Data sovereignty + processing
Australian by default. Multi-region available. Where data crosses a border, we disclose it, scope it, and apply contractual + technical safeguards.
01Plain English summary
Your data lives in Australia by default — Cloudflare AU edge, Sanity AU dataset. Per-region datasets (EU · UK · US) are available per Pilot+ tier. Cross-border processing is disclosed, scoped to minimum necessary, and subject to applicable EU SCCs / UK IDTA / APP 8 safeguards.
02Why this matters
If you operate in a regulated industry, your regulators + customers expect your data to stay in your home jurisdiction by default. Cross-border transfers must be necessary, disclosed, and accountable. We’ve designed Xlooop around this expectation. AU customers get AU residency by default. EU + UK + US customers can request regional residency at Pilot+ tier.
03Where your data lives (by region)
2.1 Australian customers (default)
2.2 European Union customers (Germany · France · others — Pilot+ tier)
Cross-border transfers from EU to non-adequacy countries governed by EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) Module 2 and/or Module 3, with a Transfer Impact Assessment completed and supplementary measures applied as required.
2.3 United Kingdom customers (Pilot+ tier)
Cross-border transfers from UK to non-adequacy countries governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, with Transfer Risk Assessment + supplementary measures.
2.4 United States customers (Pilot+ tier)
No federal US data-residency mandate — state-specific requirements (HIPAA · FERPA · GLBA · state finance regulators) addressed in the DPA + region-specific addenda where applicable.
2.5 Other regions
Customers in regions outside AU + EU + UK + US sign under AU-default with case-by-case region negotiation.
04Cross-border transfer mechanisms
All transfer mechanisms recorded in the Data Processing Agreement.
05APP 8 accountability (Australia)
Under Australian Privacy Principle 8, we remain accountable for personal information disclosed to overseas recipients. Our reasonable-steps regime:
- Contractual — sub-processors sign APP-equivalent obligations
- Technical — minimum-necessary data flows; no bulk transfers
- Operational — Sub-Processor List publicly maintained; 30-day notice
- Audit — annual sub-processor compliance review
Sub-processor compliance report available under DPA on request.
06EU GDPR Article 44–49 transfer regime
07UK GDPR Chapter V transfer regime
UK transfers follow Chapter V of UK GDPR + DPA 2018. UK IDTA is our primary mechanism. UK adequacy decisions are relied on where applicable; supplementary measures applied per case-by-case transfer risk assessment.
08Customer-controlled cross-border opt-outs
09Per-tier data-residency options
10Data residency for regulated verticals
9.1 Australia
- Health data (NDIS) — AU-residency only
- Tax data (ATO) — AU-residency by default
- AUSTRAC reporting — transaction-pattern data stays AU
- PROTECTED / IRAP-classified — Xlooop not designed for v1
9.2 European Union
- Health data — Article 9 special category; EU-residency + explicit consent
- Financial services — Member State regulator may require in-country residency
- Schrems II compliance — TIA mandatory for transfers to US
9.3 United Kingdom
- Health data — UK GDPR Article 9 + Caldicott Principles
- Financial services — FCA + PRA may require in-country residency
9.4 United States
- HIPAA — BAA required; HIPAA-eligible residency (US)
- FERPA — student-record handling
- GLBA — financial-services data
- State-specific — CPRA + VCDPA + CPA + others
11AU-headquartered ownership + jurisdiction
- ADEVI PTY LTD (trading as Xlooop) — ABN 80 627 916 698 · ACN 627 916 698 — registered in Australia
- NSW law is the default governing law
- Regional consumer-protection rights preserved
- Foreign government access requests — we resist + challenge through legal process
12Change notification
Material changes to data-residency posture — ≥60 days notice. Minor changes — logged in the Sub-Processor List with 30-day notice.
13Compliance alignment
- AU — Privacy Act 1988 + APPs · OAIC AI Guidance Oct 2024 · NAIC GfAA Oct 2025 · AS ISO/IEC 42001:2023 · NDB Scheme
- EU — GDPR + Member State implementations · EU AI Act · 2021 SCCs · EDPB guidelines · ENISA
- UK — UK GDPR + DPA 2018 + DUAA 2025 · ICO guidance · IDTA · Age-appropriate Design Code
- US — CCPA / CPRA + state laws · NIST AI RMF · Colorado AI Act 2026 · FTC Act §5 · sector laws
- Cross-cutting — ASD Essential Eight ML1 floor · ISO/IEC 27001 (target)
14Questions
For data-residency or processing enquiries: privacy@xlooop.com. Related pages — privacy policy ·terms of service ·regional regimes.
15Change log
Three doors. Same destination: a firm whose AI work is provable.
Pick the one that fits where you are today — none commit you to anything.
Or simply email hello@xlooop.com — one human reads every message.