer question. Ask for the current certificate and report under NDA, read the scope statement (the legal entities, services, and locations it actually covers), and check that the cloud regions covered match those named in the DPA and on the sub-processor list.
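The sub-processor list check from the section above and the scope-versus-DPA check here are the same cross-check from two angles, so one script covers both. The code below is an added example written for this article, not tooling from Ariadne or any vendor; the sub-processor entries, the DPA region set, the authorisation date and the certificate scope are constructed inputs, and the field names and country-code scheme are assumptions. It flags three things a buyer wants surfaced before contract: a sub-processor outside the EEA (a Chapter V transfer), a sub-processor in a region the DPA never names, and an entry added after the controller's last written authorisation (the prior-notice and objection window), plus any DPA region the certificate scope does not cover.

```python
"""Residency cross-check: sub-processor list vs DPA regions vs certificate scope.

Constructed example for illustration; not any vendor's real list or tooling.
Field names (entity, service, region, added) and the use of ISO 3166-1
alpha-2 country codes for the hosting site are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# EEA = EU 27 plus the three EFTA states inside the EEA (Iceland, Liechtenstein, Norway).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
    "IS", "LI", "NO",
}


@dataclass(frozen=True)
class SubProcessor:
    entity: str
    service: str
    region: str   # country code of the site where this service processes the data
    added: date   # date the entry first appeared on the vendor's versioned list


# Constructed sample list, as a vendor might publish it. Names are invented.
SUB_PROCESSORS = [
    SubProcessor("CloudCo EU", "compute and object storage", "DE", date(2023, 3, 1)),
    SubProcessor("DBaaS Nord", "managed Postgres", "FI", date(2023, 3, 1)),
    SubProcessor("MailRelay Inc", "transactional email", "US", date(2024, 9, 15)),
    SubProcessor("Tracely", "error tracking", "IE", date(2026, 1, 20)),
]

# Constructed contract facts for the worked example.
DPA_REGIONS = {"DE", "FI", "IE"}          # processing locations the draft DPA names
LAST_AUTHORISATION = date(2025, 12, 31)   # date of the controller's last written sign-off
CERT_SCOPE = {"DE", "FI"}                 # regions named in the ISO 27001 / SOC 2 scope


def residency_findings(subs, dpa_regions, authorised_until, cert_scope_regions):
    """Return a list of (severity, message) tuples; an empty list means no gaps found."""
    findings = []
    for s in subs:
        if s.region not in EEA:
            findings.append(("high", f"{s.entity} ({s.service}) processes in {s.region}, "
                                     "outside the EEA: a Chapter V transfer tool is required"))
        if s.region not in dpa_regions:
            findings.append(("high", f"{s.entity} region {s.region} is not a processing "
                                     "location named in the DPA"))
        if s.added > authorised_until:
            findings.append(("medium", f"{s.entity} added {s.added.isoformat()}, after the last "
                                       f"authorisation on {authorised_until.isoformat()}: confirm "
                                       "prior notice was given and the objection window honoured"))
    # Every region the DPA relies on must sit inside the audited scope.
    for region in sorted(set(dpa_regions) - set(cert_scope_regions)):
        findings.append(("medium", f"DPA names region {region} but the certificate/report "
                                   "scope does not cover it"))
    return findings


def run_example():
    """Run the cross-check over the constructed inputs above."""
    return residency_findings(SUB_PROCESSORS, DPA_REGIONS, LAST_AUTHORISATION, CERT_SCOPE)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

Run it and the US email relay produces two high findings (outside the EEA, and not a DPA-named location), the error-tracking service added after the sign-off date produces a notice finding, and Ireland shows up as a DPA region the certificate scope does not cover. Swap in the real list, the DPA's location clause and the scope sentence from the audit report, and the output is the agenda for the first procurement call.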
Why some retail analytics workloads simplify the question
Everything above assumes the vendor processes personal data on behalf of the retailer. Most retail analytics platforms do: video footage, identifiable Wi-Fi or Bluetooth device addresses, opt-in loyalty identifiers, sometimes face vectors used for demographic inference. Each of those creates a personal data path that has to be locked down under the framework just described.
A camera-free people counter that captures no personal data at the sensor level changes the shape of the problem. The residency conversation still matters because operational and account data sit on a vendor platform somewhere. But the part of the conversation that revolves around personal data, the transfer impact assessment, the Schrems II analysis, the categories of data subjects in the DPA, becomes structurally smaller because the categories of personal data being processed are themselves smaller.
How Ariadne is set up
Ariadne Analytics is built so that a CISO procurement conversation has short answers to each of the questions above.
Ariadne measures this with Hybrid Fusion, its patented camera-free method. Time-of-Flight depth sensing counts every visitor at the entrances, capturing geometry rather than images, while patented phone signal sensing follows movement through the interior, detecting the signals a phone emits even in airplane mode. The sensor streams both feeds to Ariadne, where Hybrid Fusion combines them into one trajectory per visit and computes counts, dwell, and paths. The streams carry no identifier: no MAC address, no device ID, no biometric data, and no camera is involved. Identifiers are stored only when a visitor explicitly opts in, which keeps the method GDPR-friendly and outside biometric territory.
On residency, the Ariadne platform is hosted in the European Union; counting, occupancy, dwell, and trajectory analytics stay inside the EU by default. On processor obligations, the Ariadne Data Processing Agreement is written to Article 28 and lists sub-processors with their regions and roles. On transfers, the EU-resident default removes the Schrems II question for the counting workload. On security gates, the platform is run under documented controls aligned to ISO 27001 and to the SOC 2 Trust Services Criteria; alignment is not the same as a certificate or a Type II report, so the scope questions in the checklist below still apply here as they would to any vendor. The detail sits in the Ariadne privacy policy, the measurement architecture in the how it works documentation, and the solution on the people counting page.
A CISO procurement checklist
If you take one thing from this article, take this list. Hand it to any retail analytics vendor at the start of procurement and you compress weeks of back-and-forth into a single round.
- What categories of personal data does the system process at capture? Images, faces, MAC addresses, Bluetooth identifiers, demographic inferences, loyalty identifiers. A short, exhaustive list is the cleanest answer.
- In which region is the primary data stored, and where are backups? Country or economic area level. If the vendor cannot answer in one line, that is your answer.
- Who are the sub-processors, and in which regions do they operate? Current list with regions and roles, published or shared on request.
- Is there a written DPA aligned to Article 28? Cross-check against the six-point shortlist in this article. Hedged language is a discussion point.
- Which transfer mechanism, if any, is relied on? Adequacy decision (including the EU-US Data Privacy Framework), SCCs with a transfer impact assessment, or no transfer at all because processing stays in the EU.
- What is the current SOC 2 Type II report scope and ISO 27001 certificate scope? Ask for the report and certificate under NDA. The scope sentence matters more than the headline certification.
- What happens to the data at end of contract? Deletion timeline, return format, and verification. This belongs in the contract, not in a sales call.
- Who is the named Data Protection Officer or privacy contact? A person you can email, not a generic mailbox, is the working sign that the privacy function is staffed.
FAQ
Does this article count as legal advice?
No. It is informational, written for the procurement and security side of a retailer's organisation. Specific transfer assessments, DPA negotiations, and certification scopes should be reviewed with your Data Protection Officer and legal counsel before contract.
Is an EU-resident processor strictly required under the GDPR?
No. The GDPR permits transfers outside the European Economic Area under Chapter V using one of several transfer tools (adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, derogations). An EU-resident processor avoids the need for any of those tools, which is why many CISOs prefer it as a default for new procurements.
What does Schrems II mean for a current US-touching contract?
Schrems II invalidated Privacy Shield in 2020 and required controllers relying on SCCs for US transfers to perform a transfer impact assessment, with supplementary measures where the destination country's law did not provide essentially equivalent protection. The 2023 EU-US Data Privacy Framework restored an adequacy basis for participating US organisations. A CISO with a current US-touching contract should confirm with counsel which mechanism the contract relies on today and what the position would be if the framework were challenged.
Does Ariadne use cameras to produce its counting data?
No. Ariadne counts with Hybrid Fusion: Time-of-Flight depth sensing plus patented phone signal sensing, never cameras. Time-of-Flight captures geometry rather than images, and signal sensing captures no MAC address by default, so the measurement involves no video, no faces, and no biometric data.