In one embodiment, a device determines a category of sensitive data processed by an application, based on annotations embedded into programming code of the application and protection bindings, which associate the category of sensitive data with one or more data types used by the application. The device computes, based on one or more data compliance constraints for the category of sensitive data, a set of one or more execution constraints for the application. The device identifies target infrastructure to execute a workload of the application that satisfies the set of one or more execution constraints. The device causes a deployment of the workload of the application for execution by the target infrastructure.