Compliance

Global Data Privacy Compliant Migration

Every migration we run is designed from the ground up to meet GDPR (EU & UK), CCPA (US), PIPEDA (Canada), and Privacy Act (Australia) requirements. Here's exactly how we protect your data.

01

How we handle your data during migration

During a data migration, we act as a Data Processor under GDPR Article 28 (and equivalent provisions under CCPA, PIPEDA, and the Privacy Act). You remain the Data Controller — all processing decisions rest with you.

  • All data is transferred over encrypted channels (TLS 1.2+) at all times
  • Migration environments are isolated — your data never touches another client's pipeline
  • Access is limited to the specific 2-IC engineers assigned to your project under NDA
  • No data is retained on our systems beyond 30 days post-migration completion
  • We maintain a complete audit log of every read, write, and transformation operation
  • You can request a full data processing report at any point during the engagement

02

Our global data privacy compliance framework

Article 25 — Privacy by Design

Data minimisation is built into every migration pipeline. We only process the fields required to complete the migration.

Article 28 — Processor Agreement

We operate under a signed Data Processing Agreement (DPA) for every client. Request yours below.

Article 32 — Security of Processing

Encryption at rest and in transit, access controls, and regular security assessments aligned with ISO 27001.

Article 33 — Breach Notification

In the unlikely event of a security incident, we will notify you within 24 hours — well within the 72-hour GDPR deadline and aligned with CCPA and other regulatory timeframes.

03

Data Processing Agreement (DPA)

Our DPA covers GDPR (EU & UK), CCPA (US), PIPEDA (Canada), and Privacy Act (Australia). It covers lawful basis for processing, sub-processor lists, data subject rights obligations, and retention schedules. Complete the form below and we'll send a countersigned copy within 1 business day.

04

Source data post-migration: our destruction protocol

Zero retention beyond 30 days

All source data, transformation logs, and intermediate files are securely deleted within 30 days of project sign-off. We issue a written Certificate of Destruction confirming this.

DoD 5220.22-M compliant wiping

For on-premises or VM-based migration environments, we apply the Department of Defense standard multi-pass overwrite before decommissioning.

Audit trail retained for 6 years

Per GDPR and equivalent guidance, we retain anonymised audit logs (not personal data) for 6 years to demonstrate compliance. These logs contain operation hashes — not the underlying data.

05

Contact our Data Protection lead

For data subject rights requests, compliance queries, or DPA negotiations, contact our Data Protection lead directly:

team@flow-x.madethis.app