Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
Cross-Border Data Transfer and Localization Policy
Scope
This policy applies to cloud hosting, support access, AI providers, analytics, app stores, crash reporting, vendors, subprocessors, backups, logs, API calls and mobile SDKs that move data across borders.
Transfer inventory
For each data flow, document source country, destination country, recipient, purpose, categories of data, retention, access controls, onward transfer, transfer mechanism, localization restrictions and government-access risk.
Controls
- Use approved transfer mechanisms such as adequacy, SCCs, IDTA, contractual safeguards, consent or local-law mechanism where applicable.
- Complete transfer impact assessment where required.
- Review data localization rules before moving regulated data from China, Russia, Saudi Arabia, India, Vietnam, Indonesia, health/finance sectors or other sensitive jurisdictions.
- Restrict support access by country and role.
- Avoid unnecessary replication of sensitive data.
- Maintain subprocessors and cloud-region disclosures.
Release blocker
A product cannot launch in a country if regulated personal data will be exported without a verified transfer mechanism or documented risk acceptance.