khromov · 2y ago

GDPR compliance?

Hi! I can't find anything in the docs about GDPR compliance. For many European companies, it's a requirement that their data is housed in the EU, and for certain companies it's also a requirement that their data never crosses over into the US. Is Convex unsuitable for such use cases?
jamwt · 2y ago
Hi @khromov. Good question. Unfortunately, Convex is not yet GDPR compliant. Our near-term focus is SOC 2. We don't yet have a timeline on GDPR, but we'll re-assess our next compliance milestones to take on once SOC 2 is done.
khromov (OP) · 2y ago
Thanks for the info!
whoami · 2y ago
When will SOC 2 be completed?
jamwt · 2y ago
No firm commitment yet, but likelihood is within 3 months or so.
Mitak · 2y ago
One more vote for that, as we're listing convex.dev on our list of sub-processors of customer data.
jamwt · 2y ago
@Mitak Excellent. Well, we have our Vanta account set up, and we kicked off the process today! We'll be tackling controls one by one over the next couple of months and hope to get our audit done ASAP. So this is underway, and we'll definitely update everyone as we make progress on compliance.
khromov (OP) · 10mo ago
Any updates here? The security page now says that AWS, which Convex uses, is "GDPR certified", and while this is great, I'm interested in my data not leaving the European Union. Maybe offer an EU zone (like AWS has)? https://www.convex.dev/security
jamwt · 10mo ago
Data placement outside the US is likely 2+ quarters away. GDPR verification for Convex is much nearer. But Convex itself collects essentially no PII. We know customers want data sovereignty controls for their own compliance, but it's not currently on the Q1 roadmap, and it will be iffy to make it in Q2.
khromov (OP) · 10mo ago
Thanks for the update!
ampp · 9mo ago
Our cybersecurity analyst is asking what the list of EU-related privacy controls being baked into your architecture is, and who performs (or who will perform) the certification? And will you produce a map of NIST Special Publication 800-53 Rev. 5 controls to GDPR? It's a little early to ask, as we really don't expect to need it ourselves at least till 2025.
stefano · 7mo ago
@jamwt Is a DPA available to sign? A bit like Supabase does: https://github.com/orgs/supabase/discussions/2341
David Alonso · 2w ago
If we want to get certified on Vanta ourselves, it would be extremely useful for there to be a Convex integration with them (just like they do with e.g. Supabase and other BaaS providers). Are there any plans for this? I'm not sure if others have requested this.