Data Sovereignty

Last updated: January 2025

Your Data, Your Control

Conversr understands that data sovereignty — where your data is stored and which laws govern it — is critical for charities handling sensitive supporter information. This page outlines our data residency, processing locations, and compliance with local regulations.

1. Primary Data Residency

Australia-First Approach

By default, all supporter data for Australian and New Zealand charities is stored and processed in Australian data centers. This ensures compliance with the Australian Privacy Act 1988, Australian Privacy Principles (APPs), and New Zealand Privacy Act 2020.

Data Storage Locations

  • Primary Database: AWS Sydney region (ap-southeast-2) or Azure Australia East
  • Backup & Disaster Recovery: AWS Melbourne region (ap-southeast-4) for redundancy
  • SMS Gateway Infrastructure: Australian-based SMS carriers with local infrastructure
  • Application Servers: Deployed in Australian regions for optimal latency

All primary data storage uses tier III+ data centers with SOC 2 Type II compliance and ISO 27001 certification.

2. International Data Transfers

While we prioritize Australian data residency, some services may involve limited international data transfers:

When Transfers Occur

  • Analytics & ML Services: Anonymized data may be processed in US or EU regions for sentiment analysis, AI training, and platform optimization
  • CDN & Edge Caching: Non-sensitive static content cached in global edge locations for performance
  • Customer Support Tools: Support ticket data stored in service provider regions (e.g., Intercom, Zendesk US regions)
  • Payment Processing: Billing data processed by Stripe (US/Ireland) in compliance with PCI DSS standards

Safeguards for International Transfers

All international data transfers comply with APP 8 (Cross-border Disclosure of Personal Information) and include:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements with all overseas service providers
  • Data Processing Agreements (DPAs): Binding contracts ensuring compliance with Australian privacy standards
  • Adequacy Assessments: Regular review of destination country data protection laws
  • Encryption in Transit: TLS 1.3 encryption for all data leaving Australian borders
  • Data Minimization: Only necessary data transferred; personally identifiable information (PII) anonymized wherever possible

Client Control

Clients can request that all supporter data remain within Australian borders. This may limit access to certain AI/ML features but ensures absolute data sovereignty. Contact us to discuss sovereign data options.

3. Regulatory Compliance

Australian Privacy Principles (APPs)

Conversr complies with all 13 APPs, including:

  • APP 1: Open and transparent privacy policy management
  • APP 3: Collecting personal information only when necessary
  • APP 5: Transparent notification of data collection practices
  • APP 8: Rigorous controls for cross-border data disclosure
  • APP 11: Industry-standard security measures for personal information
  • APP 12: Clear processes for supporter access and correction requests

New Zealand Privacy Act 2020

For New Zealand charities, Conversr complies with the 13 Information Privacy Principles (IPPs), including:

  • Collection, storage, and use limitations
  • Accuracy and security requirements
  • Individual access and correction rights
  • Restrictions on overseas information transfers

Industry-Specific Regulations

  • Spam Act 2003: All SMS messages include clear unsubscribe options; consent tracked and honored
  • Australian Consumer Law: Fair, transparent communication; no misleading or deceptive conduct
  • Charitable Fundraising Acts: Support for state-based fundraising license requirements
  • PCI DSS: Payment data handled by PCI-compliant processors (Conversr does not store credit card details)

4. Sub-Processors and Third-Party Services

Conversr uses carefully vetted sub-processors to deliver services. All sub-processors sign Data Processing Agreements and comply with Australian privacy standards.

Key Sub-Processors

Infrastructure: AWS / Azure

  • Data Location: Australia (Sydney, Melbourne)
  • Purpose: Database, compute, storage

SMS Gateway: Australian carriers (Telstra, Optus, etc.)

  • Data Location: Australia
  • Purpose: SMS delivery infrastructure

Analytics/AI: OpenAI / Anthropic

  • Data Location: US (anonymized data only)
  • Purpose: Sentiment analysis, AI insights

Payments: Stripe

  • Data Location: US / Ireland
  • Purpose: Subscription billing (PCI DSS)

A complete, current list of sub-processors is available to clients upon request. We notify clients of new sub-processors at least 30 days before data processing begins.

5. Data Residency Options

Standard Configuration

All supporter personal data is stored in Australian data centers. Analytics and AI services may use anonymized data in overseas regions.

Sovereign Data Configuration

100% Australian data residency — no international transfers. All processing, analytics, and AI services run within Australian borders. Available on request for charities with strict sovereignty requirements (e.g., government-funded organizations, health charities handling sensitive data).

New Zealand-Specific Configuration

For New Zealand clients requiring NZ-based data storage, we can configure primary residency in AWS Auckland region (ap-southeast-1) or Azure New Zealand North. Contact us to discuss requirements.

6. Data Breach Notification

In the unlikely event of a data breach, Conversr follows the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988:

  • Assessment: Immediate investigation to determine scope, impact, and risk
  • Notification: Affected charities notified within 24 hours of discovery
  • OAIC Reporting: Eligible data breaches reported to the Office of the Australian Information Commissioner
  • Affected Individuals: Charities responsible for notifying their supporters (we provide detailed breach information and recommended communication templates)
  • Remediation: Immediate steps to contain breach, prevent recurrence, and restore security

7. Government Access and Lawful Requests

Conversr may be required to disclose data in response to lawful requests from Australian authorities:

  • All government requests assessed for legal validity before disclosure
  • Clients notified of requests unless legally prohibited (e.g., by court order)
  • Only minimum necessary data disclosed to satisfy legal requirements
  • Annual transparency report published outlining number and nature of government requests (aggregated, no client-specific details)

As an Australian company, Conversr is not subject to the US CLOUD Act or other foreign surveillance laws that would compel overseas data access.

8. Your Rights and Control

  • Data Location Transparency: Request details on where your specific data is stored and processed
  • Sovereign Data Option: Upgrade to 100% Australian residency configuration
  • Data Portability: Export all your data in machine-readable formats
  • Deletion: Request complete data deletion upon termination (subject to legal retention requirements)
  • Audit Rights: Review our security and compliance certifications; request audit reports

9. Contact & Questions

For questions about data sovereignty, residency options, or compliance:

Email: privacy@conversr.com

Phone: 1300 012 014

Post: Suite 2, Level 10, 60 Carrington Street, Sydney NSW 2000, Australia