
The operating system for NDIS providers. Built in Australia, hosted in Sydney, audit-ready by default.

ABN 51 824 753 556
© 2026 OpenShft · Built in Australia

Data residency commitment

Status: Founding policy (Pre-launch)
Last updated: 2026-05-04
Owner: Founder / Compliance

Summary

OpenShft commits to Australian data residency for all customer data at v1 GA. All customer-related Personal Information (as defined in the Privacy Act 1988 (Cth)) is stored, processed, and backed up within Australia (ap-southeast-2 — AWS Sydney region).

This policy operationalises Australian Privacy Principle 8 (Cross-border disclosure of personal information) for OpenShft's customers (NDIS providers) and the participants they serve.

What this covers

  • All Postgres data (Supabase Postgres in Sydney region).
  • All file uploads and exports (Supabase Storage in Sydney region).
  • All session / cookie data (Supabase Auth in Sydney region).
  • All audit logs.
  • All form submissions, registers, and evidence packs.
  • All AI-related stored content (ai_conversations, ai_chat_messages, ai_documents, ai_jobs).
  • All daily backups (35-day retention; cross-AZ within ap-southeast-2).

Where data may transit (with safeguards)

Some processing is unavoidable across borders for technical reasons. In each case, OpenShft applies APP 8 safeguards:

| Data flow | Reason | Safeguard |
|---|---|---|
| LLM API calls (Anthropic Claude / OpenAI) | Model providers operate globally. | PII is redacted at the edge BEFORE any LLM call. System prompts wrap user context in an isolation envelope. No customer data used to train shared models. Per-tenant opt-out available. |
| Vercel Edge runtime | The Edge runtime has globally distributed PoPs. | Customer data stays in ap-southeast-2 (Vercel does not persist data); only request/response payloads transit. Sensitive paths gated to Sydney-region functions where required. |
| Sentry | Error tracking. | PII scrubbing in sentry.server.config.ts:beforeSend and sentry.client.config.ts block list. |
| PostHog | Product analytics. | Configured to capture event names + IDs only — no PII fields. |
| Stripe | Payment processing. | Stripe is a contracted third party; OpenShft does not store card data (Stripe-tokenised). Stripe's APP 8 stance is documented at https://stripe.com/legal. |
| Resend / Twilio / ClickSend / FCM | Notification dispatch. | Recipient address (email / phone / FCM token) transits but is not stored at the dispatcher beyond delivery-window. |

What this DOES NOT cover (yet)

  • NZ / UK / EU data residency is on the v4 roadmap (year 2). Until then, OpenShft is offered to AU customers only.
  • Customer self-hosting is not offered. Enterprise customers can request a dedicated Supabase project (still in ap-southeast-2) with separate database isolation; a fully self-hosted OpenShft deployment is not in v1.

How to verify

  • Database region: confirmed via Supabase project metadata. Customers can request a written confirmation.
  • Storage region: Supabase Storage uses the same project region as Postgres.
  • Audit: the OpenShft Public Trust Center will publish the data-residency posture as a verifiable artefact.

Contractual commitments

  • The OpenShft Customer Agreement (drafted before v1 GA) will include a data-residency clause aligned with this policy.
  • Any change to data residency posture (e.g. introducing a NZ region) will be communicated to customers ≥30 days in advance.

Related

  • Privacy Act 1988 (Cth), Australian Privacy Principles 1, 8, 11.
  • Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
  • NDIS Practice Standards — Information Management.

Last updated: 6/20/2026