Frequently Asked Questions (FAQs)
What is TomTom API data residency and privacy
TomTom APIs manage data in alignment with regional data residency requirements and privacy regulations.
Data residency ensures that API requests are processed only within the specified region when using a regional hostname (for example, eu-api.tomtom.com or us-api.tomtom.com). TomTom’s API Gateway routes requests accordingly, ensuring compliance with regional policies and that data is handled within the designated geographic boundaries.
In general, full global data coverage is available across regions, with the exception of Korea. Due to local regulatory requirements, Korean data is accessible only from within Korea and requires the use of the dedicated regional endpoint kr-api.tomtom.com.
Data residency in TomTom defines where API providers (upstream/backend services) are deployed and where requests are processed, stored (if applicable), and governed under regional legal frameworks.
From a privacy perspective, TomTom stores metadata related to API requests for up to 90 days. If a specific agreement is in place with a customer, only aggregated data may be retained beyond this period for reporting and billing purposes.
What type of customer data does TomTom collect?
TomTom collects general metadata about API requests for security, debugging, and reporting purposes.
This may include information such as request timestamps, endpoints used, and performance metrics.
In addition, individual backend services (API providers) may collect supplementary data to support debugging and product improvement. The scope of such data collection can vary by service and should be verified with the respective teams responsible for those APIs.
Does TomTom store the content of API calls?
API call content storage is governed by data privacy and GDPR requirements. The API Gateway stores only the minimum necessary data required for billing and service performance reporting.
In general, TomTom does not store the full content of API calls unless required for specific use cases. Additionally, TomTom provides mechanisms to propagate data privacy requirements to API providers, helping ensure that downstream services remain compliant.
Does EU customer’s request for US data go through a US server?
It depends on the product. Most public APIs provide global data access across regions.
The only exception is Korea, where regulatory restrictions apply. Korean data is accessible only from within Korea and requires the use of the dedicated endpoint kr-api.tomtom.com.
For other regions, data is not restricted in the same way. For example, US data can be accessed via eu-api.tomtom.com, and EU data via us-api.tomtom.com. The selected hostname determines the region in which the request is routed and processed, rather than limiting the dataset itself.
Can a customer accidentally poll data from another region?
If a customer consistently uses the correct hostname (e.g., eu-api.tomtom.com for EU), the API Gateway ensures the request remains within the specified region. However, API providers should also be consulted to verify how they handle requests.
How does TomTom keep data in different regions?
TomTom maintains data in different regions using dedicated endpoints that ensure requests are routed through the correct regional server. The API Gateway ensures that requests are processed in the intended region and forwarded to the appropriate API provider.
Which TomTom APIs are integrated into Microsoft Azure Maps?
Microsoft Azure Maps uses TomTom’s core Maps APIs, including:
- Map Display API
- Traffic API
- Search API
- Routing API
How are incidents investigated if customer data is not stored?
For root cause or customer error analysis, Microsoft must provide:
- The tracking identifier of the request
- The specific customer data related to that request
TomTom uses the tracking identifier to find the associated scrubbed logs. Combined with the customer data provided by Microsoft, this allows issue investigation without storing customer data long-term.
What happens if an API request is not processed within 24 hours?
This is currently under discussion. The concern is how to comply with the 24-hour deletion requirement if processing exceeds that time.
What is the API Gateway�’s policy on customer-sensitive data?
The API Gateway does not store Personally Identifiable Information (PII) in request payloads. However, certain request details—such as the request path—are stored for up to 90 days for security and debugging purposes. Request payloads are not stored.
If a customer requires a higher level of privacy, the storage of user input (including request paths and requester IP addresses) can be disabled.
In addition, only general metadata is retained to support reporting on usage and service performance, such as request volume, availability, latency, and error rates.
Does data residency depend on where the API consumer is located?
No. Data residency applies to where the data is processed and stored, not where the API consumer resides.
How does TomTom enforce data residency requirements?
TomTom provides dedicated regional endpoints (hostnames) for each supported region. Requests sent to a regional hostname are guaranteed to be processed and, if needed, stored within that region.
Which TomTom products are affected by data residency?
All TomTom products that have customers with data residency requirements are within scope.
Does aggregated data need to follow data residency rules?
No. Aggregated data may be stored in any region, regardless of its origin.
Is it allowed to fail over to another region in case of an outage?
No. Failover to another data residency region is not allowed. However, EU and US regions have internal redundancy to handle regional failures without cross-region traffic.