Data Localization in Uzbekistan: What It Means for SaaS and Mobile Apps
If you're building a SaaS product or mobile app that handles data from Uzbekistan-based users, data localization requirements apply to you directly. We break down what 'storing data in Uzbekistan' actually means, the risks of non-compliance, and how to architect your product correctly from day one.
Data Localization in Uzbekistan: What It Means for SaaS and Mobile Apps
If your product collects personal data from users in Uzbekistan — names, phone numbers, emails, geolocation, behavioral data — the law requires that the primary database for that data be hosted on servers physically located inside the country. That's data localization in a nutshell. It sounds straightforward, but in practice it raises dozens of questions: What counts as a "primary database"? Can you use AWS or GCP? What happens if you don't comply?
Key takeaways:
- Data operators must store databases containing Uzbekistan citizens' personal data on servers physically located within the country.
- This applies to foreign companies too, if they deliberately target Uzbek users.
- Cross-border data transfers are not prohibited, but they come with conditions.
- Fines and service blocks are a real risk — the regulator is already flagging violators.
---
Who Does This Apply To?
Short answer: anyone processing personal data of individuals in Uzbekistan. That includes:
- Local startups and SaaS products — obviously.
- International platforms with an Uzbek user base: if you display your interface in Uzbek or Russian, or accept payments in Uzbek soums, you're within scope.
- B2B tools that store data about employees or clients of Uzbek companies.
- Mobile apps — even if your backend lives in Europe.
When we were building Pactum, one of the first questions investors asked was: "Where is your clients' data stored?" That's now the same question regulators are asking.
---
What Exactly Needs to Be Stored Locally?
The law refers to personal data databases — structured repositories where data is organized and searchable. This doesn't mean every byte of traffic must pass through an Uzbek server. But the primary record — where data lands first and is treated as the source of truth — must be local.
In practical terms:
- Your primary database (PostgreSQL, MongoDB, etc.) — must be in Uzbekistan.
- Offsite backups abroad — permissible under cross-border transfer conditions.
- CDNs and caches — a separate question that requires case-by-case analysis.
- Analytics platforms (e.g., Amplitude, Mixpanel) — a grey area; I'd strongly recommend getting dedicated legal advice on these.
---
Hosting Options: Pros, Cons, and When Each Fits
| Option | Pros | Cons | Best For |
|---|---|---|---|
| Uzbek data center (colocation) | Full regulatory compliance | Limited provider choice, higher cost | Enterprise products, fintech, government-facing apps |
| Uzbek cloud provider | Easier setup, SLA included | Fewer managed services than AWS/GCP | Startups focused on the local market |
| Hybrid: local DB + foreign compute | Flexibility and performance | More complex architecture | SaaS with global infrastructure |
| Foreign servers only | Familiar, lower upfront cost | Violates the law — risk of blocking | Not recommended without legal sign-off |
---
Cross-Border Data Transfers: Allowed, But With Conditions
Localization ≠ a ban on exporting data. You can transfer personal data abroad if:
- The receiving country provides an adequate level of data protection (the list is determined by the authorized body).
- The data subject has given explicit consent to the cross-border transfer.
- The transfer is necessary for fulfillment of a contract with the data subject.
Important: the conditions and notification procedures for cross-border transfers may change — always verify the current requirements at the time of application.
---
What Happens If You Ignore the Requirements?
Uzbekistan's data protection regulator — the Personal Data Protection Agency — has the authority to:
- Issue compliance orders requiring remediation.
- Impose administrative sanctions (check current legislation for applicable penalty amounts at time of enforcement).
- Initiate blocking of your service within the country.
For a SaaS product, a block means losing the market. For a mobile app, it means removal from app stores at the regulator's request. These aren't theoretical risks — there are already precedents.
---
Your Action Checklist for This Week
- [ ] Build a data map: what you collect, where you store it, who you share it with.
- [ ] Identify which data qualifies as "personal data" under Uzbek law.
- [ ] Verify the physical location of your servers and databases.
- [ ] Review your cloud provider contracts for data center location clauses.
- [ ] If you use third-party analytics, CRM, or support tools — include them in your analysis.
- [ ] Assign a data protection responsible person within your team.
---
FAQ
We're an early-stage startup with few users — do the requirements still apply?
Yes. The law makes no exceptions based on company size or user count. It's far better to build the right architecture from the start than to refactor it under regulatory pressure.
Can we use AWS or Google Cloud?
Yes — if you select a region physically located in Uzbekistan, or build a hybrid setup with a local primary database. The providers themselves are not prohibited.
Do we need to register our database with any official registry?
Personal data operators are required to notify the authorized body. The exact procedure and form of notification are updated periodically — always verify the current process.
What about data from foreign users who access our product?
Uzbekistan's law governs data belonging to citizens and individuals located within the country. Data from foreign users with no connection to Uzbekistan generally falls outside this requirement — but each situation warrants specific analysis.
We're a B2B SaaS — our clients store their own users' data. Who's responsible?
Responsibility is shared between the data controller (your client) and the data processor (you). This needs to be clearly defined in your contract — otherwise both parties carry the risk.
---
*This article is general information, not individual legal advice. Specific requirements depend on your product type, data categories, and business model.*
---
If you'd like to work through your specific situation — your data storage architecture, cloud provider contracts, or privacy policy — book a consultation. At Pactum, this is exactly the kind of case we handle: at the intersection of product and law.

Founder of the Pactum legal platform. Writes about the legal side of IT, AI and startups in Uzbekistan — from data protection and IT Park to venture deals.
Read also
Challenging a Tax Audit Report in Uzbekistan: A Step-by-Step Guide
Received a tax audit report with additional tax assessments? Don't accept it without scrutiny. The Pactum legal team walks you through the full defense strategy — from written objections to court proceedings — including what documents to prepare and where taxpayers most commonly go wrong.
Notarial Confidentiality: What a Notary Is Legally Bound to Keep Secret
Notarial confidentiality is one of the cornerstone protections you receive when working with a notary in Uzbekistan. In this article, I explain exactly what information the law shields, who can lawfully access it and under what conditions, and why confidentiality is far more than a procedural formality.
Legal Audit of a Company: What We Review and What It Does for Your Business
A legal audit is a systematic review of a company's documents and legal risks — before they turn into lawsuits or penalties. We break down exactly what is analysed, which errors come up most often, and when a business legal audit pays for itself many times over.