Data Residency Policy
Your health data stays in Australia - guaranteed
Compliance with Australian Government Data Sovereignty Requirements
Our Data Sovereignty Commitment
100% of your personal and health information is stored exclusively within Australian borders and remains subject to Australian privacy laws and jurisdiction.
1. Where Your Data is Stored
Primary Data Centers
Sydney Data Center
AWS ap-southeast-2 (Sydney)
Primary location for real-time data processing and user interactions
Melbourne Data Center
AWS ap-southeast-2 (Melbourne)
Backup and disaster recovery location with real-time replication
Infrastructure Details
- All servers physically located within Australian territory
- Hosted on Amazon Web Services (AWS) Australia regions exclusively
- Database encryption at rest using Australian-managed encryption keys
- Network traffic routed through Australian internet infrastructure only
- Real-time data synchronization between Sydney and Melbourne facilities
Government Compliance: Our infrastructure meets Australian Government requirements for sensitive data storage and is regularly audited for compliance with data sovereignty regulations.
2. Data Covered by Australian Residency
Personal Health Information
- Blood test results and pathology reports
- Health trends and analysis data
- Medical conditions and medications
- Health profile information (age, gender, physical characteristics)
- Generated health insights and recommendations
Personal Identifiable Information
- Name, email address, phone number
- Address and location information
- Account credentials and authentication data
- Payment information and billing history
- Communication records and support interactions
Technical and Usage Data
- Application logs and system activity
- Device information and IP addresses
- Usage patterns and interaction data
- Performance metrics and analytics
- Security logs and access records
3. Protection and Security Measures
Physical Security
- Tier III certified data centers with 24/7 physical security
- Biometric access controls and surveillance systems
- Environmental controls (fire suppression, climate control)
- Redundant power systems and network connectivity
- Regular security audits by independent Australian firms
Digital Security
- AES-256 encryption for all data at rest
- TLS 1.3 encryption for data in transit
- Australian-controlled encryption key management
- Multi-factor authentication and access controls
- Regular penetration testing and vulnerability assessments
Backup and Recovery
- Real-time backup to secondary Australian location
- Daily encrypted snapshots stored locally
- Point-in-time recovery capabilities
- Disaster recovery testing every 6 months
- Recovery time objective (RTO) of less than 4 hours
4. Australian Legal Framework
Governing Laws
- Privacy Act 1988 (Cth): Australian Privacy Principles (APPs) compliance
- My Health Records Act 2012: Health information protection standards
- Notifiable Data Breaches Scheme: Mandatory breach notification requirements
- Australian Government ISM: Information Security Manual compliance
Jurisdiction and Enforcement
- All data subject to Australian courts and legal system
- Office of the Australian Information Commissioner (OAIC) oversight
- Australian Federal Police jurisdiction for data breaches
- No foreign government access without Australian court approval
5. Prohibition on Offshore Data Transfer
Absolute Prohibition
We never transfer, store, or process your personal or health information outside of Australia under any circumstances.
Prohibited Activities:
- Offshore backup storage
- International data processing
- Cloud storage outside Australia
- Third-party offshore services
Technical Safeguards:
- Geographic IP restrictions
- Data residency monitoring
- Automated compliance checks
- Regular auditing and verification
Emergency Scenarios
Even in emergency situations such as natural disasters or major system failures, your data will only be recovered from our backup Australian facilities. We have no offshore disaster recovery arrangements.
6. Third-Party Service Compliance
Approved Service Providers
| Service | Provider | Data Location | Compliance |
|---|---|---|---|
| Cloud Infrastructure | AWS Australia | Sydney/Melbourne | ✓ ISM Compliant |
| Payment Processing | Stripe Australia | Australia Only | ✓ PCI DSS Level 1 |
| Email Communications | AWS SES Australia | Australia Only | ✓ Data Residency |
| Monitoring & Analytics | AWS CloudWatch | Australia Only | ✓ Data Residency |
Due Diligence Requirements
Any new third-party service must demonstrate:
- 100% Australian data residency capability
- Compliance with Australian privacy laws
- No offshore data processing or storage
- Regular security and compliance auditing
- Contractual data sovereignty guarantees
7. Continuous Monitoring and Compliance
Real-Time Monitoring
- Automated geographic location verification for all data
- 24/7 monitoring of data access and movement
- Immediate alerts for any unusual data activity
- Regular verification of third-party compliance
Compliance Reporting
- Monthly data residency compliance reports
- Quarterly security and privacy audits
- Annual third-party security assessments
- Transparency reports available to customers
8. Your Rights and Verification
Verification Rights
You have the right to:
- Request confirmation of your data's physical location
- Receive copies of our compliance certificates
- Access data residency audit reports (anonymized)
- Report any concerns about data location compliance
How to Verify
Data Residency Verification: [email protected]
Compliance Officer: [email protected]
Response Time: 5 business days for verification requests
Available Reports: Monthly location certificates, compliance summaries
9. Contact Information
For questions about data residency or to report compliance concerns:
Data Residency Officer
Email: [email protected]
Phone: 1300 XXX XXX
Address: [Company Address], Australia
This Data Residency Policy was last updated on January 1, 2024. We conduct quarterly reviews to ensure continued compliance with evolving Australian data sovereignty requirements.