khromov · 3y ago

GDPR compliance?

Hi! I can't find anything in the docs about GDPR compliance. For many european companies, it's a requirement that their data is housed in the EU and for certain companies it's also a requirement that their data never crosses over into the US. Is Convex unsuitable for such use cases?
21 Replies
jamwt · 3y ago
Hi @khromov. Good question. Unfortunately, Convex is not yet GDPR compliant. Our near-term focus is SOC2. We don't yet have a timeline on GDPR, but we'll re-assess our next compliance milestones to take on once SOC2 is done.
khromov (OP) · 3y ago
Thanks for the info!
whoami · 3y ago
When will SOC2 be completed?
jamwt · 3y ago
No firm commitment yet, but likelihood is within 3 months or so.
Mitak · 3y ago
One more vote for that, as we're listing convex.dev on our list of sub-processors of customer data.
jamwt · 3y ago
@Mitak excellent. Well, we have our Vanta account set up, and we kicked off the process today! We'll be tackling controls one by one over the next couple of months and hope to get our audit done ASAP. So this is underway and we'll definitely update everyone as we make progress on compliance.
khromov (OP) · 2y ago
Any updates here? The security page now says that AWS, which Convex uses, is "GDPR certified", and while this is great, I'm interested in my data not leaving the European Union. Maybe offer an EU zone (like AWS has)? https://www.convex.dev/security
jamwt · 2y ago
Data placement outside the US is likely 2+ quarters away. GDPR verification for convex is much nearer. But convex itself collects essentially no PII. We know customers want data sovereignty controls for their own compliance, but it’s not currently on the Q1 roadmap, and will be iffy to make it in Q2.
khromov (OP) · 2y ago
Thanks for the update!
ampp · 2y ago
Our cybersecurity analyst is asking what the list of EU-related privacy controls being baked into your architecture is, and who performs (or will perform) the certification? And will you produce a map of NIST Special Publication 800-53 Rev5 controls to GDPR? It's a little early to ask, as we really don't expect to need it ourselves until at least 2025.
stefano · 16mo ago
@Jamie is a DPA available to sign? A bit like Supabase does https://github.com/orgs/supabase/discussions/2341
David Alonso · 9mo ago
If we want to get certified on Vanta ourselves, it would be extremely useful for there to be a Convex integration with them (just like they do with e.g. Supabase and other BaaS providers). Are there any plans for this? I'm not sure if others have requested this
john0x · 3mo ago
@Jamie any updates on this? Cannot use Convex if it's not compliant 🥲
jamwt · 3mo ago
Convex is GDPR compliant! But perhaps you need EU hosting? Or Vanta integration?
john0x · 3mo ago
Yeah, we would need EU hosting of sensitive data and a signed DPA. Same as Supabase: https://github.com/orgs/supabase/discussions/2341
Nobubble · 2mo ago
Are there any updates on this regarding EU hosting? Or would you need to self-host to make that happen for now? Or is Convex now also certified under DPF, and with a DPA can we still be GDPR compliant even though hosting is in the US?
jamwt · 2mo ago
Technically GDPR compliance does not require EU hosting. However, some other compliances EU companies need do, especially in Germany. And some EU companies would prefer it for their own reasons, which we respect. Our timeline is still Fall for the first non-US zone. It will likely be Frankfurt.
Nobubble · 2mo ago
That would be amazing; we are doing a healthcare platform in the Netherlands, so EU hosting is very important for MDR classification. Looking forward to the non-US zone; Fall would work for our roadmap.
eagleeye · 4w ago
Just want to second that. We are an EU-based climate tech startup with German customers. Most of them (often traditional companies) require data storage within the EU. Not guaranteeing this is currently the only reason we're not using Convex. Looking forward to this addition.
Luca · 2w ago
Will it be possible to migrate an existing Convex instance to the Frankfurt zone when this launches in Fall?
jamwt · 2w ago
Yes! But probably via export/import; we won't offer any kind of online migration for a while.