XBOW Now Available With EU Data Residency

Over the past year, we have heard from security teams across Europe who want to bring XBOW into their organisations. The product fits. The depth of testing is what they need. But there has been one consistent recurring theme: where the data lives.

XBOW security assessments produce detailed, high-value data — how your applications behave under attack, where the weaknesses are, and how to exploit them. For many European organisations, their internal policies, customer contracts, or data governance requirements mean that they want the type of data XBOW produces to stay in-region. 

Until now, XBOW stored everything in the US region, but to meet the needs of European teams, today, we are announcing that XBOW is now available with EU data residency.

We already support data protection obligations like GDPR, detailed data processing agreements, standard contractual clauses, and our security practices — regardless of which region you are based in. EU Data Residency builds on that foundation by giving organisations direct control over where their most sensitive security data is stored and processed.

‘What stood out to us through our pilot work with XBOW is its ability to find verifiable vulnerabilities with zero false positives. Just as important for us is that this can now be delivered within the high regulatory and governance standards we apply to our services. EU data residency gives us a new level of confidence in the solution, and we are excited to bring XBOW-based security testing to European clients as a strategic partner.’
- Paul Pols, CTO, Bureau Veritas Cybersecurity

What we are launching

XBOW Multi-Tenant SaaS is now available with EU Data Residency. When your organisation chooses the EU region, all security-sensitive data — vulnerability findings, assessment results, reports, asset inventory, credentials, audit logs, and user identity — is stored and processed in the European Union (AWS Frankfurt, eu-central-1).

The AI models powering your assessments are also served from EU infrastructure, so your data stays in-region throughout the entire assessment pipeline. Everything else about XBOW is identical. The same AI-powered assessment engine. The same console. The same depth of testing that finds real, exploitable vulnerabilities. You are not getting a regional subset of the product — you are getting XBOW, running in your region.

Why this matters

Security testing generates some of the most sensitive data an organisation holds. A vulnerability finding describes exactly how your application can be exploited: the attack vector, the proof of concept, the affected endpoint. Assessment traces contain your application's internal structure. Credentials stored for testing can access your live systems. This is not data you want crossing borders.

For European organisations, the question is not whether XBOW is good enough, it is whether the data stays where it needs to stay. With EU Data Residency, the answer is yes.

What stays in the EU

We drew a clear line between security-sensitive data that must stay in-region and operational data required to run XBOW as a service:

• In your EU region: Security findings and vulnerabilities, assessment results and reports, application inventory and endpoint data, credentials and secrets, audit logs, assessment guidance (uploaded specs, nudges), and user identity
• Global (operational): Billing and account data, support tickets, platform telemetry. None of this contains information about your vulnerabilities, application code, or security posture.

We have published a detailed breakdown of the data scope in our Data Residency documentation.

How it works

Data Residency is a region selection.

• You tell our Sales team you need EU Data Residency.
• We provision your organisation in the EU region.
• You are onboarded at console.eu.xbow.com

What comes next

The EU is our first Data Residency region outside the US, but not the last. We are actively working on additional regions, starting with Singapore, based on customer demand. If your organisation needs a region we do not yet support, talk to us.

We are also extending Data Residency to our Managed Hosted deployment model, so organisations that need a dedicated single-tenant infrastructure can combine it with regional data storage.

EU Data Residency is now available in Private Preview for Enterprise customers. If your organisation requires EU data storage for security assessments, talk with your sales team or customer success team to get started.

If you're not yet on XBOW, request a demo at xbow.com.

‍