End of Life Notice: For Trend Cloud One™ – Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Check for Data Residency and Regional Controls

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud Document AI processors are deployed in appropriate regions to meet data residency requirements and support AI/ML Data Location commitments. These commitments ensure that AI/ML processing (like training, prediction, and tuning) and data at rest occur only within the compliant region(s). The compliant region(s) must be specified in the rule settings, in your Trend Cloud One™ – Conformity account.

Security
Operational excellence

Choosing the incorrect region for your Google Cloud Document AI processors could violate data residency and compliance regulations for AI/ML data within your organization. Since location settings are immutable after processor deployment and configuration, correct initial setup is essential for ensuring long-term compliance.


Audit

To determine if your Google Cloud Document AI processors are deployed in appropriate regions, perform the following operations:

Checking Document AI processors for data residency and regional controls using GCP Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Data Residency and Regional Controls conformity rule settings, and identify the Google Cloud region(s) that meet data residency requirements, configured for the rule.

02 Sign in to the Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

04 Navigate to Document AI console available at https://console.cloud.google.com/ai/document-ai/.

05 In the left navigation panel, under Processors, choose My Processors to access the list of Document AI processors available for the selected GCP project.

06 Click on the name (link) of the Document AI processor that you want to examine, listed in the Name column.

07 Choose the Overview tab to access the processor configuration information.

08 In the Basic information section, check the Region attribute value to identify the region of the selected AI processor. If the Google Cloud region specified by the Region attribute is different from the one identified in step no. 1, the selected Document AI processor was not deployed to the AI/ML Data Location-compliant region established by your organization.

09 Repeat steps no. 6 – 8 for each Document AI processor available within the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed within your Google Cloud account.
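
The comparison made in step 08, applied to a whole list of processors at once, as an added example (not part of the original page and not the Conformity rule's own code). It assumes each entry carries a `name` in the Document AI resource form `projects/PROJECT/locations/LOCATION/processors/ID`; the function name, the sample processors and the compliant-region list are constructed for illustration.

```python
import re
from collections import defaultdict

# Document AI processor resource name:
#   projects/<project>/locations/<location>/processors/<id>
_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/processors/(?P<id>[^/]+)$"
)


def audit_processors(processors, compliant_regions):
    """Return (violations, malformed).

    violations: {project: [(label, location), ...]} for processors whose
                location is not in compliant_regions.
    malformed:  names that could not be parsed; these need manual review
                instead of being silently counted as compliant.
    """
    allowed = {r.strip().lower() for r in compliant_regions}
    if not allowed:
        # An empty rule setting would make every processor look non-compliant.
        raise ValueError("no compliant regions configured")
    violations = defaultdict(list)
    malformed = []
    for proc in processors:
        name = proc.get("name", "")
        m = _NAME_RE.match(name)
        if m is None:
            malformed.append(name)
            continue
        location = m.group("location").lower()
        if location not in allowed:
            label = proc.get("displayName") or m.group("id")
            violations[m.group("project")].append((label, location))
    return dict(violations), malformed


# Constructed sample data (hypothetical projects and processor IDs).
SAMPLE_PROCESSORS = [
    {"name": "projects/example-proj-a/locations/eu/processors/1111aaaa",
     "displayName": "invoice-parser"},
    {"name": "projects/example-proj-a/locations/us/processors/2222bbbb",
     "displayName": "form-parser"},
    {"name": "projects/example-proj-b/locations/EU/processors/3333cccc"},
    {"name": "projects/example-proj-b/processors/4444dddd",
     "displayName": "legacy"},
]

if __name__ == "__main__":
    print(audit_processors(SAMPLE_PROCESSORS, ["eu"]))
```

Entries returned in `malformed` should be checked by hand in the console, since their region could not be determined.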

Remediation / Resolution

Since the location settings are immutable after AI processor deployment, you must redeploy your Google Cloud Document AI processor to a compliant location (region). To do this, perform the following operations:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Data Residency and Regional Controls conformity rule settings, and identify the Google Cloud region(s) that meet data residency requirements, configured for the rule.

02 Sign in to the Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

04 Navigate to Document AI console available at https://console.cloud.google.com/ai/document-ai/.

05 In the left navigation panel, under Processors, select My Processors, choose CREATE CUSTOM PROCESSOR, and perform the following operations to create a new custom AI processor:

  1. Select the Document AI processor type that best fits your requirements and choose CREATE PROCESSOR.
  2. For Processor name, provide a unique name for your custom AI processor.
  3. For Region, choose the appropriate region where your processor and its dataset will be stored. Choose the AI/ML Data Location-compliant region established by your organization, specified in step no. 1.
  4. Choose ADVANCED OPTIONS, and perform the following actions:
    1. For Storage location, select the appropriate storage location for the processor dataset.
    2. For Encryption, choose Cloud KMS key, select Cloud KMS for Key management type, and choose the name of your Customer-Managed Encryption Key (CMEK) from the Select a Cloud KMS key dropdown list. In the box stating that the service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role ("Verify the service account has permission to encrypt/decrypt with the selected key"), choose GRANT to grant the associated service account access to your key using the Cloud KMS CryptoKey Encrypter/Decrypter role.
  5. Choose CREATE to deploy your new location-compliant Document AI processor.

06 To create a location-compliant processor from the Document AI processor gallery, choose Processor gallery from the left navigation panel, select the processor model that you want to use and follow the setup steps, as outlined in step no. 5, to create your new Document AI processor.

07 Repeat steps no. 5 and 6 for each Document AI processor that you want to deploy for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project available in your Google Cloud account.


Publication date Jul 28, 2025