Where is the data stored?

You can pick where your data is stored.

If you have specific data storage requirements, you can opt to have your data stored within Australia (or in a variety of other regions around the world). Read more about a dedicated solution that meets your data location requirements here.

If you do not have specific data storage requirements, by default all data is stored in California, in an AWS data center, on a server managed by Heroku.

Does that mean I can't use this tool in Australia?

No. Not at all. This is a common misconception. This is why a large number of government organisations are using Comply Group today (see the logos on our Home Page - https://comply.group).

The underlying principle here is not where the data is kept, but a combination of:

  • the type of data stored (in this case Personally Identifiable Information, aka PII) and where in the flow encryption changes its classification;

  • decisions made around data encryption and security (read more about our security practices here) at each step along the data's processing journey, and;

  • the hosting provider's legally binding commitments to maintaining privacy policies in parity with the Australian Privacy Principles (APP).

Given the decisions made in the design of this platform's architecture, we are comfortable that Comply Group is operating in accordance with, and is fully compliant with, the Australian Privacy Principles (APP).

For more information about data encryption with regard to data crossing borders, take a read of the next section that talks about GDPR. The same levels of protection that we have put in place for Europe also apply to Australian data, which is why we can confidently state our compliance with the APP.

From a GDPR perspective, how is this platform compliant?

GDPR regulations do strictly require PII to be kept within Europe for European citizens (this still includes UK citizens whilst the Brexit transition period is in place until 31 Dec 2020). However, before, during, and after the data is transferred outside the UK/EU, it is encrypted. Here's how it works:

  1. The encryption process scrambles the PII after a check-in has been created (e.g. an email address of [email protected] will become, for example, hukhuigYUGF%678gf66Gu55hGGUIIY&J8lj7o).

  2. This process means the data is no longer considered personal data because you can't identify a person from looking at the scrambled email address above.

  3. The information is only unscrambled when accessed via the user's account that owns the location in the EU/UK in which the PII was originally captured.

This means that even though the information is stored in California, it is neither transferred outside the UK/EU in an identifiable state nor is it accessible outside of the EU/UK. This is how Comply Group achieves GDPR and APP compliance whilst maintaining our servers and database in California.

This is still a fairly oversimplified explanation, so if you have additional queries about this, please direct them to [email protected] and we can go further down the data sovereignty and compliance rabbit hole together.
