Stanislav (3y ago)

GDPR compliance?

Hi! I can't find anything in the docs about GDPR compliance. For many European companies, it's a requirement that their data is housed in the EU, and for certain companies it's also a requirement that their data never crosses over into the US. Is Convex unsuitable for such use cases?
35 Replies
jamwt (3y ago)
Hi @khromov. Good question. Unfortunately, Convex is not yet GDPR compliant. Our near-term focus is SOC2. We don't yet have a timeline on GDPR, but we'll re-assess which compliance milestones to take on next once SOC2 is done.
Stanislav (OP, 3y ago)
Thanks for the info!
whoami (3y ago)
When will SOC2 be completed?
jamwt (3y ago)
No firm commitment yet, but the likelihood is within 3 months or so.
Mitak (3y ago)
One more vote for that, as we're listing convex.dev on our list of sub-processors of customer data.
jamwt (3y ago)
@Mitak excellent. Well, we have our Vanta account set up, and we kicked off the process today! We'll be tackling controls one by one over the next couple of months and hope to get our audit done ASAP. So this is underway, and we'll definitely update everyone as we make progress on compliance.
Stanislav (OP, 2y ago)
Any updates here? The security page now says that AWS, which Convex uses, is "GDPR certified", and while this is great, I'm interested in my data not leaving the European Union. Maybe offer an EU zone (like AWS has)? https://www.convex.dev/security
jamwt (2y ago)
Data placement outside the US is likely 2+ quarters away. GDPR verification for Convex is much nearer. But Convex itself collects essentially no PII. We know customers want data sovereignty controls for their own compliance, but it's not currently on the Q1 roadmap, and it will be iffy to make it in Q2.
Stanislav (OP, 2y ago)
Thanks for the update!
ampp (2y ago)
Our cybersecurity analyst is asking what the list of EU-related privacy controls being baked into your architecture is, and who performs (or who will perform) the certification. And will you produce a map of NIST Special Publication 800-53 Rev5 controls to GDPR? It's a little early to ask, as we really don't expect to need it ourselves at least till 2025.
stefano (2y ago)
@Jamie, is a DPA available to sign? A bit like Supabase does: https://github.com/orgs/supabase/discussions/2341
David Alonso (12mo ago)
If we want to get certified on Vanta ourselves, it would be extremely useful for there to be a Convex integration with them (just like they do with e.g. Supabase and other BaaS providers). Are there any plans for this? I'm not sure if others have requested this.
john0x (6mo ago)
@Jamie any updates on this? Cannot use Convex if it's not compliant 🥲
jamwt (6mo ago)
Convex is GDPR compliant! But perhaps you need EU hosting? Or Vanta integration?
john0x (6mo ago)
Yeah, we would need EU hosting of sensitive data and a signed DPA. Same as Supabase: https://github.com/orgs/supabase/discussions/2341
Nobubble (4mo ago)
Are there any updates on this regarding EU hosting? Or would you need to self-host to make that happen for now? Or is Convex now also certified under DPF, and with a DPA can we still be GDPR compliant even though hosting is in the US?
jamwt (4mo ago)
Technically, GDPR compliance does not require EU hosting. However, some other compliance regimes that EU companies need do, especially in Germany. And some EU companies would prefer it for their own reasons, which we respect. Our timeline is still Fall for the first non-US zone. It will likely be Frankfurt.
Nobubble (4mo ago)
That would be amazing. We are doing a healthcare platform in the Netherlands, so EU hosting is very important for MDR classification. Looking forward to the non-US zone; fall would work for our roadmap.
eagleeye (4mo ago)
Just want to second that. We are an EU-based climate tech startup with German customers. Most of them (often traditional companies) require data storage within the EU. Not guaranteeing this is currently the only reason we're not using Convex. Looking forward to this addition.
BananyaDev (4mo ago)
Will it be possible to migrate an existing Convex instance to the Frankfurt zone when this launches in fall?
jamwt (4mo ago)
Yes! But probably via export/import; we won't offer any kind of online migration for a while.
rolimups (3mo ago)
Hi Jamie, any updates on the timeline?
jamwt (3mo ago)
Yeah, we're starting work on it soon. End of September, maybe early October?
armanhadi (3mo ago)
We are based in the Middle East, and having a server located in this region—or even in Frankfurt—would significantly improve performance.
jamwt (3mo ago)
Cool. Frankfurt will be first up!
Achilleas (3mo ago)
HELL YEAH! That’s awesome! Will we be able to migrate there?
Fuzzyma (3mo ago)
Just throwing another vote into the ring. Especially in Germany, data residency is super important. If I can say that the data is hosted in the EU, that's a huge plus. Even better when I can say it's hosted in Germany for German customers and hosted in the UK for UK customers. But I guess that's a bit much to ask 😅
jamwt (3mo ago)
Yes, but probably via export/import; we won't have automatic migration for a while.
Achilleas (3mo ago)
That’s good enough :)
sweLogan (2mo ago)
"If we use the Frankfurt hosting option, can you guarantee that the data and encryption keys will remain entirely under EU legal jurisdiction, and that no US entity has access?" "Will Convex EU act as a separate legal entity under EU law to isolate data from US government requests?" We are looking into building an app that will host information about children and health data, so the GDPR is a minefield when it comes to this. And we would prefer not to do self-hosting.
jamwt (2mo ago)
Unfortunately, no. Like AWS, we remain a US company; there is no separate subsidiary that provides this kind of isolation.
Achilleas (2mo ago)
Have you guys started working on it?
jryannel (3w ago)
First of all, you have an awesome product. I really like the DX and the AI coding agent capabilities. I have been programming for 30 years and have always looked out for faster turnaround times. I think you nailed it. With this out of the way :-) We are creating a SaaS platform where we need to store data for customers who want to ensure the data does not leave the EU. So I am happy to hear that this is on the roadmap. Data migration is also fine if this needs to be done manually. At least the customers are happy 🙂 Take care
Alejandro Montes
Having EU data hosting available will make me able to use and recommend Convex to my company; it has such an amazing DX. But it's because of the EU limitation that I can't adopt it fully yet. 😔 If this is likely to be supported anytime soon, I'll be more than happy.
