Tether your data.
Compliance audits today live on vendor surveys: “do you store data in the EU?” The answer is whatever the vendor says, refreshed once a year. We answer the same question with measurement: bytes by destination country, by department tag, in real time, with no DPI. Three layers stack into the answer that holds up at audit time — where did data go, where is it allowed to go from here, and where does the platform itself sit.
An Enterprise-tier analytic that turns the agent’s existing flow records into a residency report. Bytes uploaded (and downloaded) per destination country, sliced by department / location tag, over arbitrary time ranges. Filter, export, attest.
| Destination country | Top vendor | Department / tag | Bytes out | |
|---|---|---|---|---|
| United States | Anthropic | EU · Engineering | 14.2 GB | ⚠️ |
| United States | Microsoft 365 | EU · Sales | 8.9 GB | ⚠️ |
| Singapore | Cloudflare | EU · Marketing | 2.4 GB | ⚠️ |
| Ireland | AWS Dublin | EU · Engineering | 112.0 GB | |
| Germany | SAP | EU · Finance | 4.1 GB | |
The mechanic is simple: every flow record the agent already emits carries a destination IP, a process attribution, a byte count, and an agent tag (you set department / location tags during enrollment or later). MaxMind GeoLite2 turns the IP into a country. The Enterprise rollup pivots those flows into the report. No new collection, no DPI, no privacy regression — the data is the same set we’ve always observed; the analytic is what’s new.
Available on the Enterprise tier ($6 / agent / month, 100+ agents). Bundled with two other org-wide analytics (executable analysis, beaconing detector) since they all only become valuable at fleet scale.
Same question, two completely different kinds of answer.
An auditor can’t act on a promise that was true last year. They can act on a number measured this morning — with the vendor and the department attached.
Layer 1 above measures where your data went. Layer 2 sets where it’s allowed to go next. Hop Starvation turns the TTL field in every IP packet into a per-agent, per-port distance limit — a database server can be told to reach the local switch and nothing beyond, a laptop to reach the company network plus a measured pinhole to your payment processor.
The rollup tells you where bytes went. Hop Starvation lets you set where they’re allowed to go from now on. Different questions, complementary answers, one agent install. The compliance lead reads the rollup; the security lead applies the limit; the dashboard is shared.
Operator measures the hop count, picks the limit, the AI sanity-checks the rule against today’s flows before apply, the router confirms it stuck. If anything you didn’t expect breaks, one toggle reverses the rule.
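The pre-apply check in that workflow can be pictured as a dry run of a proposed per-port TTL limit over the day's flows. This is an added example, not DataStun's code; the flow tuple layout, the measured hop counts and the default TTL of 64 are assumptions, and the sample flows are constructed.

```python
# Constructed sample of today's flows:
# (process, dest_ip, dest_port, measured_hops, bytes_out)
TODAY = [
    ("postgres", "10.0.0.5", 5432, 1, 9_000_000),
    ("postgres", "10.0.8.20", 5432, 3, 40_000),
    ("backup", "198.51.100.9", 443, 11, 2_000_000),
    ("ntpd", "10.0.0.1", 123, 1, 400),
]


def reachable(ttl, hops):
    # Each router on the path decrements TTL and drops the packet at zero,
    # so a destination `hops` away is reached only if TTL >= hops.
    return ttl >= hops


def dry_run(limits, flows, default_ttl=64):
    """Split flows into (kept, starved) under per-port TTL limits.

    `limits` maps destination port -> TTL; ports without a rule keep the
    OS default (assumed 64 here).
    """
    kept, starved = [], []
    for flow in flows:
        _proc, _dest, port, hops, _nbytes = flow
        ttl = limits.get(port, default_ttl)
        (kept if reachable(ttl, hops) else starved).append(flow)
    return kept, starved


def tightest_safe_limit(flows, port):
    """Smallest TTL that keeps every flow seen today on `port`, or None."""
    hops = [f[3] for f in flows if f[2] == port]
    return max(hops) if hops else None


if __name__ == "__main__":
    kept, starved = dry_run({5432: 1, 443: 2}, TODAY)
    for flow in starved:
        print("would break:", flow)
    print("tightest safe limit for 5432:", tightest_safe_limit(TODAY, 5432))
```

A flow in the starved list is either traffic the rule is meant to stop or a dependency nobody documented; the dry run surfaces both before the limit is applied.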
Hop Starvation is a per-agent add-on on Business tier and above — $10 / agent / month, pro-rated on enable / disable, no minimum beyond a single agent. Buy it for the agents that protect crown jewels; leave laptops on the standard agent. The audit rollup is on Enterprise tier today; Hop Starvation is independent and stackable.
Layer 1 and Layer 2 happen on every agent install. Layer 3 is independent: where does the DataStun platform itself run? Three deployment options — pick what suits.
The default tenant runs on DataStun’s cloud infrastructure. Tenant boundaries enforce at the database row level today, with per-tenant DNS (*.tenant.datastun.com) and a path to per-tenant database isolation on paid tiers. Region selection lands as we add regions.
Right answer for: most teams who want a hosted product and care more about the per-flow observability than where the database physically lives.
The reputation system splits into multiple federated instances per region or per customer. Tenants relocated to a region-local reputation instance phone home only to verify license — observations stay in-region. The federation directory + license check-in are documented in the architecture notes.
Right answer for: customers who want hosted convenience for the tenant control plane but need investigation traffic and reputation queries to stay regional.
Enterprise-tier customers run the tenant platform and the reputation system on their own infrastructure with the same code base. Observations never leave the customer environment except for the optional public IP-reputation pull (one-way, hash-style queries against the canonical set).
Right answer for: regulated, air-gapped, or sovereign-cloud requirements where "no data leaves the boundary" is a hard line.
Layers 1 and 2 (where your fleet’s data went, where it’s allowed to go next) are the same product capability across all three Layer-3 options — the rollup and Hop Starvation both run the same way whether you’re on cloud, federated, or self-host. The platform-residency choice is independent of the per-fleet measurement and enforcement.
Specific frameworks and how the rollup answers their core measurement question.
tag in (EU, EEA) AND dest_country NOT IN (EU, EEA) over the audit window. The output is a per-destination-country byte count with vendor attribution — a measurement you can attach to your transfer impact assessment.
regulated-clinical, run the rollup with tag=regulated-clinical AND dest_country NOT IN (US), get a vendor list. The rollup is volume + attribution; pairing it with your BAA inventory closes the loop.
The rollup is volume + attribution. We can prove that bytes left for a destination in country X — we cannot prove what was in those bytes. For most data-residency questions (“did we send any traffic from EU agents to non-EU destinations?”) that’s exactly the right scope. For “did we leak this specific document?” it’s the wrong tool — you want a DLP product, and we are intentionally not a DLP product.
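The rollup mechanic described earlier (flow record, IP-to-country lookup, pivot by tag) together with the cross-border filter `tag in (EU, EEA) AND dest_country NOT IN (EU, EEA)`, as an added example that is not DataStun's code. The flow tuple layout, the `region/department` tag format, the lookup table standing in for GeoLite2 and the partial in-region country set are assumptions; all sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoLite2 country lookup
# (documentation address ranges, not real geolocation data).
GEO = {
    ip_network("192.0.2.0/24"): "US",
    ip_network("198.51.100.0/24"): "IE",
    ip_network("203.0.113.0/24"): "SG",
}
# Assumption: partial set of in-region ISO country codes for this example.
EU_EEA = {"IE", "DE", "FR", "NL", "NO"}

# Constructed flow records: (agent_tag, process, dest_ip, bytes_out)
FLOWS = [
    ("EU/Engineering", "python", "192.0.2.10", 1200),
    ("EU/Engineering", "python", "192.0.2.11", 800),
    ("EU/Engineering", "aws-cli", "198.51.100.7", 5000),
    ("EU/Marketing", "chrome", "203.0.113.5", 300),
    ("US/Sales", "outlook", "192.0.2.10", 900),
    ("EU/Sales", "curl", "10.1.2.3", 50),  # no geo match
]


def country_of(ip):
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None  # unresolved: surfaced as UNKNOWN, never assumed in-region


def rollup(flows):
    """Pivot flow records into {(dest_country, tag): bytes_out}."""
    totals = defaultdict(int)
    for tag, _proc, ip, nbytes in flows:
        totals[(country_of(ip) or "UNKNOWN", tag)] += nbytes
    return dict(totals)


def cross_border(totals, tag_prefix="EU/", allowed=EU_EEA):
    """Rows where an in-region tag sent bytes outside `allowed`."""
    return sorted((cc, tag, n) for (cc, tag), n in totals.items()
                  if tag.startswith(tag_prefix) and cc not in allowed)


if __name__ == "__main__":
    for row in cross_border(rollup(FLOWS)):
        print(row)
```

Destinations with no country match land in an `UNKNOWN` bucket and are reported with the out-of-region rows, so a gap in the geo data shows up in the report instead of reading as compliant.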
The wrong-tool boundary is deliberate. Building DLP would require either a TLS-decryption proxy or content inspection on the endpoint — both incompatible with the “metadata only, never content” promise that makes DataStun safe to deploy on every machine in your fleet.
For the broader privacy posture — what we collect, what we don’t see, where the binding language lives — see /trust and the Privacy Policy.
The data-sovereignty rollup is the answer to GDPR Art. 44; seven other framework crosswalks live on the compliance landing — SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST 800-171 / CMMC, FedRAMP, CCPA / CPRA. Each lists controls + the DataStun evidence that maps.
Sovereignty is about where data went; trust is about what we see and don’t see in the first place. No content inspection, hash-only file reputation, no cross-tenant data merge — the constraints that make the agent safe to deploy on every machine.
This page answers where did the data go? with a measurement. The complement is where can the data go? — a per-agent, per-port distance limit that stops outbound packets at a router you choose. Operator-measured, AI-sanity-checked before apply, reversible in seconds. Per-agent add-on on Business and above.
Iris Locke
DataStun’s leadership voice
For the compliance officer, this changes the conversation. Instead of forwarding a vendor questionnaire and hoping, you open the rollup and export a timestamped number with vendor and department attached — that’s the audit answer to Layer 1. For the security lead, Hop Starvation answers Layer 2: not just where the data went, but how far it’s allowed to go from here, set at the agent level and reversible in seconds. Layer 3 — where the platform itself sits — is your choice across cloud, federated, or full self-host. Same agent install, three different audiences, three layers of evidence.
The rollup is the cleanest answer most teams have to the cross-border-data question. Sign up free, enroll an agent, and on Enterprise the rollup lights up the moment you have fleet data to slice. For self-host or federation conversations, drop us a line.