Kazakhstan: New Law Forces Cloud Data On-Shore by 2025

Alexander Bazilevich

Alexander Bazilevich is a CRM expert and Top Salesforce Partner with over 17 years of sales experience in the IT industry. He specializes in transforming corporate goals into profits through cross-functional collaboration and innovative business solutions, with deep expertise in business systems and IT products.

Kazakhstan mandates that all personal data its users generate on cloud SaaS platforms be stored physically within the country.

In a significant policy shift, a new Kazakh law forces cloud data on-shore by 2025, mandating that all personal data from its citizens on platforms like Salesforce and Slack be stored on servers within the country. The rule, effective January 2025, requires global tech companies and local businesses to store Kazakh user data - from names and CRM records to chat histories - on physical servers located in Kazakhstan or face substantial penalties.

What are the new personal data localization requirements for cloud SaaS in Kazakhstan?

Beginning January 2025, Kazakhstan requires all personal data of its citizens generated by cloud SaaS platforms to be stored on servers physically inside the country. This mandate applies universally to all companies using services like Salesforce or Slack, with non-compliance resulting in heavy fines or service bans.

What changed on 8 January 2025

The change stems from a concise but powerful amendment to the Informatization Law package, stating:
"Electronic information resources containing personal data shall be placed only on technical means located in the Republic of Kazakhstan."

The rule offers no grace period, size-based exemptions, or industry-specific exclusions. Data controllers must delete or relocate any data stored abroad within 15 business days unless a local copy (or "mirror") was created first.

"Storage is understood as actions ensuring integrity, confidentiality and accessibility of personal data, therefore tangible media must be physically located in Kazakhstan."
- Chambers & Partners note, summarising Agency explanations

Who is caught

| Category | Example | Obligation |
|---|---|---|
| Local LLC | Air Astana HR system | keep employee data in-country |
| Kazakh branch of foreign firm | L'Oréal Kazakhstan CRM | same as domestic company |
| Pure offshore SaaS | US-headquartered Slack workspace used by Kazakh employees | must open a Kazakh instance or contract a local processor |

Penalties for non-compliance begin at 500 Monthly Calculation Indices (approximately USD 4,000) for each non-compliant database and can escalate to a complete ban on data processing activities.

How vendors are reacting

  • Salesforce has proactively introduced a "Kazakhstan locale" option, ensuring customer data is routed to servers rented from the Astana Hub hyperscale wing.
  • Slack recommends its Enterprise Key Management solution, which allows encrypted data fragments to cross borders while the essential decryption keys remain stored securely within Kazakhstan.
  • Smaller SaaS providers are partnering with local data centers like QazCloud and KazTelecom. They offer white-label hosting solutions, though at a premium price of around USD 0.08 per GB-month - nearly double the rate in European hubs like Frankfurt.

Portability collides with localization

The law creates a complex workflow for data portability requests, where data must be re-associated and transferred exclusively within Kazakhstan's borders. A typical process involves:

  1. Maintaining a complete, localized replica of user data.
  2. Exporting only a pseudonymized data subset for any external processing.
  3. Re-linking the full dataset upon user request, but only within a secure environment in Kazakhstan before handover.

"Controllers must consider objections to automated processing within 3 business days, but the local copy cannot leave the territory even if the user wants it elsewhere."
- DLA Piper, Data Protection Laws of the World 2025 edition

Work-arounds that survive scrutiny

| Approach | Risk | Practicality |
|---|---|---|
| Strip Kazakh IP addresses | high - geo-blocking is unreliable | low |
| Consent-based export | medium - regulator questions blanket consent | medium |
| Local encrypted vault + tokenised foreign analytics | low if keys stay local | high - adopted by two telecom operators already |
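
The three portability steps above (local replica, pseudonymized export, local re-linking) and the "local vault + tokenised foreign analytics" row, sketched as an added Python example; it is not code from the article or from any vendor. `LocalVault`, the field names and the sample records are assumptions made for illustration, and encryption of the vault at rest is left out.

```python
import hashlib
import hmac
import secrets

# Assumption: which fields count as direct identifiers (constructed for the example).
DIRECT_IDENTIFIERS = {"name", "email", "phone"}

class LocalVault:
    """Stand-in for the in-country store: full replica, HMAC key, token map."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # stays in-country, never exported
        self._records = {}    # subject_id -> full record (step 1: localized replica)
        self._by_token = {}   # token -> subject_id, used only for local re-linking

    def _token(self, subject_id):
        # Keyed HMAC, not a bare hash: tokens cannot be recomputed from guessed IDs.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()

    def store(self, subject_id, record):
        self._records[subject_id] = dict(record)
        self._by_token[self._token(subject_id)] = subject_id

    def export_pseudonymized(self):
        """Step 2: rows allowed to leave, with direct identifiers stripped."""
        return [
            {"token": self._token(sid),
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
            for sid, rec in self._records.items()
        ]

    def relink(self, foreign_rows):
        """Step 3: join foreign results back onto full records, locally only."""
        linked = []
        for row in foreign_rows:
            sid = self._by_token.get(row.get("token"))
            if sid is None:
                continue  # unknown or forged token: nothing to re-link
            linked.append({**self._records[sid], **row})
        return linked

def demo():
    vault = LocalVault()
    # Constructed sample CRM records.
    vault.store("crm-001", {"name": "A. Sample", "email": "a@example.kz", "deal_kzt": 1200000})
    vault.store("crm-002", {"name": "B. Sample", "email": "b@example.kz", "deal_kzt": 450000})
    exported = vault.export_pseudonymized()
    scored = [{**row, "score": 0.9} for row in exported]  # simulated foreign analytics
    return exported, vault.relink(scored)
```

Fields left in the export can still act as quasi-identifiers when combined, so the identifier list needs review per dataset.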

Counting the cost

For a mid-sized FMCG company with 250 sales representatives on Salesforce Sales Cloud, the annual compliance cost is approximately USD 18,000. This budget includes:
- Local data storage (4 TB): USD 3,900
- Annual security penetration testing and certification: USD 6,000
- Dedicated 24/7 technical support in Kazakhstan: USD 8,000

Despite these costs, CFOs widely accept the compliance premium, as it prevents a potential loss of USD 1.2 million in sales from a processing ban.

Outlook

The new law is already shaping the local tech landscape. Membership in Astana Hub surged by 32% in the first quarter of 2025, largely from SaaS providers drawn to its "Data Centre Preferential Zone" tax incentives. As neighboring countries like Uzbekistan consider similar data localization laws, vendors who successfully navigate Kazakhstan's requirements are well-positioned to offer a proven compliance blueprint across Central Asia.