A partner reached out to us about a client — a financial services company in the UAE — that had been running on Odoo.sh for eight months. Everything worked fine. Then their compliance team ran an audit.
The data was in Belgium.
Not Dubai. Not even the Middle East. Belgium. Because Odoo.sh runs exclusively on Google Cloud Platform, and the closest GCP data center to the UAE is in Dammam, Saudi Arabia. Different country. Different jurisdiction. Different laws.
Under UAE Federal Law No. 45 of 2021, financial and health data must stay within the UAE. No exceptions. No “close enough.” The penalty? Up to AED 20 million (about $5.4 million USD) for repeat violations (as of March 2026).
Their client had been non-compliant since day one and didn't know it.
Odoo.sh Has 7 Locations. The World Has 195 Countries.
The complete list of Odoo.sh data center locations:
| Region | Location | Country |
|---|---|---|
| Americas | Iowa | United States |
| Canada | Toronto | Canada |
| Europe | Saint-Ghislain | Belgium |
| Middle East | Dammam | Saudi Arabia |
| Southern Asia | Mumbai | India |
| Southeast Asia | Singapore | Singapore |
| Oceania | Sydney | Australia |
Seven locations. All on Google Cloud Platform. No choice of provider. No bring-your-own-server option.
If your country isn't on this list — and most aren't — your Odoo data is being stored in whichever location Odoo SA assigns you to. For most European businesses, that's Belgium. For Latin America, that's Iowa. For all of Africa, that's probably Belgium or Iowa. There is no African data center.
The 2025–2026 Enforcement Wave
Data residency stopped being optional in 2025. These laws aren't drafts or proposals — they're all in effect right now (as of March 2026). Regulators are actively issuing fines.
| Law / Regulation | Effective | What It Requires | Penalty |
|---|---|---|---|
| EU DORA | Jan 2025 | Financial entities must document exact data processing locations; ICT providers need audit-chain compliance | Up to 5% global turnover |
| India DPDP Act | Sep 2025 | RBI mandates all payment data stored exclusively in India; SEBI requires critical data in-country | Up to ~$30M |
| Brazil ANPD SCCs | Aug 2025 | All international data transfers must use ANPD-approved Standard Contractual Clauses | Up to ~$8.8M |
| Nigeria GAID | Sep 2025 | Major data controllers must register, appoint local DPO, justify every cross-border transfer | 2% annual revenue |
| Vietnam Data Law | Jul 2025 | User data must be stored within Vietnam; foreign companies must open local office | 5% annual revenue |
| UAE DIFC Amendment | Jul 2025 | Updated cross-border transfer framework for Dubai International Financial Centre | Up to $50K per failure |
| Turkey KVKK | 2024–25 | Fines increased 44% YoY; Board can force localization without warning | Growing |
Countries Where Odoo.sh Cannot Be Used Compliantly
Here are the countries where data residency laws make Odoo.sh non-compliant for at least some business types (as of March 2026).
Tier 1: Legal Blockers — Data Must Stay In-Country
| Country | Law | Odoo.sh Node? | Penalty |
|---|---|---|---|
| UAE (health/finance) | Federal Law No. 45/2021 | No (Dammam ≠ Dubai) | Up to ~$5.4M |
| Nigeria | NDPA 2023 + GAID | No (zero Africa nodes) | 2% annual revenue |
| Vietnam | Cybersecurity + Data Law 2025 | No (Singapore ≠ Vietnam) | 5% annual revenue |
| South Korea (healthcare) | Medical Services Act | No | Criminal penalties |
| Kenya | Data Protection Act 2019 | No (zero Africa nodes) | 1% annual turnover |
| South Africa (govt) | POPIA + National Data Policy | No (zero Africa nodes) | 10% global turnover |
| Russia | Federal Law 242-FZ | No | Site blocked + $195K |
| China | PIPL + CSL + DSL | No | Up to 5% turnover |
Tier 2: Sector-Specific Blocks — Belgium Isn't Enough
| Country | Sector | Why Belgium Fails | Penalty |
|---|---|---|---|
| Germany | Banking/Finance | No BSI C5 attestation; BaFin audit chain not in Odoo.sh terms | License revocation |
| France | Healthcare | Odoo.sh not HDS-certified; required for all health data hosting | 4% global turnover |
| Netherlands | Finance/Energy | Sector regulators require contractual audit rights not in Odoo.sh SLAs | DNB sanctions |
| All EU | Public sector | EU Cloud Rulebook + NIS2 require EU-sovereign cloud — GCP doesn't qualify | 2% turnover |
The Africa Problem
Here's the coverage gap nobody talks about.
Africa has 1.4 billion people, the fastest-growing internet adoption rate in the world, and a rapidly expanding Odoo community. Nigeria, South Africa, Kenya, Ethiopia, Tanzania, and Egypt all have active or emerging data protection laws.
Odoo.sh has zero African data centers. Not one. The closest options are Belgium (6,000+ km from Lagos) or Dammam, Saudi Arabia (5,500+ km from Johannesburg).
African Data Protection Laws in Effect
- Nigeria — NDPA 2023 + GAID (Sep 2025): Major data controllers must register, appoint local DPO, justify every cross-border transfer.
- South Africa — POPIA (Jul 2021): Government-adjacent data must be stored in South Africa. SARS requires written approval for employee tax data to leave the country.
- Kenya — Data Protection Act 2019: Strategic state data must be processed through Kenyan servers.
If you're an Odoo partner serving African clients on Odoo.sh, the compliance question isn't theoretical. It's a ticking audit.
The Latency Tax You're Also Paying
Compliance aside, there's a performance cost to having your data on the wrong continent. A typical Odoo page load hits the database 15–20 times. At 150ms round-trip from São Paulo to Belgium, that's 3 seconds of pure network latency.
| Users In | Data Goes To | Round-Trip | 20 DB Queries = |
|---|---|---|---|
| Lagos, Nigeria | Belgium | ~120ms | 2.4s |
| São Paulo | Iowa, USA | ~150ms | 3.0s |
| Johannesburg | Belgium | ~180ms | 3.6s |
| Istanbul | Belgium | ~50ms | 1.0s |
| Jakarta | Singapore | ~20ms | 0.4s |
“But Belgium Is in the EU — Isn't That Enough for GDPR?”
For general personal data under standard GDPR — yes, usually. Data flows freely within the EEA, and Belgium satisfies geographic requirements for most EU businesses.
But “most” is doing a lot of work in that sentence.
German Banking
BaFin requires BSI C5 attestation for cloud providers. Odoo.sh doesn't have it. A German bank using Odoo.sh in Belgium is technically processing data in the EEA but failing sector-specific regulatory requirements.
French Healthcare
Any entity hosting French health data must use an HDS-certified provider. Odoo.sh is not HDS-certified. A French hospital using Odoo.sh for patient records is non-compliant — even though the data is in Belgium.
EU Public Sector (NIS2 + Cloud Rulebook)
The EU Cloud Rulebook and NIS2 directive push “essential entities” toward EU-sovereign cloud solutions. GCP, being a US-owned hyperscaler subject to the US CLOUD Act, does not qualify as EU-sovereign.
EU Financial Services (DORA)
Since January 2025, the Digital Operational Resilience Act requires financial entities to document exact data processing locations and maintain full ICT audit chains. Odoo.sh's standard terms do not guarantee the contractual audit rights that DORA demands.
Belgium is a location. Compliance is a framework. They're not the same thing.
Need to deploy Odoo in a specific country?
OEC.sh supports 9 cloud providers across 40+ locations. Deploy in Frankfurt, São Paulo, Tokyo, Dubai — or connect your own server anywhere.
Deploy in Your RegionWhat OEC.sh Does Differently
We built OEC.sh specifically because the “7 GCP locations” model doesn't work for a global Odoo community.
9 cloud providers
AWS, Azure, GCP, DigitalOcean, Hetzner, Vultr, OVH, Linode, and Custom Server. Not just GCP.
40+ data center locations
Frankfurt for German banking. São Paulo for LGPD. Tokyo for Japanese medical data. Lagos through a custom server for Nigerian NDPA compliance.
Bring your own server
This is the differentiator no one else offers. If no major cloud provider has a data center in your country, connect your own server. A bare-metal box in a Nairobi colocation. A government-approved data center in Riyadh. A university server room in Hanoi.
Country-by-Country: Odoo.sh vs OEC.sh
| Country | Data Law | Odoo.sh Status | OEC.sh Solution |
|---|---|---|---|
| Germany | BDSG + BaFin | Belgium (insufficient) | Frankfurt via Hetzner, AWS, OVH |
| France | HDS Certification | Belgium (no HDS) | Paris via OVH or AWS |
| Brazil | LGPD | Iowa (requires SCCs) | São Paulo via AWS, Azure, GCP |
| Nigeria | NDPA + GAID | No Africa node | Lagos via custom server |
| UAE | Federal Law 45/2021 | Dammam (wrong country) | Dubai via AWS, Azure, Vultr |
| Japan | APPI + Medical Act | Singapore (wrong country) | Tokyo via AWS, GCP, Azure |
| South Korea | PIPA + Medical Act | Singapore (wrong country) | Seoul via AWS, GCP, Azure |
| Turkey | KVKK | Belgium (fragile SCCs) | Istanbul via custom server or Azure |
| Indonesia | UU PDP + OJK | Singapore (wrong for finance) | Jakarta via AWS, Azure, GCP |
| Switzerland | FADP + GDPR | Belgium (OK general) | Zurich via Azure, AWS, Hetzner |
What to Do If You're on Odoo.sh Right Now
If you're reading this and realizing your data might be in the wrong country, don't panic. But do act.
Check your data location
Log into Odoo.sh. Find your project settings. Your GCP region is assigned there. If it says europe-west1 (Belgium) and you need data in Germany, France, or anywhere else — you have a gap.
Check your country's data residency requirements
Not all countries mandate in-country storage. Some only restrict cross-border transfers (manageable with SCCs). Others have absolute in-country requirements (Russia, China, Vietnam, UAE health data). Know which category you're in.
Evaluate your options
- Stay on Odoo.sh and accept the risk. Some businesses choose this. Not recommended.
- Self-host on a compliant provider. Full control but you manage everything — updates, security, backups, performance.
- Migrate to OEC.sh. Pick your cloud, pick your location, deploy in the region your law requires. We handle the infrastructure.
Document everything
Whether you stay or move, document your data processing locations, the legal basis for cross-border transfers (if any), and your risk assessment. When the auditor comes, this is what they'll ask for.
Frequently Asked Questions
Where does Odoo.sh store data?
Odoo.sh stores data exclusively on Google Cloud Platform (GCP) across 7 locations: Iowa (US), Toronto (Canada), Saint-Ghislain (Belgium), Dammam (Saudi Arabia), Mumbai (India), Singapore, and Sydney (Australia). You cannot choose a different cloud provider or bring your own server. Your project is assigned to one of these locations based on your region.
Is hosting Odoo data in Belgium compliant with GDPR?
For general personal data under standard GDPR, Belgium satisfies geographic requirements since data flows freely within the EEA. However, sector-specific regulations add requirements beyond GDPR. German financial regulators (BaFin) require BSI C5 attestation. French healthcare requires HDS certification. EU DORA requires financial entities to document exact data processing locations with contractual audit rights. Belgium is a location — compliance is a framework that goes beyond geography.
Which countries have data residency laws that affect Odoo hosting?
Countries with strict in-country data storage requirements include Russia (Federal Law 242-FZ), China (PIPL + CSL), Vietnam (Data Law 2025), UAE for health and financial data (Federal Law No. 45/2021), Nigeria (NDPA 2023), South Korea and Japan for healthcare data. Additional countries like Germany, France, Brazil, Turkey, Indonesia, and Kenya have sector-specific or conditional requirements that may conflict with Odoo.sh's limited locations.
Does Odoo.sh have data centers in Africa?
No. Odoo.sh has zero data centers in Africa. The closest options are Belgium (6,000+ km from Lagos) or Dammam, Saudi Arabia (5,500+ km from Johannesburg). This creates compliance issues for businesses in Nigeria (NDPA 2023), South Africa (POPIA), and Kenya (Data Protection Act 2019) that require in-country or in-region data storage.
How does OEC.sh solve data residency issues?
OEC.sh supports 9 cloud providers (AWS, Azure, GCP, DigitalOcean, Hetzner, Vultr, OVH, Linode, and Custom Server) across 40+ data center locations. You choose exactly where your data lives — Frankfurt for German banking, São Paulo for Brazilian LGPD, Tokyo for Japanese medical records, or connect your own server in any country. Your data stays on your cloud account, not ours.
What are the penalties for data residency violations?
Penalties vary by jurisdiction but are significant. EU DORA: up to 5% of global turnover. India DPDP Act: up to ₹250 crore (~$30M). Brazil ANPD: up to BRL 50M (~$8.8M). Nigeria NDPA: 2% of annual revenue. UAE Federal Law: up to AED 20M (~$5.4M). South Korea and Japan impose criminal penalties including imprisonment for healthcare data violations. These laws are actively enforced as of March 2026.
Deploy Odoo Where Your Data Needs to Live
9 cloud providers. 40+ locations. Or bring your own server — anywhere in the world. Free to start.