APP 8 framework

Our approach to overseas disclosure

APP 8.1 requires that before disclosing personal information to an overseas recipient, Obsidia takes reasonable steps to ensure the recipient does not breach the APPs in relation to that information. For each overseas recipient below we document the specific reasonable steps taken.

APP 8.2(a) provides an exception where we reasonably believe the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is at least substantially similar to the APPs, and there are mechanisms for the individual to enforce that protection. Where we rely on this exception it is noted in the relevant entry.

Compliance tier customers: The Compliance tier uses Australian-hosted infrastructure exclusively (AWS ap-southeast-2, Sydney). AI inference runs on AWS Bedrock (Sydney region). No Customer Data is disclosed to overseas recipients on the Compliance tier. The entries below apply to the Standard tier only unless otherwise noted.

Overseas recipients

Standard tier — overseas disclosures

Anthropic PBC
United States of America
Overseas
Purpose
AI language model inference (Claude API) — conversation messages and document content sent as prompts
Data transferred
Conversation messages, uploaded document content, workflow inputs
Retention by recipient
Per Anthropic API policy — not used for model training; check Anthropic's current data handling documentation
Reasonable steps taken (APP 8.1)
Contractual commitment via Anthropic's API usage policy: customer data is not used for model training or fine-tuning. Anthropic holds SOC 2 Type II certification. Data Processing Addendum (DPA) available from Anthropic for enterprise customers. We have reviewed Anthropic's data handling documentation and privacy policy and are satisfied that obligations are substantially similar to the APPs for the purpose of this disclosure.
SOC 2 Type II · No model training on customer data · API usage policy reviewed
Voyage AI Inc.
United States of America
Overseas
Purpose
Text embedding generation for RAG retrieval (Standard tier)
Data transferred
Document text chunks (cleartext) — transient during embedding generation only
Retention by recipient
Zero-day retention (ZDR) opt-out active — no data retained after embedding generation
Reasonable steps taken (APP 8.1)
Obsidia has enabled the Voyage AI zero-day retention (ZDR) opt-out per installation. Customer data is not stored or used for model training after embedding generation is complete. Data is transferred transiently and not persisted by the recipient. This contractual opt-out substantially limits the risk of APP breach.
Zero-day retention (ZDR) · No model training on customer data · Transient transfer only
Functional Software Inc. (Sentry)
United States of America
Overseas
Purpose
Application error monitoring and performance tracking
Data transferred
Error stack traces, bounded error messages (≤500 chars), safe diagnostic tags only. All request bodies, auth headers, and user content are scrubbed before transmission.
Retention by recipient
90 days (Sentry default)
Reasonable steps taken (APP 8.1)
Technical scrubbing applied before transmission: request bodies, authentication headers, navigation history, and all user-supplied content are removed. Only diagnostic tags (function name, HTTP status, correlation ID) and bounded error messages are transmitted. Session replay is disabled by default — no screen content is captured. Sentry holds SOC 2 Type II certification and a DPA is available. Because no personal information is transmitted after scrubbing, APP 8 risk is materially reduced.
SOC 2 Type II · DPA in place · PII scrubbed before transmission · Session replay disabled
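The scrubbing rules in the Sentry entry above (drop request bodies, auth headers and navigation history, keep only allow-listed diagnostic tags, bound error text to 500 characters, keep stack traces), written out as an added illustration in the shape of a Sentry beforeSend hook. This is not Obsidia's code; the event field names (request, breadcrumbs, tags, user, extra, message, exception) are assumed from the Sentry SDK event format, and the sample event is constructed.

```javascript
// Added illustration of the scrubbing described in the Sentry entry; this is
// not Obsidia's code. Event fields (request, breadcrumbs, tags, user, extra,
// message, exception) follow the Sentry SDK event shape, assumed here.
const MAX_MESSAGE_LEN = 500;
// Allow-list from the register: function name, HTTP status, correlation ID.
const ALLOWED_TAGS = new Set(["function", "http.status", "correlation_id"]);

function truncate(text) {
  return typeof text === "string" && text.length > MAX_MESSAGE_LEN
    ? text.slice(0, MAX_MESSAGE_LEN)
    : text;
}

// Usable as Sentry's beforeSend(event) hook: returns a scrubbed copy.
function scrubEvent(event) {
  if (!event) return null;
  const out = { ...event };
  // Request bodies, auth headers, cookies and query strings never leave.
  if (out.request) {
    const raw = out.request.url;
    const url = typeof raw === "string" ? raw.split("?")[0] : undefined;
    out.request = { method: out.request.method, url };
  }
  delete out.breadcrumbs; // navigation history
  delete out.user;        // user identity
  delete out.extra;       // free-form context may carry user content
  // Only allow-listed diagnostic tags survive.
  out.tags = Object.fromEntries(
    Object.entries(out.tags || {}).filter(([k]) => ALLOWED_TAGS.has(k))
  );
  // Error text is bounded to 500 characters; stack traces are kept as-is.
  out.message = truncate(out.message);
  if (out.exception && Array.isArray(out.exception.values)) {
    out.exception = {
      ...out.exception,
      values: out.exception.values.map((v) => ({ ...v, value: truncate(v.value) })),
    };
  }
  return out;
}

// Constructed sample event (not a real capture) to exercise every rule.
const SAMPLE_EVENT = {
  message: "x".repeat(800),
  request: { method: "POST", url: "https://example.invalid/api?token=abc",
             headers: { Authorization: "Bearer secret" }, data: { doc: "private" } },
  breadcrumbs: [{ category: "navigation", data: { to: "/docs/42" } }],
  user: { email: "person@example.invalid" },
  tags: { function: "ingest", "http.status": "500", user_name: "Alice" },
  exception: { values: [{ type: "Error", value: "y".repeat(600), stacktrace: { frames: [] } }] },
};
```

Wiring it in is a matter of passing `scrubEvent` as the SDK's `beforeSend` option; the function never mutates the original event, so the unscrubbed object stays local to the process.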
Netlify Inc.
United States of America (global CDN)
Overseas
Purpose
Serverless function hosting and CDN (API layer and static asset delivery)
Data transferred
API request payloads (transient — not persisted by Netlify beyond 7-day function logs)
Retention by recipient
Function execution logs: 7 days (Pro plan) / 1 day (Starter). Logs stored in United States (Netlify's US-based control plane) regardless of function execution region — confirmed in writing by Netlify Support (case #1041817, 4 June 2026).
Reasonable steps taken (APP 8.1)
Netlify holds SOC 2 Type II certification. A DPA is available (Netlify GDPR/CCPA documentation). API request payloads are transient — Netlify's role is to route and execute requests, not to store data. Persistent storage of all Customer Data occurs in Supabase (Australia). Function execution logs are shipped to Netlify's US-based control plane and retained for up to 7 days. Log content is limited to function execution metadata and bounded error output (request bodies and user content are not logged). Netlify has advised that organisations requiring strict Australian log residency should implement an external Australian-hosted log drain — this is noted as a future consideration for any customer with explicit log-residency requirements.
SOC 2 Type II · DPA available · Transient — not persisted · Log residency confirmed (US)
Resend Inc.
Japan — ap-northeast-1 (Tokyo)
Overseas
Purpose
Transactional email delivery (invitations, password resets, notifications)
Data transferred
Recipient email address, name (for personalisation), email body content
Retention by recipient
Per Resend DPA — email delivery records retained under Resend's standard data processing terms; contact data used for transactional delivery only
Reasonable steps taken (APP 8.1)
A Data Processing Agreement (DPA) is in place with Resend. Resend's DPA is signed by Resend and is considered fully executed upon account signup — available at resend.com/settings/documents. Resend holds SOC 2 Type II certification (February 2025 – February 2026, audited by Vanta & Advantage Partners) and conducts annual penetration testing by Oneleet. Email content is limited to transactional messages (no Customer Data content). Recipient email addresses are collected by Obsidia for the purpose of delivering the service only.
DPA in place · SOC 2 Type II · Annual pen test (Oneleet) · Transactional use only

Onshore recipients

Australian-hosted — no APP 8 obligation

The following service providers process personal information within Australia and do not trigger APP 8 overseas disclosure obligations.

Supabase (ap-southeast-2)
Australia — Sydney region
Onshore
Purpose
Database, authentication, and storage infrastructure
Entity
Supabase Inc. (USA-incorporated) — data stored in AWS ap-southeast-2 per DPA Clause 6.2
DPA status
Signed DPA in place — 23 April 2026
Amazon Web Services (ap-southeast-2)
Australia — Sydney region (Compliance tier)
Onshore
Purpose
Compute, storage, networking, and AI inference (Compliance tier only)
Entity
Amazon Web Services Australia Pty Ltd
Region commitment
ap-southeast-2 exclusively — no cross-region replication without consent

Review schedule

Review schedule

Quarterly review — This register is reviewed quarterly and whenever a new overseas recipient is engaged. Any new overseas sub-processor requires Privacy Officer approval and must be added to this register before go-live.

Change history

Register changelog

4 June 2026
Updated
Netlify log residency confirmed. Netlify Support confirmed (case #1041817) that function execution logs are stored in the United States regardless of function execution region. Retention: 7 days (Pro) / 1 day (Starter). Netlify's compliance recommendation noted: AU-hosted log drain required for strict AU log residency. Pending action removed; Netlify card updated with confirmed details.
4 June 2026
Updated
Resend DPA confirmed. Resend DPA is fully executed upon account signup (self-executing). Resend holds SOC 2 Type II (Feb 2025–Feb 2026, Vanta & Advantage Partners) and conducts annual pen testing by Oneleet. Resend DPA pending action removed. Reasonable-steps assessment updated to reflect DPA in place.
26 May 2026
Updated
Resend region corrected. Region updated from "United States of America (assumed)" to "Japan — ap-northeast-1 (Tokyo)" based on confirmed Resend dashboard configuration. DPA review still pending.
26 May 2026
Added
Initial register published. All overseas recipients listed above added at platform launch. Pending actions identified for Resend DPA and Netlify log residency confirmation.