International Data Transfers
CloudNexus's policies, technical controls, and legal mechanisms governing the cross-border processing of customer data.
Contents
1. Overview & Commitment #
CloudNexus operates a globally distributed infrastructure to deliver low-latency performance and high availability. We recognize that cross-border data transfers are subject to stringent regulatory requirements, particularly under the EU General Data Protection Regulation (GDPR), UK GDPR, and various data localization laws.
Our commitment is to ensure that all personal and sensitive data transferred across international boundaries maintains the same level of protection and compliance as required by the origin jurisdiction. We do not rely on blanket adequacy decisions alone; instead, we employ a layered approach combining legal safeguards, technical encryption, and contractual commitments.
2. Legal Mechanisms & Compliance #
CloudNexus utilizes recognized legal instruments to authorize and protect international data transfers. Depending on the origin and destination jurisdictions, we implement the following frameworks:
- EU Standard Contractual Clauses (SCCs): The revised EU Commission SCCs (Module Two & Module Three) are incorporated into our Data Processing Addendum (DPA) for all transfers originating in the EEA.
- EU-US Data Privacy Framework (DPF): CloudNexus US operations are certified under the EU-US DPF, providing a baseline adequacy mechanism for US-based processing.
- UK International Data Transfer Agreement (IDTA): For UK origin data, we implement the UK IDTA alongside the UK SCCs where required.
- Supplementary Measures: Where legal mechanisms require additional risk mitigation, we apply technical and organizational safeguards detailed in Section 4.
Transfer Impact Assessments (TIAs) are conducted annually for each non-adequate third country in our infrastructure footprint. Results are documented and available to auditors and regulated customers upon request.
3. Data Residency & Regional Isolation #
CloudNexus provides data residency controls to ensure customer workloads remain within specified geographic boundaries. Our infrastructure is partitioned into isolated regions, each governed by local jurisdictional rules.
| Region | Primary Data Centers | Compliance Frameworks | Cross-Border Restrictions |
|---|---|---|---|
| EU Central | Frankfurt, Paris, Amsterdam | GDPR, EU SCCs, ISO 27001 | Strict opt-in for non-EEA routing |
| UK | London, Manchester | UK GDPR, IDTA, Cyber Essentials Plus | UK Sovereign Cloud isolation available |
| US | Virginia, Oregon, N. Virginia | EU-US DPF, SOC 2 Type II, HIPAA-ready | State-level localization compliant |
| APAC | Singapore, Sydney, Tokyo | PDPA, APP, ISO 27701 | Regional data sovereignty enforced |
Customers can enforce data residency at the account, project, or workload level via the Control Panel or API. Enabling "Data Residency Lock" prevents automated replication or failover to non-compliant regions.
4. Technical & Organizational Safeguards #
To meet regulatory requirements and mitigate third-country surveillance risks, CloudNexus implements the following security controls for all international data transfers:
- Encryption in Transit: All cross-border data flows are protected via TLS 1.3 with forward secrecy. Internal backbone traffic uses IPsec tunnels or MACsec.
- Encryption at Rest: Data is encrypted using AES-256. Customer-Managed Keys (CMK) are supported via AWS KMS, Azure Key Vault, or CloudNexus HSM clusters. Keys never leave the source region unless explicitly configured.
- Tokenization & Pseudonymization: Sensitive PII can be tokenized at the edge before cross-region replication, reducing exposure during transit.
- Access Controls: Zero-trust architecture with hardware-backed root of trust. CloudNexus personnel access customer data only under audited, just-in-time provisioning with multi-party approval.
- Audit Logging: All cross-border transfer events, access attempts, and encryption key usage are logged in immutable audit trails available to customers for 365 days (extendable to 7 years).
5. Subprocessors & Third-Party Vendors #
CloudNexus engages a limited number of vetted subprocessors for specialized services (e.g., threat intelligence feeds, regional CDN peering, backup replication). All subprocessors:
- Are contractually bound by data processing agreements that mirror or exceed CloudNexus's obligations.
- Undergo annual security assessments and compliance audits.
- Are listed publicly in our Subprocessor Registry with change notifications provided 30 days in advance.
No personal data is transferred to subprocessors in non-adequate countries without explicit customer consent and applicable SCCs/IDTAs in place.
6. How to Configure Transfer Controls #
CloudNexus customers can manage international data transfer settings through the following methods:
- Dashboard: Navigate to
Project Settings > Compliance & Residencyto enable region locks, view active transfer routes, and download SCC execution certificates. - API: Use the
compliance.v1endpoints to enforce residency policies programmatically. See the API Documentation for rate limits and schema. - Support Portal: Request custom data flow diagrams, TIA documentation, or jurisdiction-specific addenda via a Tier-2 support ticket.
For enterprise customers requiring sovereign cloud deployments or dedicated cross-border circuit provisioning, our Professional Services team will draft architecture blueprints aligned with your DPO's requirements.
Questions About Data Transfers?
Our Data Protection Officer and compliance engineering team are available to assist with TIAs, SCC execution, or custom residency configurations.
Contact the DPO Office →