TL;DR: Cloud-routed ZTNA can create GDPR exposure when vendor-controlled PoPs move traffic, metadata, or identifiers across borders, according to AppGate. Direct-routed access architecture matters because sovereignty failures can arise even when content is encrypted and access appears secure.
NHIMG editorial — based on content published by AppGate: GDPR and data sovereignty in ZTNA routing
Questions worth separating out
Q: How should security teams evaluate ZTNA for GDPR compliance?
A: Security teams should assess where traffic is routed, where identity metadata is processed, and who controls the infrastructure that brokers access.
Q: Why can metadata create GDPR risk in remote access tools?
A: Metadata can identify a person or reveal their behaviour, which makes it regulated data under GDPR when tied to access sessions, logs, or identity context.
Q: What breaks when a ZTNA vendor controls the access path end to end?
A: The compliance model becomes harder to prove because the organisation may not control where brokering, policy enforcement, and logging occur.
Practitioner guidance
- Map jurisdictional data flows Inventory every ZTNA relay, policy decision point, identity integration, and logging destination to determine whether personal data or metadata crosses the EEA.
- Classify identity telemetry as regulated data Treat user identifiers, device posture signals, access logs, and session metadata as personal data during DPIAs and vendor risk reviews.
- Prefer customer-controlled routing paths Choose architectures that let you place controllers and gateways in regions you control, rather than relying on vendor-operated points of presence.
What's in the full article
AppGate's full article covers the architectural detail this post intentionally leaves at a governance level:
- How direct-routed ZTNA is deployed across customer-controlled regions and infrastructure
- The GDPR reasoning behind cross-border transfer risk in routing, metadata, and authentication flows
- How the architecture supports accountability and auditability for regulated access paths
- Why reduced latency and simpler management matter operationally once sovereignty controls are in place
👉 Read AppGate's explanation of direct-routed ZTNA and GDPR sovereignty controls →
ZTNA routing and GDPR compliance: where sovereignty breaks down?
Explore further
Jurisdiction is now part of the access-control problem. ZTNA is often discussed as a connectivity control, but GDPR makes routing choices part of the compliance model. If a vendor PoP handles identity context or session metadata outside the customer’s jurisdiction, the access pathway itself becomes a transfer risk. Practitioners should treat network access design as a governance control, not just a performance decision.
A question worth separating out:
Q: Who is accountable when access routing violates GDPR transfer rules?
A: The organisation deploying the access service remains accountable for lawful transfer decisions, vendor oversight, and data protection obligations. A supplier can provide tooling, but it cannot absorb the controller’s responsibility under GDPR. Privacy, IAM, and procurement teams therefore need shared ownership of routing and residency decisions.
👉 Read our full editorial: GDPR data sovereignty and ZTNA routing risk for enterprises