Data Localization in Uzbekistan: What It Means for SaaS and Mobile Apps
Law

Data Localization in Uzbekistan: What It Means for SaaS and Mobile Apps

If you're building a SaaS product or mobile app that handles data from Uzbekistan-based users, data localization requirements apply to you directly. We break down what 'storing data in Uzbekistan' actually means, the risks of non-compliance, and how to architect your product correctly from day one.

Bakhrom Isomadinov
Bakhrom Isomadinov
Founder & CEO of Pactum · IT, AI and startup law
July 18, 20266 min read
Поделиться:

Data Localization in Uzbekistan: What It Means for SaaS and Mobile Apps

If your product collects personal data from users in Uzbekistan — names, phone numbers, emails, geolocation, behavioral data — the law requires that the primary database for that data be hosted on servers physically located inside the country. That's data localization in a nutshell. It sounds straightforward, but in practice it raises dozens of questions: What counts as a "primary database"? Can you use AWS or GCP? What happens if you don't comply?

Key takeaways:

  • Data operators must store databases containing Uzbekistan citizens' personal data on servers physically located within the country.
  • This applies to foreign companies too, if they deliberately target Uzbek users.
  • Cross-border data transfers are not prohibited, but they come with conditions.
  • Fines and service blocks are a real risk — the regulator is already flagging violators.

---

Who Does This Apply To?

Short answer: anyone processing personal data of individuals in Uzbekistan. That includes:

  • Local startups and SaaS products — obviously.
  • International platforms with an Uzbek user base: if you display your interface in Uzbek or Russian, or accept payments in Uzbek soums, you're within scope.
  • B2B tools that store data about employees or clients of Uzbek companies.
  • Mobile apps — even if your backend lives in Europe.

When we were building Pactum, one of the first questions investors asked was: "Where is your clients' data stored?" That's now the same question regulators are asking.

---

What Exactly Needs to Be Stored Locally?

The law refers to personal data databases — structured repositories where data is organized and searchable. This doesn't mean every byte of traffic must pass through an Uzbek server. But the primary record — where data lands first and is treated as the source of truth — must be local.

In practical terms:

  • Your primary database (PostgreSQL, MongoDB, etc.) — must be in Uzbekistan.
  • Offsite backups abroad — permissible under cross-border transfer conditions.
  • CDNs and caches — a separate question that requires case-by-case analysis.
  • Analytics platforms (e.g., Amplitude, Mixpanel) — a grey area; I'd strongly recommend getting dedicated legal advice on these.

---

Hosting Options: Pros, Cons, and When Each Fits

OptionProsConsBest For
Uzbek data center (colocation)Full regulatory complianceLimited provider choice, higher costEnterprise products, fintech, government-facing apps
Uzbek cloud providerEasier setup, SLA includedFewer managed services than AWS/GCPStartups focused on the local market
Hybrid: local DB + foreign computeFlexibility and performanceMore complex architectureSaaS with global infrastructure
Foreign servers onlyFamiliar, lower upfront costViolates the law — risk of blockingNot recommended without legal sign-off

---

Cross-Border Data Transfers: Allowed, But With Conditions

Localization ≠ a ban on exporting data. You can transfer personal data abroad if:

  • The receiving country provides an adequate level of data protection (the list is determined by the authorized body).
  • The data subject has given explicit consent to the cross-border transfer.
  • The transfer is necessary for fulfillment of a contract with the data subject.

Important: the conditions and notification procedures for cross-border transfers may change — always verify the current requirements at the time of application.

---

What Happens If You Ignore the Requirements?

Uzbekistan's data protection regulator — the Personal Data Protection Agency — has the authority to:

  • Issue compliance orders requiring remediation.
  • Impose administrative sanctions (check current legislation for applicable penalty amounts at time of enforcement).
  • Initiate blocking of your service within the country.

For a SaaS product, a block means losing the market. For a mobile app, it means removal from app stores at the regulator's request. These aren't theoretical risks — there are already precedents.

---

Your Action Checklist for This Week

  • [ ] Build a data map: what you collect, where you store it, who you share it with.
  • [ ] Identify which data qualifies as "personal data" under Uzbek law.
  • [ ] Verify the physical location of your servers and databases.
  • [ ] Review your cloud provider contracts for data center location clauses.
  • [ ] If you use third-party analytics, CRM, or support tools — include them in your analysis.
  • [ ] Assign a data protection responsible person within your team.

---

FAQ

We're an early-stage startup with few users — do the requirements still apply?

Yes. The law makes no exceptions based on company size or user count. It's far better to build the right architecture from the start than to refactor it under regulatory pressure.

Can we use AWS or Google Cloud?

Yes — if you select a region physically located in Uzbekistan, or build a hybrid setup with a local primary database. The providers themselves are not prohibited.

Do we need to register our database with any official registry?

Personal data operators are required to notify the authorized body. The exact procedure and form of notification are updated periodically — always verify the current process.

What about data from foreign users who access our product?

Uzbekistan's law governs data belonging to citizens and individuals located within the country. Data from foreign users with no connection to Uzbekistan generally falls outside this requirement — but each situation warrants specific analysis.

We're a B2B SaaS — our clients store their own users' data. Who's responsible?

Responsibility is shared between the data controller (your client) and the data processor (you). This needs to be clearly defined in your contract — otherwise both parties carry the risk.

---

*This article is general information, not individual legal advice. Specific requirements depend on your product type, data categories, and business model.*

---

If you'd like to work through your specific situation — your data storage architecture, cloud provider contracts, or privacy policy — book a consultation. At Pactum, this is exactly the kind of case we handle: at the intersection of product and law.

Liked the article?
Поделиться:
Bakhrom Isomadinov
Bakhrom Isomadinov
Founder & CEO of Pactum · IT, AI and startup law

Founder of the Pactum legal platform. Writes about the legal side of IT, AI and startups in Uzbekistan — from data protection and IT Park to venture deals.

Основатель и CEO Pactum · pactum.uz

Need professional advice?

Our lawyers are ready to help with any question

View services
We'll call you back in 15 minutes
Leave your phone number — a lawyer will answer your question from this article for free